Free Republic

Mac OS X hacked under 30 minutes
ZDNet Australia ^ | 6 March 2006 | Munir Kotadia

Posted on 03/06/2006 10:47:30 AM PST by ShadowAce

Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

"The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server -- with various remote services running and local access to users… There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.

Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added gwerdna.

Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.

In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.… If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.

An Apple Australia spokeswoman said today it was unable to comment at this stage.


TOPICS: Technical
KEYWORDS: mac; osx; security
To: Senator Bedfellow
Gee, what were those AIX and Solaris admins thinking when they gave all us users shell accounts? Come to think of it, they never did get hacked through the shell, so maybe it's a problem unique to OS X.

I'd like to know a lot more about the conditions of the test. If the guy was dumb enough to allow random users shell access (I'm assuming through SSH, though there is no way to know it - it could have been telnet!), it would be nice to know if he did anything at all to secure the box. If he was running an http server, did he allow user mods of cgi directories?

Frankly there is not nearly enough information in the article to tell if this was anywhere close to a valid test.

81 posted on 03/07/2006 6:56:57 AM PST by zeugma (Anybody who says XP is more secure than OS X or Linux has been licking toads.)
[ Post Reply | Private Reply | To 71 | View Replies]

To: antiRepublicrat
Every multi-user OS I know has had privilege elevation exploits. They are a common danger. Normally when running a server, all of the service accounts do not have logon privileges (meaning a hacker exploiting a service can't use it to log on), only the local admin accounts do. That restricts the abilities of someone who hacked a service. The hacker is left with trying to exploit the flaws in that service to perform a privilege elevation, which is harder than if they could just log on.

Nonetheless, it is very telling that somebody could exploit a local attack on OS X so easily. What that tells me is that OS X users are far too complacent about their own security. Most hacks with banks, financial companies, etc come from the inside. If average users can gain access to root-level resources so easily under OS X, there's clearly trouble brewing for Apple. And, given the recent proliferation of proof-of-concept attacks on OS X, I think you're going to see a *lot* more exploits being produced by (cr)(h)ackers. This isn't a one-off thing. It's going to get a lot worse for Apple before it gets better.
82 posted on 03/07/2006 8:49:32 AM PST by DemosCrash
[ Post Reply | Private Reply | To 76 | View Replies]

To: zeugma

Are you arguing that it isn't possible/practical to lock down a 'NIX box where a user has shell privileges?


83 posted on 03/07/2006 8:51:14 AM PST by DemosCrash
[ Post Reply | Private Reply | To 81 | View Replies]

To: DemosCrash
Nonetheless, it is very telling that somebody could exploit a local attack on OS X so easily.

Well, it's easy if you've previously found an exploit, never notified the vendor, and use it when you get the chance.

84 posted on 03/07/2006 8:51:57 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 82 | View Replies]

To: zeugma; N3WBI3

Why is it so hard to think that maybe local security from the command-line isn't quite what it should be? That's not exactly how Apple intends for anyone to interact with the system, and it certainly seems likely that maybe it hasn't gotten quite as much of their attention as other parts of the system?


85 posted on 03/07/2006 8:55:47 AM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 81 | View Replies]

To: DemosCrash
Why does it follow that getting local access translates into getting root access? Is OS X security really that bad?

Everybody has this problem. It is the nature of the beast. It's not a good thing, but that's the way life is in a multi-user OS. The best you can do is keep the exploits local, and hopefully not in the core OS (as opposed to exploits in services and applications that not everybody uses).

86 posted on 03/07/2006 9:01:59 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 61 | View Replies]

To: Senator Bedfellow
Why is it so hard for you to think it's not just as 'bad' on AIX and Solaris, given all three operating systems have a common lineage?
87 posted on 03/07/2006 9:14:18 AM PST by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 85 | View Replies]

To: N3WBI3

Experience? Tens of thousands of users logging in to shell accounts daily for decades? Besides, the common heritage is not much to speak of - AIX is a SysV derivative, not BSD.


88 posted on 03/07/2006 9:21:15 AM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 87 | View Replies]

To: Senator Bedfellow
Gee, what were those AIX and Solaris admins thinking when they gave all us users shell accounts? Come to think of it, they never did get hacked through the shell

Solaris really is immune to privilege elevation exploits. Oops, found one.

And don't forget AIX.

89 posted on 03/07/2006 9:23:20 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 71 | View Replies]

To: antiRepublicrat
I'm sorry, you must have misdirected your post to me - you must have intended it for someone who actually used the word "immune". As for me, I'm not suggesting that any system is immune to local attacks, merely that Apple's local security is not as good as others, likely by virtue of the fact that it's simply newer.
90 posted on 03/07/2006 9:27:15 AM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 89 | View Replies]

To: Senator Bedfellow
Tens of thousands of users logging in to shell accounts daily for decades?

Solaris has not been around decades; Solaris has been around for 15 years. SunOS, which existed before that, was BSD.

"SunOS was the version of the UNIX operating system developed by Sun Microsystems for their workstations and server systems until the early 1990s. This was based on BSD UNIX with some additions from UNIX System V in later versions."

So in your experience did you hand known hackers shell access and tell them 'go at it'?

91 posted on 03/07/2006 9:29:00 AM PST by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 88 | View Replies]

To: N3WBI3
So in your experience did you hand known hackers shell access and tell them 'go at it'?

I like that - "known hackers". LOL.

We gave shell accounts to programmers and other specialists who very much had the skills to exploit weaknesses in the system - at the time, they were called "employees", and they used those shell accounts to do the work required of them. So, whatcha gonna do with OS X? Want to try the same thing?

92 posted on 03/07/2006 9:33:44 AM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 91 | View Replies]

To: Senator Bedfellow
Experience? Tens of thousands of users logging in to shell accounts daily for decades?

With many hacks known during that time.

Besides, the common heritage is not much to speak of - AIX is a SysV derivative, not BSD.

They're just different flavors, and the separation was much earlier, as BSD was based on Ken Thompson's teaching at Berkeley at the same time UNIX System Version 6 was being developed. As of Version 7 (three versions before SYSV) they were separate. Of course, a bunch of BSD was dumped back into SYSV UNIX later (especially TCP/IP), so the lines are blurred. A lot of what SCO claims is their copyright in UNIX (SYSV) is actually BSD licensed code.

But in general, AIX and HP/UX are SYSV, Mac and SunOS are BSD, and Solaris is a hybrid SYSx/BSD. Linux is kind of out in left field, being inspired by a from-scratch OS (Minix).

93 posted on 03/07/2006 9:57:54 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 88 | View Replies]

To: Senator Bedfellow
I'm sorry, you must have misdirected your post to me

Your post suggested that AIX and Solaris have been running without such exploits. OS X is fairly new in a sense, but it does have a quite old base.

Apple has a damn good OS, but some things have been leading me to think they need to get a bit more proactive on security if they want to keep their edge.

94 posted on 03/07/2006 10:01:40 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 90 | View Replies]

To: antiRepublicrat
Everybody has this problem.

I'm not disputing that. I recognize that local exploits are a problem for every vendor. HOWEVER, given that OS X users seem to think that they're immune to attack, it's good to take a moment to realize that writing a virus for OS X that exploits privilege escalation to grab root wouldn't be all that difficult.
95 posted on 03/07/2006 10:03:39 AM PST by DemosCrash
[ Post Reply | Private Reply | To 86 | View Replies]

To: Senator Bedfellow
We gave shell accounts to programmers and other specialists who very much had the skills to exploit weaknesses in the system

And could have gone to jail on top of losing their jobs if they did hack the system.

So, whatcha gonna do with OS X? Want to try the same thing?

Give shell accounts to people who I can fire / imprison if they hack a system... Sure I already do that on my Linux systems.. Would I give shell access to someone who is a hacker and tell him he is free to do it? no..

96 posted on 03/07/2006 10:08:45 AM PST by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 92 | View Replies]

To: DemosCrash
given that OS X users seem to think that they're immune to attack

Only the stupid ones. I've always said an OS X virus will eventually be found in the wild. But people switching from Windows at 10.2 (first good stable version) would have enjoyed almost four years of virus-free operation by now. There are probably a few more years before the Mac virus problem becomes severe enough (if it ever does) to be a significant cost to any business as it is with Windows boxes now. Not bad, huh?

97 posted on 03/07/2006 10:09:14 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 95 | View Replies]

To: antiRepublicrat
I believe you're missing the point - even back then, I would wager that they were more secure then than OS X is now. And even if you don't buy that, the critical point is that they're more secure now than OS X is. We can jawbone all day long about what wonderful things OS X theoretically inherited from BSD, but at the end of the day the question is what happens when the rubber meets the road - well, you got that here, and it didn't go so well.

And this thing about complaining how things might have gone on Windows or some such doesn't make things better - "Windows is just as crappy!" is probably not the tagline Jobs is looking for in his next "Switch" campaign. So let's just deal with the fact that the thing got owned, in a situation where it shouldn't have been, and go from there.

98 posted on 03/07/2006 10:18:48 AM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 93 | View Replies]

To: N3WBI3
Give shell accounts to people who I can fire / imprison if they hack a system...

Ah, I see - it's setting the critical "can this person be fired?" bit that makes the system secure. LOL. Look, at the end of the day, you can either have a system that's secure WRT local accounts, or you can trust everybody. Or, in your case, trust everyone to be afraid of you. My suggestion is that sooner or later you're gonna get burned by trusting someone you shouldn't, unless you take steps to trust but verify the security of your system.

99 posted on 03/07/2006 10:23:20 AM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 96 | View Replies]

To: Senator Bedfellow
I believe you're missing the point - even back then, I would wager that they were more secure then than OS X is now.

I'd bet with you on AIX, but I'm not so sure about Solaris. Remember sadmind?

but at the end of the day the question is what happens when the rubber meets the road - well, you got that here, and it didn't go so well.

No viruses/worms in the wild. Going good so far. The sadmind vulnerability (sadmind installed by default, authenticated in clear text by default, buffer overflow exploit) was discovered seven years after the release of Solaris, not counting its pre-Solaris heritage (SVR4 and BSD/SunOS).

And this thing about complaining how things might have gone on Windows or some such doesn't make things better ... So let's just deal with the fact that the thing got owned, in a situation where it shouldn't have been, and go from there.

The situation that shouldn't have been was this whole test, using a client, giving out shell accounts. I called BS on this test, and my Windows comment was that I would also call BS on a test with these parameters using XP instead of 2003 Server.

100 posted on 03/07/2006 11:04:04 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 98 | View Replies]

