Slashdot Mirror


Screensaver Bug in Mac OS X

dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and posted on the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."

452 comments

  1. Why... by Anonymous Coward · · Score: 5, Insightful

    Is it always buffer overflows? :/

    1. Re:Why... by Anonymous Coward · · Score: 0

      Probably because they are the easiest programming error to overlook

    2. Re:Why... by gnurb · · Score: 3, Informative

      write your own buffer overflow exploit

      --
      hooray! it's a sex wiki
    3. Re:Why... by Dirus · · Score: 3, Informative
      Is it always buffer overflows? :/

      No, IIRC the last story on slashdot about a vulnerability was this one. The exploit it mentioned was an integer underflow vulnerability.

      This message has been doubly encrypted with rot13 for enhanced security.

    4. Re:Why... by Waffle+Iron · · Score: 4, Funny
      Is it always buffer overflows? :/

      Because extensive user testing has shown that some people can type their passwords so fast that even a GHz-class RISC processor can't keep up unless the password capture program is written in C. The system can fall behind if it takes more than a handful of opcodes per character in the inner loop. Unfortunately, these performance constraints preclude checking array bounds between each typed character.

      It's regrettable that we have to live with risks like these, but we have little choice when dealing with data input at these kinds of speeds.

    5. Re:Why... by Alsee · · Score: 4, Funny

      a GHz-class RISC processor can't keep up unless the password capture program is written in C.

      How the hell did you get it to work in C? I had to hand roll the code in assembler and optimize the register allocations. You can also save a byte and a cycle on the loop if you take the branch-prediction microcode into account.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    6. Re:Why... by Anonymous Coward · · Score: 1, Informative

      You gotta love the C programming language....

      However, I believe that the Cocoa string class doesn't suffer from the classic buffer overflow problem. It may be this particular implementation of the password-enabled screen saver (and apps that use the same class) that suffer from this problem.

    7. Re:Why... by Anonymous Coward · · Score: 2, Funny

      Yep. Seconf only to typos that make you look like an idiot.

    8. Re:Why... by LittleBigLui · · Score: 3, Funny

      you can't imagine how much the resource usage can be optimized by constraining the password to 4 letters max, only caps, and only letters from A to D, no numbers or other symbols. By imposing those limits on the passwords you could implement range-checking and avoid any and all buffer overflows, hence making the system WAY MORE SECURE!

      --
      Free as in mason.
    9. Re:Why... by kasperd · · Score: 2, Informative

      Is it always buffer overflows?

      Because it is easy to introduce such bugs in your program. And they are often easy to exploit. It has been claimed (I haven't seen any statistics though) that 50% of all security problems are buffer overflows. I think that next to buffer overflows, the most frequent class of security problems are caused by race conditions.

      --

      Do you care about the security of your wireless mouse?
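The pattern the posts above joke about, as an added example that is not code from the original thread or from Apple: a fixed-size C buffer fed by an unchecked copy next to a bounded version that refuses over-long input before writing anything. The 2048-byte field size is an assumption taken from the story's own guess, the secret and the "yank storm" input are constructed here, and nothing about the real Cocoa text field's internals is claimed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed field size. The thread only guesses "about 2048"
 * (or 1367) characters, so this value is an assumption for illustration. */
#define FIELD_MAX 2048

/* The vulnerable pattern: caller-controlled text copied into a fixed buffer
 * with no bound. Kept for contrast only and never called with long input in
 * this file, because overflowing dst is undefined behaviour. */
static size_t unchecked_copy(char *dst, const char *src)
{
    strcpy(dst, src);   /* writes strlen(src)+1 bytes no matter how big dst is */
    return strlen(dst);
}

/* Hardened replacement: compare the length against the destination before
 * any byte is written, and refuse rather than silently truncate. */
static bool bounded_copy(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0 || src_len >= dst_size)   /* leave room for the NUL */
        return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

/* Model of a password field's submit handler.
 * Returns 1 if the text matches, 0 if it does not, -1 if rejected as over-long. */
int submit_password(const char *typed, size_t typed_len, const char *secret)
{
    char field[FIELD_MAX];
    if (!bounded_copy(field, sizeof field, typed, typed_len))
        return -1;      /* over-long input is rejected before it reaches the buffer */
    return strcmp(field, secret) == 0 ? 1 : 0;
}

/* Builds the kind of input the thread describes: a short killed chunk yanked
 * back into the field over and over. Caller frees the result. */
char *build_yanked_input(const char *chunk, size_t repeats, size_t *out_len)
{
    size_t chunk_len = strlen(chunk);
    char *buf = malloc(chunk_len * repeats + 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < repeats; i++)
        memcpy(buf + i * chunk_len, chunk, chunk_len);
    buf[chunk_len * repeats] = '\0';
    *out_len = chunk_len * repeats;
    return buf;
}

/* Wrapper so the outcome for a given yanked input can be checked directly.
 * Returns -2 only if the constructed input could not be allocated. */
int submit_repeated(const char *chunk, size_t repeats, const char *secret)
{
    size_t len = 0;
    char *input = build_yanked_input(chunk, repeats, &len);
    if (input == NULL)
        return -2;
    int rc = submit_password(input, len, secret);
    free(input);
    return rc;
}

int main(void)
{
    const char *secret = "correct horse";   /* constructed sample secret */
    char scratch[32];

    /* The unchecked copy "works" on short input, which is why it survives review. */
    printf("unchecked copy of short text: %zu bytes\n", unchecked_copy(scratch, "short"));

    printf("exact match:        %d\n", submit_password(secret, strlen(secret), secret));
    printf("10 x 'a' (wrong):   %d\n", submit_repeated("a", 10, secret));
    printf("1000 x 'aaaa':      %d\n", submit_repeated("aaaa", 1000, secret));
    return 0;
}
```

The point of the bounded version is that the length check happens before the buffer is named at all; a check that runs after `strcpy` has already returned is no check. Silent truncation would also be wrong here, since it would turn an over-long wrong password into a shorter string that is compared as if the user had typed it.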
    10. Re:Why... by kasperd · · Score: 1

      The exploit it mentioned was an integer underflow vulnerablity.

      Sure, but it was used to cause a buffer overflow.

      --

      Do you care about the security of your wireless mouse?
    11. Re:Why... by Alsee · · Score: 1

      By imposing those limits on the passwords you could implement range-checking and avoid any and all buffer overflows, hence making the system WAY MORE SECURE!

      Ah, excellent. Even better, I have created password code that is mathematically provably correct and bug free. An absolute guarantee of security. It implements a 1 character binary password.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    12. Re:Why... by Synithium · · Score: 1

      , the most frequent class of security problems are caused by race conditions.

      Do you live in Cincinnati?

    13. Re:Why... by kasperd · · Score: 1

      Do you live in Cincinnati?

      No, why?

      --

      Do you care about the security of your wireless mouse?
    14. Re:Why... by Synithium · · Score: 1

      Cincinnati has horrible racial problems. It was a stupid joke, I know.

  2. Quick! by Kappelmeister · · Score: 0, Offtopic

    Someone identify the Final Cut Pro box cutting Return of the King and swipe the rough cut!

    1. Re:Quick! by Anonymous Coward · · Score: 0

      Wow, that's the first time someone else has ever defended one of my modded-down posts... thanks :-)

      -K

  3. Re:LP by sunilrkarkera · · Score: 1

    Okay now...Apple is swiftly closing the gap with Microsoft in the amount of holes it has.

  4. Hey! I'm famous. by DarkAurora · · Score: 5, Informative

    I was the one that posted about the address bar in Safari. I am using 10.2.6. This is a problem for ALL cocoa apps.

    It'll probably be trivial for Apple to fix, though. So I'm just waiting for the patch to arrive.

    *taps finger on desk*

    1. Re:Hey! I'm famous. by Jayzz · · Score: 1

      Please, if you don't know anything, just don't post. They'll charge for the new version, which is 10.3, not 10.2.8, and it is not another bug fix.

      On second thought, I don't think you want to know what the truth is, you just want to say something cynical hoping that makes you look cool. Well, it seemed to work, at least for those who modded up for whatever reason which I won't understand.

    2. Re:Hey! I'm famous. by mosch · · Score: 1

      Well, this isn't a 2048 character bug, so it's probably different. This one seems to be about 1367 characters. If OS X was truly open source, we'd probably be patching our machines right now, instead of impotently discussing this on slashdot.

    3. Re:Hey! I'm famous. by CoolVibe · · Score: 2, Interesting
      And, when, pray tell, are they going to fix this?

      [loki:~] coolvibe% setenv EDITOR %p
      [loki:~] coolvibe% chsh
      chsh: 0x1: No such file or directory
      chsh: /etc/master.passwd: unchanged
      [loki:~] coolvibe% uname -a
      Darwin loki.ipv6.hackerheaven.org 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc

      Hmm? Smells like a formatting bug

    4. Re:Hey! I'm famous. by joeykiller · · Score: 5, Insightful

      Well, perhaps you would be patching your machine if OS X were open source, but let's face it: 99,9% of Linux users never patch their OS manually (i.e. edit source code and recompile). They're waiting for binary upgrades through something like RedHat's update program.

      So in that respect I don't think the vast majority of OS X users are worse off than most Linux users.

    5. Re:Hey! I'm famous. by Lev13than · · Score: 5, Funny

      If OS X was truly open source, we'd probably be patching our machines right now, instead of impotently discussing this on slashdot.

      True, except you wouldn't be able to run Fink to download the screensaver patch until you figure out why your computer crashes every time you type with your hardware-hacked keyboard. You suspect that it's because your version of OpenAqua is creating conflicts with GND (GND's Not Darwin), but you can't go online to check because the web forum doesn't support OnSafari 0.1.2.33a.

      --
      When you have nothing left to burn you must set yourself on fire
    6. Re:Hey! I'm famous. by alienw · · Score: 2, Insightful

      Well, yes, but his point was that we would already have a patch available in binary form by now were it open-source. Since it isn't, we have to wait for Apple to cough up a patch when it feels like it.

    7. Re:Hey! I'm famous. by Lars+T. · · Score: 1

      A patch? Or four, one of them a trojan?

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    8. Re:Hey! I'm famous. by Anonymous Coward · · Score: 1, Funny

      I told you not to download the patch from that angelfire page. But noooo, you felt the Redhat official mirrors were too slow.

    9. Re:Hey! I'm famous. by dwillden · · Score: 2, Funny
      Well, perhaps you would be patching your machine if OS X were open source, but let's face it: 99,9% of Linux users never patch their OS manually (i.e. edit source code and recompile).

      What????, You mean there are other ways to update my Linux distro, other than manually retyping every line of code each time there is an update?

      --
      I'm too lazy to compose a creative sig.
    10. Re:Hey! I'm famous. by Kashif+Shaikh · · Score: 2, Interesting

      99,9% of Linux users never patch their OS manually (i.e. edit source code and recompile)

      Because you run abc-2.2-9rh9.i386.rpm. A patch is available for abc-2.2-1, but it doesn't apply cleanly to abc-2.2-9rh9.src.rpm.

      Now you have two choices: download the abc-2.2-1 original tarball, apply the patch and recompile (thus tainting your 'pristine' rpm and possibly screwing dependencies). Or be like me and just wait for redhat to release an updated package.

      Now suppose you were adventurous and proceeded to download abc-2.2-1.tar.gz. Then it complains you don't have foo-devel headers. @#$ OK so you get foo-devel. Next thing you know the source tree is 100+ megs and compiling takes 5+ hours. If you're lucky and the package compiled, then "Welcome to the Next Level!" and pray you didn't break anything...

      [Insert your source-code adventure here]

  5. Finally, there's no objection! by HomerNet · · Score: 5, Funny

    A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

    --
    I have no tag line
    1. Re:Finally, there's no objection! by Anonymous Coward · · Score: 0

      sig as do all OSes

    2. Re:Finally, there's no objection! by Anonymous Coward · · Score: 3, Insightful

      You just dont get it.

      Mac OS X doesn't have a UNIX layer like Cygwin.

      It IS a true, blue UNIX.

      see, cygwin can be removed from windows, there is absolutely no way to remove the UNIX CORE from Mac OS X.

      Use it, and you'll see.

    3. Re:Finally, there's no objection! by GlassHeart · · Score: 5, Insightful
      Sounds like MacOSX can be called UNIX in a same way as Windows-95

      What are you talking about? A screensaver password vulnerability requires physical access to the machine. Most Unices will not protect against a malicious user with physical access, either.

      at least [Linux and NT] has a general design idea of what is a protection of user sessions.

      That's even more ridiculous. This is a bug, not something there by design.

    4. Re:Finally, there's no objection! by Anonymous Coward · · Score: 0
      Sounds like MacOSX can be called UNIX in a same way as Windows-95. I think that's because BSD layer on MacOSX is like cygwin on Windows - it wasn't designed to be there.
      You're kidding, right?
    5. Re:Finally, there's no objection! by khuber · · Score: 1
      Nah, the core is the Mach microkernel. BSD is on top of that. I bet you could put BSD on top of the Windows kernel if you wanted to.

      I'm not saying BSD isn't a critical part of the system, just that the OS X architecture is not like "a true, blue" Unix. It's a hybrid.

    6. Re:Finally, there's no objection! by Bastian · · Score: 0

      Two things:

      First, it doesn't work on my computer, which is running Jaguar. Given that the person was talking about AppleScreenSaver and not Screen Effects, I think that they were talking about screen savers for OS 9, not OS X. (Then again, it may just be that the vulnerability is for OS X 10.0 or 10.1, but not Jaguar). If it is OS 9, that makes sense - OS 9 is _NOT_ a multiuser operating system, and there's no sense in even pretending it has any security - kind of like how having a login to a Win95 machine gives you access to all files.

      Second, OS X doesn't have a BSD layer. OS X is a flavor of BSD called Darwin with a separate GUI called Aqua thrown on top. Granted, some things are handled in a very un-unixy way (anyone who has tried to edit their own default login shell via the password file on OS X has probably noticed this), but it is still Unix, and if you don't like Aqua you can configure OS X to not load Aqua and use XFree86 instead, or just boot to a text terminal.

    7. Re: Finally, there's no objection! by Black+Parrot · · Score: 3, Funny

      > A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

      And think how much faster the exploits will run on a G5!

      --
      Sheesh, evil *and* a jerk. -- Jade
    8. Re:Finally, there's no objection! by Alsee · · Score: 4, Funny

      Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

      I'm sorry but you're going to have to provide support for more than a single security hole before you convince me to switch. Windows has a proven track record of reliable security holes in almost every portion of the system, everything from E-mail to wordprocessors to Plug-N-Play and more.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    9. Re:Finally, there's no objection! by wo1verin3 · · Score: 1

      >>kind of like how having a login to a Win95 >>machine gives you access to all files.

      Er... really?

      I guess all those clients I charged to setup logins are gonna be pissed if they find out. :(

    10. Re:Finally, there's no objection! by axxackall · · Score: 1

      OSX is the microkernel (aka in Next) + BSD drivers + BSD core userland + GUI Aqua. I wouldn't call it a flavor of BSD - it's a completely different design (kernel, FS, file tree) with just some re-use of BSD pieces. There is obviously a BSD layer between the Next microkernel and Aqua to me, but that doesn't let me call it BSD. BTW, I wonder whether it would still be called OSX when I hack it to rip Aqua off?

      --

      Less is more !
    11. Re:Finally, there's no objection! by Anonymous Coward · · Score: 0
      It IS a true, blue UNIX.

      I think the Open Group might disagree with you on that one. Since they own the trademark, that would mean you are wrong.

    12. Re:Finally, there's no objection! by Anonymous Coward · · Score: 0

      The version of Mach used predates the actual microkernel work.

    13. Re:Finally, there's no objection! by cscx · · Score: 4, Interesting

      Reminds me of that old local root exploit in SunOS where you could just hold down the enter key at the login: prompt and get root.

    14. Re:Finally, there's no objection! by Trusted+Content · · Score: 0

      I almost posted a long rant about how you're completely wrong (you are, since the BSD layer underlies the rest of OS X, not the other way around). But then I realized I would fall victim to a quality troll. Kudos to you, sir. :)

      --
      OMG OMG LUNIX OMG
    15. Re:Finally, there's no objection! by Anonymous Coward · · Score: 0

      Same thing applies to 98 machines. If you have clients still setting up 95 or 98 machines, you might want to advise them they have no security whatsoever if they are using just Microsoft products.

    16. Re:Finally, there's no objection! by chrome · · Score: 3, Informative

      I just tested it on my G4 17" running 10.2.6.

      Its verified.

      Setting a lock password, and starting the screensaver, when I move the mouse the authentication dialog pops up. I type some 'a' characters, select the text with shift-left, ctl-k it, then hold down ctl-y until the box stops scrolling.

      Hit enter.

      Screensaver crashes back to desktop, without my having typed my real password at all.

      I don't know why it didn't work for you, but you must have done it differently.

    17. Re:Finally, there's no objection! by fireman+sam · · Score: 5, Funny

      The real reason that Apple didn't go with Linux is because they had a conversation with RMS. The outcome of which would have resulted in the calling of the product GNU/Linux/OSX/Aqua. Apple just couldn't bring themselves to share the product name with any other company/entity.

      --
      it is only after a long journey that you know the strength of the horse.
    18. Re:Finally, there's no objection! by Flywheel · · Score: 1

      Well it is a large/heavy FreeBSD wrapper that has been used for wrapping in the Mach-kernel.

      IMO Apple chose right when they decided not to go with the GNU system, even if they still would have used a Mach kernel - and got as a result some HURD look-alike hybrid.

      Without the Aqua it would just be Darwin, but IMO it would be a shame - then you could just as well use some sort of PPC Linux :o)

      --
      Live long and prosper...
    19. Re:Finally, there's no objection! by LittleBigLui · · Score: 3, Funny

      yeah, but you wouldn't call SunOS a UNIX. I mean, its name doesn't even end in an "x"!!

      --
      Free as in mason.
    20. Re:Finally, there's no objection! by axxackall · · Score: 1

      Why should Apple care about the name/license/whatever of their OS if the real source of profit they have is from hardware? Unless Steve Jobs again cares about his own personal ambitions and wants to sell the OS even at a loss.

      --

      Less is more !
    21. Re:Finally, there's no objection! by khuber · · Score: 1

      The version of Mach used predates the actual microkernel work.

      Huh? http://developer.apple.com/darwin/history.html "Darwin is comprised of five main components: the Mach microkernel and BSD subsystem, the file system, networking, and the I/O Kit."

    22. Re:Finally, there's no objection! by mindstrm · · Score: 1

      Having used BSD in most of its incarnations over the years, as well as many other unix and unix like systems, I would very MUCH call OSX a flavor of BSD. Since when does using mach disqualify it?
      IF by "some re-used bsd pieces" you mean "an entire BSD system" then yeah, I guess so.

      If you rip aqua off, which you can certainly do, (or hey, you could just grab darwin and build your own), sure, you could say it's not osx.. you'd call it darwin, probably. Then again, if I take Mandrake Linux, ditch KDE, Gnome, and X, and use one of the lightweight framebuffer based non-x GUIs, is it still linux? What if I take another unix, say Solaris, take off X, and write a gui app that uses the framebuffer directly.. is it still unix?

      Trying to say "it has a custom gui so it's not unix" is ridiculous... unix has no requirement for any particular gui. X is available in several formats for OSX.... in fact, it's Xfree86 even.

      As a unix user, developer, fanatic... I have no problem calling OSX "unix" or "bsd" or whatever.. those are both words that accurately describe what's going on inside.

    23. Re:Finally, there's no objection! by axxackall · · Score: 1
      Then again, if I take Mandrake Linux, ditch KDE, Gnome, and X, and use one of the lightweight framebuffer based non-x GUIS, is it still linux?

      Neither KDE nor GNOME nor Xfree make Linux. Linux OS is an OS with the Linux kernel. If you run the same OS with HURD or BSD kernels then it's not Linux anymore. Example: Gentoo/Linux vs Gentoo/BSD.

      There are also conventions about what should be on top of the kernel to make Linux OS an operating system. That includes a user security model, virtual filesystem, virtual memory etc. In more detail there are a few groups of Linux de-facto standards defining how that operating system is provided through /etc, /sbin, /var, /bin and partially /usr. Those standards are still recognizable to avoid any mistaking Linux for BSD. And personally, I don't see any place for GUI in those standards.

      I was running the same versions of KDE and Gnome and Xfree in Linux and BSD and Solaris. I did not see any essential difference that would force me to say "Linux/KDE vs BSD/KDE". GUI is not OS. Period.

      In some OSes (proprietary) the GUI that is delivered with that OS is not ported to other OSes (yet!). Examples: Aqua for OSX and win32/MFC (do they have a better name?) for MS Windows. Of course Aqua is more progressive than win32 mainly since I can run the OS without Aqua.

      But no way I can call OSX BSD. FreeBSD and OpenBSD and NetBSD kernels are very similar. If I ported the application to one of them then it will build on another one. Moreover, it's most likely it will run on another one without recompilation. For OSX it's not true. Especially speaking about binary compatibility. Can I run any NetBSD/PPC binary on OSX or vice versa? If recompilation will still bring a lot of issues. Thus, no way I can call OSX BSD. Isn't it simple?

      --

      Less is more !
    24. Re:Finally, there's no objection! by sjpadbury · · Score: 1
      Not only is it a security hole, it's a security hole in the screensaver!

      I remember the good old days of NT, when all you needed to do was replace login.scr with cmd.exe, log out, wait for 15 minutes, and you could then happily play "logged in" as the system.

      Moral of the story: the only secure computer is the one sitting in a locked room, without any users on it at all!

      --
      We're all full up on Crazy here...
    25. Re:Finally, there's no objection! by mausmalone · · Score: 1

      I'm trying this exploit now on an iMac 600MHz G3 at work with OS 10.2.6. It's not working... or at least not yet. I stopped hitting ctrl-Y about 3 minutes ago and it's still trying to catch up. Boy do I hate this OS.

      --
      -=-=-=-=-=
      I'd rather be flamed than ignored.
    26. Re:Finally, there's no objection! by stanmann · · Score: 1

      You need a login on a win95 machine to access all files?? Really?

      you mean I can't just press cancel to bypass the password prompt??... Which version of 95 are you using.

      --
      Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
  6. Didn't work for me ... by wtmcgee · · Score: 4, Interesting

    using 10.2.6 - not saying it's not a real bug, just can't get it to crash my screen-saver.

    --
    *** For a better tomorrow, change your life today ***
    1. Re:Didn't work for me ... by Mister+Black · · Score: 1, Informative

      Ditto. Not able to crash screen saver. 10.2.6 on a G4/400

      --

      You are standing in an open field west of a white house, with a boarded front door. There is a small mailbox here.
    2. Re:Didn't work for me ... by gnuadam · · Score: 2, Informative

      I didn't at first either, but did using the ctrl-a, ctrl-k, ctrl-y method others have described.

      --
      You say :wq, I say ZZ. Why can't we all just get along?
    3. Re:Didn't work for me ... by Myuu · · Score: 1

      Sad to say, it worked for me on 10.2.6 Build 6L60 on my 900 ibook with 640.
      Interestingly, it took forever for the screen effects to crash.

      --

      forget it.
  7. slashdotted already by Anonymous Coward · · Score: 0

    someone mirror and/or post text please.

  8. 5 Point Defacing to be lowered? by LaptopZZ · · Score: 2, Interesting

    Does this mean when all the script kiddies have their defacing party OSX will be worth less than 5 points?

    --
    -=LaptopZZ=-
    1. Re:5 Point Defacing to be lowered? by SpriteGF · · Score: 0

      Unlikely, since this bug has to do with Cocoa text fields. Script kiddies can't perform this exploit remotely because they don't have direct access to the windowing manager (Aqua), unless they also found a way around Apple's Remote Desktop. :: www.firastudios.com ::

    2. Re:5 Point Defacing to be lowered? by scrod · · Score: 1
      Does this mean when all the script kiddies have their defacing party OSX will be worth less than 5 points?

      Yeah, probably, since they'd need to be sitting in front of the machine to begin with.
  9. The bug is bigger than the article lets on by fiftyvolts · · Score: 5, Informative

    First of all, the ctl-k ctl-y macros work in just about any Cocoa field. I pointed that out earlier on macslash. What I also pointed out was that this bug will crash just about every Cocoa app with a text field. I've crashed the login panel with it. It's not pretty. I really hope apple takes heed to this bug and fixes it at the core. Unfortunately the original bug report was.... well... not too elegantly written. We'll see what happens.

    In the meantime security-savvy users should log out rather than trust the screen saver and use an Open Firmware password on their machine. That way you prevent people from logging in using single user mode. Hit command+O+F during boot to get into open firmware, then type in password. After that type reset-all. You should be good to go. And don't forget the password or you will be totally screwed!

    1. Re:The bug is bigger than the article lets on by tbmaddux · · Score: 5, Insightful
      In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine... don't forget the password or you will be totally screwed!
      The open firmware password can still be circumvented with physical access to the machine. Change the amount of RAM and then zap PRAM 3 times and you're in. Or just yank the hard drive and go to work on it at your leisure. So 1) you won't be totally screwed, and 2) you can't count on it to protect you. If someone can get to your machine, they don't need the exploit described in the original article to compromise it (though it does make things convenient).
      --
      Can't you see that everyone is buying station wagons?
    2. Re:The bug is bigger than the article lets on by Anonymous Coward · · Score: 0

      If someone can get to your machine, they don't need the exploit described in the original article to compromise it (though it does make things convenient).

      You can lock the case, though. Of course this can also be circumvented and people might even steal your computer. So while we might never get into the realm of the totally secure, we might at least get closer all the time. (i- and PowerBooks are harder to secure physically, though, and much more likely to be stolen.)

    3. Re:The bug is bigger than the article lets on by SuperBanana · · Score: 1

      The open firmware password can still be circumvented with physical access to the machine. Change the amount of RAM

      That'll work great, unless there's a lock on the securing bar, which has been standard on every system since the G3 and keeps the case from being opened VERY effectively- the case is riveted together under that plastic, and the bar engages in a whole bunch of places. You'd have to take a die grinder, drill, or dremel tool to it to get it open.

    4. Re:The bug is bigger than the article lets on by Arker · · Score: 2, Insightful

      You can't secure a computer if the attacker can physically pick it up and cart it away for an extended period of time. That's a given.

      But the point is that taking reasonable precautions like this can make sure no one can get into your puter and ftp all your files off while you're in the bathroom.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    5. Re:The bug is bigger than the article lets on by Hadlock · · Score: 1

      you forgot laptops. powerbooks, you just lift up the keyboard and there's the ram. the 'lock' is something that can be opened with a sharp fingernail by anyone. they're also considerably more likely to be stolen.

      --
      moox. for a new generation.
    6. Re:The bug is bigger than the article lets on by Llywelyn · · Score: 1

      "You'd have to take a die grinder, drill, or dremel tool to it to get it open."

      Gives a new (old?) meaning to the term "hacking," doesn't it?

      --
      Integrate Keynote and LaTeX
    7. Re:The bug is bigger than the article lets on by Anonymous Coward · · Score: 0

      And this is why OSX 10.3 will have built-in filesystem encryption.

    8. Re:The bug is bigger than the article lets on by Dr_Cornholio · · Score: 1

      That's why I have an iBook. Have you tried getting the hard drive out of one of these suckers? Gimme a screensaver hack any day!

      --
      In Soviet Russia, the monkey spanks you!
  10. 2 words by amanpatelhotmail.com · · Score: 2, Insightful

    log out!

    1. Re:2 words by Daveman692 · · Score: 1

      You can crash the login box too.

    2. Re:2 words by __aafkqj3628 · · Score: 1

      But you aren't logged in, just pushed into the console. (Still bad, just not as bad as crashing the login box, getting root access and resetting all passwords to *blank*)

    3. Re:2 words by Phroggy · · Score: 1

      (Still bad, just not as bad as crashing the login box, getting root access and resetting all passwords to *blank*)

      Compare to rebooting while holding Cmd-S to get to a single-user root prompt. This can be disabled in OpenFirmware, but how many users actually do that? Generally if you've got console access, the machine is yours. The major issue here is, if you're just bypassing the screensaver, you can reactivate the screen saver when you're done, and the user will never suspect you were there, because everything is just as they left it.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    4. Re:2 words by __aafkqj3628 · · Score: 2, Funny

      This can be disabled in OpenFirmware,

      Doesn't that mean that it can also be re-enabled in OpenFirmware? But if they've got physical access to the machine, it's over pal.

      and the user will never suspect you were there, because everything is just as they left it.

      Until you change their background, trash their home directory and fill their dock with millions of useless files.

    5. Re:2 words by Daveman692 · · Score: 1

      Until you change their background, trash their home directory and fill their dock with millions of useless files.

      Copying and pasting program icons is my favorite. It looks like Excel but it opens Terminal. So evil.

    6. Re:2 words by Phroggy · · Score: 1

      Doesn't that mean that it can also be re-enabled in OpenFirmware? But if they've got physical access to the machine, it's over pal.

      Not necessarily.

      Until you change their background, trash their home directory and fill their dock with millions of useless files.

      Well sure, if that's what you had in mind.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    7. Re:2 words by __aafkqj3628 · · Score: 1

      Choosing / and changing all of the permissions is also great fun.

  11. Earlier Today.... by casings · · Score: 2, Funny

    Today meaning July 4th at 3:00 pm, this bug made its rounds on every major vulnerability database before slashdot even posted it... Why doesn't slashdot get its own vuln db? Or maybe a link to bugtraq: http://www.securityfocus.com/archive/1

    then we wouldn't have to get our vulnerabilty news a day late and a dollar short.

    1. Re:Earlier Today.... by Anonymous Coward · · Score: 2, Insightful

      Because /. is about bitching about problems, not fixing them. With its own list, there'd be one less thing to bitch about.

  12. Cool... I'm trying it on the boss tomorrow.. by Anonymous Coward · · Score: 0

    That should get him paranoid...

    Anyone know any good keystroke loggers for Mac OS X?

    1. Re:Cool... I'm trying it on the boss tomorrow.. by cioxx · · Score: 2, Informative

      There is MonitorerX Pro

  13. Wow. by Duncan3 · · Score: 2, Funny

    Wow, a bug, who would have guessed software has bugs, oh, the horror.

    It's only news because OS X doesn't have heaps of bugs like everything else.

    I'd paste the list of current problems with glibc, but I only have DSL and it would take too long.

    --
    - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
    1. Re:Wow. by Anonymous Coward · · Score: 1, Informative

      Hmmm...go easy there cowboy, you may want to check the new root exploit for OS X before you post like this. Don't take this to be anti any OS, but ALL software has bugs.

      Mike Cho

    2. Re:Wow. by khuber · · Score: 1

      You should know that Adam was involved with one of the most widespread viruses of all time. I had it on a couple dozen computers.

    3. Re:Wow. by andreMA · · Score: 3, Informative

      New? The undated linked article appears to describe a vulnerability that was promptly patched nearly a year ago.

    4. Re:Wow. by Trusted+Content · · Score: 0

      Wow. A 1-year-old exploit that was fixed within a week or two of its announcement and never used. MODDED INFORMATIVE.

      GOD I LOVE SLASHDOT.

      FUCKING MORONS.

      --
      OMG OMG LUNIX OMG
    5. Re:Wow. by Anonymous Coward · · Score: 0

      OK... a) this Software Update problem is not new, it's old and has been addressed/fixed by Apple, and b) did you see the guy's pictures... http://www.cunap.com/~hardingr/photos/angi/index.html

  14. Re:You want a medal or something? by Anonymous Coward · · Score: 0, Offtopic

    I would have thought that hot RMS action would be something only linux users would dream of

  15. Full Text by Anonymous Coward · · Score: 1, Informative

    Sub'ing as AC - so I get no karma bitching. Oh, and OT, but this idiot can't write a sentance, there's no doubt he discovered this after falling asleep on the keyboard. fucking kids these days. :)

    CB

    -=-=-=-=-=-=-=-=-
    [Full-Disclosure] MacOSX - crash screensaver locked with password and get the desktop back
    Delfim Machado bipbip@xpto.org
    04 Jul 2003 15:23:03 +0100

    Hi all,

    three days ago i discovered a security issue, with the last MacOSX.

    there is a way to crash the screensaver locked with password and gain
    the desktop.

    how? - you ask.
    i don't know the exact amount of characters, only that if you leave a
    key pressed for 5 minutes or more and then hit the enter key, you crash
    the screensaver and gain access to the desktop.
    you can mess the desktop and all around it (network, mail, docs,
    anything you can imagine).

    i think that this is a huge secure hole and it must be corrected.

    i hope that this is good for everyone who cares about "how to secure
    your desktop".

    solution?
    wait until someone at the apple make a patch and realise it...

    here is the mail that i've sent to apple security people, they didn't
    replied :(

    [cut]

    Cheers
    --
    Delfim Machado - dbcm@xpto.org
    XPTO:: Portuguese OpenSource Community - http://lab.xpto.org

    1. Re:Full Text by Anonymous Coward · · Score: 0

      so I get no karma bitching

      What the fuck does karma have to do with anything? You think if someone says anything negative about you, you won't come back in your next life as a chipmunk or something? It's a fucking number. Slashdot people spend more time arguing over a fucking number than anything else

    2. Re:Full Text by slamb · · Score: 4, Insightful
      An AC wrote: Oh, and OT, but this idiot can't write a sentance, there's no doubt he discovered this after falling asleep on the keyboard. fucking kids these days. :)

      About a message containing:

      Delfim Machado - dbcm@xpto.org
      XPTO:: Portuguese OpenSource Community - http://lab.xpto.org

      He's Portuguese. Could you have written that report as well in his language? I'm all for basic literacy, but I can speak English and a tiny bit of Spanish. I think anyone who can communicate in a language other than their native one is doing pretty well, even if the readers do have to struggle a bit.

    3. Re:Full Text by Anonymous Coward · · Score: 0

      real id? what id? The only id we need is the one TIA is giving us!

    4. Re:Full Text by thynk · · Score: 0, Flamebait

      Oh, and OT, but this idiot can't write a sentance, there's no doubt he discovered this after falling asleep on the keyboard. fucking kids these days. :)

      That should be "sentence" not "sentance". When I was growning up and we learned about those "sentance" things, they taught me that we need to capitalize the first word of each new "sentance". English isn't the posters first language, what's your excuse? If you're going to bitch and moan, please use proper grammer when doing so. Tard.

      --

      Good judgment comes from experience, and a lot of that comes from bad judgment.
    5. Re:Full Text by Anonymous Coward · · Score: 0

      Was growning up painful? When I was growing up, I was taught to spell "grammar" as "grammar."

    6. Re:Full Text by 1010011010 · · Score: 1, Informative

      "Growning?"
      "Tard?"

      When I was growning up and we learned about those "sentance" things, they taught me that we need to capitalize the first word of each new "sentance".

      I? We? The sentences taught you what? Perhaps the word "they" in your sentence refers something or someone not mentioned in your statement. When constructing a proper, unambiguous sentence, you might want to check for agreement between subject and verb, as well as consistent use of tense.

      If you're going to bitch and moan, please use proper grammer when doing so.

      Indeed. Might as well use proper spelling while you're at it, as well.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    7. Re:Full Text by Anonymous Coward · · Score: 0

      Here's a tip for you. When criticising someone else's grammar, always check your own grammar and spelling. When you were growning up? Who's the 'tard now (note the apostrophe). Oh yeah, and since when did a single noun constitute a sentence? You're an idiot (note proper sentence construction).

    8. Re:Full Text by thynk · · Score: 1

      Point well made. Now where *DID* I put that coffee to have with my humble pie? I think I need some.

      *blush*

      --

      Good judgment comes from experience, and a lot of that comes from bad judgment.
    9. Re:Full Text by Anonymous Coward · · Score: 0

      Not everyone was raised to speak American. Dick.

    10. Re:Full Text by Anonymous Coward · · Score: 0

      Oh yeah, and since when did a single noun constitute a sentence?

      While the parent to this is obviously a moron, I think I should point out that one word sentences are acceptable.

      You're an idiot. Perfect sentence.
      Asshole. This example is also acceptable. However, this would generally be used in a conversation.

    11. Re:Full Text by Anonymous Coward · · Score: 0

      Ahhh, spoken like a true anonymous coward, too scared to submit using your real ID for fear of backlash, too scared to lose your precious Karma, you make me sick, be a man motherfucker, expose yourself to a bitchslapping, now bend over and feel the thickness of my strap-on you goddamn whore

    12. Re:Full Text by Anonymous Coward · · Score: 0

      claps derisively

      Nicely done, but you forgot the rule: Any post criticising someone's spelling or grammar will contain at least one error. I believe questions generally end with a "?" these days.

      Just out of curiosity, when did your English teacher tell you it was all right to start a sentence with "Oh yeah"?

    13. Re:Full Text by Trusted+Content · · Score: 0

      :gb2gbs:

      --
      OMG OMG LUNIX OMG
  16. What, like this is the first security issue? by binaryDigit · · Score: 2, Insightful

    I don't see what the big deal with this is. It's not like Apple hasn't released other security patches to OSX. Or are we "forgiving" them for stuff that is found in the non Apple specific parts (e.g. sendmail)? If so, why should we? They ship it, they charge for it, right? Anyone out there honestly believe that there aren't a whole host of other issues just waiting to be found?

    1. Re:What, like this is the first security issue? by gnurb · · Score: 1

      the problem as i see it, is that they didn't respond to the guy in a timely manner. i just don't understand why companies wouldn't do something as simple as this, in order to avoid all this negative press.

      --
      hooray! it's a sex wiki
    2. Re:What, like this is the first security issue? by Raven42rac · · Score: 1

      No, no one believes that it is the only security issue waiting to be found, /. is just publicizing this so people will patch their boxes and discuss various aspects of the vulnerability in order to better understand it, and future threats along the same lines. For instance, if you know how to saw a 2x4, you will be able to learn how to saw a 4x4 really quickly. This is different from any other security issue, because, far fewer people use, let's say kismet, or vim, than use a screen saver, so it affects far more people, therefore, gets more publicity. And before I get all the gurus flaming me, the above mentioned programs are examples. I do respect your insight, but please don't nitpick.

      --
      I hate sigs.
  17. Still no evidence... by idiotnot · · Score: 4, Insightful

    ....that it's remotely exploitable.

    Any machine you can get physical access to is insecure.

    It shouldn't be that difficult to prove, though, if there's a cocoa-based network app where you could dump more than 2048 characters (Camino, perhaps?).

    1. Re:Still no evidence... by dadams · · Score: 2, Informative

      Camino doesn't use Cocoa text field widgets. Otherwise, it would have spellchecking built-in, wouldn't it?

      --
      --"In dreams begin responsibilities" - Delmore Schwartz
    2. Re:Still no evidence... by idiotnot · · Score: 1

      Which is why I sort of asked...I don't know of that many pure cocoa network apps. The only one that I use on a regular basis is iJournal. I don't have my mac with me right now to check on iChat.

    3. Re:Still no evidence... by Sunnan · · Score: 4, Insightful

      I'm getting kinda tired of hearing "Pah! It wasn't a remote exploit, anyway..." followed by "Any machine you can get physical access to is insecure." as an excuse when there's a security hole. Sure, network exploits are worse but local exploits are still problems.

      As for "Any machine you can get physical with..", how about a machine with good security measures before and during the boot loading (to avoid stuff like bios/OF-tricks or the classic "passing /bin/sh to lilo"-trick) as well as encrypted filesystems to prevent someone just taking your disks and mounting them in another computer?

      Or I dunno, maybe any machine you can get physical with is insecure. That won't make me take this bug any less seriously. The unfreeness of many prominent cocoa objects, including end-user-widget ones, does seem like quite a risk to me. Relying on a single source of fixes has never been a good idea.

    4. Re:Still no evidence... by jbolden · · Score: 1

      I'm getting kinda tired of hearing "Pah! It wasn't a remote exploit, anyway..." followed by "Any machine you can get physical access to is insecure." as an excuse when there's a security hole. Sure, network exploits are worse but local exploits are still problems.

      That's that the point being debated. You can assert local exploits are a problem to prove local exploits are a security hole.

      In any case, PC Bios aren't very well protected. PC hardware encryption drive cards aren't paired to a particular motherboard.....At least apples and suns allow you to have microforth so that appliance style machines can be really secure. Neither off the shelf PCs nor Apples do anything to stop someone who has physical access from reading any information on the system.

    5. Re:Still no evidence... by Anonymous Coward · · Score: 1, Insightful

      encrypted filesystems to prevent someone just taking your disks and mount them in another computer?

      Why bother? If it's that important, lock away the main case behind a concrete wall. Sure, you wouldn't be able to get to the CD-ROM drive either (unless it's external), but if security is that important, who cares?

      And aside from the fact that bugs are bad, local security holes can become remote security holes. All it takes is one "oops, you send keystrokes remotely, no big deal" bug.

    6. Re:Still no evidence... by Sunnan · · Score: 1

      Can't you use software encryption for (at least parts of) the drive using the proper kernel?
      And as you say, you can do pretty much with the forth of Open Firmware and clones.

    7. Re:Still no evidence... by Sunnan · · Score: 1

      If it's that important, lock away the main case behind a concrete wall.

      Sure, or just encrypt any particularly sensitive files.

    8. Re:Still no evidence... by jbolden · · Score: 1

      Yes. Linux fully supports encrypted filesystems so there is no reason the generic stuff like /boot, /bin, /sbin... can't be standard while /home, /usr, /var... is encrypted.

      If Linux itself doesn't have the password at boot then at the very least the standard reboot exploits won't work. Certain hardware based attacks would still work but....

      In fact what is typically done for high end PC encryption is a combination of a physical key (USB) and a typed in password -- something you have + something you know.

  18. This is NOTHING by SeanTobin · · Score: 4, Interesting

    This is nothing to be upset about. Heck, windows users have had this feature since windows 95. 3-finger salute and end the screen saver task :)

    Security via screensavers should never be trusted. I'm not quite sure why it's still being put in place. WindowsXP has a slightly better idea in that it will quick log you off if you ask it to... Of course gnome/kde stole that idea before MS was able to integrate it into XP/2k :)

    Now, if this can be used as a buffer overflow attack as stated in the second link, that can be a problem. Not so much that a local user will overflow their own system and gain local root, but the fact that this is the same throughout multiple cocoa apps shows the possibility of one of those being remotely exploitable.

    Of course that's only for the 4 people running OSX as a server.

    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
    1. Re:This is NOTHING by ramzak2k · · Score: 1

      WindowsXP has a slightly better idea in that it will quick log you off if you ask it to... actually WinXP doesn't log you out, it puts you in the switch user mode. Your processes are still running.

      --

      Siggy Say, Siggy Do
    2. Re:This is NOTHING by Ben+Hutchings · · Score: 1
      WindowsXP has a slightly better idea in that it will quick log you off if you ask it to... Of course gnome/kde stole that idea before MS was able to integrate it into XP/2k :)

      Windows NT has always done this, with the limitation that only an administrator can log-off the previous user.

  19. I've tried it before on the screensaver ... by locohijo · · Score: 2, Funny

    and was able to crash it, dropping me into the desktop, now I've tried it too on the Log-in and was able to crash it, sending me into a full Darwin/BSD console, you'll have to login again for you to be able to access the console though ... but full screen console Mac ... this you've gotta see. w007!!!!

    1. Re:I've tried it before on the screensaver ... by TheMicrosoftH8r · · Score: 2, Informative

      try ">console" at the login panel. no password.

  20. Re:Hot on the heels of... by MrLint · · Score: 1

    Umm this one was in fact fixed a long time ago by a checksum on all the packages.

  21. Once again... no response from the company? by kylef · · Score: 2, Insightful
    here is the mail that i've sent to apple security people, they didn't replied :(

    I'm not trying to blast Apple in particular here or anything, but it seems that all companies have had a poor record lately responding to security holes pointed out by email users. Recall the Microsoft Passport security vulnerability.

    Granted, I would guess that the email volume these receive claiming discovery of new exploits is daunting, but doesn't this deserve top priority for response?

    1. Re:Once again... no response from the company? by 2nd+Post! · · Score: 1

      Apple's response, if it was like their Software Update spoofing vulnerability, will be to post a fix within a week of hearing about the vulnerability; assuming it takes a day to fix.

      Or roughly a week after it takes them to fix it.

      I heard speculation that the fix for Software Update had already been written and was going to be released at a later date, so they just repackaged it and released it earlier when someone discovered how vulnerable it really was.

    2. Re:Once again... no response from the company? by kylef · · Score: 1

      The troubling response to which I was referring is not how Apple will handle the vulnerability now that it is publicly known, but rather their response to the initial warning email.

      If a company can fix a vulnerability before it becomes publicly known, all computer users can obviously benefit. But in this case, the guy apparently tried to let Apple know, but didn't even receive a response. It is that response (or rather, lack of response) that concerns me.

    3. Re:Once again... no response from the company? by 2nd+Post! · · Score: 1

      Well, the initial mail is dated July 4th... which is a States-wide holiday, so they obviously couldn't reply until the Monday following... Which is the 7th of July. It is now the 14th of July and a fix is out.

      We still don't know how much of it is due to publicity and how much to Apple doing the right thing and fixing a bug/vulnerability reported to it.

  22. Re:Hot on the heels of... by Jeffrey+Baker · · Score: 2, Interesting

    Well, to be fair Debian Linux suffers from the same problem. Trusted update is a more difficult problem than solving some buffer overrun in xlock or whatever.

  23. doesnt work for me... by jaxle · · Score: 1

    I tried it on my iBook... waste of 5 minutes :/. I am running 10.2.6 with all the updates installed available from Apple. I have 384megs of ram and a G3 800mhz. The guy on MacSlash says this works on his iBook. Could this be hardware related?

    (I went over 5 minutes holding down a key and my repeat rate is the highest OS X allows so I don't think there is possibility for error.)

    1. Re:doesnt work for me... by jaxle · · Score: 1

      errrrrr, correction, the MacSlash guy says it works on his PowerBook. It does not work on my iBook, can anyone else confirm that it does work on an iBook?

    2. Re:doesnt work for me... by Johnny+Mnemonic · · Score: 1

      Works on an iBook; works for me. I would be surprised if hardware made that much difference. I suspect that you didn't try for long enough--although I wonder if you have more RAM than I, which allows for a bigger buffer?

      --
      $tar -xvf .sig.tar
    3. Re:doesnt work for me... by Anonymous Coward · · Score: 0

      i have an iBook 500mhz/384mb ram, and it didn't work for me when i just left a key pressed for about 15 minutes.

      BUT when i used Ctrl-K (emacs cut) and Ctrl-Y (emacs yank or paste) to input characters much faster, i filled the password box to the point where it wouldn't accept any further characters.

      Hit okay, get beachball for a while, then poof back on the desktop, all in all it could be done in 30-45 seconds.

  24. Oh my god! by sageFool · · Score: 5, Funny

    Someone with physical access to your machine can access it!! WHO KNEW?! Call in the army reserve and physically secure access to all your machines!

    1. Re:Oh my god! by Trusted+Content · · Score: 0

      This post needs more love.

      --
      OMG OMG LUNIX OMG
  25. Oh shit by Ballresin · · Score: 1

    I believe this to be the first "public" exploit of OS X, or any OS 9, in quite some time....

    Not good, say Confucius.

    Interesting, though...is the screensaver portion of the OS open source linux_bsd_mach_whatever or is it closed Apple source?

    --
    I got nothin'.
    1. Re:Oh shit by Phroggy · · Score: 2, Informative

      I believe this to be the first "public" exploit of OS X, or any OS 9, in quite some time....

      Apple Security Updates

      There have been more than you think. Apple, however, does release patches fairly quickly, and many of the holes are in 3rd-party code (e.g. OpenSSL) which affects Linux users too.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    2. Re:Oh shit by Ballresin · · Score: 1

      I know there are more, but how many do you actually hear about before it pops up on your screen? I usually find out about security concerns on my OS X box when SW Update tells me, not by /. news.

      So it is a bigger deal...

      --
      I got nothin'.
  26. Re:Hot on the heels of... by mlyle · · Score: 4, Informative

    This was fixed July 16, 2002. Old news. Move along.

    (It wasn't even that bad of a vulnerability, as it required end-user cooperation to exploit and also excellent timing/sustained penetration of the target network (software update runs once a week by default-- you need to guess when to arpspoof/dnsspoof properly. Still, it's not a good thing, and Apple fixed it promptly).

  27. Flying Toasters by jinglecat · · Score: 0

    "Flying toasters are neat..."

    "oh look, a CLI flying toaster."

  28. Re:LP by Anonymous Coward · · Score: 0

    heh, MS had a bigger screensaver exploit way back in NT4(perhaps earlier?). you could run any program with elevated privs by replacing login.scr with an executable. this is mildly irritating compared to that. seem to remember that the cd autorun feature would run applications behind a password protected screensaver in win9x.

    screensavers should be abolished anyway, no real need and blanking the screen or sleeping the monitor is more effective, anyway.

  29. Re:Hot on the heels of... by ozric99 · · Score: 1

    Indeed. Hence the Windows comment. I was highlighting the difference between OSX and Windows' "bug release schedule". Comedy is wasted on slashdot ;)

  30. Re:Oh please, Zealot. by Anonymous Coward · · Score: 0

    uh i think you mean "security through obscurity" brainiac.

  31. Screensavers... by Meneudo · · Score: 1

    who needs 'em anyway?
    Well it's not like anyone is going to be breaking in on my computer because I'm on all the time...

    So this will only affect people who leave their computers, and at that, only users who do not shut down or log out when they leave.

    --
    ...
  32. Good Grief! by computerme · · Score: 2, Insightful

    If you have access to any machine, you can override security. Can anyone say, "boot up with a cd-rom"? I thought you could. These are the droids you are looking for, move along... move along...

    1. Re:Good Grief! by Anonymous Coward · · Score: 0

      Hey dumbfuck, it is these *aren't* the droids your looking for.
      Whadda dumbfuck!

    2. Re:Good Grief! by Anonymous Coward · · Score: 0

      If you have access to any machine, you can override security.

      Actually, the Power Macs can be locked down in Open Firmware to not allow the boot device to be changed, and presumably FireWire target disk mode can also be disabled that way. You can also put a nice, stout lock on the Mac to prevent unauthorized access to the innards.

    3. Re:Good Grief! by grennis · · Score: 0

      Then why do they put a password on the screen saver at all? The ILLUSION of security is good enough for you? Would you have said the same thing if it was a Win XP bug?

    4. Re:Good Grief! by andreMA · · Score: 1

      Then why do they put a password on the screen saver at all?

      I've always seen it as a minimal amount of security/privacy against the casual passerby in an office setting... for example, when the user takes a coffee break. I don't recall it ever being touted as "real" security... but I expect it to be fixed shortly anyway.

    5. Re:Good Grief! by Anonymous Coward · · Score: 0

      That's not the friggin point! You don't have to reboot a machine with this exploit. Just crash the screen saver, do what you need to with the full permissions of the user, and lock the machine again. Now no one's the wiser. A reboot to single-user mode or whatever is a pretty big tip off.

    6. Re:Good Grief! by Anonymous Coward · · Score: 0

      It probably will end up that way, with people using it instead of "aren't" for the same reason as people "could care less".

      People never think about what they say.

  33. I writed this commented.. by banal+avenger · · Score: 5, Interesting

    It's no wonder why Apple didn't reply, look at the subject of the email sent to Apple: "forgot your screensaver password ?? Hackit anyway." Must have been Jeff K reporting the bug.

    In other news, a similar bug has been an issue on the Mac OS X version of Folding@Home. The screen saver crashes when lock screen is activated, and it's been months since I first noticed it, and I've seen it mentioned on the Folding boards, and it still hasn't been fixed. I agree with some of the people on the Macslash forum: Don't rely on screen savers if you have truly sensitive data within reach of scrupulous characters.

    1. Re:I writed this commented.. by banal+avenger · · Score: 1

      Ah jeez, that link's completely wrong. That's too bad, because it's the best site ever: Jeff K.

    2. Re:I writed this commented.. by Anonymous Coward · · Score: 0

      I bet his English is a lot better than your Portuguese, you bigot.

    3. Re:I writed this commented.. by jeremyp · · Score: 1

      If I received a message with the subject line "forgot your screensaver password? hackit anyway" I'd bin it without looking at the text because it looks like spam.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  34. Re:Reading the article... by Anonymous Coward · · Score: 0

    Boogle! Boogle boogle boo!

  35. So...my cat by Spoticus · · Score: 5, Funny

    can hop up on the desk and crack OS X?

    1. Re:So...my cat by Anonymous Coward · · Score: 0

      Would that be a puma, a jaguar or a panther?

    2. Re:So...my cat by Anonymous Coward · · Score: 0

      $ cat >/dev/null

    3. Re:So...my cat by Anonymous Coward · · Score: 0

      Faster Pussycat! Kill! Kill! : )

  36. Yawn.... by Anonymous Coward · · Score: 2, Insightful

    Wintel fanboys/Apple haters who are having your fun because (finally!) there's a security hole in Mac OS X, take note: This bug requires PHYSICAL ACCESS TO THE COMPUTER to exploit. Compared to the network security holes Windows is famous for (Nimda, Code Red, IE-buffer-overflow-of-the-week), this bug is about as serious as a typo in a dialog box.

    1. Re:Yawn.... by Anonymous Coward · · Score: 0

      You and the other two people using macs...

      Physical access to access a computer. huh. imagine that. As much as I'd love to keep all computers on Mars for safekeeping...

    2. Re:Yawn.... by Anonymous Coward · · Score: 0

      You know what I meant, fucktard.

      I highly doubt any of my coworkers will crash my screensaver and then use their unauthorized access to my Power Mac to set up a hidden warez FTP server while I'm at lunch.

      But some little shit script kiddie sitting in his bedroom in the Ukraine might do that to a Windows box.

    3. Re:Yawn.... by Anonymous Coward · · Score: 0

      Hmm.. You work with better people than I.

    4. Re:Yawn.... by Anonymous Coward · · Score: 0

      Better is so subjective. I prefer the term "pussies".

  37. Re:LP by Anonymous Coward · · Score: 0

    Got any numbers to support your closing the gap blathering? With that logic, Linux (insert flavor here) has the same problem. Carry on.

  38. Re:you should patent it before SCO does by Anonymous Coward · · Score: 0

    ;p

  39. Doesn't X have and even easier exploit? by LtFiend · · Score: 2, Interesting

    I've always found this mildly annoying but since I've never had that much to protect and the people around me really aren't that smart anyway I haven't gone in search of the fix.

    But in X at least on slackware when the screensaver is on I can Ctrl-Alt-F1 and Ctrl-X to kill X windows and get myself to prompt.

    1. Re:Doesn't X have and even easier exploit? by Phroggy · · Score: 4, Informative

      But in X at least on slackware when the screensaver is on I can Ctrl-Alt-F1 and Ctrl-X to kill X windows and get myself to prompt.

      Unless you're using xdm/kdm/gdm, which will automatically start X without you logging into the console first. If you kill X, it'll just restart X for you, and give you a graphical login prompt.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    2. Re:Doesn't X have and even easier exploit? by Anonymous Coward · · Score: 0

      That's not an exploit, it's a feature. You leave a terminal open, and you're asking for trouble.

      When I start X, I do:
      startx & logout
      Alternatively, I once wrote a program that starts X, and asks for a password to return to the shell.
    3. Re:Doesn't X have and even easier exploit? by Equinox · · Score: 1

      So you just hit CTRL+ALT+R to kill xdm...dunno about kdm or gdm...but then again, you still need to login at the console.

    4. Re:Doesn't X have and even easier exploit? by Luke-Jr · · Score: 1

      Try using this instead of 'startx':
      { nohup startx >/dev/null & }; exit

      --
      Luke-Jr
    5. Re:Doesn't X have and even easier exploit? by Phroggy · · Score: 1

      So you just hit CTRL+ALT+R to kill xdm...dunno about kdm or gdm...but then again, you still need to login at the console. ...and if you could do that, you could have just entered the password at the screen saver prompt.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    6. Re:Doesn't X have and even easier exploit? by Anonymous Coward · · Score: 0

      Well, that's easy to fix. You should be doing "exec xinit" instead of just "xinit". This is for two reasons:

      1. You don't have to type "exit" at the prompt when you have ended your X11 session, which is good because it's convenient, but also good because sometimes you forget (important in a lab environment or whatever).
      2. If you do "exec xinit" instead of "xinit", then the system doesn't have to keep around a useless, memory-wasting shell instance for the whole duration of your X session.

      Also, it's not X that has that issue (if it can be called an exploit) -- it's XFree86 that does. There do exist other versions of X11 still. (I'm using one right now!)

    7. Re:Doesn't X have and even easier exploit? by djtrainwreck · · Score: 1

      just do "ctrl-alt-f2" or so. Command prompt.

  40. Unable to reproduce by Phroggy · · Score: 5, Informative

    I just pasted about 2.7MB of text into Safari's address bar, and it didn't crash at all. I pressed return, and it attempted to load the page; Squid aborted the connection but Safari's still trying to load it. I'm typing this in another Safari window. No problems. Process Viewer shows Safari is using 25% of my RAM.

    This will probably make a pretty ugly entry in ~/Library/Safari/History.plist.

    I also tried crashing the screen saver login window. It hung with the SPOD trying to manage that much data being pasted all at once, but it did not crash. After several minutes, I killed the processes remotely, but even killing the process did not return me to the desktop - I just got another login prompt, and was able to log in.

    I'm running 10.2.6, the latest available version.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Unable to reproduce by Anonymous Coward · · Score: 0

      I'm running 10.2.6, latest everything and was able to crash the screensaver by leaving a heavy spindle of CD-Rs on the keyboard while I went to do something else for 5 minutes.

    2. Re:Unable to reproduce by mosch · · Score: 1

      I'm running 10.2.6 as well, and I was unable to bypass the password field, though it did lock up, leaving me to stare at the homo rainbow of death until I ssh'ed in and killed the hung process.

    3. Re:Unable to reproduce by Graff · · Score: 4, Informative

      Just like you, I'm running MacOS 10.2.6. On my first attempt to reproduce the screen saver crash I had the screen saver pause for a second, fade to black and then the login window came back up again. I tried it for a second time and this time it did crash and I was able to get to the desktop. This was repeatable several times.

      I then logged out and tried the same trick with the user login window. This time the login window greyed out the buttons and it refused to let me enter any password or take any action. I had to reboot the machine externally. Once I did so and the system restarted I was presented with the login window again, even though I have the machine set to auto-log me on. I tried the trick again with the same results, had to reboot. This time I entered in my normal user password and had no problems logging in.

      I tried the trick on several other programs without being able to use it to circumvent security. It looks to me like this is a problem with the screen saver only. That being said, you should NEVER use a screen saver as a way to protect sensitive data. If you are that worried about your data then log out from the account when you leave your desk; it only takes a few seconds to log back in. If you are really worried about security then keep your computer behind lock and door - no matter what the machine is, it is so easy to bypass any security measures once you have physical access to the machine.

    4. Re:Unable to reproduce by FeTrut · · Score: 1

      That being said, you should NEVER use a screen saver as a way to protect sensitive data.

      Perhaps, but the problem with OS's on the whole (OS X is a huge step up in this regard from something like Windows) is the lack of consistency, and simplicity. Not everyone is a Slashdot user who knows about exploits in various parts of the system and what to do/what not to do when it comes to security. If the developer puts a password option into something, to the average user this means: "This is now protected by a password. For someone to access it they would have to know the password". Pretty simple! And that's how it should work. No excuses, period.

    5. Re:Unable to reproduce by Phroggy · · Score: 1

      Perhaps, but the problem with OS's on the whole (OS X is a huge step up in this regard from something like Windows) is the lack of consistency, and simplicity.

      OSX may be better than Windows, but it's nowhere near where it needs to be. Notice that this discussion has been about a bug that affects Cocoa applications. Which ones are those? I usually know, and yes, the screen saver certainly is (although I wouldn't expect most users to think of it as being an application). I noticed that Emacs keys (^K and ^Y) work in those fields, but Mac keys (Cmd-X and Cmd-V) don't. This is no worse than Windows where ^V works in some places and Shift-Insert works in other places and both work most of the time but not always, but a far cry from the simplicity of Mac OS 9. We're getting there, though!

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  41. o.o by Anonymous Coward · · Score: 0
    Aaaah, the old
    char s[NUM_HOW_MUCH_TILL_BUFFER_OVERFLOW];
    Good to see it is still in use.
  42. Sad logic by Anonymous Coward · · Score: 0

    1. Send Apple bug information on leading Unix product
    2. Apple does not acknowledge communication
    3. Post bug on Slashdot.org
    4. ???
    5. Users receive e-mail on newest update (Profit)

    Well, well, well! This is a new communication trend I've been noticing lately from massive corporations; a la Microsoft, Apple, SCO, etc. Everyone seems to be speaking HTTP/Slashdot instead of NNTP/ASCII. Great work guys! Rub their feces in their faces publicly!

    5. Profit!

    1. Re:Sad logic by Arcady13 · · Score: 1

      4. Realize that Apple employees like to take July 4th off, and will fix this minor bug when they finish drinking beer and lighting fireworks.

  43. buffer overflow ? by Anonymous Coward · · Score: 2, Informative

    If this is a buffer overflow, in theory it could let you run any code (though you would have to type it, restricting the instructions you can use...).

    Running code with the screensaver privileges is not very interesting, but isn't the loginwindow runned as root ?

    Defeats openfirmware password protection...

    1. Re:buffer overflow ? by Anonymous Coward · · Score: 0

      runned? runned?!

      what the...

      *tears hair out*

      put the rag in the "busket" and give it to me

  44. Is this a true "buffer overflow" attack? by Thaidog · · Score: 2, Interesting

    It sounds as if all you need to do is type enough characters into the input field fast enough, and bamm, the screensaver or whatever app "crashes" and now you're at the desktop or in single user mode. I thought a true buffer overflow attack was something different than this.

    --

    ||| I still can't believe Parkay's not butter.

    1. Re:Is this a true "buffer overflow" attack? by Lukey+Boy · · Score: 1

      It probably is a real buffer overflow; the problem though is injecting executable code into the textbox. Manually entering in the "sh" program would be a little tricky, but it still sounds like an overflow.

    2. Re:Is this a true "buffer overflow" attack? by HeghmoH · · Score: 2, Insightful

      A buffer overflow just means that you overflow a buffer. This results in writing to memory beyond the buffer. Most buffer-overflow exploits involve using a buffer overflow to write interesting things to the memory beyond the buffer, resulting in having the program execute code the attacker sends it. But even if writing to that memory just crashes the program, it's still a buffer overflow.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    3. Re:Is this a true "buffer overflow" attack? by Thaidog · · Score: 1

      So it does do something, i.e. it crashes the app with the overflow issue. But this type of error would not really allow for a program to be placed into memory via the actual buffer overflow... ?

      --

      ||| I still can't believe Parkay's not butter.

    4. Re:Is this a true "buffer overflow" attack? by Have+Blue · · Score: 1

      Normally, a buffer overflow overwrites random data in the heap, which is where the program keeps the data it is processing, which does indeed cause the app to crash most of the time because the garbage from the buffer leaves the heap in an inconsistent state which the program cannot handle. The way a buffer overflow attack works is by putting in the proper amount of excess data to overwrite the stack, which is the data regarding the program's own execution. The stack is overwritten with precisely designed data that form a pointer into the new data that got dumped into memory by the faulty buffer code, so it jumps to the new data and attempts to execute it. If this is legal machine code, it will successfully run and perform whatever task the attacker would like it to do. And, yes, once the new code has finished executing, the app will run off the new valid machine code, encounter some real garbage, and crash, but the system has already been compromised (it can only take a few function calls to create a backdoor which the attacker can activate later).

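As an added illustration of the two posts above (this is not code from the thread, from Apple or from Cocoa): the accumulate-into-a-fixed-array pattern that HeghmoH and Have+Blue describe, beside a bounded version that refuses input it cannot hold and reports the refusal so it can be logged. FIELD_MAX, the struct names and the run_paste_demo driver are assumptions of mine; 2048 merely mirrors the figure speculated about in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FIELD_MAX is an assumed capacity chosen to mirror the 2048-character
 * figure speculated about in the thread; it is not Apple's real value. */
#define FIELD_MAX 2048

/* Vulnerable pattern (the "char s[N]" of this thread): a text field that
 * accumulates typed or pasted characters into a fixed array and never
 * compares its write index against the array's capacity. Once len reaches
 * FIELD_MAX - 1, every further character is written past the end of buf
 * into whatever the compiler laid out next; at best that is a crash, at
 * worst it is the stack or heap corruption described in the posts above. */
struct text_field_unsafe {
    char   buf[FIELD_MAX];
    size_t len;
};

void field_init_unsafe(struct text_field_unsafe *f) {
    f->len = 0;
    f->buf[0] = '\0';
}

void field_append_unsafe(struct text_field_unsafe *f, const char *chunk) {
    /* BUG: nothing checks that f->len + strlen(chunk) + 1 <= FIELD_MAX. */
    for (const char *p = chunk; *p != '\0'; p++)
        f->buf[f->len++] = *p;
    f->buf[f->len] = '\0';
}

/* Hardened pattern: the same field with a bounded append. An append that
 * would not fit is refused whole rather than silently truncated, the caller
 * sees the refusal in the return value, the refusal is counted so it can be
 * logged, and buf is always NUL-terminated. */
struct text_field_safe {
    char   buf[FIELD_MAX];
    size_t len;
    size_t rejected;
};

void field_init_safe(struct text_field_safe *f) {
    f->len = 0;
    f->rejected = 0;
    f->buf[0] = '\0';
}

int field_append_safe(struct text_field_safe *f, const char *chunk) {
    size_t n = strlen(chunk);
    /* Space left after the current text, keeping one byte for the NUL. */
    size_t room = FIELD_MAX - 1 - f->len;
    if (n > room) {
        f->rejected++;
        return 0;           /* refused; field is unchanged */
    }
    memcpy(f->buf + f->len, chunk, n + 1);
    f->len += n;
    return 1;
}

/* Drives the hardened field with `attempts` repeated pastes of a chunk of
 * `chunk_len` letters (constructed input, the way a user pasting the same
 * text over and over would) and reports what the field did. Returns the
 * number of accepted pastes; *final_len and *rejected get the end state. */
size_t run_paste_demo(size_t chunk_len, size_t attempts,
                      size_t *final_len, size_t *rejected) {
    char *chunk = malloc(chunk_len + 1);
    if (chunk == NULL) return 0;
    memset(chunk, 'a', chunk_len);
    chunk[chunk_len] = '\0';

    struct text_field_safe f;
    field_init_safe(&f);
    size_t accepted = 0;
    for (size_t i = 0; i < attempts; i++)
        if (field_append_safe(&f, chunk)) accepted++;

    *final_len = f.len;
    *rejected = f.rejected;
    free(chunk);
    return accepted;
}

int main(void) {
    size_t len = 0, rej = 0;
    size_t ok = run_paste_demo(100, 30, &len, &rej);
    /* 20 pastes fit (2000 bytes <= 2047); the remaining 10 are refused. */
    printf("accepted=%zu final_len=%zu rejected=%zu\n", ok, len, rej);
    return 0;
}
```

The unsafe variant is only ever exercised with short input here; the point of the pair is that the bounded version makes the overlong case a counted, loggable refusal instead of undefined behaviour.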
    5. Re:Is this a true "buffer overflow" attack? by Thaidog · · Score: 1

      Right, but to do something that complicated calls for connecting to, say, an ftp port with a command prompt that can run a script to inject the code, right? A simple "overflow" issue like this can not execute such code, can it? Of course I guess it really does not matter since now you have the king of kings, a graphical shell, to do whatever at this point...

      --

      ||| I still can't believe Parkay's not butter.

  45. Re:LP by jyoull · · Score: 1

    I don't use this screensaver as a "screen saver". I use it as a "lock this terminal, leaving all my stuff open, cuz I really don't need to log out, but I do want to prevent casual snooping when I'm not watching over the machine."

    A beneficial side effect is that it prevents accidental things from happening, for example, when the cat walks on the keys.

  46. ok people wtf by carpe_noctem · · Score: 5, Interesting

    I saw this "exploit" on full-dis, where it started a rather large thread, given how silly this bug actually is (a screensaver breaker...ooooh now I'm quaking in my boots). I thought it was excessive that -anyone- responded to his thread, and now it got posted on /. ? What gives?

    Probably going to get modded down for troll, but I had to vent. Excuse me. ;)

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    1. Re:ok people wtf by Lukey+Boy · · Score: 1

      In a graphical multi-user OS, a screensaver exploit is pretty bad. If the root user leaves the machine screen-locked then anyone can access the system. How is this not bad?

    2. Re:ok people wtf by carpe_noctem · · Score: 1

      because I could just as easily reboot the machine and root it. local, physical access exploits are fucking stupid, in the same way that non-suid binary sploits are worthless.

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    3. Re:ok people wtf by Lukey+Boy · · Score: 3, Insightful
      I disagree; in a work environment where there's a server room with a bunch of machines with a KVM attached but no physical access, this opens up the machines to attacks from insiders that don't have access.

      I mean, shit, when it comes to security it's always better to be safe than sorry.

    4. Re:ok people wtf by Phroggy · · Score: 2, Informative

      because I could just as easily reboot the machine and root it.

      Not without the user knowing when they got back.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    5. Re:ok people wtf by Thaidog · · Score: 1

      The fact that it works in the screensaver is not that troublesome... BUT that idea being pushed around that *all* Objective-C applications suffer the same issue is a big deal.

      --

      ||| I still can't believe Parkay's not butter.

    6. Re:ok people wtf by jbolden · · Score: 1

      I hate to tell you this. On an Intel CPU all hardware runs at level 0, that means the keyboard has more privs than root does. If you have physical access to the keyboard and the keyboard has physical access to the keyboard port, it's over.

    7. Re:ok people wtf by Anonymous Coward · · Score: 0, Troll

      Why is it that everyone who indicates that their post will be modded down for troll never is? It's obviously a way to avoid getting modded as troll, but it seems to work anyway. I'll probably get modded as troll (except that now that I've said that, I won't! Except that I openly stated my motivation, so maybe I'll get modded down anyway. Maybe some heads will just explode. x_X)

    8. Re:ok people wtf by Anonymous Coward · · Score: 0

      ssssh....you wanna ruin it for everybody?

    9. Re:ok people wtf by Lukey+Boy · · Score: 1
      So this is the typical rationale in not fixing a buffer overflow? That since a keyboard is pretty much a security hole to begin with, fuck local exploits? Jesus Christ, what an amazing attitude.

      If I were to use the currently-discussed exploit, I could get into a machine and fuck with whatever I wanted in about 5-6 minutes. Using this um, interesting "level 0 hardware concept" (which, according to your post concerns Intel - not Apple - hardware) then okay, I can um... Hm. Maybe force a reboot. Hopefully I have a bootable floppy with the proper password tools on it. Oh wait, hopefully the machine has a floppy drive. Since most servers just plain don't.

      I'm not trying to be rude, honestly. It's just the attitude that "Well, other shit's broke, so let's not fix this" is totally bogus.

    10. Re:ok people wtf by Orion_ · · Score: 2, Insightful

      If the root user leaves the machine screen-locked then anyone can access the system. How is this not bad?

      Agreed that this is bad, but the root user is disabled by default on OSX. If you enable the root account in Netinfo, log into the GUI with it, and then leave it logged in with a screen saver running, you're a fucking idiot anyway, and you really deserve what you get.

      That said, this will be a good test of Apple's response time for security issues. My understanding is that they've been pretty good about that; I guess we'll see.

    11. Re:ok people wtf by Lukey+Boy · · Score: 1
      ...the root user is disabled by default on OSX.

      Cool, didn't know that.

    12. Re:ok people wtf by PCM2 · · Score: 1
      Agreed that this is bad, but the root user is disabled by default on OSX.
      How so? OK, so the user called root is disabled by default. But the username you're asked to enter when you install the OS has all kinds of privileges, including the ability to install software into privileged areas.
      --
      Breakfast served all day!
    13. Re:ok people wtf by Orion_ · · Score: 1

      How so? OK, so the user called root is disabled by default. But the username you're asked to enter when you install the OS has all kinds of privileges, including the ability to install software into privileged areas.

      The username you're asked to enter when you install the OS is an ordinary user; tasks requiring root access have to be done using sudo (or the GUI equivalent), so require the password of the user. And of course, if the attacker already had the user's password, s/he wouldn't need this exploit.

    14. Re:ok people wtf by mosch · · Score: 1

      Not particularly. Administrative users in OS X don't have privileges, they just can sudo to do things, so after breaking the screensaver, you'd still need to know the logged-in user's password to do anything to a privileged area.

    15. Re:ok people wtf by Paradise+Pete · · Score: 1
      when it comes to security it's always better to be safe than sorry.

      Can you think of any situation where it would be better to be sorry than safe?

    16. Re:ok people wtf by Anonymous Coward · · Score: 0
      Not without the user knowing when they got back.

      What if they didn't have a watch?

    17. Re:ok people wtf by Yottabyte84 · · Score: 1

      Well, root's password is disabled, but administrative users can sudo

    18. Re:ok people wtf by Bueller_007 · · Score: 1, Troll

      RTFA.
      It's not just a screensaver bug. It affects the cocoa core.

    19. Re:ok people wtf by usr122122121 · · Score: 1
      In a graphical multi-user OS, a screensaver exploit is pretty bad. If the root user leaves the machine screen-locked then anyone can access the system. How is this not bad?
      I highly doubt that the select people who have gone through the steps to activate the root account on OS X will login through the GUI and let it sit around unprotected.

      The people who choose to activate the root account generally know what they're doing, and those that don't are just asking for it.

      --

      -braxton
    20. Re:ok people wtf by pi+radians · · Score: 1

      Sudo still requires the user's password as long as it's been unused for 5 minutes (a value that can be changed).

      Any major changes have to still get the admin's password. Basically the person who uses this exploit will only have access to the current user's files (which I'm sure for all is bad enough).

      --

      sin(6cos(r)+5A)
    21. Re:ok people wtf by Anonymous Coward · · Score: 0

      If you have physical access to the keyboard and the keyboard has physical access to the keyboard port, it's over.

      So?

      The keyboard sends keys. It cannot send code.

      I'll bet you worry about viruses embedded in plain text files as well...

    22. Re:ok people wtf by Chester+K · · Score: 1

      I saw this "exploit" on full-dis, where it started a rather large thread, given how silly this bug actually is (a screensaver breaker...ooooh now I'm quaking in my boots). I thought it was excessive that -anyone- responded to his thread, and now it got posted on /. ? What gives?

      Because it's not just a bug with the screensaver, but rather with one of the default components of Cocoa. If there's an application out there that accepts data from the network and runs it through an edit field for any reason, this could easily become a remote exploit.

      --

      NO CARRIER
    23. Re:ok people wtf by Anonymous Coward · · Score: 1, Insightful

      And you are stupid enough to leave a superuser logged in protected only by a screensaver?

    24. Re:ok people wtf by jbolden · · Score: 1

      If I were to use the currently-discussed exploit, I could get into a machine and fuck with whatever I wanted in about 5-6 minutes. Using this um, interesting "level 0 hardware concept" (which, according to your post concerns Intel - not Apple - hardware) then okay, I can um... Hm. Maybe force a reboot.

      Depends on where the keyboard is plugged in. On a keyboard port you can force an interrupt to any IRQ you choose and thus pass arbitrary information to any device driver (level 1)... and you are off to the races. If you are coming in on a USB you can pretty much push arbitrary code through and then run it (i.e. buffer data and then execute it).

      And yes you would need a computer playing the role of a keyboard for this to work. But that would be something someone in the KVM example could do.

      ___________

      The attitude is one of questioning whether it is broken to begin with. The original poster argued that keyboard access != full access; he did not argue that full access != full control as you are doing. The philosophy of most OSes has always been that physical access is full control. Microsoft was a notable exception to this since they wanted to offer business the ability to distribute CPU power without distributing administrative privileges. They chose an architecture (x86) which does not support their choice so they have never been successful.

      Apple along with all the other Unixes has never even claimed that root access is not full access. However from a design standpoint Apple hardware is more capable of being locked down than x86 hardware because of the micro-forth level.

      The main thing that most /. posters are arguing though is denying the existence of "local exploits" because they have not accepted Microsoft's jump.

    25. Re:ok people wtf by jbolden · · Score: 1

      See my reply above. A keyboard port can receive code.

    26. Re:ok people wtf by jeremyp · · Score: 1

      My user on my Mac OSX box is in the admin group and it appears to have full read/write access to the Applications folder.

      I've just renamed the textedit application without having to type in a password of any sort.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    27. Re:ok people wtf by Orion_ · · Score: 1

      Read/write to /Applications, yes, but not to /etc, /dev, /var, /System, /Users, etc.

    28. Re:ok people wtf by Lukey+Boy · · Score: 1
      On a keyboard port you can force an interrupt to any IRQ you choose and thus pass arbitrary information to any device driver (level 1)... and you are off to the races. If you are coming in on a USB you can pretty much push arbitrary code through and then run it...

      Do you have any pointers to information on this?

    29. Re:ok people wtf by Lukey+Boy · · Score: 1

      Holy fuck, of course not. But are you stupid enough to think that people don't?

    30. Re:ok people wtf by jbolden · · Score: 1

      Sure I'd go right to the horse's mouth for this one:
      Architecture volume 3. The basics are in chapter 4; the hardware issues are in chapter 5.

    31. Re:ok people wtf by tenton · · Score: 1

      And if you knew the user's password, then you wouldn't need the exploit (you would just use the password to dismiss the screensaver, instead of spending the 15 seconds to crash it, using the ctrl-k ctrl-y commands).

      While you could still mess things up or have access to sensitive files, system things would remain safe.

  47. Confirmed by Stenpas · · Score: 1
    I was able to reproduce the bug. Running 10.2.6 on a G4/733 Quicksilver. I simply held down the 'a' key for a little longer than five minutes. It takes a few seconds for screensaver to actually crash after you click on ok. Afterwards, there is no message that screensaver has crashed, and you have full access.

    Sten

  48. Re:LP by Anonymous Coward · · Score: 0

    Why do you have to bring linux into this? And what facts do you have to say that Macs are not closing the gap with MS in terms of breaches?

  49. Tried it, but by krray · · Score: 1

    Couldn't get it to crash with 10.2.6.

    Reminds me of the email I send to the admin/owner of the BSD server he used @ his ISP -- kicked my foot up and hit -0- while on the phone. Not noticing page after page their Unix box finally crashed from my tcsh. He had no idea why it went down (I did it three times to make sure it _was_ me :).

    It was fixed fairly quickly (and it doesn't crash anything in OS.X or Linux either [anymore :-]).

    I remember seeing the same thing back on a 3b2 running AT&T SysVr2 Unix waaaay back when.

    Windows certainly isn't much better...

  50. Re:LP by ramdac · · Score: 1

    That was a joke dumbass.

  51. Cannot get this to work... by iJed · · Score: 1

    I'm also running 10.2.6 and I cannot repeat this bug. I'm also using the emacs shortcuts to copy and paste the text in the password field (since command-c and command-v are disabled). Maybe I'm just too impatient to take the time to reproduce this but my 450MHz PowerMac was becoming so slow between pastes that it was becoming intolerable.

    1. Re:Cannot get this to work... by mlyle · · Score: 1

      I can't repro either. I have tried both holding down a key and the Emacs shortcuts. I think I reached a cap on the size of the field in all cases (as no more letters were being added to the field after ~1 minute). My machine is a dual 1.2GHz with 1GB ram, 10.2.6.

  52. Physical access != physical access by yerricde · · Score: 3, Insightful

    Any machine you can get physical access to is insecure.

    Not all physical access is the same. Many demo machines in stores are left in screensaver mode, so that they show the computer is "doing something" without allowing users to write dirty messages in Notepad (or whatever Apple calls its version; I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"). It's easy to interact with the keyboard of a floor model, but it's often not feasible to turn off the machine and insert a boot disk, and it's definitely impossible to open the machine's case without getting caught, kicked out of the store, and possibly arrested for attempted vandalism.

    --
    Will I retire or break 10K?
    1. Re:Physical access != physical access by Juanvaldes · · Score: 1

      FYI It's called TextEdit now.

    2. Re:Physical access != physical access by Anonymous Coward · · Score: 0

      without allowing users to write dirty messages in Notepad (or whatever Apple calls its version; I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"

      Actually the Notepad utility in Mac OS 8.1 was called "Note Pad."

    3. Re:Physical access != physical access by pbaker · · Score: 1

      Have you been to an Apple store? Actually you have pretty free rein over any machines on display in the store. I have opened PowerMac G4's to look inside. I have inserted CD's. I have inserted DVD's and even watched them for long periods of time. I have downloaded programs from the internet and installed them. I have even rebooted them into safe mode. I have never once been stopped from doing any of these things. All the machines are set to NetBoot and are fresh and clean upon boot. No harm done.

    4. Re:Physical access != physical access by RestiffBard · · Score: 1

      heh, you know the funny thing though is that when I go to CompUSA all the macs are open and showing off the desktop. I think Apple wants you to play with them. Mind you, down the aisle all of the WinTel machines are screensavered and passworded. Usually it's either pipes or maze. heh.

      --
      - /* dead coders leave no comments */
    5. Re:Physical access != physical access by yerricde · · Score: 1

      Actually the Notepad utility in Mac OS 8.1 was called "Note Pad."

      There was a Note Pad on Mac OS 8.x, but it was limited to editing a single multi-page document in the System Folder called the "Note Pad File".

      Notepad on Windows is just a basic text editor.

      --
      Will I retire or break 10K?
    6. Re:Physical access != physical access by Anonymous Coward · · Score: 0

      I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"

      back in system 7 days, it was intuitively called "TeachText". The type creator codes of text files still reflect this (well in OS 9 anyways). For example ttxt creator for "teach text" and ttro type for "teach text read only".

  53. I believe this is no longer true... by igabe · · Score: 5, Interesting

    If I am not mistaken, this was on Slashdot a while back. Apple was quick to correct this.

    The only problem(an ironic one) is that they updated the flaw through Software Update =)

    --
    tilTrue.info contechtext.info prettypowerful.info twitter.com/frets fb.com/prosody
  54. emacs in a password box... by ceswiedler · · Score: 5, Funny

    Hah! I knew it! Mac OSX isn't based on Mach or BSD at all! It runs on top of emacs!

    Actually, the thing that surprises me is that they managed to trim emacs down so it's only an operating system.

    1. Re:emacs in a password box... by evilviper · · Score: 2, Funny
      Mac OSX isn't based on Mach or BSD at all! It runs on top of emacs!

      And they even managed to run a decent editor on top of it!
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    2. Re:emacs in a password box... by Anonymous Coward · · Score: 0

      At least it's yet another reason to move to MacOS X from linux... emacs-style keyboard shortcuts actually work, just like in all traditional unix GUI apps, and very much unlike the windows clone apps you get on linux.

    3. Re:emacs in a password box... by Jon+Abbott · · Score: 3, Informative

      Indeed -- it's nice being able to move the cursor around using Ctrl-P/N/F/B/A/E in any text form... I can do it while typing a Slashdot post, typing an email, etc. etc...

      There are some apps that don't properly handle these key combos (the iApps and Office X seem to all ignore them), but I think this is because they are using a slightly different part of OS X (perhaps Carbon instead of Cocoa)... The nice part about Office X though is that you can reconfigure the key combos so that they do work -- it just takes time to do it.

  55. Since you need physical access... by crispy1083 · · Score: 3, Interesting

    ...you can probably just boot using a CD or external hard drive, which results in a much worse security problem, since it'll give you access to Mac OS 9. You can use that to trash the Mac OS X system, since you can destroy all the normally hidden files and not worry about permissions.

    1. Re:Since you need physical access... by Anonymous Coward · · Score: 0

      Supposed that it is only the screensaver.

    2. Re:Since you need physical access... by Thaidog · · Score: 3, Interesting

      There is a firmware password program that you can download from Apple to make sure that only the system selected gets booted into... otherwise you need a password to boot from a CD or another boot folder. You have to hold option down at boot time and a password field comes up. There is also a password screen for the multiple users option for OS 9 that secures booting into it. The only question is: are there any problems with the security of the security system in OS 9 like this bug in OS X? For that reason OS 9 should still be patched and supported for another couple of years, just like Microsoft was still supplying patches for NT until a few weeks ago.

      --

      ||| I still can't believe Parkay's not butter.

  56. Just tried this exploit by 2nd+Post! · · Score: 3, Informative

    It doesn't seem to work for me.

    You sure it's real? Have you verified it?

    I'm running 10.2.6 on a 933MHz Quicksilver with SuperDrive

    Tried entering another user's login and password at the screensaver prompt and could not get access.

    When I used Folding@Home, however, I *could* crash the screensaver, thus forcing the user back into the desktop, but that has nothing to do with the bug you're mentioning, but with the fact that Folding@Home crashes.

    1. Re:Just tried this exploit by Anonymous Coward · · Score: 0
      When I used Folding@Home, however, I *could* crash the screensaver, thus forcing the user back into the desktop, but that has nothing to do with the bug you're mentioning, but with the fact that Folding@Home crashes.

      Uh, that's exactly the point. This bug affects ANY Cocoa app with an entry field. The screensaver is just an example.

    2. Re:Just tried this exploit by straybullets · · Score: 1

      supergoo is better. and hypno sex ray, also.

      --
      With that aggravating beauty, Lulu Walls.
  57. Re:LP by Phroggy · · Score: 4, Insightful

    Okay now...Apple is swiftly closing the gap with Microsoft in the amount of holes it has.

    Compare:

    Microsoft

    Apple

    Notice how many of Apple's security holes are actually holes in things like Sendmail, BIND, Samba, Apache and CUPS, all of which are off by default, and affect Linux and FreeBSD as well.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  58. The screensaver was never meant to be secure by Carthag · · Score: 2, Insightful

    It's a screensaver. It's not a lock-out mode. Hopefully, though, the new switch-user thingie in Panther will be what you're all thinking the screensaver is.

    1. Re:The screensaver was never meant to be secure by axxackall · · Score: 1

      Hopefully, since Panther OSX will have more reasons to be called Unix. But not until then.

      --

      Less is more !
    2. Re:The screensaver was never meant to be secure by steeviant · · Score: 5, Insightful

      For the purposes of this post, I'll assume that we are including Unix work-alikes like Linux under the umbrella of Unix.

      I don't think you understand much about this subject. Mac OS X is a multi-user system from the ground up, as much as any other Unix system; the only thing that is NOT multi-user about it at the moment is the GUI.

      If you go into /etc/inittab on any other Unix and comment out all of the lines that start virtual terminals except one, that doesn't stop it from being a Unix system, nor does it stop it being multiuser.

      You are confused about what makes a system into a Unix system. The architecture of Mac OS X is a lot like every other Unix system (but for a few technical changes to abstract the OS from the hardware, and make it easier to write low level OS plugins, and binary device drivers) until you reach the GUI level.

      If I take Linux or BSD or Solaris or HP/UX or AIX or Tru64 and put a GUI on it that is not the X Window System, it doesn't stop being a Unix machine.

      It seems like you think Apple took Mac OS 9, stuck a Unix layer like Cygwin on top and are trying to call it a Unix system. This is not the case. If anything, compatibility with Mac OS 9 is the thing that is tacked on and "not supposed to be there".

      If you want to read all about Mac OS X's history, so that you can fully understand it, and not seem like an idiotic troll when posting on the subject try reading something like these two O'Reilly articles on the history of Mac OS X.

      http://www.macdevcenter.com/pub/a/mac/2002/05/03/cocoa_history_one.html
      http://www.macdevcenter.com/pub/a/mac/2002/05/10/cocoa_history_two.html

      Anyway, rest assured that Apple didn't take their old OS and tack on new features to make it Unix, they took Unix, and tacked on new features to make it compatible with Mac OS.

  59. heh by Anonymous Coward · · Score: 0

    Well if OS X was really open source and not just a phony half-open half-closed marketing trick this pathetic exploit might have been fixed sooner.

    If an exploit this dumb is discovered what else is lurking in there?

    Sure it's good enough to do a little photoshop and play some mp3s but trusting it for anything important would be career suicide.

  60. Win95 Screensaver Security by Fred+Ferrigno · · Score: 3, Informative

    I can't remember if ctrl-alt-del worked to bypass the screen saver in Win95 (though I doubt it), but I know it never worked in Win98. The more effective way to do it is to burn a CD with a simple program that kills the screen saver. Unless the user actively searched out and disabled autorun, which is a much bigger safety/security hole that comes enabled on all Windows systems, it works flawlessly.

    Of course, as others have mentioned, if you've got physical access to a machine, it's insecure. While I'm thinking about it, XP and 2k have autorun enabled by default; I wonder how they handle autorun security when the computer is locked.

    1. Re:Win95 Screensaver Security by Anonymous Coward · · Score: 1, Informative

      In Windows XP/NT/2K, the screen saver is just a program that happens to be running on the login desktop (I believe that's what it's called.) No matter what you do to the screen saver, you're still stuck at the login desktop.

      Interesting idea, though. I wonder if you really can run arbitrary code on a locked machine just by popping in a CD?

    2. Re:Win95 Screensaver Security by bmetz · · Score: 3, Informative

      Autorun does not occur until you log back in under XP.

      --
      What did you eat today? http://www.atetoday.com/
    3. Re:Win95 Screensaver Security by Enucite · · Score: 1

      It worked on the first release of 95; OSR2 and above disable CTRL-ALT-DEL when the screensaver is running.

    4. Re:Win95 Screensaver Security by Ibn+al+Arabi · · Score: 0

      All you need to do in Win 95 to get past the screen saver password is hit the Escape key, that's it, nothing fancy :)

    5. Re:Win95 Screensaver Security by Anonymous Coward · · Score: 0

      Interesting idea, though. I wonder if you really can run arbitrary code on a locked machine just by popping in a CD?

      Yes, you can. Just another way Microsoft's OS's help keep your system "trustworthy" :)

    6. Re:Win95 Screensaver Security by mess31173 · · Score: 1

      I can't remember if ctrl-alt-del worked to bypass the screen saver in Win95 (though I doubt it)

      Nope, it didn't. Instead, you could just reboot the computer, finger-to-the-power-button style. Then at the logon box click the super duper secure cancel button at the logon screen. Then "boom, you're in". Then when you're logged in (er, not logged in?) right click->properties->screen saver->OFF! Screen savers were terribly hard to circumvent in 9x. ;)

    7. Re:Win95 Screensaver Security by Thrakkerzog · · Score: 1

      We found that if you make the computer go to sleep while the screen saver is on, when it comes back, it had the start menu at the bottom, with the screen saver still running. (This was windows 95.)

      From here, you could just pretend the screen saver was not there.

    8. Re:Win95 Screensaver Security by Artifex · · Score: 1
      Autorun does not occur until you log back in under XP

      Great. So people could still put batch files to turn the keyboard off, maybe the mouse, and erase all accessible file shares on mini CDs which they can carry in their wallet, waiting to stick them in people's computers when they're not looking. It's just that with XP, the victims get to watch everything disappear.

      Bet a lot of Microsoft admins who leave themselves logged in as root on company machines will get fired over this.

      --
      Get off my launchpad!
    9. Re:Win95 Screensaver Security by Baggio · · Score: 1

      Yes, but then you are asking someone to burn a mini-CD that has autorun bits. This is a premeditated attack, and is not as severe as the Mac screen saver attack. Both attacks could be avoided if the machines were physically secure. Let's face it, this is where the admin would truly have failed because their box has NO security if it can be physically accessed.

      --
      Time flies like an arrow;
      Fruit flies like a banana
  61. Quick summary of article. by Anonymous Coward · · Score: 5, Funny

    It's been discovered that someone with physical access to your computer can access it.

  62. Re:FIRST POST! by Anonymous Coward · · Score: 0

    how the fuck is this "insightful"?! Mods are on crack again...

  63. Ok let's get these out of the way... by rune2 · · Score: 1
    In Soviet Russia the buffer overflows you!!

    1. Release new version of OS X
    2. Release shiny new G5 machines
    3. Marvel how said machines defeat PCs while using incredibly unoptimized compilers on the PCs
    4. Find buffer overflow vulnerability in your screensaver
    5. Celebrate that now you can offer a major 'feature' of Windows
    6. Profit!
  64. Very Good News for Me! by Doctor+Sbaitso · · Score: 4, Funny

    My local computer store has password-protected screensavers on all its demo Macs - now I'll be able to surf the web for... ahem... "those" sites... when the store employees aren't looking!

    --

    ---
    Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
    1. Re:Very Good News for Me! by Lord_Dweomer · · Score: 4, Funny
      "My local computer store has password-protected screensavers on all its demo Macs - now I'll be able to surf the web for... ahem... "those" sites... when the store employees aren't looking!"

      Yes, but please be thoughtful of other people who might happen to see the screen while you're on the site....Besides, you can go to www.msn.com from home anyways.

      --
      Buy Steampunk Clothing Online!
    2. Re:Very Good News for Me! by NotAnotherReboot · · Score: 4, Funny

      Type in goatse.cx links in a Safari window and put the screensaver back on. Allow unsuspecting employees to turn off the screensaver and hit enter.

    3. Re:Very Good News for Me! by HELLO.JPG · · Score: 1

      What is that man doing to his anus?!

    4. Re:Very Good News for Me! by Trusted+Content · · Score: 0

      I wish I had your life, Bigpeeler. 5!

      --
      OMG OMG LUNIX OMG
    5. Re:Very Good News for Me! by Trurl's+Machine · · Score: 3, Funny

      I think they will be rather happy about that. How many times do visitors call them with this annoying "sir, can you unlock this screensaver, please"? (and then the inevitable "damn, where did I stick this post-it note with our current password"). I bet the whole instruction "how to crash the screensaver in 3 easy steps" will be pasted right at the entrance!

  65. Bug Sure, Security bug no by zenyu · · Score: 5, Informative

    Personal computers and workstations make no attempt to be secure against physical access. I just changed two Mac OS X root passwords so I could create an account for myself on some PCs last week. I'm not a regular Mac user, I just did a Google search and found three or four ways to do it; the easiest was to just boot into single user mode, turn on the standard password authentication mechanism, and then type passwd... I've never met a Sun workstation that didn't give you a fully fledged debug console at Meta-A.. LILO lets you enter single user mode with just a kernel parameter to Linux... You can overwrite the password files in Windows, etc.

    You could encrypt the root filesystem, then on boot authenticate the machine (to make sure someone didn't just clone the startup to harvest your decryption key) and then enter the decryption key based on a one time response from the computer. That level of paranoia would justify caring about this "exploit." Even so someone could just install a sniffer inside the computer since our hardware is not hardened in the least.

    1. Re:Bug Sure, Security bug no by Blondie-Wan · · Score: 2, Funny
      You could encrypt the root filesystem, then on boot authenticate the machine (to make sure someone didn't just clone the startup to harvest your decryption key) and then enter the decryption key based on a one time response from the computer. That level of paranoia would justify caring about this "exploit." Even so someone could just install a sniffer inside the computer since our hardware is not hardened in the least.

      Maybe you could, like, lock the door to the room with the Mac in it...

    2. Re:Bug Sure, Security bug no by zenyu · · Score: 1

      Maybe you could, like, lock the door to the room with the Mac in it...

      Well that is sort of the point, the screensaver feature won't bite you in the ass if you lock the door, same as all the other much easier ways for someone to gain access to a machine when she has physical access.

    3. Re:Bug Sure, Security bug no by Anonymous Coward · · Score: 0

      How about this? Install your own OS X on an iPod. Hook it up through FireWire, reboot and hold down option. You'll be given the option of booting off your own system. From there you could do plenty of damage. This has been blown way out of proportion just because the PeeCee users can finally say OS X is "buggy" like Windows. Regardless, it is still one of the most secure OS's available.

    4. Re:Bug Sure, Security bug no by Anonymous Coward · · Score: 1, Informative
      I've never met a Sun workstation that didn't give you fully fledged debug console at Meta-A

      Dude, the command
      eeprom security-mode=full security-password='iamr()()t'
      lies upon the path to enlightenment.

      man eeprom | less '+/^ *security-mode' for more info.

    5. Re:Bug Sure, Security bug no by Mister+G · · Score: 1

      you can always just disable the use of Stop-A on a Sun as well. Keeps you from having to break the fingers of "power" users that think that rebooting suns is a natural thing to do.

  66. Confirmed Positive by HaloZero · · Score: 0, Troll

    PowerBook G4 12" (iFootlong)
    Mac OS X 10.2.6
    Darwin Kernel Version 6.6

    Wow. I'm shocked. That sucks. It's an easy-ass fix, though. Now to just shoot anyone who goes near my computer, until Software Update beeps.

    --
    Informatus Technologicus
    1. Re:Confirmed Positive by Anonymous Coward · · Score: 0

      How exactly is this post a troll post?!?

    2. Re:Confirmed Positive by dave1212 · · Score: 1

      They don't like Family Guy.

      The exploit didn't work on my machine for a while (Dual 450 G4), but then I found that I was able to crash the screensaver and 2 other apps. Keep trying, my system specs are the same as yours. Who knows, maybe it's just those of us who have installed some "haxie" or something.. we should know soon, either way.

  67. Re:Hot on the heels of... by Anonymous Coward · · Score: 0

    The only wasted comedy is the jokes that either aren't funny, or aren't jokes.

  68. Keychain Access "Lock?" by TiMac · · Score: 1
    Okay so the exploit works for me fine when I am using the normal "Ask me for a password" from the screensaver. But when I enable the screen saver via "Lock Screen" in the Keychain Menu Extra (open Keychain Access, go to View Menu to activate), the buffer overflow exploit crashes the password dialog, but then the screen stays black and asks me for a password again if I type a keystroke or move the mouse.

    Anyone else experiencing this? Is this a temporary fix?

    --

    1. Re:Keychain Access "Lock?" by TiMac · · Score: 1

      Hmmmm.....well it only seems to work once for me....as in, it will "relock" once, but after performing the exploit twice, it is wide-open. D'oh!

      --

  69. Reproduced by Anonymous Coward · · Score: 2, Informative

    I crashed both the login panel and the screensaver. I typed in some characters, ctrl-a/ctrl-k/ctrl-y, hold it down for a few seconds, then repeat the process. The text control fills up pretty quickly. Hit enter, and the application crashes.

    For the login panel, it dropped me into console mode, but I wasn't logged in. Crashing the screensaver took me to the desktop. Not a big deal, in either case, but it could be a big deal with a different application.

    Weird how some people can reproduce this and others can't. I have a PowerMac G4 (mirrored drive doors) running 10.2.6.

  70. The Postedon by sharkey · · Score: 2, Funny

    Mortal enemy of the Mastodon!

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  71. Re:No moron, I meant difficulty. by Anonymous Coward · · Score: 0

    If you had one more brain cell

    You're embarrassing enough for both of us.

  72. Confirmed for me by coolmacdude · · Score: 4, Informative

    I was able to reproduce it on my Powerbook. Here is the crash log.

    2003-07-05 23:25:41.258 ScreenSaverEngine[9993] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)
    Jul 6 00:10:42 localhost crashdump: Crash report written to: /Users/jonathan/Library/Logs/CrashReporter/ScreenSaverEngine.crash.log

    --

    -You may license this sig for only $6.99.
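    As an added, defender-side example (not part of coolmacdude's post or of any Apple code), the following Python parses log lines of the two shapes quoted above and flags the ScreenSaverEngine exception and crash-report entries so they can be counted out of a console or system log. The sample lines are constructed copies of that output; the user name, pids and the extra processes are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the crash log quoted in the post above.
# User names, pids and the non-ScreenSaverEngine lines are placeholders.
SAMPLE_LOG = """\
2003-07-05 23:25:41.258 ScreenSaverEngine[9993] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)
Jul  6 00:10:42 localhost crashdump: Crash report written to: /Users/someuser/Library/Logs/CrashReporter/ScreenSaverEngine.crash.log
2003-07-05 23:30:02.114 TextEdit[10021] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)
2003-07-05 23:31:10.500 Finder[412] some unrelated message
"""

# NSLog style: "YYYY-MM-DD HH:MM:SS.mmm Process[pid] message"
NSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<proc>[A-Za-z0-9_.-]+)\[(?P<pid>\d+)\] (?P<msg>.*)$"
)
# syslog style line written by crashdump when a crash report is saved
CRASHDUMP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) crashdump: "
    r"Crash report written to: (?P<path>\S+)$"
)
# The Cocoa exception text follows "exception: *** " inside the NSLog message
EXC_RE = re.compile(r"exception: \*\*\* (?P<exc>.+)$")


@dataclass
class Event:
    kind: str            # "exception" or "crashreport"
    timestamp: str
    process: str         # process name, or basename of the crash report path
    pid: Optional[int]   # None for crashdump lines, which carry no pid
    detail: str          # exception text, or the crash report path


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for NSLog exception lines and crashdump lines, else None."""
    m = NSLOG_RE.match(line)
    if m:
        exc = EXC_RE.search(m.group("msg"))
        if not exc:
            return None  # ordinary NSLog chatter, not an exception
        return Event("exception", m.group("ts"), m.group("proc"),
                     int(m.group("pid")), exc.group("exc"))
    m = CRASHDUMP_RE.match(line)
    if m:
        path = m.group("path")
        # ".../CrashReporter/<Process>.crash.log" -> "<Process>"
        proc = path.rsplit("/", 1)[-1].split(".crash.log")[0]
        return Event("crashreport", m.group("ts"), proc, None, path)
    return None


def parse_log(text: str) -> List[Event]:
    """Parse every line of a log, keeping only the events we recognise."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def screensaver_crashes(events: List[Event]) -> List[Event]:
    """Events showing the locked screensaver's password dialog went down."""
    return [ev for ev in events if ev.process == "ScreenSaverEngine"]


def count_by_process(events: List[Event]) -> dict:
    """How many exception/crash events each process produced."""
    counts: dict = {}
    for ev in events:
        counts[ev.process] = counts.get(ev.process, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in screensaver_crashes(evs):
        print(ev.kind, ev.timestamp, ev.detail)
    print(count_by_process(evs))
```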
    1. Re:Confirmed for me by leifm · · Score: 1

      See why you should sell that Powerbook and buy a NGSCB compliant Wintel laptop as soon as they are avail. :-)

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
  73. 2048 is soo ugly, use hexadecimal notation! by Thinkit3 · · Score: 1

    That's 800h.

    --
    -Libertarian secular transhumanist
  74. Didn't work... by Anonymous Coward · · Score: 0

    Not even for 6 minutes.... sounds like bogus FUD to me.

  75. Re:Hot on the heels of... by DataPath · · Score: 1

    How about APT Secure, which is the working name of a project to add to APT the ability to verify the authenticity of Debian packages. It accomplishes this via a chain of trust which is initiated by the package maintainers and ends on the installing machine.

    --
    Inconceivable!
  76. Yet another triumph for irony against stupidity... by Ho-Lee-Chow · · Score: 2, Funny

    Oh, and OT, but this idiot can't write a sentance, there's no doubt he discovered this after falling asleep on the keyboard.

    Once again, our intrepid hero, known to his legions of fans as "Slashdot Grammar Nazi", fails to check his own grammar and spelling as he ruthlessly tears apart another post for...poor grammar and spelling.

  77. X isn't :0 only by arth1 · · Score: 0, Interesting
    What are you talking about? A screensaver password vulnerability requires physical access to the machine. Most Unices will not protect against a malicious user with physical access, either.

    A screensaver password vulnerability works just as well remotely as with physical access. The screensaver is just another X11 program which runs the same way whether local or remote.

    While this in itself doesn't give *easy* access, it might very well open for a remote X spoof attack from a third party.

    Regards,
    --
    *Art
    1. Re:X isn't :0 only by Jeremiah+Cornelius · · Score: 5, Informative
      Uhhhh.. OSX doesn't use X. It has a native, non-network display renderer called "Quartz": interactive PDF based, with OpenGL acceleration.

      The buffer exploit is a Quartz problem, and entirely local.

      There is an X implementation for OSX - it runs on Quartz, like Exceed or CygX run on Win GDI. It may be possible to send events to Quartz via the Apple X server - but this is not shipped by Apple as production code, and won't be until Panther. That is several months and many bug-fixes away!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:X isn't :0 only by Anonymous Coward · · Score: 0

      If only people would know wtf they were talking about instead of making themselves look stupid.

    3. Re:X isn't :0 only by clarkcox3 · · Score: 1

      You haven't got the slightest idea about what you're saying. The screensaver on MacOSX is *not* an X11 application. It (like most OSX apps) uses Apple's Quartz window server, which (as of 10.2) only allows connections from the local machine, and only from root and the user currently logged in to the GUI.

      --
      There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
  78. Screenshots! by Anonymous Coward · · Score: 0

    Post the .pngs someplace! w007!

  79. Exploit works by Anonymous Coward · · Score: 0

    I'm using 10.2.6 on a dual G4 450.....

    I held the "x" key down for a little over 7 minutes (ok, I used my stapler to weigh down a battery that was placed to press down the key.....MacGyver lives ;-) )

    I agree with another posting that mentions one should actually log out of the account if they really want to keep their data safe.

    My guess is that you'll see a security update in the next week.

  80. refers something by iamweezman · · Score: 1
    Perhaps the word "they" in your sentence refers something or someone not mentioned in your statement

    ha ha ha..."refers something"? Oh my!

    1. Re:refers something by 1010011010 · · Score: 1

      Yeah, yeah. Three levels deep. :)

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  81. The tone of the original letter to apple by ultrapenguin · · Score: 4, Insightful

    Was so immature, it's no wonder it got ignored.
    I would be surprised if the mail didn't get deleted after just looking at the subject of it :)

    Seriously, people reporting security bugs need to start working on their English and sentence structure, and stop sounding like 10-year-old script kiddies.

    1. Re:The tone of the original letter to apple by Anonymous Coward · · Score: 0

      He is not a native English speaker, fuckface.

    2. Re:The tone of the original letter to apple by Anonymous Coward · · Score: 0

      Chill, I think the guy is Portuguese. He did quite well actually.

    3. Re:The tone of the original letter to apple by CaptCanuk · · Score: 1

      Not to demean the business world, but if they aren't truly paying attention to any and all of their e-mail (lack of it looking like spam) then they should expect much worse to happen. There are many individuals who have C++ as a first language followed by a distant second, english. Whether the e-mail starts with "Dear Sir/Madam..." or "Pimp this...", if it's addressing possibly any security circumvention, it should be taken equally seriously. As you can see, I've taken the parent's post seriously though most English teachers would have blown up: "was", "it is", "did not", "English", "Script k!66!3$".

      --
      ---- The geek shall inherit the Earth.
    4. Re:The tone of the original letter to apple by Anonymous Coward · · Score: 0

      Neither is God, fuck whore.

    5. Re:The tone of the original letter to apple by zangdesign · · Score: 1

      And how many emails a day do you suppose Apple receives that start out with a crank-like salutation? After a while the auto-filter goes on and you learn to ignore them. It probably would have been better for the guy to contact Apple Portugal and have them kick it up the ladder. At least then the English would be "more official" and not sounding like a script kiddie.

      I'm not saying he's not right, just that the letter itself leaves a lot to be desired from a grammar and construction standpoint.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
  82. It's not a bug.... by ebbomega · · Score: 2, Informative

    It's a feature!

    Seriously, all software produces exploits of some kind, even the beloved Linux and its considerably more stable cousin OpenBSD. The difference between an open source project like Linux or OpenBSD and more proprietary software like Cocoa and Windows is that more often than not if there's an exploit, the sooner it's discovered the sooner someone patches it, and as a result the sooner it gets fixed. I remember /. reported a samba security hole about three months ago that I had patched about an hour before the article was even posted, thanks mainly to Mandrake's Security Update.

    --
    Karma: Non-Heinous
    1. Re:It's not a bug.... by swordgeek · · Score: 2, Interesting

      That's quite an interesting statement. Do you have any evidence whatsoever that open source security bugs get fixed faster than closed source ones? Compare Linux with Solaris, if you want a level playing field.

      Not a troll--I've heard this statement tossed out so many times as absolute fact, and yet I don't know if it's ever been tested.

      As for Samba, you might have had good luck with a security patch, but we had a bug that caused a production system to crater (12 CPUs and about 8GB of RAM) completely. It existed for TWO YEARS after being reported because no one on the Samba team felt like dealing with it. Sometimes you really do get what you pay for.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
    2. Re:It's not a bug.... by listen · · Score: 1

      What, you mean this bug mattered to you, you like paying for stuff, and you DIDN'T offer anything to the Samba team to fix it? Or try and band up with other people vulnerable to this and pay for it?

      Why would the Samba team care about this bug more than those that they themselves are vulnerable to, and a large amount of users are vulnerable to? There's one way to get them to care a lot more, and that is money.

      Software is soon to be a service industry. That means you pay for what is important to you. That means the home user isn't subsidising all the features that only matter to big ass systems like yours. If you want to push the envelope, you pay for it.

    3. Re:It's not a bug.... by swordgeek · · Score: 1

      OK, it's now another day or two since this reply went up...

      Here's a bit more of the story: We had a problem with Samba that was crashing our system, and bringing down our production environment. When we tracked it down (through some fairly extensive work on our part), we posted it to Usenet and also the Samba mailing list. The only response we got was one person who pointed us to a post with exactly the same problem, from two years prior.

      Now paying money to a company for software updates is one thing. Offering money as a 'bounty' to a loose and informal organisation in the hopes that someone might get around to it is another thing. A ridiculous thing.

      Software as a service industry is an interesting idea, and may actually be quite viable. However, withholding service without payment, ESPECIALLY on supposedly free software, is just stupidity. It's doubly stupid when the work needed isn't a new feature or an enhancement, but a mission-critical show-stopping bug.

      More concisely, if the Samba team refuses to read bug reports until they've been paid, then they should post rates on their website instead of asking for donations.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  83. Graphical login screen by arth1 · · Score: 0
    First of all, the ctl-k ctl-y macros work in just about any Cocoa field. I pointed that out earlier on macslash. What I also pointed out was that this bug will crash just about every Cocoa app with a text field. I've crashed the login panel with it.

    Now this makes the bug much more serious. Any host that can ask for a login window on the machine can then use the buffer overflow exploit to potentially pass executable code to the server, to be executed as root.
    Time to check your Xaccess file and make sure it doesn't allow any remote hosts, whether by query or broadcast. Or block port 177 and 6000 both ways.

    Regards,
    --
    *Art
    1. Re:Graphical login screen by Trusted+Content · · Score: 2, Funny

      Right, because, you know, OS X uses X11 as its windowing system and to log in users.

      I almost forgot.

      STFU, n00b. You're way out of your league on this one.

      --
      OMG OMG LUNIX OMG
    2. Re:Graphical login screen by jcr · · Score: 4, Informative

      Any host that can ask for a login window on the machine can then use the buffer overflow exploit to potentially pass executable code to the server, to be executed as root.
      Time to check your Xaccess file and make sure it doesn't allow any remote hosts, whether by query or broadcast.

      Dude, none of this pertains to Mac OS X. There is no way for any other host to "ask for a login window" on a Mac OS X host.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    3. Re:Graphical login screen by arth1 · · Score: 1

      I stand corrected -- I completely forgot that OS X doesn't use X (the X in the product name doesn't really help reduce the confusion), but relies on Apple Remote Desktop, an extra product, for remote functionality.

      Regards,
      --
      *Art

  84. Doesn't matter by itistoday · · Score: 5, Insightful

    This requires "5 minutes" to hold down the key long enough. If one has access to a machine for 5 minutes then security doesn't matter. On any version of OS X one can simply launch up single-user mode when restarting and have Root access in under a minute.

    1. Re:Doesn't matter by Trusted+Content · · Score: 0

      Not if Open Firmware password is enabled. Then you can't change anything about your boot (boot from CD, single user mode, verbose mode, boot into OF, anything) without the OF password. Which can't be reset without removing the RAM, I believe, three times.

      --
      OMG OMG LUNIX OMG
    2. Re:Doesn't matter by Anonymous Coward · · Score: 0

      Yeah, but you'll notice your box has been rebooted. There's something to be said for the regular stealthy exploits!

    3. Re:Doesn't matter by Anonymous Coward · · Score: 0

      True true true.

      Anyone who relies on a screensaver to keep people off their machine deserves everything they get. If you truly want to keep people out, don't use the damn screensaver, and make it prompt for a password at reboot too.

    4. Re:Doesn't matter by drinkypoo · · Score: 1
      You can probably reset the pram by removing and replacing the battery or by pressing one of those adorable little buttons on the motherboard. Not the power on one, but the one next to it whose name I forget.

      I wonder if you can nuke an OF password with the pram-clear spock pinch, is that what you meant?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Doesn't matter by mslinux · · Score: 2, Informative

      I wonder if you can nuke an OF password with the pram-clear spock pinch...

      Yes, you can do this. Change the amount of RAM in the system (either add or remove a RAM chip) and then clear the pram. Bingo... no OF passwd.

    6. Re:Doesn't matter by SlamMan · · Score: 1

      Close. The only way to remove the OF-Password is to crack the case (which I hope you'd locked if you're worried about security on a tower), remove the RAM and battery, turn on, wait for the horrible "I've got no RAM, fool" sound, then put 'em back in.

      --
      Mod point free since 2001
    7. Re:Doesn't matter by SlamMan · · Score: 1

      Right, but you have to crack the case to do that, can't just zap it from the keyboard. Towers you can physically lock, but iMacs, eMacs, and laptops have no such protection.

      --
      Mod point free since 2001
    8. Re:Doesn't matter by MoneyT · · Score: 1

      Though if they have enough time to get into the internals of an iMac or an eMac you've got bigger problems on your hands.

      Now laptops are another story....

      --
      T Money
      World Domination with a plastic spoon since 1984
    9. Re:Doesn't matter by SlamMan · · Score: 1

      I dunno. I can get to the RAM in a CRT iMac or an eMac and have it back booting in under 2 minutes. LCD iMac's a bit longer 'cause it's freaking awkward, but not much more.

      --
      Mod point free since 2001
  85. Exploit response times by fervent_raptus · · Score: 1

    This will be a good test of Apple to see how long it takes them to deploy a fix on Software Update.

    Seems everyone is always judging everything by how fast their creators release security fixes!

  86. Re:No moron, I meant difficulty. by 36526542DD · · Score: 0

    That's funny, my Linux server has been up and serving pages for 2.5 years without a reboot.

  87. DITTO: worked for me by Anonymous Coward · · Score: 0

    I could not get it to work holding down a key, but the ctrl-k ctrl-y worked for me.

  88. 5 minutes? by Alsee · · Score: 1

    The article says it takes 5 minutes to enter enough characters to fill the buffer, but my testing shows it can be done in under 5 seconds.

    Of course results may vary from machine to machine. I happen to always use a key repeat setting of 1200 cps on my computer.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  89. HERE's an even simpler hack by goombah99 · · Score: 3, Funny
    Got physical access? Good. Then put in an install CD, boot it, and select change password from the menu. Ta da.

    Oh, you don't want to change the password? Well then boot in single user mode and you don't need one. Ta da.

    Oh, they left Open Firmware on? Open the case and remove one of the memory cards. Reboot. Ta da!

    --
    Some drink at the fountain of knowledge. Others just gargle.
  90. i saw this in a movie by cyberrodent · · Score: 3, Funny

    that's how Mystique hacked into that government computer in X-Men 2 -- and I'm pretty sure that's how Jeff Goldblum hacked into the alien ship too - only we didn't know it at the time because OS X was only released to celebrities at that time.

    (and that's why he did those commercials too!)

    cyberRodent

    --
    Talk is cheap. Supply exceeds demand.
  91. Revenge of the drinking bird by gotr00t · · Score: 4, Funny
    Like how Homer Simpson got his "drinking bird" to cover for him by constantly pressing 'y' while he went to the movies, you could do the same thing. Have one of those drinking birds continually tap a single key over and over again while the Mac is in screensaver mode, and EVENTUALLY, it will terminate due to this bug.

    It probably didn't work for you because you didn't type enough stuff. Go buy a drinking bird.

  92. Get root access by gotr00t · · Score: 5, Interesting

    On any computer using OSX, it is possible to change the root password with 6 easy steps:

    Reboot the computer
    Hold down appl ctrl + S
    Type "mount -uw /"
    "su" (it doesn't ask for a password)
    "/sbin/systemstarter"
    "passwd"

    1. Re:Get root access by usr122122121 · · Score: 4, Insightful
      On any computer using OSX, it is possible to change the root password with 6 easy steps: [snip]
      This suggestion wouldn't work if the computer was secured with the Open Firmware Password method.

      Yes, the OF Password is also circumventable, but not if the machine is physically locked :-)

      If you want your machine to be secure, you can take steps to ensure that it is, regardless of platform, but when there is physical access to the machine it generally takes a lot more security to do so.

      --

      -braxton
    2. Re:Get root access by tesmako · · Score: 3, Informative
      For those who have missed it, here is the classic get-root-in-3-steps for Linux:

      * reboot
      * at lilo/other obscure bootloader load linux with -init /bin/sh
      * run passwd
      Of course easily avoided with a BIOS password or mean bootloader, just like on a mac where you can avoid this problem with an OpenFirmware password.
    3. Re:Get root access by Anonymous Coward · · Score: 0

      smart cat!

    4. Re:Get root access by Huge+Pi+Removal · · Score: 2, Informative

      It's rather easier just to boot from the installer CD and select "change password" from the Installer menu. Change an admin's password, and away you go...

      --
      - Oliver

      The right to bear arms is only slightly less stupid than the right to arm bears...
  93. Try Xlock! by aWalrus · · Score: 1

    You could just install Xlock (available via Fink, according to this list) and run it from a shell. There should be a way to replace the default screensaver thing with Xlock too.

    --
    Overcaffeinated. Angry geeks.
    1. Re:Try Xlock! by aWalrus · · Score: 1

      Sorry for replying to my own comment, but now that I think about it, Xlock is for locking X Windows environments. Don't think it would work for Aqua. Does anyone know if there's another program available to do that?

      --
      Overcaffeinated. Angry geeks.
    2. Re:Try Xlock! by swdunlop · · Score: 2, Funny

      Invest in a safe. The only way to properly control access to a computer is to airgap it, lock it in a container, then post several rabid animals to guard the container. Even then, this is no guarantee, but the annoyance factor should be high enough to protect grandma's secret cookie recipe.

  94. Same sh!t different day by Anonymous Coward · · Score: 0

    I reported the same bug to Apple, only it dealt with the login screen. You could overflow the password buffer and kill Aqua, which would drop you into a root shell. Although it was never mentioned in any of the security alerts, it was a problem up to one of the later 10.1 or early 10.2 releases.

    Now with the PowerMac G5, OSX security holes can be exploited up to 32% faster than equivalent P4 systems running Windows XP.

  95. Someone should write quartz backend for GNUstep. by Anonymous Coward · · Score: 0

    And port GNUstep over OS X or Apple should release source for Cocoa.
    It's easier and quicker to patch a free software project.
    This would only benefit Apple because sooner or later GNUstep will be stable on both Windows and GNU/Linux.

  96. I'll be fine. by dotgain · · Score: 1

    Anyone who has access to my Mac can't even remember their own 6 character passwords - I don't think they'll manage a 2000 char overflow.

  97. Where's the hole exactly? by zachlipton · · Score: 1

    While this is a bug in OS X, it really isn't anything more. It can only be exploited with physical access to the machine, something that we have known for a long time to be insecure. Apple should fix it for sure, but with the same priority given to any other minor crasher bug (minor as users cannot really expect the application not to crash when typing thousands of characters into the tiny password field).

    Screensaver passwords provide no real security; anyone exploiting this issue in the real world would know many (far easier) methods and anyone with data that must be kept secure will (should) know better than to rely on the screensaver password.

    1. Re:Where's the hole exactly? by Anonymous Coward · · Score: 0

      You say screensavers provide no security, yet this is a big security issue because many people use it to lock the computer when they go to lunch for 1 hour in real life. You can do quite a bit during that time.

      The way Apple has coded passwords has been up for debate before, when you could use a very long password and think you were very secure by doing that, and it didn't matter because the code only verified a fixed number of characters.

  98. Mac OS X technology names by seismic · · Score: 0, Offtopic

    Every time someone posts a message about OS X, I try really hard to take it seriously.

    I repeat to myself..

    It's a BSD kernel, it's a BSD kernel, it's a BSD kernel, it's a BSD kernel.

    But what's with the names? Safari? Jaguar? Panther? It's hard not to imagine Mac users wearing helmets and riding elephants.

    And it's nearly impossible to say 'cocoa' without smiling. Seriously, try it.

    Cocoa. :)

    Steve Jobs:
    Well you're going to be AMAZED by what we've done. Today we're ready to unveil... Coconut! Inspired by Guano, and the successor to Firefly. Fully compatible with Gerber API's.

    1. Re:Mac OS X technology names by scrod · · Score: 2
      It's a BSD kernel, it's a BSD kernel, it's a BSD kernel, it's a BSD kernel.

      Kernel? No, that would be Mach. FreeBSD 4.4 is the reference platform for the rest of the command line environment, however.

      And it's nearly impossible to say 'cocoa' without smiling. Seriously, try it.

      Yeah, four years ago when the "Yellow Box" environment was renamed that I thought it was funny for maybe a day or two.
  99. OSX vs MS bugs... by New+World+Odor · · Score: 0

    Well, that just goes to show how much Apple has done for you lately! They just created a distro! You still owe it to the rest of the community for the help.

  100. An exploitable bug on OSX by Botunda · · Score: 1

    oh the humanity!!! I can just see it now... "well we relied on the IBM chip and SCO seems to have a problem with that. But hey look *poof* iPod == good!!!"


    life is like a box of really fucked up chocolate...

  101. Reply to self by Phroggy · · Score: 1

    This will probably make a pretty ugly entry in ~/Library/Safari/History.plist.

    It didn't. Probably because the page never loaded.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  102. Uhh by cscx · · Score: 1

    If you had write access to \WINNT\System32 (where logon.scr resides) you were probably logged in with admin privileges already, so what's the point?

    1. Re:Uhh by cscx · · Score: 1

      To add fuel to the fire, couldn't you likewise replace /bin/sh on a Unix machine with a trojaned shell and achieve the same results?

    2. Re:Uhh by Sunda666 · · Score: 1

      man you are so wrong (and so right at the same time)...

      right, because \winnt\system32 is of course a system directory and should be accessible only by admins.

      wrong because winnt4 defaults to FAT for its root drive, and even if you choose NTFS, you end up with "everyone full control (all)(all)" for the entire drive. So much for the average MS sysadmin out there.

      hope they fixed it for the newer versions, never tried anything beyond nt4, it was enough shit for me to switch to linux & bsd.

      cheers.

      --


      ``If a program can't rewrite its own code, what good is it?'' - Mel
  103. It's a security bug; you CAN secure these systems by piranha(jpl) · · Score: 1

    Of course this is a security bug; it's a bug in an authentication program which, when exploited, allows an attacker access to a computer that they wouldn't have otherwise had. How is that not a security bug?

    Personal computers and workstations make no attempt to be secure against physical access. I just changed two Mac OS X root passwords so I could create an account for myself on some pc's last week. I'm not a regular mac user, I just did a google search and found three or four ways to do it, the easiest was to just boot into single user mode, turn on the standard password authentication mechanism, and then type passwd...

    If the user cared about security, they'd enable the OpenFirmware password feature. Without the password, you won't be able to boot in any way but from the default disk and with no special boot arguments.

    I've never met a Sun workstation that didn't give you fully fledged debug console at Meta-A..

    Then you've never met a Sun workstation with its OpenProm password enabled. You can interrupt the machine with L1-A (and it's L1-A, aka Stop-A, not Meta-A), but you can't get anywhere without the password. I do this on my Ultra 1 and my Sparcstation LX.

    Lilo lets you enter single user mode with just a kernel parameter to linux...

    Unless the 'password' option in lilo.conf is in use.

    You can overwrite the password files in Windows, etc.

    I'm not very familiar with Windows security, but as far as I understand, if you can prevent the hard disk from being removed from the machine, and you can prevent the machine from booting anything but the hard disk, Windows can be configured so that you cannot simply overwrite password files (or any other files, for that matter).

    Keep in mind that on PCs, the BIOS can be protected from booting from anything but a hard disk.

    Many PC cases, and every Sun case I've seen, have the option for installing a lock into place, so that the case cannot be removed without damaging the case or damaging the lock. Since the only way to circumvent a PC BIOS, OpenFirmware, or OpenProm password is to open the case, a security-conscious person would inspect the lock to ensure it hasn't been tampered with. If it hasn't, then it is extremely unlikely an attacker could have, for instance, booted their own OS and installed a trojan horse to the computer's disk which intercepts passwords and passphrases.

  104. May Not Affect 10.2.6 by Ashcrow · · Score: 1

    I haven't been able to reproduce this on my OS X.2.6 machine. Other 10.2.6 users have reported the same thing. It *might* have been fixed before it was found.

    1. Re:May Not Affect 10.2.6 by coolmacdude · · Score: 1

      Works for me on 10.2.6.

      --

      -You may license this sig for only $6.99.
  105. It's the Language by Mooncaller · · Score: 1

    And my friends think I'm silly for wanting to write an OS and Desktop/WM in Ada. The only time I ever plan to use C/C++ again is for work. Buffer overflows, geesh.

  106. Because Panthers run faster by igabe · · Score: 5, Interesting

    Just FYI Panther seems immune to this exploit.

    Tried doing the procedure for ~10 minutes in the Screen Saver and nothing happened. Then tried again in a few other Cocoa apps. Still nothing. Just worked like normal (for once this is a good thing).

    My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.

    And yes, I realize most people can't just upgrade to Panther yet to fix this rather major oversight on Apple's part.

    Yea and I think that you should be able to use Exposé as a screensaver =)

    --
    tilTrue.info contechtext.info prettypowerful.info twitter.com/frets fb.com/prosody
    1. Re:Because Panthers run faster by kasperd · · Score: 4, Insightful

      My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.

      Or perhaps somebody realized there was a bug and fixed it without ever considering how bad the bug was.

      --

      Do you care about the security of your wireless mouse?
  107. vim by SHEENmaster · · Score: 1

    As one of two people who runs vim rather than a GUI editor on a handheld, I should have a witty anti-emacs remark to put below.

    <joke subject="emacs" />

    --
    You can't judge a book by the way it wears its hair.
    1. Re:vim by Arker · · Score: 1

      VIM?

      Emacs emulates it perfectly with just one line of lisp.

      (use-global-map (make-sparse-keymap))

      Maybe that'll spur some creativity. You know you've got a comeback, somewhere... ;)

      (Yes, I'm one of the two people that uses emacs in a terminal on a tibook.)

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    2. Re:vim by rjforster · · Score: 1

      Ahem. 3 people. Unless you counted me already.

  108. There are worse... by FooGoo · · Score: 2, Funny

    But every time I try and type it into my Mac, Steve's head fills my 23" cinema display and tells me I need to listen closer to the next keynote. I think it's a security feature.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
  109. Not working in 10.2.6 by dadman · · Score: 1

    I was not able to reproduce the same effect, i.e., screensaver did not crash, by following the "exploit" mentioned on two 10.2.6 systems: G4 AGP tower and 12" G4 PowerBook, both running the Flurry screensaver:

    G4 Tower:
    Darwin bogon.local. 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc

    12" PowerBook:
    Darwin Rouge.local. 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc

  110. For all you pro-MS trolls by inkswamp · · Score: 1
    If Slashdot is anything like other forums where this has been posted, we can all expect the predictable tripe along the lines of "but gosh, I thought everything from Apple 'just worked' and that MS was the only company with bugs... etc." from the pro-MS crowd. The real difference, btw, isn't whether or not OS X has bugs (probably has tons) but rather how Apple chooses to address the issue, particularly the security problem with the screen lockout. Unlike MS, you can count the hours until Apple releases an update to address this or patch the potential security hole. There will be no "shhh... if nobody knows, it's not a security issue" bullshit with Apple. So consider that before any of you bizarre, pro-MS trolls jump in here to cause trouble.

    --
    --Rick "If it isn't broken, take it apart and find out why."
  111. Not on my Box by GnarlyNome · · Score: 1

    This requires "5 minutes" to hold down the key long enough.
    To set off the C-4 charge under the desk.

    --
    Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
  112. But... But... by Anonymous Coward · · Score: 0

    It just works?!

  113. So quick to judge... by Anonymous Coward · · Score: 0

    Seriously, people reporting security bugs need to start working on their English and sentence structure, and stop sounding like 10-year-old script kiddies.

    Perhaps English is not his first language:

    "Delfim Machado - dbcm@xpto.org
    XPTO:: Portuguese OpenSource Community - http://lab.xpto.org"

  114. Doesn't work at all! WTF? by EvilStein · · Score: 5, Funny

    I got drunk last night and passed out at the keyboard and came 'round *six hours later* - a lot longer than the 5 minutes needed for this "exploit" and I STILL couldn't get into my Mac OS X box.

    Couldn't find any more beer, and I couldn't find my pants, either.. but that's another story.. grrr

  115. Pffft by fireman+sam · · Score: 1

    I remember once I had to get "root" access on OSX. So I held down the two buttons on the bottom left of the Mac keyboard (I don't have one here, so I can't say which ones). Then held down 'S' (or a key around that area) and powered on the box (if you could call it a box). I was then presented with a bash prompt and full access. Sort of like init=/bin/sh, or single user mode.

    So you do not need buffer overflows or anything like that if you have the box in front of you and you have a hammer.

    DOS: smash the box until it no longer works.
    root exploit: smash the box and get the hard disk. Plug that into another computer.

    --
    it is only after a long journey that you know the strength of the horse.
    1. Re:Pffft by Trurl's+Machine · · Score: 1

      DOS: smash the box until it no longer works.
      root exploit: smash the box and get the hard disk. Plug that into another computer.


      Dual-boot Macintosh: Boot into OS 9. Congratulations, you have now root access to everyf***thing.

  116. Set an Open Firmware Password. by Anonymous Coward · · Score: 5, Informative

    You could always set an Open Firmware Password, if you're afraid of people rebooting your system to exploit it.

  117. Is there any reason you're still using iJournal... by Anonymous Coward · · Score: 0

    ...when Xjournal does everything it does, and a hell of a lot more?

  118. Re:It's a security bug; you CAN secure these syste by zenyu · · Score: 1

    Since the only way to circumvent a PC BIOS, OpenFirmware, or OpenProm password is to open the case, a security-conscious person would inspect the lock to ensure it hasn't been tampered with. If it hasn't, then it is extremely unlikely an attacker could have, for instance, booted their own OS and installed a trojan horse to the computer's disk which intercepts passwords and passphrases.

    An $8 hardware keyboard logger can get someone a long ways unless you take more than a cursory look at your hardware. Not that you shouldn't do all those very common sense things you suggested. When I was a kid I had a bad habit of breaking into machines that looked "secured." The tougher ones took all the measures you suggested and then encased the machine in metal or plexiglass. Those machines took up to an hour to break into. Unfortunately, when it comes to these things the kid will break into more of those machines than the totally unsecured ones because your machines present some challenge. The easy machines will be accessed only for convenience.

    Lock the door to your office, and worry about someone running NFS or a Windows machine on your network.

  119. why ? by Anonymous Coward · · Score: 0

    why is it no one cares so much about this.. oh wait - it's not an MS Windows flaw/vulnerability so therefore it's just "one of those things with OSs" - if this was found on a Windows OS, these forums would be full of "oh christ, windows is so insecure - even their screen savers are vulnerable"... look at them apples...

  120. Re:WTF? by Trusted+Content · · Score: 0

    GO

    BACK

    TO

    GBS

    --
    OMG OMG LUNIX OMG
  121. No, it's not. by jcr · · Score: 3, Informative

    This exploit requires physical access to the machine, and if you have physical access, it's a lot simpler to just kill the power, and reboot while holding command-S.

    I haven't been able to reproduce it on my machine, but even assuming that the original report is completely accurate, it's still not a big deal.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:No, it's not. by TCM · · Score: 1

      Yes, except with this exploit you're taking over a running session with potentially open terminals to other systems. I know, you shouldn't be leaving root sessions or just plain user sessions to other systems alive when leaving your desk.

      "But hey, I'm going to leave for only 10 minutes and this screensaver has password protection and my password is $lower_than_crashing_threshold chars long so no one will be able to brute force it in 10 mins, right?" (Of course in this example you wouldn't know that it is crashable in 30 secs.)

      Anyway, this needs to be fixed, no matter that it's easier to just reboot if you have physical access. Taking over a live session gives you potentially more than examining a cold box.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    2. Re:No, it's not. by jhagman · · Score: 1

      >I haven't been able to reproduce it on my machine, but even assuming that the original report is completely accurate, it's still not a big deal.

      I could not reproduce the thing either, but with C-k and C-y shortcuts I managed to get the input field long enough for the screensaver to crash.

      On one hand it is not a big deal, but it certainly is very bad PR and (hopefully) easy to fix.

    3. Re:No, it's not. by diamondsw · · Score: 1

      Setting an Open Firmware password (as mentioned above) prevents both changing the boot disk and single user mode. As also pointed out above, only physically changing the RAM or the hard drive will get around the Open Firmware password. If someone breaks in while you're not there, you're screwed. If your machine is in a relatively public environment where people would notice someone disassembling a machine (computer lab, at home with you present), it's secure.

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
  122. macosx software update down by Niksie3 · · Score: 1

    I think the update is about to be released; I can't access the Software Update servers. I think that usually happens just before an upgrade.

    --
    Sig you!
  123. Re:LP by Anonymous Coward · · Score: 0

    That's because Microsoft has its own software that does the same thing, so that bug in Microsoft DNS, SMTP service, etc. is no different from Apple's BIND bug. It's just that Microsoft wrote the whole operating system, and Apple obviously didn't, so there's more Microsoft code to have bugs - more code, more bugs, simply statistically.

  124. SWEET JESUS! by Anonymous Coward · · Score: 1, Informative

    OMG, this thing actually works.. I am taking summer school classes and got Saturday detention for cutting one of my classes earlier in the week. I tried the sploit at school on the Macs there. BEHOLD, it freakin' works!!!

    It works in ANY of the OSX apps I tried. My school has some security software installed to prevent us from running anything other than IE and some mail program for the school's e-mail. Now I can get access to play games (I'm bringing my Diablo CDs Monday)... In fact.. It might even work as a way to gain access to the teachers' grading software .. Ohh, sweet.

  125. emacs? by Anonymous Coward · · Score: 0

    didn't you mean vi? just type yy2048p in normal mode :-)

    however, does your comment mean that the default keybinding of an apple computer is the same as used in emacs?

  126. Re:LP by Anonymous Coward · · Score: 0

    oh yeah - you mean the functionality that Apple "borrowed" since they couldn't make it themselves; but then if there is a flaw they can shift the blame. I guess Billy Gates is not as smart as Jobs - he should have been more obvious when he stole parts for his OS.

  127. Summaries: by mindstrm · · Score: 1

    1 "The OSX desktop isn't networked, so this isn't a remote exploit, so it doesn't matter, anyone with physical access can break in anyway"
    2 "OSX is not real bsd / not real unix"
    3 "This is what you get for having closed source"

    1 - Yes, it's more or less a local exploit. So what? Does that mean it doesn't matter?
    2 - Yes, it is.
    3 - Lots of open source apps have had security vulnerabilities. Let's wait and see how apple deals with it.

  128. Hey, that's brilliant. by mindstrm · · Score: 1

    Does that mean you run with all local passwords disabled? I mean, if they have physical access, what's the point?

  129. Unable to reproduce on 10.2.6 by borgheron · · Score: 1

    I tried both scenarios described without success.

    GJC

    --
    Gregory Casamento
    ## Chief Maintainer for GNUstep
  130. Yes they do by theolein · · Score: 1

    To a certain extent. Bios passwords on PCs and OpenFirmware passwords on Macs. Yes, you can get around them, but you have to open the case to do so.

    Enjoy.

  131. Pretty small really by ExEleven · · Score: 1

    When you think about it, this isn't that big. I am being a bit redundant, but all a screensaver does is pull wool over the prying eyes of others from your screen.

    Of course then it is a small problem, and the fact that I can't see a fix makes me proud to be using an Operating System made by geeks for geeks (Linux). For example, in some environments and other situations logging out is not always practical.

    On top of this consider that this can be logged unless the user has permission to root with /var/log and stuff like that. Which they shouldn't; in that case, if you have administration privs, then yes, you should be logging off in some environments every time you go get a tissue or some more HyperMints.

    But there is too much media whoring as usual by countless nobodies that are dying for attention; it happens all the time, people start websites, make action groups, all for the wrong reasons. People start a great many projects on SourceForge that never actually happen. A big example of media whoring is the SCO case. Walk up to your average Joe Blow and ask what he thinks about this stuff: not much. Or ask Linus Torvalds what he DID think: not much. The fact is nobody really cares about this stuff, and I'm including geeks. It's these attention whores that need to be filtered.

    It's the same in this case: the AH (Attention Whores) keep focusing on the negative as if the US ran OS X with screensaver passwords to control their nuclear government or something. What about the real issues, like standing for what you believe in? If you don't believe in anything then just get out of the path of those who do. It's purely selfish, and on the whole can gradually ruin things for the rest of us.

    I wrote this because this article and the way people flared up on it sort of told me that 90% of people don't mean what they say. This article told me how much time is spent on what is important.

  132. Mother of all MacOS X Exploits by Yujenisis · · Score: 1

    Awww, this ain't nothing!

    You folks seem to forget the mother of all intended security exploits: FireWire Target Disk Mode. Officially sanctioned by Apple for the lazy 'l33t h@x0rz' among us.

    To have full unfettered access, as it completely ignores the UNIX permissions, to any and all data on a Mac user's computer, simply hold down Apple+T on the victim's computer and connect via a 6-pin to 6-pin FireWire cord to your own computer.

    Happy copying. Maybe with the additional data features of Panther this won't be an issue, but for now, happy downloading. ^^

    1. Re:Mother of all MacOS X Exploits by valkraider · · Score: 1

      I don't care *what* OS you use - if I have *physical* access, there is *no* security that can protect the computer.

      Now if you encrypt EVERY file on your box with a good key - that can slow people down a bit, but never stop them if they want the data. Let's see - we can boot off CD, we can remove hard disks and attach them to other computers... Nothing is impossible.

  133. No, you don't understand my implication by 2nd+Post! · · Score: 1

    I tried it with three screensavers.

    Only Folding@Home crashes.

    The other two did not; and this 'Any User Logs In' bug that was linked to, if you read the same post I did, has *nothing* to do with a buffer overflow. The thread *I* am reading says if you use *any* valid login, you can disable the screen saver.

    While I tried, I could not repeat this supposition.

  134. Re:Why? by TheAncientHacker · · Score: 1

    Because, 30 years ago, people decided to adopt the idiotic C language rather than any of the existing programming languages that knew what a string was...

    We've been paying for that mistake ever since.

  135. Riddle me this Batman! by 3770 · · Score: 1

    Riddle me this Batman, why is it an outrage when something like this happens in windows but when it happens in an alternate OS it is an overreaction.

    Is it possible that you (and many others here) have double standards?

    --
    The Internet is full. Go Away!!!
  136. 10.3 by catwh0re · · Score: 1

    I would be concerned.. if I used such silly security.. but if you are concerned: the 10.3 developer version rips up how users enter passwords for screen savers, awoken systems and so on. Chances are it's already been out-coded in the next version.

  137. This cant be happening... by t0ny · · Score: 0, Troll
    But, what's going on? I don't get it... they said Apple was so secure, that it was so much better.

    I put all my kiddie porn and recipes on my Apple; does this mean I have to move them again?

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

    1. Re:This cant be happening... by Anonymous Coward · · Score: 0

      Your sig fucking rocks.

  138. Scrupulous characters? by smcv · · Score: 1

    If you're only within reach of scrupulous characters, security isn't a concern. ("Scrupulous" = "having scruples"; "scruples" has a similar meaning to "morals" or "ethics")

    Of course, if there are any unscrupulous characters around, then you need to think about security.

  139. If you *really* want to see something scary... by Bones3D_mac · · Score: 1

    Use a password for a user/admin account in Mac OS X that is longer than 8 characters. Enable file sharing, then log into it from another system using either the first 8 characters only, or followed by random text. The host machine simply assumes the password is valid after only the first 8 characters match up.

    --


    8==8 Bones 8==8
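    Two comments in this thread (the reply about code that "only verified a fixed number of characters" and the 8-character file-sharing report just above) describe the same defect: a verifier that ignores everything after the eighth character, which is how the classic DES crypt(3) scheme behaved. The C below is an added example, not Apple's code, showing the truncating verifier beside a full-length one and a check a defender can run to detect truncation (does the first 8 characters plus junk get accepted?). A small FNV-1a hash is a constructed stand-in for crypt(3) so the demo needs no libcrypt; it is not a password-hashing recommendation.

```c
/* Added example (not from the page or from Apple): a verifier that only
 * looks at the first 8 characters, beside one that checks the full string,
 * plus a truncation check. FNV-1a is a constructed stand-in for the
 * classic DES crypt(3) so this runs without libcrypt. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRUNC_LEN 8     /* classic DES crypt(3) limit */

/* FNV-1a over at most `max` bytes of s (stops at NUL or max). */
static uint64_t fnv1a(const char *s, size_t max)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < max && s[i] != '\0'; i++) {
        h ^= (unsigned char)s[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Flawed scheme: only the first TRUNC_LEN bytes reach the hash, so any
 * password sharing those 8 bytes verifies. */
uint64_t enroll_truncated(const char *pw) { return fnv1a(pw, TRUNC_LEN); }
int verify_truncated(uint64_t stored, const char *candidate)
{
    return fnv1a(candidate, TRUNC_LEN) == stored;
}

/* Corrected scheme: the whole password is hashed, so a prefix or a
 * prefix-plus-junk produces a different value. */
uint64_t enroll_full(const char *pw) { return fnv1a(pw, SIZE_MAX); }
int verify_full(uint64_t stored, const char *candidate)
{
    return enroll_full(candidate) == stored;
}

/* Defender's check: does this verifier ignore the tail of the password?
 * Builds "<first 8 chars of real_pw><junk>" and returns 1 if it is accepted.
 * Needs a real password longer than TRUNC_LEN to be meaningful. */
int verifier_truncates(int (*verify)(uint64_t, const char *),
                       uint64_t stored, const char *real_pw)
{
    char probe[TRUNC_LEN + 16];
    if (strlen(real_pw) <= TRUNC_LEN) return 0;
    memcpy(probe, real_pw, TRUNC_LEN);
    strcpy(probe + TRUNC_LEN, "-junk-junk");   /* constructed tail */
    return verify(stored, probe);
}

int main(void)
{
    const char *pw = "correcthorsebattery";      /* constructed password */
    uint64_t t = enroll_truncated(pw), f = enroll_full(pw);
    printf("truncated verifier accepts prefix+junk: %d\n",
           verifier_truncates(verify_truncated, t, pw));
    printf("full verifier accepts prefix+junk:      %d\n",
           verifier_truncates(verify_full, f, pw));
    return 0;
}
```

    The same probe works against a live service without any code: log in with the first eight characters of a known password followed by random text. If that succeeds, the verifier is truncating and the extra length users think they have is not buying them anything.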
  140. OS X screensaver rarely works for me anyway by GrahamIX · · Score: 1

    Am I alone in the fact that the OS X screensaver password doesn't work at all anyway? Ever since I replaced my beige Windoze box with a lovely dual processor G4 at home, all it takes to get rid of the password prompt on the screensaver is to wiggle the mouse a bit.

    This is problematic as it means that I can't easily secure the machine when my cleaner/nosey friends come around, without turning it off or logging out. I've heard people mention third party apps to use instead, but I kind of think that Apple should be able to get something as simple as this right. My machine is running 10.2.6 and I have all the patches via Software Update - where am I going wrong?

    1. Re:OS X screensaver rarely works for me anyway by berniecase · · Score: 1

      You need to go to System -> Preferences -> Screen Effects -> Activation and select "Use my user account password" under "Password to use when waking the screen effect:"

      I also set the activation to Never, and then use a hot corner to activate the screen saver.

      Thanks to this exploit, all of this is useless, however.

  141. you asked for it by SHEENmaster · · Score: 1

    Emacs stands for Eight Megabytes and Constantly Swapping

    --
    You can't judge a book by the way it wears its hair.
  142. Encrypted Disk images and this exploit by Aram+Fingal · · Score: 1

    I tried the exploit with my screensaver and got right in. Fortunately, I usually keep confidential data on encrypted disk images. If you leave them mounted, they will re-lock when the machine sleeps.

    I also tried the exploit on the password dialog for an encrypted disk image and it did indeed crash but I did not get access to the volume. The dialog box remained up and could not be dismissed but the image mounter said that the filesystem could not be mounted because of an error of type -60008.

  143. Thanks, you demonstrated my point. by mindstrm · · Score: 1

    In that what you call something is arbitrary.
    You say "NetBSD and FreeBSD and OpenBSD kernels are similar" or "You only call it Linux because of the kernel".

    Yes, these are all true statements.. but unfortunately, it means more than that, at least to many of us out here.

    When someone describes a system as "BSD" I expect to find the bsd style tools I expect on a bsd system.. and that is FAR more important to me than the innards of the kernel I may never ever get to even see. There are many more real world implications of calling it BSD than the kernel.

    GUI is not OS, as you say. Couldn't agree more.

    If you don't want to call OSX BSD, that's fine.. I guess BSD has different meanings for you. It probably means "FreeBSD or NetBSD or OpenBSD.

    Personally, I have a problem calling FreeBSD BSD or OpenBSD BSD.. as none of them are actually BSD, they are derivations of it.

    If you think "Linux" Just means the kernel... well, sure, that's technically correct, I surely understand that... but when people talk about a "linux server" you know damn well they are talking about more than just the kernel.. the same goes for when people in general speak about bsd.

    Not everyone is a kernel developer.

    Recompilation doesn't bring a lot of issues; porting is rather easy. Does that make it simpler?

  144. Re:MOD UP!!! by Anonymous Coward · · Score: 0

    enough of this boning. You need to get some bonercoaster Oh! Oh! Priorities. Your cereal taste like mascara. And I don't think this is 1985, so that shit is not gonna fly.

    BTW, if you were born in 1085, this year you're legal. And if you're from mars and you have a pussy, I WILL FUCK YOU!

    |/\/AN|

    PS I can run two pussah

  145. Re:Why? by riko_at_anubics · · Score: 1

    Well.. I politely disagree...
    30 years ago you could use ASSEMBLY (but that would have been very bad) or C... Pascal sucks...
    Lisp is really good (I love it), it's string aware... there were also Lisp Machines and all that stuff...
    but dynamically resizing arrays (which is basically what needs to be done when dealing with strings) is time consuming. Today there is no problem, still old machines...
    Of course you can tell there were other programming languages...
    But considering C idiotic... well
    Using C is a very good way to understand how the machine works... and if you are skilled enough you understand which assembly code lies under C code...
    Think of C as a kind of structured assembly...
    and then... do you think you could develop an OS in Java??

    --
    I don't want to start any blasphemous rumors but I think that God's got a sick sense of humor. DM
  146. Tried it and it doesn't fail by Anonymous Coward · · Score: 1, Interesting

    I tested the exploit by copying/pasting blocks of text, and although the screensaver server failed momentarily, it came right back up and I had to enter my password to get to the Desktop.

    Seems to me this is not a universal hole (i.e. it might be something on certain people's machines).

  147. Doesn't work. by Anonymous Coward · · Score: 0

    I got the screensaver to crash--but it comes right back on!

    I've verified this on 2 other machines.

  148. Re:Why? by TheAncientHacker · · Score: 1

    Obviously you weren't around 30 years ago. For example, Pascal didn't exist. Perhaps you should look into the capabilities of PL/I (or PL/S or PL/AS for writing an OS) or ALGOL for examples that had been around a LONG time by then or SmallTalk-72 for an almost exactly 30 year old example.

    Handling all data as a byte stream is pretty stupid for a general purpose language. (C was made for reading telecom streams and it makes some sense for that limited use) Handling strings as "start reading a stream at fixed memory location and keep going until you hit the magic cookie" is flat out idiotic.

    I'd suggest reading the ACM's history of programming languages books to see what we lost by commonly accepting C just because it was cheap and easy to implement.
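    The string model the two preceding comments (145 and 148) argue over, shown as an added example that is not from any commenter in this thread: C's convention of scanning from a pointer until a NUL byte means the callee never knows how big the destination is, while a buffer that carries its own capacity can refuse input that does not fit. The field sizes and the oversized input are constructed for the demonstration; the `bstr` type and `field_set` helper are illustrative names, not any OS X or library API.

    ```c
    #include <stdbool.h>
    #include <stddef.h>
    #include <stdio.h>
    #include <string.h>

    /* A length-aware string: capacity travels with the data, so every
     * write can be checked against it instead of trusting a NUL scan. */
    typedef struct {
        char  *buf;   /* storage; kept NUL-terminated for interop with C APIs */
        size_t len;   /* bytes in use, excluding the NUL */
        size_t cap;   /* total storage bytes, including room for the NUL */
    } bstr;

    static void bstr_init(bstr *s, char *storage, size_t cap) {
        s->buf = storage;
        s->len = 0;
        s->cap = cap;
        if (cap) s->buf[0] = '\0';
    }

    /* Append n bytes. Returns false and leaves the string unchanged when
     * they would not fit: no overflow and no silent truncation either. */
    static bool bstr_append(bstr *s, const char *src, size_t n) {
        if (s->cap == 0 || n > s->cap - 1 - s->len) return false;
        memcpy(s->buf + s->len, src, n);
        s->len += n;
        s->buf[s->len] = '\0';
        return true;
    }

    /* Bounded replacement for strcpy into a fixed field: the caller passes
     * the destination capacity, and the source is never scanned past it. */
    static bool field_set(char *dst, size_t cap, const char *src) {
        size_t n = 0;
        while (n < cap && src[n] != '\0') n++;   /* like strnlen(src, cap) */
        if (n >= cap) return false;              /* no room for data + NUL */
        memcpy(dst, src, n);
        dst[n] = '\0';
        return true;
    }

    /* The plain C-string way, for contrast only: strcpy walks src until it
     * finds the NUL, however far past the end of dst that takes it. It is
     * never called with an oversized input here. */
    static void unchecked_copy(char *dst, const char *src) {
        strcpy(dst, src);
    }

    /* Constructed scenario: a 43-byte input typed into a 16-byte field.
     * The length-aware append rejects it; a short value is then accepted. */
    static size_t demo_append(void) {
        char field[16];
        bstr s;
        bstr_init(&s, field, sizeof field);
        const char *typed = "this input is longer than the 16 byte field";
        bool big = bstr_append(&s, typed, strlen(typed));  /* false */
        bool ok  = bstr_append(&s, "ok", 2);               /* true  */
        return (!big && ok) ? s.len : (size_t)-1;          /* 2 on success */
    }

    /* Self-check for field_set: an exact fit succeeds, one byte over is
     * refused and the previous contents survive. Returns 1 when all hold. */
    static int check_field_set(void) {
        char b[8];
        unchecked_copy(b, "seed");                          /* "seed" fits in 8 */
        if (!field_set(b, sizeof b, "1234567")) return 0;   /* 7 chars + NUL */
        if (strcmp(b, "1234567") != 0) return 0;
        if (field_set(b, sizeof b, "12345678")) return 0;   /* 8 chars: no NUL room */
        if (strcmp(b, "1234567") != 0) return 0;            /* unchanged */
        return 1;
    }

    int main(void) {
        printf("length-aware append kept %zu bytes\n", demo_append());
        printf("field_set checks %s\n", check_field_set() ? "pass" : "fail");
        return 0;
    }
    ```

    The point is not that C cannot do this, but that nothing in the `char *` convention forces it: every bound check in `bstr_append` and `field_set` is information the `strcpy` call simply does not receive.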

  149. This is a pain in the sphincter by Foxone · · Score: 2, Insightful

    You guys keep saying that since people have physical access they can reset the password anyway... that is not the issue. I have tons of apps that are open at the same time at work. (Photoshop, Quark, GoLive) GoLive is linked to more than 4 network servers mounted on the desktop. When I log in it takes more than 5 minutes to load all apps and files. I can't log off every time I go to grab some water or leave my desk for a meeting. Our webserver has more than 25 thousand pages and they all need to be loaded/parsed by GoLive on launch. What I need is to protect the machine from temporary access from co-workers/consultants etc. looking for personal/confidential stuff. They will not reset the password because that would raise eyebrows, what they need is stealth. This needs to be fixed very very quickly since logging out all the time is NOT an option for me.

  150. One little break, please by Lonesome+Squash · · Score: 1
    ...brain implants that let you tap into people's memories . . . it's not science fiction, it's science fact.

    Ooh, I'm all goose-pimply. I don't know about y'all, but when I see something like that in the first paragraph it takes a mighty effort of will to read the second.

    --
    Behold the riant ape! Beware, his crooked thumbs!
  151. circumvention by commodoresloat · · Score: 1

    Someone exploiting your system can always remove the RAM to reset OF. If hostile forces have physical access to your machine, they will be able to use it.

  152. Huh?? by commodoresloat · · Score: 1

    I don't even know what Apple Remote Desktop is, but when I want remote functionality to my OS X machine I use ssh, like I would with any other UNIX.

  153. Re:MOD UP!!! by Anonymous Coward · · Score: 0

    IF you were born in 1085, you are 918 years old, and I don't know what you have to be 918 to be legal for, but it must be dirty.