Slashdot Mirror
Screensaver Bug in Mac OS X
dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and postedon the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."
Is it always buffer overflows? :/
I was the one that posted about the address bar in Safari. I am using 10.2.6. This is a problem for ALL cocoa apps.
It'll probably be trivial for Apple to fix, though. So I'm just waiting for the patch to arrive.
*taps finger on desk*
A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.
I have no tag line
using 10.2.6 - not saying it's not a real bug, just can't get it to crash my screen-saver.
*** For a better tommorow, change your life today ***
Does this mean when all the script kiddies have their defacing party OSX will be worth less than 5 points?
-=LaptopZZ=-
First of all, the ctl-k ctl-y macros work in just about any Cocoa field. I pointed that out earlier on macslash. What I also pointed out was that this bug will crash just about every Cocoa app with a text field. I've crashed the login panel with it. It's not pretty. I really hope apple takes heed to this bug and fixes it at the core. Unfortunately the original bug report was.... well... not too elegantly written. We'll see what happens.
In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine. That way you prevent people from logging in using single user mode. Hit command+O+F during boot to get into open firmware, then type in password. After that type reset-all. You should be good to go. And don't forget the password or you will be totally screwed!
100% Crunchier
log out!
Today meaning July 4th at 3:00 pm, this bug made its rounds on every major vulnerabilty database before slashdot even posted it... Why doesn't slashdot get its own vuln db? Or maybe a link to bugtraq: http://www.securityfocus.com/archive/1
then we wouldn't have to get our vulnerabilty news a day late and a dollar short.
Wow, a bug, who would have guessed software has bugs, oh, the horror.
It's only news becasue OS X doesn't have heaps of bugs like everything else.
I'd paste the list of current problems with glibc, but I only have DSL and it would take too long.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
I don't see what the big deal with this is. It's not like Apple hasen't released other security patches to OSX. Or are we "forgiving" them for stuff that is found in the non Apple specific parts (e.g. sendmail), if so, why should we, they ship it, they charge for it, right? Anyone out there honestly believe that there aren't a whole host of other issues just waiting to be found?
....that it's remotely exploitable.
Any machine you can get physical access to is insecure.
It shouldn't be that difficult to prove, though, if there's a cocoa-based network app where you could dump more than 2048 characters (Camino, perhaps?).
This is nothing to be upset about. Heck, windows users have had this feature since windows 95. 3-finger salute and end the screen saver task :)
:)
Security via screensavers should never be trusted. I'm not quite sure why its still being put in place. WindowsXP has a slightly better idea in that it will quick log you off if you ask it to... Of course gnome/kde stole that idea before MS was able to integrate it into XP/2k
Now, if this can be used as a buffer overflow attack as stated in the second link, that can be a problem. Not so much that a local user will overflow thier own system and gain local root, but the fact that this is the same throughout multiple cocoa apps shows the possibility of one of those being remotely exploitable.
Of course that's only for the 4 people running OSX as a server.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
and was able to crashed it, dropping me into the desktop, now I've tried it too on the Log-in and was able to crash it, sending me into a full Darwin/BSD console, you'll have to login again for you to be able to access the console though ... but full screen console Mac ... this you've gotta see. w007!!!!
I'm not trying to blast Apple in particular here or anything, but it seems that all companies have had a poor record lately responding to security holes pointed out by email users. Recall the Microsoft Passport security vulnerability.
Granted, I would guess that the email volume these receive claiming discovery of new exploits is daunting, but doesn't this deserve top priority for response?
Well, to be fair Debian Linux suffers from the same problem. Trusted update is a more difficult problem than solving some buffer overrun in xlock or whatever.
Someone with physical access to your machine can access it!! WHO KNEW?! Call in the army reserve and physically secure access to all your machines!
This was fixed July 16, 2002. Old news. Move along.
(It wasn't even that bad of a vulnerability, as it required end-user cooperation to exploit and also excellent timing/sustained penetration of the target network (software update runs once a week by default-- you need to guess when to arpspoof/dnsspoof properly. Still, it's not a good thing, and Apple fixed it promptly).
If you have access to any machine, you can override security. Can anyone say, "boot up with a cd-rom"? I thought you could. These are the droids you are looking for, move along... move along...
It's no wonder why Apple didn't reply, look at the subject of the email sent to Apple: "forgot your screensaver password ?? Hackit anyway." Must have been Jeff K reporting the bug.
In other news, a similar bug has been an issue on the Mac OS X version of Folding@Home. The screen saver crashes when lock screen is activated, and it's been months since I first noticed it, and I've seen it mentioned on the Folding boards, and it still hasn't been fixed. I agree with some of the people on the Macslash forum: Don't rely on screen savers if you have truly sensitive data within in reach of scrupulous characters.
can hop up on the desk and crack OS X?
Wintel fanboys/Apple haters who are having your fun because (finally!) there's a security hole in Mac OS X, take note: This bug requires PHYSICAL ACCESS TO THE COMPUTER to exploit. Compared to the network security holes Windows is famous for Nimda, Code Red, IE-buffer-overflow-of-the-week, this bug is about a serious as a typo in a dialog box.
About a message containing:
Delfim Machado - dbcm@xpto.org
XPTO:: Portuguese OpenSource Community - http://lab.xpto.org
He's Portuguese. Could you have written that report as well in his language? I'm all for basic literacy, but I can speak English and a tiny bit of Spanish. I think anyone who can communicate in a language other than their native one is doing pretty well, even if the readers do have to struggle a bit.
It's always found this mildly annoying but since I've never had that much to protect and the people around me really arent that smart anyway I haven't gone in search of the fix.
But in X at least on slackware when the screensaver is on I can Ctrl-Alt-F1 and Ctrl-X to kill X windows and get myself to prompt.
I just pasted about 2.7MB of text into Safari's address bar, and it didn't crash at all. I pressed return, and it attempted to load the page; Squid aborted the connection but Safari's still trying to load it. I'm typing this in another Safari window. No problems. Process Viewer shows Safari is using 25% of my RAM.
This will probably make a pretty ugly entry in ~/Library/Safari/History.plist.
I also tried crashing the screen saver login window. It hung with the SPOD trying to manage that much data being pasted all at once, but it did not crash. After several minutes, I killed the processes remotely, but even killing the process did not return me to the desktop - I just got another login prompt, and was able to log in.
I'm running 10.2.6, the latest available version.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
If this is a buffer overflow, in theory it could let you run any code (though you would have to type it, restricting the instructions you can use...).
Running code with the screensaver privileges is not very interesting, but isn't the loginwindow runned as root ?
Defeats openfirmware password protection...
It sounds as if all you need to do I type in enough charaters in to the imput field fast enough, and bamm the screensaver or whatever app "crashes" and now you're as the desktop or in single user mode. I thought a true buffer overflow attack was something different than this.
||| I still can't believe Parkay's not butter.
I saw this "exploit" on full-dis, where it started a rather large thread, given how silly this bug actually is (a screensaver breaker...ooooh now I'm quaking in my boots). I thought it was excessive that -anyone- responded to his thread, and now it got posted on /. ? What gives?
;)
Probably going to get modded down for troll, but I had to vent. Excuse me.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Any machine you can get physical access to is insecure.
Not all physical access is the same. Many demo machines in stores are left in screensaver mode, so that they show the computer is "doing something" without allowing users to write dirty messages in Notepad (or whatever Apple calls its version; I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"). It's easy to interact with the keyboard of a floor model, but it's often not feasible to turn off the machine and insert a boot disk, and it's definitely impossible to open the machine's case without getting caught, kicked out of the store, and possibly arrested for attempted vandalism.
Will I retire or break 10K?
I believe this to be the first "public" exploit of OS X, or any OS 9, in quite some time....
Apple Security Updates
There have been more than you think. Apple, however, does release patches fairly quickly, and many of the holes are in 3rd-party code (e.g. OpenSSL) which affects Linux users too.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
If I am not mistaken, this was on Slashdot a while back. Apple was quick to correct this.
The only problem(an ironic one) is that they updated the flaw through Software Update =)
tilTrue.info contechtext.info prettypowerful.info twitter.com/frets fb.com/prosody
Hah! I knew it! Mac OSX isn't based on Mach or BSD at all! It runs on top of emacs!
Actually, the thing that surprises me is that they managed to trim emacs down so it's only an operating system.
...you can probably just boot using a CD or external hard drive, which results in a much worse security problem, since it'll give you access to Mac OS 9. You can use that to trash the Mac OS X system, since you can destroy all the normally hidden files and not worry about permissions.
There is MonitorerX Pro
It doesn't seem to work for me.
You sure it's real? Have you verified it?
I'm running 10.2.6 on a 933MHz Quicksilver with SuperDrive
Tried entering another users's login and password at the screensaver prompt and could not get access.
When I used Folding@Home, however, I *could* crash the screensaver, and thus forcing the user back into the desktop, but that has nothing to do with the bug you're mentioning, but with the fact that Folding@Home crashes.
GPL Deconstructed
Okay now...Apple is swiftly closing the gap with Microsoft in the amount of holes it has.
Compare:
Microsoft
Apple
Notice how many of Apple's security holes are actually holes in things like Sendmail, BIND, Samba, Apache and CUPS, all of which are off by default, and affect Linux and FreeBSD as well.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
It's a screensaver. It's not a lock-out mode. Hopefully, though, the new switch-user thingie in Panther will be what you're all thinking the screensaver is.
I can't remember if ctrl-alt-del worked to bypass the screen saver in Win95 (though I doubt it), but I know it never worked in Win98. The more effective way to do it is to burn a CD with a simple program that kills the screen saver. Unless the user actively searched out and disabled autorun, which is a much bigger safety/security hole that comes enabled on all Windows systems, it works flawlessly.
Of course, as others have mentioned, if you've got physical access to a machine, it's insecure. While I'm thinking about it XP and 2k have autorun enabled by default; I wonder how they handle autorun security when the computer is locked.
It's been discovered that someone with physical access to your computer can access it.
My local computer store has password-protected screensavers on all its demo Macs - now I'll be able to surf the web for... ahem... "those" sites... when the store employees aren't looking!
---
Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
Personal computers and workstations make no attempt to be secure against physical access. I just changed two Mac OS X root passwords so I could create an account for myself on some pc's last week. I'm not a regular mac user, I just did a google search and found three or four ways to do it, the easiest was to just boot into single user mode, turn on the standard password authentication mechanism, and then type passwd... I've never met a Sun workstation that didn't give you fully fledged debug console at Meta-A.. Lilo lets you enter single user mode with just a kernel parameter to linux... You can overwrite the password files in Windows, etc.
You could encrypt the root filesystem, then on boot authenticate the machine (to make sure someone didn't just clone the startup to harvest your decryption key) and then enter the decryption key based on a one time response from the computer. That level of paranoia would justify caring about this "exploit." Even so someone could just install a sniffer inside the computer since our hardware is not hardened in the least.
I crashed both the login panel and the screensaver. I typed in some characters, ctrl-a/ctrl-k/ctrl-y, hold it down for a few seconds, then repeat the process. The text control fills up pretty quickly. Hit enter, and the application crashes.
For the login panel, it dropped me into console mode, but I wasn't logged in. Crashing the screensaver took me to the desktop. Not a big deal, in either case, but it could be a big deal with a different application.
Weird how some people can reproduce this and others can't. I have a PowerMac G4 (mirrored drive doors) running 10.2.6.
Mortal enemy of the Mastodon!
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I was able to reproduce it on my Powerbook. Here is the crash log.
/Users/jonathan/Library/Logs/CrashReporter/ScreenS averEngine.crash.log
2003-07-05 23:25:41.258 ScreenSaverEngine[9993] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0) Jul 6 00:10:42 localhost crashdump: Crash report written to:
-You may license this sig for only $6.99.
Oh, and OT, but this idiot can't write a sentance, there's no doubt he discovered this after falling asleep on the keyboard.
Once again, our intrepid hero, known to his legions of fans as "Slashdot Grammar Nazi", fails to check his own grammar and spelling as he ruthlessly tears apart another post for...poor grammar and spelling.
Was so immature, its no wonder it got ignored. :)
I would be surprised if the mail didnt get deleted after just looking at the subject of it
Seriously, people reporting security bugs need to start working on their english and sentence structure, and stop sounding like 10 years old script kiddies.
It's a feature!
/. reported a samba security hole about three months ago that I had patched about an hour before the article was even posted, thanks mainly to Mandrake's Security Update.
Seriously, all software produces exploits of some kind, even the beloved Linux and its considerably more stable cousin OpenBSD. The difference between an open source project like Linux or OpenBSD and more proprietary software like Cocoa and Windows is that more often than not if there's an exploit, the sooner it's discovered the sooner someone patches it, and as a result the sooner it gets fixed. I remember
Karma: Non-Heinous
This requires "5 minutes" to hold down the key long enough. If one has access to a machine for 5 minutes then security doesn't matter. On any version of OS X one can simply launch up single-user mode when restarting and have Root access in under a minute.
Best. Webhost. Ever. Dreamhost.
The buffer exploit is a Quartz problem, and entirely local.
There is an X implementation for OSX - it runs on Quartz, like Exceed or CygX run on Win GDI. It may be possible to send events to Quartz via the Aplle X server - but this is not shipped by Apple as a production code, and won't be until Panther. That is several months and many bug-fixes away!
"Flyin' in just a sweet place,
Never been known to fail..."
Oh you dont want to change the password? well then boot in single user mode and you dont need one. Ta Da
Oh they left open firmware on?. open the case and remove one of the memory cards. reboot. ta da!
Some drink at the fountain of knowledge. Others just gargle.
that's how Mystique hacked into that government computer in Xmen 2 -- and I'm pretty sure that's how Jeff Goldblum hacked into the alien ship too - only we didn't know it at the time because os X was only released to celebrites at that time.
(and that's why he did those commercials too!)
cyberRodent
Talk is cheap. Supply exceeds demand.
It probably didn't work for you because you didn't type enough stuff. Go buy a drinking bird.
On any computer using OSX, it is possible to change the root password with 6 easy steps:
/"
Reboot the computer
Hold down appl ctrl + S
Type "mount -uw
"su" (it dosen't ask for a password)
"/sbin/systemstarter"
"passwd"
Just FYI Panther seems immune to this exploit.
Tried doing the procedure ~10 minutes in the Screen Saver and nothing happened. Then tried again in few other cocoa apps. Still nothing. Just worked like normal(for once this is a good thing).
My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.
And yes, I realize most people can't just upgrade to Panther yet to fix this rather major oversight on Apple's part.
Yea and I think that you should be able to use Exposé as a screensaver =)
tilTrue.info contechtext.info prettypowerful.info twitter.com/frets fb.com/prosody
Kernel? No, that would be Mach. FreeBSD 4.4 is the reference platform for the rest of the command line environment, however.
Yeah, four years ago when the "Yellow Box" environment was renamed that I thought it was funny for maybe a day or two.
Right, because, you know, OS X uses X11 as its windowing system and to log in users.
I almost forgot.
STFU, n00b. You're way out of your league on this one.
OMG OMG LUNIX OMG
But everytime I try and type it into my Mac Steves head fills my 23" cinema display and tells me I need to listen closer to the next keynote. I think it's a security feature.
People who bite the hand that feeds them usually lick the boot that kicks them
I got drunk last night and passed out at the keyboard and came 'round *six hours later* - a lot longer than the 5 minutes needed for this "exploit" and I STILL couldn't get into my Mac OS X box.
Couldn't find any more beer, and I couldn't find my pants, either.. but that's another story.. grrr
You could always set an Open Firmware Password, if you're afraid of people rebooting your system to exploit it.
This exploit requires physical access to the machine, and if you have physical access, it's a lot simpler to just kill the power, and reboot while holding command-S.
I haven't been able to reproduce it on my machine, but even assuming that the original report is completely accurate, it's still not a big deal.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Any host that can ask for a login window on the machine can then use the buffer overflow exploit to potentially pass executable code to the server, to be executed as root.
Time to check your Xaccess file and make sure it doesn't allow any remote hosts, whether by query or broadcast.
Dude, none of this pertains to Mac OS X. There is no way for any other host to "ask for a login window" on a mac OS X host.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Invest in a safe. The only way to properly control access to a computer is to airgap it, lock it in a container, then post several rabid animals to guard the container. Even then, this is no guarantee, but the annoyance factor should be high enough to protect grandma's secret cookie recipe.
Weapons of Mass Analysis
You guys keep saying that since people have physical access they can rest the password anyway... that is not the issue. I have tons of apps that are open at the same time at work. (Photoshop, quark, Golive) Golive is linked to more than 4 network servers mounted on the desktop. When I log in it takes more than 5 minutes to load all apps and files. I can t log off everytime I go to grab some water or leave my desk for a meeting. Our webserver has more than 25 thousand pages and they all need to be loaded/parsed by Golive on launch. What I need is to protect the machine from temporary access from co-workers/consultants etc. looking for personal/confidential stuff. They will not reset the password because that would raise eyebrows, what they need is stealth. This needs to be fixed very very quickly since login out all the time is NOT an option for me.