Slashdot Mirror
Screensaver Bug in Mac OS X
dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and postedon the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."
Is it always buffer overflows? :/
I was the one that posted about the address bar in Safari. I am using 10.2.6. This is a problem for ALL cocoa apps.
It'll probably be trivial for Apple to fix, though. So I'm just waiting for the patch to arrive.
*taps finger on desk*
A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.
I have no tag line
using 10.2.6 - not saying it's not a real bug, just can't get it to crash my screen-saver.
*** For a better tommorow, change your life today ***
First of all, the ctl-k ctl-y macros work in just about any Cocoa field. I pointed that out earlier on macslash. What I also pointed out was that this bug will crash just about every Cocoa app with a text field. I've crashed the login panel with it. It's not pretty. I really hope apple takes heed to this bug and fixes it at the core. Unfortunately the original bug report was.... well... not too elegantly written. We'll see what happens.
In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine. That way you prevent people from logging in using single user mode. Hit command+O+F during boot to get into open firmware, then type in password. After that type reset-all. You should be good to go. And don't forget the password or you will be totally screwed!
100% Crunchier
....that it's remotely exploitable.
Any machine you can get physical access to is insecure.
It shouldn't be that difficult to prove, though, if there's a cocoa-based network app where you could dump more than 2048 characters (Camino, perhaps?).
This is nothing to be upset about. Heck, windows users have had this feature since windows 95. 3-finger salute and end the screen saver task :)
:)
Security via screensavers should never be trusted. I'm not quite sure why its still being put in place. WindowsXP has a slightly better idea in that it will quick log you off if you ask it to... Of course gnome/kde stole that idea before MS was able to integrate it into XP/2k
Now, if this can be used as a buffer overflow attack as stated in the second link, that can be a problem. Not so much that a local user will overflow thier own system and gain local root, but the fact that this is the same throughout multiple cocoa apps shows the possibility of one of those being remotely exploitable.
Of course that's only for the 4 people running OSX as a server.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
Someone with physical access to your machine can access it!! WHO KNEW?! Call in the army reserve and physically secure access to all your machines!
This was fixed July 16, 2002. Old news. Move along.
(It wasn't even that bad of a vulnerability, as it required end-user cooperation to exploit and also excellent timing/sustained penetration of the target network (software update runs once a week by default-- you need to guess when to arpspoof/dnsspoof properly. Still, it's not a good thing, and Apple fixed it promptly).
It's no wonder why Apple didn't reply, look at the subject of the email sent to Apple: "forgot your screensaver password ?? Hackit anyway." Must have been Jeff K reporting the bug.
In other news, a similar bug has been an issue on the Mac OS X version of Folding@Home. The screen saver crashes when lock screen is activated, and it's been months since I first noticed it, and I've seen it mentioned on the Folding boards, and it still hasn't been fixed. I agree with some of the people on the Macslash forum: Don't rely on screen savers if you have truly sensitive data within in reach of scrupulous characters.
can hop up on the desk and crack OS X?
About a message containing:
Delfim Machado - dbcm@xpto.org
XPTO:: Portuguese OpenSource Community - http://lab.xpto.org
He's Portuguese. Could you have written that report as well in his language? I'm all for basic literacy, but I can speak English and a tiny bit of Spanish. I think anyone who can communicate in a language other than their native one is doing pretty well, even if the readers do have to struggle a bit.
I just pasted about 2.7MB of text into Safari's address bar, and it didn't crash at all. I pressed return, and it attempted to load the page; Squid aborted the connection but Safari's still trying to load it. I'm typing this in another Safari window. No problems. Process Viewer shows Safari is using 25% of my RAM.
This will probably make a pretty ugly entry in ~/Library/Safari/History.plist.
I also tried crashing the screen saver login window. It hung with the SPOD trying to manage that much data being pasted all at once, but it did not crash. After several minutes, I killed the processes remotely, but even killing the process did not return me to the desktop - I just got another login prompt, and was able to log in.
I'm running 10.2.6, the latest available version.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I saw this "exploit" on full-dis, where it started a rather large thread, given how silly this bug actually is (a screensaver breaker...ooooh now I'm quaking in my boots). I thought it was excessive that -anyone- responded to his thread, and now it got posted on /. ? What gives?
;)
Probably going to get modded down for troll, but I had to vent. Excuse me.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Any machine you can get physical access to is insecure.
Not all physical access is the same. Many demo machines in stores are left in screensaver mode, so that they show the computer is "doing something" without allowing users to write dirty messages in Notepad (or whatever Apple calls its version; I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"). It's easy to interact with the keyboard of a floor model, but it's often not feasible to turn off the machine and insert a boot disk, and it's definitely impossible to open the machine's case without getting caught, kicked out of the store, and possibly arrested for attempted vandalism.
Will I retire or break 10K?
If I am not mistaken, this was on Slashdot a while back. Apple was quick to correct this.
The only problem(an ironic one) is that they updated the flaw through Software Update =)
tilTrue.info contechtext.info prettypowerful.info twitter.com/frets fb.com/prosody
But in X at least on slackware when the screensaver is on I can Ctrl-Alt-F1 and Ctrl-X to kill X windows and get myself to prompt.
Unless you're using xdm/kdm/gdm, which will automatically start X without you logging into the console first. If you kill X, it'll just restart X for you, and give you a graphical login prompt.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Hah! I knew it! Mac OSX isn't based on Mach or BSD at all! It runs on top of emacs!
Actually, the thing that surprises me is that they managed to trim emacs down so it's only an operating system.
...you can probably just boot using a CD or external hard drive, which results in a much worse security problem, since it'll give you access to Mac OS 9. You can use that to trash the Mac OS X system, since you can destroy all the normally hidden files and not worry about permissions.
It doesn't seem to work for me.
You sure it's real? Have you verified it?
I'm running 10.2.6 on a 933MHz Quicksilver with SuperDrive
Tried entering another users's login and password at the screensaver prompt and could not get access.
When I used Folding@Home, however, I *could* crash the screensaver, and thus forcing the user back into the desktop, but that has nothing to do with the bug you're mentioning, but with the fact that Folding@Home crashes.
GPL Deconstructed
Okay now...Apple is swiftly closing the gap with Microsoft in the amount of holes it has.
Compare:
Microsoft
Apple
Notice how many of Apple's security holes are actually holes in things like Sendmail, BIND, Samba, Apache and CUPS, all of which are off by default, and affect Linux and FreeBSD as well.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I can't remember if ctrl-alt-del worked to bypass the screen saver in Win95 (though I doubt it), but I know it never worked in Win98. The more effective way to do it is to burn a CD with a simple program that kills the screen saver. Unless the user actively searched out and disabled autorun, which is a much bigger safety/security hole that comes enabled on all Windows systems, it works flawlessly.
Of course, as others have mentioned, if you've got physical access to a machine, it's insecure. While I'm thinking about it XP and 2k have autorun enabled by default; I wonder how they handle autorun security when the computer is locked.
It's been discovered that someone with physical access to your computer can access it.
My local computer store has password-protected screensavers on all its demo Macs - now I'll be able to surf the web for... ahem... "those" sites... when the store employees aren't looking!
---
Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
Personal computers and workstations make no attempt to be secure against physical access. I just changed two Mac OS X root passwords so I could create an account for myself on some pc's last week. I'm not a regular mac user, I just did a google search and found three or four ways to do it, the easiest was to just boot into single user mode, turn on the standard password authentication mechanism, and then type passwd... I've never met a Sun workstation that didn't give you fully fledged debug console at Meta-A.. Lilo lets you enter single user mode with just a kernel parameter to linux... You can overwrite the password files in Windows, etc.
You could encrypt the root filesystem, then on boot authenticate the machine (to make sure someone didn't just clone the startup to harvest your decryption key) and then enter the decryption key based on a one time response from the computer. That level of paranoia would justify caring about this "exploit." Even so someone could just install a sniffer inside the computer since our hardware is not hardened in the least.
I was able to reproduce it on my Powerbook. Here is the crash log.
/Users/jonathan/Library/Logs/CrashReporter/ScreenS averEngine.crash.log
2003-07-05 23:25:41.258 ScreenSaverEngine[9993] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0) Jul 6 00:10:42 localhost crashdump: Crash report written to:
-You may license this sig for only $6.99.
Was so immature, its no wonder it got ignored. :)
I would be surprised if the mail didnt get deleted after just looking at the subject of it
Seriously, people reporting security bugs need to start working on their english and sentence structure, and stop sounding like 10 years old script kiddies.
This requires "5 minutes" to hold down the key long enough. If one has access to a machine for 5 minutes then security doesn't matter. On any version of OS X one can simply launch up single-user mode when restarting and have Root access in under a minute.
Best. Webhost. Ever. Dreamhost.
New? The undated linked article appears describe a vulnerabilty that was promptly patched nearly a year ago.
The buffer exploit is a Quartz problem, and entirely local.
There is an X implementation for OSX - it runs on Quartz, like Exceed or CygX run on Win GDI. It may be possible to send events to Quartz via the Aplle X server - but this is not shipped by Apple as a production code, and won't be until Panther. That is several months and many bug-fixes away!
"Flyin' in just a sweet place,
Never been known to fail..."
Oh you dont want to change the password? well then boot in single user mode and you dont need one. Ta Da
Oh they left open firmware on?. open the case and remove one of the memory cards. reboot. ta da!
Some drink at the fountain of knowledge. Others just gargle.
that's how Mystique hacked into that government computer in Xmen 2 -- and I'm pretty sure that's how Jeff Goldblum hacked into the alien ship too - only we didn't know it at the time because os X was only released to celebrites at that time.
(and that's why he did those commercials too!)
cyberRodent
Talk is cheap. Supply exceeds demand.
It probably didn't work for you because you didn't type enough stuff. Go buy a drinking bird.
On any computer using OSX, it is possible to change the root password with 6 easy steps:
/"
Reboot the computer
Hold down appl ctrl + S
Type "mount -uw
"su" (it dosen't ask for a password)
"/sbin/systemstarter"
"passwd"
Just FYI Panther seems immune to this exploit.
Tried doing the procedure ~10 minutes in the Screen Saver and nothing happened. Then tried again in few other cocoa apps. Still nothing. Just worked like normal(for once this is a good thing).
My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.
And yes, I realize most people can't just upgrade to Panther yet to fix this rather major oversight on Apple's part.
Yea and I think that you should be able to use Exposé as a screensaver =)
tilTrue.info contechtext.info prettypowerful.info twitter.com/frets fb.com/prosody
I got drunk last night and passed out at the keyboard and came 'round *six hours later* - a lot longer than the 5 minutes needed for this "exploit" and I STILL couldn't get into my Mac OS X box.
Couldn't find any more beer, and I couldn't find my pants, either.. but that's another story.. grrr
You could always set an Open Firmware Password, if you're afraid of people rebooting your system to exploit it.
For the purposes of this post, I'll assume that we are including unix work alikes like Linux under the umbrella of Unix
/etc/inittab on any other Unix and comment out all of the lines that start virtual terminals except one, that doesn't stop it from being a Unix system, nor does it stop it being multiuser.
3 /c ocoa_history_one.htmlm /pub/a/mac/2002/05/10/c ocoa_history_two.html
I don't think you understand much about this subject. Mac OS X is a multi user system from the ground up, as much as any other Unix system, the only thing that is NOT multi user about it at the moment is the GUI.
If you go into
You are confused about what makes a system into a Unix system. The architecture of Mac OS X is a lot like every other Unix system (but for a few technical changes to abstract the OS from the hardware, and make it easier to write low level OS plugins, and binary device drivers) until you reach the GUI level.
If I take Linux or BSD or Solaris or HP/UX or AIX or Tru64 and put a GUI on it that is not the X Window System, it doesn't stop being a Unix machine.
It seems like you think Apple took Mac OS 9, stuck a Unix layer like Cygwin on top and are trying to call it a Unix system, This is not the case. If anything, compatibility with Mac OS 9 is the thing that is tacked on and "not supposed to be there".
If you want to read all about Mac OS X's history, so that you can fully understand it, and not seem like an idiotic troll when posting on the subject try reading something like these two O'Reilly articles on the history of Mac OS X.
http://www.macdevcenter.com/pub/a/mac/2002/05/0
http://www.macdevcenter.co
Anyway, rest assured that Apple didn't take their old OS and tack on new features to make it Unix, they took Unix, and tacked on new features to make it compatible with Mac OS.
This exploit requires physical access to the machine, and if you have physical access, it's a lot simpler to just kill the power, and reboot while holding command-S.
I haven't been able to reproduce it on my machine, but even assuming that the original report is completely accurate, it's still not a big deal.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Any host that can ask for a login window on the machine can then use the buffer overflow exploit to potentially pass executable code to the server, to be executed as root.
Time to check your Xaccess file and make sure it doesn't allow any remote hosts, whether by query or broadcast.
Dude, none of this pertains to Mac OS X. There is no way for any other host to "ask for a login window" on a mac OS X host.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."