Screensaver Bug in Mac OS X
dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and posted on the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."
I was the one that posted about the address bar in Safari. I am using 10.2.6. This is a problem for ALL cocoa apps.
It'll probably be trivial for Apple to fix, though. So I'm just waiting for the patch to arrive.
*taps finger on desk*
First of all, the ctl-k ctl-y macros work in just about any Cocoa field. I pointed that out earlier on macslash. What I also pointed out was that this bug will crash just about every Cocoa app with a text field. I've crashed the login panel with it. It's not pretty. I really hope Apple takes heed of this bug and fixes it at the core. Unfortunately the original bug report was.... well... not too elegantly written. We'll see what happens.
In the meantime security savvy users should log out rather than trust the screen saver, and use an Open Firmware password on their machine. That way you prevent people from logging in using single user mode. Hit command+O+F during boot to get into Open Firmware, then type in password. After that type reset-all. You should be good to go. And don't forget the password or you will be totally screwed!
100% Crunchier
Sub'ing as AC - so I get no karma bitching. Oh, and OT, but this idiot can't write a sentence; there's no doubt he discovered this after falling asleep on the keyboard. fucking kids these days. :)
:(
CB
-=-=-=-=-=-=-=-=-
[Full-Disclosure] MacOSX - crash screensaver locked with password and get the desktop back
Delfim Machado bipbip@xpto.org
04 Jul 2003 15:23:03 +0100
Hi all,
three days ago I discovered a security issue with the latest MacOSX.
There is a way to crash the screensaver locked with password and gain
the desktop.
How? - you ask.
I don't know the exact amount of characters, only that if you leave a
key pressed for 5 minutes or more and then hit the enter key, you crash
the screensaver and gain access to the desktop.
You can mess with the desktop and all around it (network, mail, docs,
anything you can imagine).
I think that this is a huge security hole and it must be corrected.
I hope that this is good for everyone who cares about "how to secure
your desktop".
Solution?
Wait until someone at Apple makes a patch and releases it...
Here is the mail that I've sent to Apple security people; they didn't
reply.
[cut]
Cheers
--
Delfim Machado - dbcm@xpto.org
XPTO:: Portuguese OpenSource Community - http://lab.xpto.org
Hmmm...go easy there cowboy, you may want to check the new root exploit for OS X before you post like this. Don't take this to be anti any OS, but ALL software has bugs.
Mike Cho
This was fixed July 16, 2002. Old news. Move along.
(It wasn't even that bad of a vulnerability, as it required end-user cooperation to exploit and also excellent timing/sustained penetration of the target network (software update runs once a week by default-- you need to guess when to arpspoof/dnsspoof properly. Still, it's not a good thing, and Apple fixed it promptly).
try ">console" at the login panel. no password.
write your own buffer overflow exploit
hooray! it's a sex wiki
Ditto. Not able to crash screen saver. 10.2.6 on a G4/400
You are standing in an open field west of a white house, with a boarded front door. There is a small mailbox here.
I just pasted about 2.7MB of text into Safari's address bar, and it didn't crash at all. I pressed return, and it attempted to load the page; Squid aborted the connection but Safari's still trying to load it. I'm typing this in another Safari window. No problems. Process Viewer shows Safari is using 25% of my RAM.
This will probably make a pretty ugly entry in ~/Library/Safari/History.plist.
I also tried crashing the screen saver login window. It hung with the SPOD trying to manage that much data being pasted all at once, but it did not crash. After several minutes, I killed the processes remotely, but even killing the process did not return me to the desktop - I just got another login prompt, and was able to log in.
I'm running 10.2.6, the latest available version.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
If this is a buffer overflow, in theory it could let you run any code (though you would have to type it, restricting the instructions you can use...).
Running code with the screensaver privileges is not very interesting, but isn't the loginwindow run as root?
Defeats openfirmware password protection...
Camino doesn't use Cocoa text field widgets. Otherwise, it would have spellchecking built-in, wouldn't it?
--"In dreams begin responsibilities" - Delmore Schwartz
I believe this to be the first "public" exploit of OS X, or any OS 9, in quite some time....
Apple Security Updates
There have been more than you think. Apple, however, does release patches fairly quickly, and many of the holes are in 3rd-party code (e.g. OpenSSL) which affects Linux users too.
But in X at least on slackware when the screensaver is on I can Ctrl-Alt-F1 and Ctrl-X to kill X windows and get myself to prompt.
Unless you're using xdm/kdm/gdm, which will automatically start X without you logging into the console first. If you kill X, it'll just restart X for you, and give you a graphical login prompt.
I didn't at first either, but did using the ctrl-a, ctrl-k, ctrl-y method others have described.
You say
There is MonitorerX Pro
It doesn't seem to work for me.
You sure it's real? Have you verified it?
I'm running 10.2.6 on a 933MHz Quicksilver with SuperDrive
Tried entering another user's login and password at the screensaver prompt and could not get access.
When I used Folding@Home, however, I *could* crash the screensaver, thus forcing the user back into the desktop, but that has nothing to do with the bug you're mentioning, only with the fact that Folding@Home crashes.
GPL Deconstructed
I can't remember if ctrl-alt-del worked to bypass the screen saver in Win95 (though I doubt it), but I know it never worked in Win98. The more effective way to do it is to burn a CD with a simple program that kills the screen saver. Unless the user actively searched out and disabled autorun, which is a much bigger safety/security hole that comes enabled on all Windows systems, it works flawlessly.
Of course, as others have mentioned, if you've got physical access to a machine, it's insecure. While I'm thinking about it XP and 2k have autorun enabled by default; I wonder how they handle autorun security when the computer is locked.
because I could just as easily reboot the machine and root it.
Not without the user knowing when they got back.
No, IIRC the last story on slashdot about a vulnerability was this one. The exploit it mentioned was an integer underflow vulnerability.
This message has been doubly encrypted with rot13 for enhanced security.
Personal computers and workstations make no attempt to be secure against physical access. I just changed two Mac OS X root passwords so I could create an account for myself on some pc's last week. I'm not a regular mac user, I just did a google search and found three or four ways to do it, the easiest was to just boot into single user mode, turn on the standard password authentication mechanism, and then type passwd... I've never met a Sun workstation that didn't give you fully fledged debug console at Meta-A.. Lilo lets you enter single user mode with just a kernel parameter to linux... You can overwrite the password files in Windows, etc.
You could encrypt the root filesystem, then on boot authenticate the machine (to make sure someone didn't just clone the startup to harvest your decryption key) and then enter the decryption key based on a one time response from the computer. That level of paranoia would justify caring about this "exploit." Even so someone could just install a sniffer inside the computer since our hardware is not hardened in the least.
I crashed both the login panel and the screensaver. I typed in some characters, ctrl-a/ctrl-k/ctrl-y, hold it down for a few seconds, then repeat the process. The text control fills up pretty quickly. Hit enter, and the application crashes.
For the login panel, it dropped me into console mode, but I wasn't logged in. Crashing the screensaver took me to the desktop. Not a big deal, in either case, but it could be a big deal with a different application.
Weird how some people can reproduce this and others can't. I have a PowerMac G4 (mirrored drive doors) running 10.2.6.
I was able to reproduce it on my Powerbook. Here is the crash log.
/Users/jonathan/Library/Logs/CrashReporter/ScreenSaverEngine.crash.log
2003-07-05 23:25:41.258 ScreenSaverEngine[9993] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)
Jul 6 00:10:42 localhost crashdump: Crash report written to:
-You may license this sig for only $6.99.
It's a feature!
/. reported a samba security hole about three months ago that I had patched about an hour before the article was even posted, thanks mainly to Mandrake's Security Update.
Seriously, all software produces exploits of some kind, even the beloved Linux and its considerably more stable cousin OpenBSD. The difference between an open source project like Linux or OpenBSD and more proprietary software like Cocoa and Windows is that more often than not if there's an exploit, the sooner it's discovered the sooner someone patches it, and as a result the sooner it gets fixed. I remember
Karma: Non-Heinous
New? The undated linked article appears to describe a vulnerability that was promptly patched nearly a year ago.
The buffer exploit is a Quartz problem, and entirely local.
There is an X implementation for OSX - it runs on Quartz, like Exceed or CygX run on Win GDI. It may be possible to send events to Quartz via the Apple X server - but this is not shipped by Apple as production code, and won't be until Panther. That is several months and many bug-fixes away!
"Flyin' in just a sweet place,
Never been known to fail..."
You gotta love the C programming language....
However, I believe that the Cocoa string class doesn't suffer from the classic buffer overflow problem. It may be this particular implementation of the password-enabled screen saver (and apps that use the same class) that suffer from this problem.
I just tested it on my G4 17" running 10.2.6.
It's verified.
Setting a lock password and starting the screensaver, when I move the mouse the authentication dialog pops up. I type some 'a' characters, select the text with shift-left, ctl-k it, then hold down ctl-y until the box stops scrolling.
Hit enter.
Screensaver crashes back to desktop; I never typed my real password at all.
I don't know why it didn't work for you, but you must have done it differently.
You could always set an Open Firmware Password, if you're afraid of people rebooting your system to exploit it.
This exploit requires physical access to the machine, and if you have physical access, it's a lot simpler to just kill the power, and reboot while holding command-S.
I haven't been able to reproduce it on my machine, but even assuming that the original report is completely accurate, it's still not a big deal.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Any host that can ask for a login window on the machine can then use the buffer overflow exploit to potentially pass executable code to the server, to be executed as root.
Time to check your Xaccess file and make sure it doesn't allow any remote hosts, whether by query or broadcast.
Dude, none of this pertains to Mac OS X. There is no way for any other host to "ask for a login window" on a mac OS X host.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Is it always buffer overflows?
Because it is easy to introduce such bugs in your program. And they are often easy to exploit. It has been claimed (I haven't seen any statistics though) that 50% of all security problems are buffer overflows. I think that next to buffer overflows, the most frequent class of security problems are caused by race conditions.
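As an added illustration of the point made above (this is example code written for this page, not Apple's or Cocoa's implementation, and the 64-byte field size is an assumption): a fixed-capacity text field modelled in C, with the unchecked copy that produces the classic overflow shown beside the bounded version that refuses input it cannot hold. The flood function plays the role of a held-down yank key, appending the same chunk until the field says no.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a text field with a fixed capacity. The size is an
 * assumption for illustration, not the real control's size. */
#define FIELD_CAPACITY 64

typedef struct {
    char   buf[FIELD_CAPACITY];
    size_t len;       /* bytes stored, excluding the terminating NUL */
    int    rejected;  /* appends refused because they would not fit */
} text_field;

void field_init(text_field *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->len = 0;
    f->rejected = 0;
}

/* The pattern behind the classic bug: caller data is copied into the fixed
 * array without comparing its length against the space left. Shown for
 * contrast only; it is never called here, because writing past the array
 * is undefined behaviour. */
void field_append_unchecked(text_field *f, const char *chunk) {
    strcpy(f->buf + f->len, chunk);   /* no bound on chunk length */
    f->len += strlen(chunk);
}

/* Hardened form: compute the room that remains (reserving the NUL), refuse
 * the whole chunk if it does not fit, and re-terminate after the copy.
 * Returns 1 when appended, 0 when refused. */
int field_append(text_field *f, const char *chunk) {
    size_t n = strlen(chunk);
    size_t room = FIELD_CAPACITY - 1 - f->len;
    if (n > room) {
        f->rejected++;
        return 0;
    }
    memcpy(f->buf + f->len, chunk, n);
    f->len += n;
    f->buf[f->len] = '\0';
    return 1;
}

/* Simulate a key held down: append the same chunk until the field refuses
 * it or max_repeats is reached. Returns the number of chunks accepted. */
int flood_field(text_field *f, const char *chunk, int max_repeats) {
    int accepted = 0;
    for (int i = 0; i < max_repeats; i++) {
        if (!field_append(f, chunk))
            break;
        accepted++;
    }
    return accepted;
}

/* The invariant a reviewer wants to hold after any sequence of appends:
 * the length stays below the capacity and the text is NUL-terminated
 * inside the array. */
int field_is_consistent(const text_field *f) {
    return f->len < FIELD_CAPACITY
        && f->buf[f->len] == '\0'
        && strlen(f->buf) == f->len;
}

/* Convenience wrapper: flood a fresh field with a 10-byte chunk and report
 * how many chunks fit (6 for a 64-byte field). */
int demo_accepted_chunks(void) {
    text_field f;
    field_init(&f);
    return flood_field(&f, "aaaaaaaaaa", 1000);
}

int main(void) {
    text_field f;
    field_init(&f);
    int accepted = flood_field(&f, "aaaaaaaaaa", 1000);
    printf("accepted %d chunks, refused %d, len=%zu, consistent=%d\n",
           accepted, f.rejected, f.len, field_is_consistent(&f));
    return 0;
}
```

The interesting property is not that the bounded version truncates, but that it refuses: a field that silently drops bytes can still hand the caller a string that differs from what the user typed, whereas a refused append leaves both the buffer and the length in a state the rest of the program can reason about.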
Do you care about the security of your wireless mouse?
OMG, this thing actually works.. I am taking summer school classes and got saturday detention for cutting one of my classes earlier in the week. I tried the sploit at school on the macs there BEHOLD it freakin' works!!!
.. Ohh, sweet.
It works in ANY of the OSX apps I tried. My school has some security software installed to prevent us from running anything other than IE and some mail program for the school's e-mail. Now I can get access to play games (I'm bringing my Diablo CDs monday)... In fact.. It might even work as a way to gain access to the teachers' grading software
It's rather easier just to boot from the installer CD and select "change password" from the Installer menu. Change an admin's password, and away you go...
- Oliver
The right to bear arms is only slightly less stupid than the right to arm bears...
Indeed -- it's nice being able to move the cursor around using Ctrl-P/N/F/B/A/E in any text form... I can do it while typing a Slashdot post, typing an email, etc. etc...
There are some apps that don't properly handle these key combos (the iApps and Office X seem to all ignore them), but I think this is because they are using a slightly different part of OS X (perhaps Carbon instead of Cocoa)... The nice part about Office X though is that you can reconfigure the key combos so that they do work -- it just takes time to do it.
Slashdot's first reaction to VMware
I wonder if you can nuke an OF password with the pram-clear spock pinch...
Yes, you can do this. Change the amount of RAM in the system (either add or remove a RAM chip) and then clear the pram. Bingo... no OF passwd.