Mac OS X hacked under 30 minutes
ZDNet Australia ^ | 6 March 2006 | Munir Kotadia

Posted on 03/06/2006 10:47:30 AM PST by ShadowAce

To: antiRepublicrat
The situation that shouldn't have been was this whole test, using a client, giving out shell accounts.

Why not? With its Unixy underpinnings, someone might think to use it in the role of a traditional multiuser timesharing system. Obviously, that's worth reconsidering at the very least, given that there appear to be holes in local account security that are known to blackhats. What's wrong with allowing that maybe, just maybe, OS X is not suitable for that role? It's not like that's the target market for Apple anyway, so they're hardly going to be losing much business as a result.

101 posted on 03/07/2006 11:49:40 AM PST by Senator Bedfellow

To: Senator Bedfellow
Why not?

Wouldn't you agree that it's better to test a server role using the actual server version of an operating system?

What's wrong with allowing that maybe, just maybe, OS X is not suitable for that role?

It's as suitable as any other OS in its market. They ALL have had privilege elevation exploits.

It's not like that's the target market for Apple anyway


102 posted on 03/07/2006 12:43:02 PM PST by antiRepublicrat

To: antiRepublicrat
Wouldn't you agree that it's better to test a server role using the actual server version of an operating system?

Sure. Lemme get out my copy of FreeBSD Server Edition (TM), rather than Desktop Edition (TM)...err, wait. There isn't any such thing.

I can sort of understand segmenting your clientele based on the number of concurrent connections, or the number of processors, or some such. I'm not so sure segmenting based on security is such a hot idea. Unless you're suggesting something other than that OS X server is more secure than the desktop version.

It's as suitable as any other OS in its market. They ALL have had privilege elevation exploits.

Which one do we know for a fact has unpublished, unpatched exploits TODAY?

103 posted on 03/07/2006 12:52:35 PM PST by Senator Bedfellow

To: Senator Bedfellow
Sure. Lemme get out my copy of FreeBSD Server Edition (TM), rather than Desktop Edition (TM)...err, wait. There isn't any such thing.

Not for FreeBSD, but there is for OS X. Since we don't know the exact exploit used, we don't know if it works on Server too. This isn't as big as the difference between NT4 (server) and Windows 98 (client), but it's bigger than the difference between NT 3.51 Server and Workstation (the only difference there being registry entries that restricted Workstation; Microsoft made it a bit harder for NT 4, but it's still doable).

Face it, all OSs are a race against hackers. At any one time, any OS will have known and unknown vulnerabilities, patched and unpatched. What matters is the reaction time to fix once notified and the number/severity of the vulnerabilities for the roles you're using. Anything else is just playing games.

104 posted on 03/07/2006 1:41:31 PM PST by antiRepublicrat

To: antiRepublicrat
Wait, wait. So far, you're telling me what the difference is not - it's not the same as the difference between 98 and NT, or the same as the difference between NT Server and NT Workstation - but you're not telling me what the difference is. What's the difference between Server and diet OS X, and why would we expect that difference to have an impact on security? And if it really is the case that Server is measurably more secure for local users than vanilla OS X, why isn't the desktop version incorporating those measures?
105 posted on 03/07/2006 1:47:21 PM PST by Senator Bedfellow

To: SengirV

I agree

I own a Mac and several PCs....SSH isn't normally left open....for GAWD sake...and I would never set any machine as a server....

The article is out to lunch....and not real world!


106 posted on 03/07/2006 1:55:16 PM PST by Halgr (Once a Marine, always a Marine - Semper Fi)

To: antiRepublicrat
Only the stupid ones.

Then that's most of them. ;-)
107 posted on 03/07/2006 1:57:03 PM PST by DemosCrash

To: Senator Bedfellow
And if it really is the case that Server is measurably more secure for local users than vanilla OS X, why isn't the desktop version incorporating those measures?

Learn to read. We don't know the exploit. An exploit could be as serious as a flaw in core OS components used by both client and server, or as simple as a difference in the default configuration between the two. From the article, it sounds like he used a buffer overflow exploit. Because he had shell access, he could have attacked any number of software packages on the system (made by Apple or third parties, although Apple is in the end responsible for the security of third-party apps it ships with OS X). Some may or may not have been present in Server in various states of configuration (an iPhoto exploit wouldn't have done any good on Server), or part of a different security rollup that would have included the appropriate patch. We just don't know.

FYI, there are numerous code changes between client and server, but the biggest difference is the huge package of management and configuration software that ships with the server. That's software that helps you put a server on the Internet without screwing things up, things that can lead to a compromised machine.

But none of that is meant to say that Apple shouldn't start really being on guard security-wise as its OS is starting to get on the radar.

OTOH, Apple had a much smaller marketshare during OS 8/9, and there were over a hundred exploits for those OSs.

108 posted on 03/07/2006 2:08:56 PM PST by antiRepublicrat

To: antiRepublicrat
Learn to read. We don't know the exploit.

Take your own advice - I didn't ask about the exploit, I asked about the difference between Server and desktop.

109 posted on 03/07/2006 2:09:58 PM PST by Senator Bedfellow

To: ShadowAce
It really amazes me that some people believe this report.

Let's look at what we do know about this.

1. The version of OS X used was a client version.
2. The server stuff was added.
3. The hackers were given ssh access.

Now let's look at what is not known.

1. What was the patch level?
2. Was the server stuff even set up right?
3. How much of a shell were these guys given?

There is a good possibility that the server stuff was downloaded from who knows where.

What were the permissions set to?
What was the real name of the hacker?
What unknown exploit was used?

There simply is not enough info to go on.

Until these questions are answered, I am going to throw this report in the trash.

110 posted on 03/07/2006 5:06:55 PM PST by amigatec (There are no significant bugs in our software... Maybe you're not using it properly.- Bill Gates)