ehenning writes "SecuriTeam has posted a paper on some known vulnerabilities in Mac OS X. It lists methods for developing shellcode based on the PowerPC architecture. They note that there are similar vulnerabilities in Mac OS X and Darwin as in IA32 machines."
No actual security issues here, just "shellcode" -- compiled assembly -- to do things like print messages, run /bin/sh, or reboot the machine. Unimpressive.
--
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
Re:Boooring...
by
andfarm
·
· Score: 2, Informative
Nope. Not unless apache/ftpd/sshd runs as root. (Though, admittedly, sshd does... then again, it's been a while since the last exploitable hole there.) And anyway, anybody could put these bits of "shellcode" together with gcc and 5 minutes -- myself included.
--
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
Re:Boooring...
by
gabebear
·
· Score: 2, Informative
actually this won't let you elevate your privileges, it will let you start bash or anything else as root if you can get this to execute from a buffer overflow from a program that ALREADY is running as root.
The easiest way to get bash/tcsh running as root is to type "sudo su root" and then type your password, then if you want to change root's password you can type "passwd" and voilà. This also works on other UNIXes that let you use sudo to execute anything.
The paper isn't talking about specific OSX vulnerabilities. It is just an exploration of writing shellcode for the Darwin OS on the PPC architecture, which hasn't gotten much coverage up 'til now.
So far, we OSX users have been able to rely on security via obscurity. Thanks to fink etc. we have the same vulnerabilities as other unix software, but the stock exploits (which are all sun/x86 targeted) just bounce off. B-root took the time to figure out some of the more fun snafus of PPC shellcode (lots of NULs due to the 32-bit aligned instructions, mainly).
Because when there's an exploit out that lets you 'run code as root', they're usually talking about shellcode. Feed it this and you get a rootshell.
-- Pain lasts, kid. It's how you know you're alive.
Sometimes I think this growing up thing is just pain management. -TheMaxx
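The NUL-byte snafu the comment above refers to is easy to see by encoding a couple of PowerPC instructions and counting the zero bytes. The C program below is an added example for this thread, not code from the SecuriTeam paper or from B-root; the encoder functions follow the published PowerPC instruction formats for addi, xor and sc, and the two-word "zero r3, then sc" fragment it analyses is a constructed sample, not shellcode taken from the paper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every PowerPC instruction is a 32-bit word, so any field that happens to be
 * zero (a zero immediate, register r0, reserved bits) lands in the shellcode
 * as a literal 0x00 byte. These three encoders follow the PowerPC ISA formats. */

/* addi rD, rA, SIMM  (primary opcode 14). "li rD, SIMM" is addi with rA = 0. */
static uint32_t ppc_addi(unsigned rd, unsigned ra, int16_t simm)
{
    return (14u << 26) | ((rd & 31u) << 21) | ((ra & 31u) << 16) | (uint16_t)simm;
}

/* xor rA, rS, rB  (primary opcode 31, extended opcode 316). */
static uint32_t ppc_xor(unsigned ra, unsigned rs, unsigned rb)
{
    return (31u << 26) | ((rs & 31u) << 21) | ((ra & 31u) << 16)
         | ((rb & 31u) << 11) | (316u << 1);
}

/* sc  (primary opcode 17, bit 30 set): the system-call instruction. */
static uint32_t ppc_sc(void)
{
    return (17u << 26) | 2u;
}

/* Count NUL bytes over instruction words as they sit in memory on a
 * big-endian PowerPC. Byte offsets of the NULs are written to `offsets`
 * (at most `max_offsets` of them); the return value is the full count. */
static size_t count_nul_bytes(const uint32_t *words, size_t nwords,
                              size_t *offsets, size_t max_offsets)
{
    size_t count = 0;
    for (size_t i = 0; i < nwords; i++) {
        for (int shift = 24; shift >= 0; shift -= 8) {
            if ((uint8_t)(words[i] >> shift) == 0) {
                if (count < max_offsets)
                    offsets[count] = i * 4 + (size_t)(3 - shift / 8);
                count++;
            }
        }
    }
    return count;
}

/* Constructed sample fragment: "zero r3, then sc". With use_xor == 0 the
 * zeroing is li r3,0 (zero immediate field); otherwise it is xor r3,r3,r3,
 * whose fields are all non-zero. Returns the NUL-byte count of the fragment. */
static size_t fragment_nul_count(int use_xor)
{
    uint32_t frag[2];
    size_t offsets[8];
    frag[0] = use_xor ? ppc_xor(3, 3, 3) : ppc_addi(3, 0, 0);
    frag[1] = ppc_sc();
    return count_nul_bytes(frag, 2, offsets, 8);
}

int main(void)
{
    uint32_t frag[2] = { ppc_addi(3, 0, 0), ppc_sc() };
    size_t offsets[8];
    size_t n = count_nul_bytes(frag, 2, offsets, 8);

    printf("li r3,0 ; sc       = %08x %08x -> %zu NUL byte(s) at offset(s):",
           (unsigned)frag[0], (unsigned)frag[1], n);
    for (size_t i = 0; i < n; i++)
        printf(" %zu", offsets[i]);
    printf("\nxor r3,r3,r3 ; sc  = %08x %08x -> %zu NUL byte(s)\n",
           (unsigned)ppc_xor(3, 3, 3), (unsigned)ppc_sc(), fragment_nul_count(1));
    return 0;
}
```

li r3,0 is an addi with rA = 0 and a zero immediate, so its low 16 bits are zero and it serialises as 38 60 00 00; xor r3,r3,r3 does the same job with every field non-zero (7c 63 1a 78). The sc word (44 00 00 02) still carries two NULs of its own, which is exactly the kind of snafu the comment is talking about; the checker reports byte offsets so you know which words still need work before the shellcode can pass through a string-copying bug.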
I don't see why this made Slashdot
by
ZackSchil
·
· Score: 5, Informative
I guess Slashdot is just about as sensationalist as your average Dateline or 20/20. The truth of the matter is as follows for all of you who read the article but still didn't get it.
The document contained bits of assembly code that do all sorts of nasty things once slipped into a system. The code could elevate privileges, start/stop processes, or reboot the machine. It's scary stuff but nothing you should be alarmed or surprised about. Anyone could harm a machine by writing code, that part isn't difficult at all. I could make an Applescript that wipes out your home directory or masks itself as another application, asks for an admin password, then proceeds to wipe your whole HD and overwrite it with ASCII garbage. Creating malware isn't the problem at all. Do you follow me?
What this guy did was create malware that could be slipped into a system remotely through another security exploit, a buffer overflow for example (a buffer overflow is the same type of bug that caused that whole OS X screensaver crashing nonsense a while back that was promptly fixed by Apple). The reason the article is not a reason for concern is that there isn't currently a well-known exploit of this nature for someone to use the code featured in this article. The same "security flaws" exist in almost any modern computer system. The thing is, the code isn't the security flaw, an exploit that allows the code would be. The article names no such new exploit.
Re:Am I missing something?
by
Anonymous Coward
·
· Score: 1, Informative
Yes, you are missing something, probably because the synopsis wasn't exactly clear on it.
What the author covers in this document is how to leverage buffer overflows on the PowerPC architecture. Sort of a "see, you can do this on PowerPC too".
Surely, no self-respecting geek presumed that buffer overflow exploits on OS X were not possible, but this is the first proof that they do exist.
So what's the big deal about this news? Well consider that I could go and write a version of "Safari Enabler" which does little more than trojan as a utility that turns on the Safari debug menu. During installation, I require that you provide your admin password.
I use those escalated privileges to install this program as setuid root. Maybe even by accident.
Then some other clever person, who finds this root-owned, suid program (developed by some perhaps naive Carbon developer who does not know what suid means?) on your computer, uses these simple exploits to convert the time you typed your admin password to install the trojan to get full-blown root on your OS X box.
At the risk of repeating myself, this document simply illustrates that OS X users are not immune to buffer overflow attacks, and that it is good advice to get a full accounting of all setuid-root apps on your system and be certain to ensure that they actually need suid(0) and that if they do, they don't have any buffer overflows.
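The "full accounting of all setuid-root apps" the post recommends comes down to a directory walk that checks two things per regular file: the set-user-ID bit and owner uid 0. The C program below is an added example written for this page, not a tool from the paper or from Apple; it walks a tree without following symlinks and lists every setuid-root regular file it finds. The start directory, the 4096-byte path buffer and the recursion limit are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef S_ISUID
#define S_ISUID 04000   /* set-user-ID bit; this value is universal on Unix */
#endif

#define PATH_BUF  4096  /* assumed path limit for this example */
#define MAX_DEPTH 64    /* assumed recursion limit */

/* A file is a setuid-root binary when its set-user-ID bit is on AND its
 * owner is uid 0. A setuid bit on a file owned by an ordinary user only
 * grants that user's identity, so it is not flagged here. */
static int is_setuid_root(mode_t mode, uid_t uid)
{
    return (mode & S_ISUID) != 0 && uid == 0;
}

/* Recursive walk. lstat() is used so symlinks are neither followed nor
 * counted; unreadable directories are skipped rather than aborting the
 * audit. Returns the number of setuid-root regular files found below dir. */
static long walk(const char *dir, int depth)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return 0;

    size_t len = strlen(dir);
    const char *sep = (len > 0 && dir[len - 1] == '/') ? "" : "/";
    long found = 0;
    struct dirent *ent;
    struct stat sb;
    char path[PATH_BUF];

    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        if (snprintf(path, sizeof path, "%s%s%s", dir, sep, ent->d_name) >= (int)sizeof path)
            continue;                       /* path too long for the buffer: skip */
        if (lstat(path, &sb) != 0)
            continue;                       /* vanished or unreadable: skip */

        if (S_ISDIR(sb.st_mode)) {
            if (depth < MAX_DEPTH)
                found += walk(path, depth + 1);
        } else if (S_ISREG(sb.st_mode) && is_setuid_root(sb.st_mode, sb.st_uid)) {
            printf("setuid root: %s (mode %04o)\n", path, (unsigned)(sb.st_mode & 07777));
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Returns the number of setuid-root regular files under root, or -1 if
 * root is not a directory that can be opened. */
static long audit_setuid_root(const char *root)
{
    DIR *probe = opendir(root);
    if (probe == NULL)
        return -1;
    closedir(probe);
    return walk(root, 0);
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/";
    long n = audit_setuid_root(root);
    if (n < 0) {
        perror(root);
        return 1;
    }
    printf("%ld setuid-root file(s) under %s\n", n, root);
    return 0;
}
```

Run it as ./suidaudit / (or a narrower prefix such as /Applications) and compare the list against what you expect to be there; anything you cannot account for, in particular a third-party utility that was installed with an admin password, is the case the post describes. The same accounting can be done with find(1): find / -perm -4000 -user root -type f. Directories the current user cannot read are skipped silently, so run the audit as root for a complete inventory.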
There are Two Better Ways of Doing It
by
Llywelyn
·
· Score: 3, Informative
You can also enable root from the GUI by opening /Applications/Utilities/NetInfo Manager. From there, go under the "Security" menu, authenticate and then select "Enable Root User."
If you prefer the command line then "sudo passwd root" should do the trick and is somewhat more elegant :-)
Re:For the Un*x junkies out there
by
PasteEater
·
· Score: 2, Informative
"WITHOUT being asked for a password. Good luck.:)"
No sweat. Since I have access to the machine (per your last exploit) I insert the Mac OS X install disk, reboot from the CD, and select "Reset Password" (paraphrasing here) to change the password for the admin accounts. It might even set the root password if enabled. If root isn't enabled, I boot back into the system I just cracked, enable root, and set the password. Even if you just have an admin password, you can install anything you want anywhere you want, delete files, etc.
I love me some OS X, but let's be real here. If someone knows what they are doing and has the desire, there is at least the possibility they can get what they want (whatever that may be). It's a different story when they are trying to do it from across the country, but if someone has physical access to the machine, you're pretty much cooked.
Just a thought.
-- There are two kinds of people in the world: those with loaded guns, and those who dig.
Re:Well what do you expect from a Troll
by
b1t+r0t
·
· Score: 2, Informative
because X Windows doesn't run OS 9 apps
Aqua doesn't either. Classic does. It's just an app that happens to run under Quartz/Aqua. Way back in the day (System 7 era), there were environments (even one from Apple, I think) that emulated a Mac on a Unix box. And of course they ran under X Windows.
--
-- "Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Here's a link to the original article.