Slashdot Mirror
New Remote Root in Mac OS X
Cysgod writes "I've released a security advisory detailing a new remote root vulnerability in Mac OS X 10.3, 10.2 and possibly earlier versions." The main thrust is that it exploits a problem in the DHCP client, to gain root access, and turning off various services can prevent attack. It is unclear why an exploit was made public before Apple resolved the problem. Apple's fix is apparently scheduled for a December release.
thank goodness iam running Windows
"In most cases, the Mac will need to be booted into the malicious environment to be exploitable by this flaw. (The netinfod process must be restarted to cause the malicious server to be inserted into the authentication source list.)"
This definitely makes the exploit less likely...
and on any network provided service, including ssh (which is turned on by default in certain versions of the affected software).
I'm not aware that SSH was enabled by default in any version of Mac OS X.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
OK, there's a hole. Still, when Apple (or OpenBSD) have a security hole it's newsworthy rather than just Business As Usual.. unlike other companies which promise security but can't deliver.
Trolling is a art,
Assuming two scenarios:
/. reader, is this vulnerability something to be seriously concerned about?
1. A home user with dialup, running no external services, with the firewall turned on.
2. A home user with DSL/CABLE, running behind NAT. And for fun, let's add Airport. Also not running any services, firewall on.
For the non-technical
The exploit was made public before the official fix is that Apple had 48 days to fix the issue. Also, by releasing information about the exploit, Apple Sysadmins can make a minor change to their setup to prevent this exploit from occuring...
Just because the exploit isn't public, doesn't mean that somebody else doesn't know!
Doh!
Apple are about to catch up on Microsoft!
It seems pretty irresponsible to release details on an exploit when the vendor has already acknowledged the issue and has a date planned on when to release the fix. Now if Apple was ignoring them, that would have been a different story.
"The objective of securing the safety of Americans from crime and terror has been achieved." -- John Ashcroft
Looks like this guy is making the rounds. A more detailed post is at MacSlash. The highlight of conversation there is "Root is disabled by default, and SSH is off by default. Therefore the default settings don't make you vulnerable."
Apparently, it took 48 days from the time he informed Apple until now. Looks like he was itching to post something. There's his 15 minutes of fame.
It's already slow and it may get slashdotted soon, so here it is:
[blank.gif] [1]Carrel.ORG > Important Mac OS X Security Advisory
Mac OS X Security Advisory
Vulnerability:
Malicious DHCP response can grant root access
Affected Software
Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X
Abstract
A series of seemingly innocuous default settings can cause an affected
Mac OS X machine to trust a malicious machine on a network for user,
group, and volume mounting settings.
What does this mean to the average user
Anyone who can gain access to your network can gain administrator
(root) access to your computer and therefore steal your data or launch
attacks upon others as soon as you reboot your machine. System
administrators and users of affected software should read the section
"Workarounds" for immediate actions to protect their machines. It is
important to note that WEP security in 802.11b/g (AirPort/AirPort
Extreme) wireless networks is generally not sufficient to protect your
network from access by an attacker.
Vendor Patch
Apple Computer has been notified of this issue and may be working a
fix at this time. At the time of this writing, a fix is not available
from Apple.
Workarounds
There are a variety of avenues to avoiding this vulnerability...
1. Disable any network authorization services from obtaining settings
from DHCP:
+ in Directory Access, select LDAPv3 in the Services tab, click
"Configure...", uncheck "Use DHCP-supplied LDAP Server"
+ in Directory Access, select NetInfo in the Services tab,
click "Configure...", uncheck "Attempt to connect using
broadcast protocol" and "Attempt to connect using DHCP
protocol"
+ in Directory Access, uncheck LDAPv3 and NetInfo in the
Services tab, if you don't intend to use them
2. Turning off DHCP on all interfaces on your affected Mac OS X
machine can also keep you from being affected.
For added security, be sure to disable any unused network ports:
* turn the AirPort card off or remove it, if it is not being used.
Configuration Awareness
If a user should need any of these settings turned on due to the
network and authorization system they are currently using, they should
be aware that they could fall prey to a malicious individual using the
techniques outlined in this advisory. Steps to mitigate this concern
could be as simple as manually configuring the directory server
settings on the affected machine.
Technical Details
By default, the affected versions of Mac OS X attempt to negotiate
DHCP on all available interfaces. In the event that an Airport card is
installed but there is no network nearby, they also default to
associate with any network that might appear and then use DHCP to
obtain an address. The system will also use DHCP provided fields, if
available, to connect to an LDAP or NetInfo server on the network.
The default settings in "Directory Access" on affected systems will
cause the system to place the network LDAP or NetInfo server ahead of
the local user info for any given account, and will implicitly trust
the LDAP or NetInfo server to provide correct information.
Furthermore, nothing in the system prevents a login as a user with uid
0 (zero) with any login name. For example, an LDAP or NetInfo source
with an account username "bluemeanie", uid 0, would be perfectly valid
and usable for login at the login window and on any network provided
service, includi
Carrel.ORG > Important Mac OS X Security Advisory
Mac OS X Security Advisory
Vulnerability:
Malicious DHCP response can grant root access
Affected Software
Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X
Abstract
A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.
What does this mean to the average user
Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section "Workarounds" for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.
Vendor Patch
Apple Computer has been notified of this issue and may be working a fix at this time. At the time of this writing, a fix is not available from Apple.
Workarounds
There are a variety of avenues to avoiding this vulnerability...
Disable any network authorization services from obtaining settings from DHCP:
in Directory Access, select LDAPv3 in the Services tab, click "Configure...", uncheck "Use DHCP-supplied LDAP Server"
in Directory Access, select NetInfo in the Services tab, click "Configure...", uncheck "Attempt to connect using broadcast protocol" and "Attempt to connect using DHCP protocol"
in Directory Access, uncheck LDAPv3 and NetInfo in the Services tab, if you don't intend to use them
Turning off DHCP on all interfaces on your affected Mac OS X machine can also keep you from being affected.
For added security, be sure to disable any unused network ports:
turn the AirPort card off or remove it, if it is not being used.
Configuration Awareness
If a user should need any of these settings turned on due to the network and authorization system they are currently using, they should be aware that they could fall prey to a malicious individual using the techniques outlined in this advisory. Steps to mitigate this concern could be as simple as manually configuring the directory server settings on the affected machine.
Technical Details
By default, the affected versions of Mac OS X attempt to negotiate DHCP on all available interfaces. In the event that an Airport card is installed but there is no network nearby, they also default to associate with any network that might appear and then use DHCP to obtain an address. The system will also use DHCP provided fields, if available, to connect to an LDAP or NetInfo server on the network.
The default settings in "Directory Access" on affected systems will cause the system to place the network LDAP or NetInfo server ahead of the local user info for any given account, and will implicitly trust the LDAP or NetInfo server to provide correct information. Furthermore, nothing in the system prevents a login as a user with uid 0 (zero) with any login name. For example, an LDAP or NetInfo source with an account username "bluemeanie", uid 0, would be perfectly valid and usable for login at the login window and on any network provided service, including ssh (which is turned on by default in certain versions of the affected software).
In most cases, the Mac will need to be booted into the malicious environment to be exploitable by this flaw. (The netinfod process must be restarted to cause the malicious server to be inserted into the authentication source list.)
By taking advantage of these default se
is that this is news. Ok, it's not a vanilla BSD, but it is based on BSD, which has a fantastic record on security. What will be interesting to find out is where the bug came from - Apple or some third party ...
:-)
I'm pretty sure it was Apple that could boast of no exploits against them (this was OS9 days). Sad to see that go, if it's true. Any unix-os is a friend of mine
Simon
Physicists get Hadrons!
in the last few weeks security fixes for 10.2.x and 10.3.x have shown up.... Apple is still supporting users not running 10.3, but who knows for how long that will continue?
as far as people running 10.1.x and not upgrading to at least 10.2, i don't know.
if you are waiting for a 9.x update.... um.... yeah..... bye!
not really since a fix for the last vulnerability was sent out for jag last week.
"Slashdot, where telling the truth is overrated but lying is insightful."
Apple is on record saying they will provide security fixes for all versions of OS X. In some cases, the press has not caught up with this fact.
So, we have yet another security hole. No surprises there - they will come up eventually. It sounds as if the patching is reasonably prompt (though next month doesn't sounds that fast - hopefully that means it is well tested and it won't break anything like MS patches can). Ultimately though, we don't see many holes for MacOS X. Yes, I'm sure they exist, but they are a lot less frequent than some.
For instance, there's still this unpatched hole in IE that MS doesn't seem inclined to do much about right now. So much for their "on average a patch in 24 hours" policy they were claiming. Looks like they'll get their patch out around the same time Apple does. I guess we hope that means that they've tested it this time...
Jedidiah
Craft Beer Programming T-shirts
Yes, all we have to go on is Apple's past record of continuing to provide security fixes for previous versions of OS X and OS 9.
Obviously, the fix is not quite so easy: instead of just updating a binary or two, Apple needs to devise a program/an advisory that will alert users to the problem, and that also makes sure people don't shoot themselves in the foot (turn option off, suddently you can't log in anymore).
Devising such a thing, and testing it in a wide variety of environments will take time, so I wouldn't blame Apple for "reacting slowly" just yet.
..then why are we posting a link to it and making it even more public?
Apple has essentially made the design choice to default to a system which trusts the local dhcp server. Which is problematic much of the time, but convenient if you'd like to just unbox a new shipment of macs for your lab and plug them in, without needing any further client-side config.
This means that the dhcp server can provide authoritative information about anything ldap handles, including user accounts. So Mallory can use a rogue dhcp server to give herself a root account on your system.
But unless I'm mistaken, the default configuration still doesn't allow her to do anything with it. sshd and afpd are turned off by default, so even having a root account doesn't get you anything unless you physically sit down at the box and log in locally.
I think I'd prefer that the system defaulted to not trusting other hosts for anything beyond network numbers, but I don't think that issue will lead immediately to a rash of rooted osx machines.
Why should it be any different for Macs?
os 9 has no vulnerabilities that need patching you retard.
OS9 has NEVER had any exploits possible according to bugtraqs entire database history.
Slashdotting to the rescue! Apple has at least a few more hours now.
Please help metamoderate.
Now I can finally login as root on OSX. Considering all my friends running OsX have no idea what their root password is, or for that matter what root is, this seems like a blessing.
Let's assume that somebody is sitting outside of my apartment with all of this wireless hijacking configured, and we'll further assume that I've got all of the exact configurations required for my machine to be vulnerable. One would presume that this person is after the data in my machine, or wants to cause problems for me. Why else would they be trying to break in and gain root access? (btw, don't I need to have enabled the root account for this person to get root access, since root is not enabled on OS X by default?)
I might be going out on a limb here, but I would venture to say that there's a much bigger threat because the dude could just kick my door down and take my entire computer away with him. Then he can have all my data, and all of my applications, and my hardware too. Meanwhile, some other loser nerd is still mucking around trying to get this "hack" to work, but the guy who jacked me is walking away with my machine.
I understand this security issue is a threat and all, but I just don't see why anyone should be overly concerned. People seem to come up with scary stories like this about all kinds of things, hyping the facts up to make it seem like everyone who owns a Mac today is going to have a nerd take over their machine and steal all of their stuff. It reminds me of the pains people will go to in order to "secure" their machines, but then do something completely insecure like walk away from their desk for 10 minutes without password-protecting their machine.
Why does it matter that the exploit was released before a patch had been made public? The RFP policy is not anything which matters. It is just one security consultants stance on the topic, which has been adopted by a fair number of people in the security community. It does not by any means have to be followed by anyone.
Perhaps the exploit has been floating around in the underground for a few weeks or months?
Typical comment by someone not in the scene.
"It is unclear why an exploit was made public before Apple resolved the problem."
no SCO news!
You can "physically sit down to any Mac OS X machine and log in as root locally" by doing this:
1. Shut down machine, or power it off if you can't shut down.
2. Hold down Command-S while starting up the machine.
You're in as root, no login required, and it even tells you how to mount local filesystems writable.
You can also reset the password by booting from a Jaguar or Panther installation CD with the "C" key down, and resetting the password from the Installer menu.
I love my Mac, but Mac OS X is not a secure OS.
I've reported this bug before, and Apple sees it as a feature.
http://www.pbp.net/~jnichols/dhcp-vuln.html
Link for the extra-lazy: here
here is the clicky-link
given the typical mac user, it would be helpful if he'd specified /Applications/Utilities/Directory Access
Yeah? well I heard "apple is on record as saying they WON'T patch anything but the latest version." Cite me a source.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Everybody knows in the sticks that when you get a worm in your apple it just means you are getting a little extra protein in your snack.
"I say we take off and Nuke the entire site from orbit. Its the only way to be sure."
I suspect the reason why this info was released was simple: Apple went and released the 10.3 upgrade with a known remote-root vulnerability in it after having acknowledged the existence of the vulnerability.
To me, knowing that this vulnerability exists would be critical. I don't run a Mac, but I attach to possibly hostile networks routinely. Normally I can firewall my machine to block attacks, but I can't firewall off DHCP and still use the network. Were I using a Mac and OSX, I'd very much want to know that I needed to take immediate steps to avoid giving someone the keys to my machine just by plugging in at the local coffee house.
Release of this information may constitute a problem for Apple, and may mean a lot of fast work for OSX users. Not releasing it, though, would mean a lot more work for OSX users who get their machines rooted, and a lot more work for the rest of us who have to fend off attacks and other crud routed through those rooted boxes.
How many times does a vendor need to promise a fix, then delay it, before it's time to release it?
This is hardly a vulnerability, it's an ease of access feature that NeXT people have known about for almost a decade. The idea of this is, you take a computer out of the box, put it on your network, and it's working. Everything configured, users setup, etc. That should probably be shipped off by default, but I can understand the way they've done it in the past. It should also be noted that unless you've got a OS X server floating around, physical access to the network and management access to the existing DHCP server, this would be awefully hard to exploit.
"It is unclear why an exploit was made public before Apple resolved the problem. Apple's fix is apparently scheduled for a December release."
i'm amazed that i survived - an airbag saved my life.
Modded down twice? Zealots...
Ummmm.... ssh is enabled. sshd isn't. (by default). What were you saying about my face again? You're a dumass. N/T
If this is interesting to you, please join our mailing list and/or e-mail me via jay AT bastille HYPHEN linux DOT org.
Microware's OS-9 Kicked ass....
For those who don't know anything about it:
Imagine a windowed UNIX-like, pre-emptive multitasking OS with all the goodies: swap files, networking, hot-swap devices, assembler, shell scripting, a pcode language.
Running in 1982....
On a $500 computer.....
I'll let that sink in. OS-9 really was cool.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Who's the one who writes N/T after their text? Huh? Who's the dumbass now? :p I mean, in any version of OS X client (I don't know about Server), SSH is definitely off. If you go to your 'Sharing' system pref, services tab, "Remote Login" is unchecked by default. This checkbox turns on the SSH daemon (aka SSHD). Dumbass.
"I like systems, their application excepted", George Sand (French)
Set an Open Firmware password on your machine.
You will then need to enter this password to enter single user mode or boot from a CD.
Note that this still doesn't fully secure your machine unless it's physically secured, as someone can simply reset the OF password by changing the amount of RAM in the machine, then zapping the PRAM.
Makes securing a powerbook pretty much impossible, but otherwise...
i don't read slashdot anymore.
It is unclear why an exploit was made public before Apple resolved the problem.
Didn't you know that corporations like Microsoft and Apple do not act responsibly when confronted with these security issues. Given the fact that Apple doesn't fix the vulnurabilities in the earlier versions of its OS, it is very natural to release this vulnurability to protect the users.
Also had a C compiler for $60.00 (2 disks - bought it along w. the 2-disk pascal compiler - same price).
I remember using one of these while Gates was saying that you would need "at least 1.5 meg" to multitask.
"It is unclear why an exploit was made public before Apple resolved the problem.
Dude this happens almost every time. It doesn't matter the vendor, if it's MS, Oracle, RedHat, or Apple...no matter. Exploit warnings always preceed the patch. It's how it is.
Kind of like a car race with the finish line at the edge of a cliff.
if you are waiting for a 9.x update.... um.... yeah..... bye!
There is no way this splot can affect Mac OS 9 users. There is no command-line for Mac OS 9, nor is it even a true multi-user system. Remote access in Mac OS 9 is minimal and disabled in the first place. If you want an insanely secure server, get a box with Mac OS 9 and run WebStar, Rumpus, FileMakerServer, and/or QuickDNSPro.
Comparing Mac OS 9 to Mac OS X is like comparing DOS to NT.
It is unclear why an exploit was made public before Apple resolved the problem. [Link to RFP's policy]
Probably because the person who released the exploit wasn't RFP, maybe? Just a guess.
http://news.com.com/2100-1002-5109969.html
If I set Directory Access (located in the Utilities folder) to authenticate against 'local directory' rather than 'Automatic' then I am safe right? If this really is the case, could someone please make this work around explicitly clear so that all the iMac Users of the world can do it (and yes I know they don't have ssh up and running anyways but, just incase...)
This exploit means nothing to very little the average user simply because no remote services are enabled by default. I'm using a 10.2.8 box right this minute and I had to enable Remote Login and Personal File Sharing.
I really don't know where to start talking when it comes to the idiocy of releasing an exploit, not just a proof of concept, prior to the vendor releasing a fix. Apple wasn't dragging their heels. The whole timeframe is under 1.5 months. It is certainly not unreasonable to expect their programmers to spend time working on a bug fix. Hell the development cycle alone is more than a month if not two. So they didn't make the November 3 date. That's less than a month from the date the bug was reported. That's no surprise. I'd hate to rush a fix out that fast too. So the 10.3 Security Update and 10.3.1 Security Updates didn't fix it. Does he not realize that they were in the pipeline for testing back at the beginning of October? They aren't going to insert another code change in the middle of testing.
IMHO this guy is show-boating, grand-standing, and showing that he has unreasonable expectations. The security vulnerability isn't that great. It's a hole, yes. It's not nearly as serious as a security hole in IE in which ALL IE installations are affected by "default." I think this guy should seriously be flogged for releasing an exploit at the same time as the advisory. That's just plain ridiculous. IMHO that alone speaks wonders about this guy. It's idiotic acts like this that seriously make me wonder about full disclosure. Anyhow, I've said my piece. Move along.
it completely hosed ssh services for me.
With this exploit, the compromised system gets and uses a root password which would then allow logging in, I believe.
Luckily OSX doesn't have any network services (sshd, ftpd, afpd, smbd, etc) turned on by default, so the only way to gain access would be to have physical access to it for the general home-user, unless they have file sharing turned on, which would allow for a user to gain access to any file on any one of the computer's drives.
The way I see it, the most significant target would be schools and offices where the users want root access.
...spike
Ewwwwww, coconut...
Even were they to use the specified procedure to change your machine's auth info, they couldn't log in unless you have SSH enabled.
There are very few reasons to have sshd enabled on a portable machine. Can you name some?
Slashdot. It's Not For Common Sense
Anyone giving odds on the Tech TV Mac lovers saying absolutely nothing about this tomarrow, much less today.....? My guess is they can't do a story on this one without at least pointing to something Microsoft.
if so this is pretty much a non-bug since it would require some idiot to both be doing remote authentication and be plugged into a dhcp network. For that matter one could just pretend to be a known authtication host and provide bogus authentication regardless of the dhcp status.
what am I missing here. or is this thing on by default?
Some drink at the fountain of knowledge. Others just gargle.
ROFL You retard, SSHD is the SSH daemon, as in the service that enables SSH. I think he said something about fucking your face. Fuckwad! BTW, N/T means No Text.
Thought I'd field some of the more mentioned questions and misconceptions here...
/. got around to finally posting the article. Sorry it has taken me so long to respond.)
Is my machine safe if I have the root account "turned off"?
No. The account attacking can be uid 0 and have any other name in the universe that is a valid account name.
Is my machine safe if I have all remote access services "turned off"?
*NO*, and please quit saying it is. This exploit allows malicious people full control of where things are mounting on your system. They can mount malware anywhere. Including places that can virtually guarantee executiong of their target code. For example, an attacker could cause their evil data to be mounted in place of crontabs and have their fake root's crontab point to an evil executable mounted there or somewhere else.
Why did you release this when you did?
This was an exploitable remote root vulnerability. After Apple reneged on the Nov. 3rd release date I gave them 2-3 weeks. After the 2-3 weeks were up, I asked for the status and they said "December". Meanwhile, users are left exposed and independent rediscovery seemed fairly likely. And maybe by someone less scrupulous than myself. I felt I was being strung along and that the issue may never get properly addressed so I set a hard deadline at that point. They didn't meet it, and I issued my advisory.
It would not be fair of me to let Mac users hang out in the breeze for more than 2 months on an issue of this magnitude. You may disagree, but I have no regrets about my actions and feel that I was more than fair to Apple Computer and its users.
(As I mentioned in a previous post, I was out horseback riding by the time
Remote exploit ? Can you say subnet exploit ?! Victim gotta have DHCP and SSH turned on. So not a default client installation exploit.
You MAY say MacOS X Server got SSH turned on so will be vulnerable, but you must enter a static IP address at the system setup, that means you've no DHCP options unless you manually change it to DHCP later at "System Preference". By the way, if you do use DHCP to hand out server IP address you deserve to get rooted.
Anyway I get enough laugh out of some amateur security people today. Movie at 11.
Apple are actually being slower to patch than Microsoft. For a hole this serious - and this is about as serious as security holes get - this is unforgivable. It was a stupid design decision in the first place.
Can you imagine what will happen when the hundreds of Macs on the Internet get hacked? No, me either.
Not to be contrary, but I'm sure the Microsoft investors do buy stock in Apple on occassion, especially when they can turn around and sell that stock for profit later.
Moreover, they could record my password I suppose, but wouldn't I know something is up and reboot? If I'm suspicious, I'll just change my passwords.
I'm curious here, wouldn't you know?
And in most cases, I never reboot my machine. I move it from network to network in sleep mode. Again, I have never played with this kind of scenario, but it is my thought I'd have to reboot for this to work.
Care to answer this stuff, Todd Knarr?
Slashdot. It's Not For Common Sense
Just pull the plug if it is locked.
*book: remove battery
It's quite possible to override a DHCP server, even without intending to; the request is broadcast, and if multiple machines send a response back, the first one received wins.
I've been bitten by this myself: I have cable at home, and someone on the same subnet has (presumably) set up their NAT box backwards, so when I request a DHCP address, I get one of their internal addresses (192.168.100.x) as well as one from the ISP. Because they're on the same subnet and the ISP's DHCP server is elsewhere on the network, they consistently return a response faster, too.
I worked around that by configuring my DHCP client daemon to ignore all responses from the 192.168.100 subnet, but that's not an option if your DHCP client isn't configurable.
Are any among us innocent of wanting our 15 minutes?
The problem is that software companies do damned little to reward people that do a good job of turning up and reporting bugs properly. Frankly, if he releases before Apple, then he gets to be quoted all over the place, including mainstream media. He might get to be interviewed. If he instead sits on the problem and waits and he's lucky, he might get a brief note at the bottom of the advisory.
Microsoft and Apple should lay in a big store of T-shirts and mugs, and put a "special thanks" section somewhere in their OS to people that report crucial security holes but don't run out and release them to the public if they don't want a public release. It costs them *far*, *far* less to hand out a "MacGuardian" or somesuch T-shirt and mug and add a mention than it does to deal with the aftermath of a publically available remote root exploit without a fix. Actually, I would have given him a free pass to the next MacWorld or whatnot convention. Have incentives to favor the outcome you want, not discourage it.
On the other hand, Linux is pretty much always full disclosure, since describing problems generally happens in public forums anyway...
May we never see th
On Linux, some folks set up loopback encrypted filesystems. A loopback encrypted filesystem cannot be accessed by simply taking a hard drive.
If you can get repeated undected physical access to the machine, you can probably eventually trojan your way to root, though it might involve things as intricate as trojaning the bootloader and whatever utility you're using to decrypt the filesystem.
May we never see th
Just in case anybody missed it: the solution is easy!
......
Just open the Directory Access tool and deselect:
LDAPv3, NetInfo, SLP
done!
I.M.H.O., Apple made the same mistake as MS in this case: Enable everything in case someone might need it. And don't worry about the bad guys
As I read it, as long as Ldap, Net info, and other remote directory access services are off this cant harm you.
Thats about it, really.
why isn't it in the system preferences?
I've got a mac laptop, which I use almost exclusively from the command line. ssh in, ssh out, nobody gets hurt. NIS, SMB, ldap all enabled by default, and not in the obvious way (under the preferences window) but via a utility buried in my applications folder.
I normally work on my own network, via dhcp, so it's not a big deal - but I do occasionally take it on the road and use public networks.
damn.
"It is unclear why an exploit was made public before Apple resolved the problem."
Is Apple supposedly exempt from hackers (crackers for the symantically inclined) finding exploits and making them known publically before notifying the company?
Let's try to name another company that never got outted on an exploit before a patch was available. Besides the fact that the workaround IS publically available which will work just as well as a patch.
And how much crap did MS get for a root exploit that DID HAVE a patch available over a month in advance?
Maybe the editor thought it would be better to just pretend Apple was secure so users could just magically have their machines screw up with no way to know how to fix it.
Fortunatly the security advisors had more sense. Word got out and a bandaid is available so they did the smart thing and told everyone how to apply the bandaid while Apple worked on healing the wound.
There is nothing unclear about it.
Ben
Work Safe Porn
I was unaware that you could overwrite specific files with nodes that would work as actual files. That's worse than just being able to replace directories.
But it's important to keep things in perspective. This makes it bad for YOU. The vast majority of mac users will never run into a scenario in which this attack is feasible.
Thus I can see Apple's low priority for it.
Further, what exactly is the "right" thing to do here? Simply change the default? What do other OSs do that's better?
Slashdot. It's Not For Common Sense
Someone stick his nose in it...
Example:
Replace /etc mountpoint to my exported one containing bogus crontab
*/15 * * * * root /path/to/sshd/startup /path/to/email/ip_addr
*/15 * * * * root
If DHCP is enabled on an unswitched subnet (many of those around) then you have just been 0wned by "mr. amateur security person". News at 11.
Exploiting this vulnerability requires that you set up a rogue DHCP server/LDAP server on someone's sub-net. From what I can gather, a well administered network will block unauthorised DHCP traffic at the switch - and the author of the post you are replying to seems to be claiming that they do have their sub-net under control. Obviously many people connect to unsecured sub-nets (e.g. WiFi) so this is a real concern for some users - but not for this person.
Mallory can configure her LDAP server to not only give her root on you box, but also to remotely mount filesystems on your box. Mallory mounts her trojans over your bin directory and waits for you to start one, or also mounts a root crontab that starts a trojan automaticly. No your box IS running services, and Mallory owns it.
I don't think a person with root access to my computer would do as much harm as turning FileVault on in OS 10.3 did. It wiped out my old email messages and iTunes library, changed my dock setup, erased a registration file for some software I have so I have to re-enter the registration code, and who knows what else. I'm certainly not going to be on the bleeding edge of Apples OS X releases anymore. "How was I supposed to know that my boss wasn't being literal when he said 'Cut out the middleman!'. Will I be going to jail now?"
"Meaningless!, Meaningless!" says the Teacher. "Utterly meaningless!"
what boggles my mind is that this exploit is labeled as a "remote" exploit. while it is technically true, i'd like people to start qualifying the concept of "remote": an offending machine would need to live within a fairly close geographical location to exploit this vulnerability as it would need to be plugged to a network port plugged to some small or large hub, with machines belonging to a similar subnet. Or it would have to be a machine that lives within 802.11 b/g range, which is *also* fairly local. Both scenarios should allow a fairly educated network admin to trace the attacker and hang'em by the balls.
Extraordinary Vacations. Exceptional Prices
Give me a break. That is anything but a true statement, and one born of prejudice. Apple, Microsoft, those hardworking folks making Linux better all recognize that flaws exist in software and work hard to do something about it. Software by nature is large and complex, the product of human efforts. And as such, it will not be perfect. For all the hard work of programmers throughout the world, mistakes will happen. But companies like Apple work hard to correct them quickly. If you develop software like I do, you will understand that you can't just issue a patch and expect the problem to stop. You have to test the patch thoroughly to make sure that it does not create unintended problems of its own. To say that Apple sweeps security flaws under the rug is an insult, not only to Apple, but to any developer that has to correct the problems of an exploit. Save your venom instead for the jerks and script kiddies who are the real problem, not Apple.
Thanks a million.
Stating on Slashdot that I like cheese since 1997.
I remember using one of these while Gates was saying that you would need "at least 1.5 meg" to multitask.
Correction: in 1982 Gates' company Microsoft produced a product called Xenix. Microsoft Xenix ran, with support for five users plugged into serial ports on dumb terminals, on an 8086 box with 512K of RAM. That was a hell of a lot of memory back in 1982, but the fact that Altos made the Altos 586 box, and Microsoft produced the OS for it, contradicts your claim.
A Good Intro to NetBS
Suggest you read the following article: The Reality of Bugs as to some insight why the bug in question has not been fixed. The article references Safari, but it is equally valid for any complex software. Yes, you're right - it's a serious bug, but in my opinion (not that it matters) you have managed to make yourself look like an asshole by giving the appearance of demanding certain release dates.
Even I have the good sense to realize that things move on a different timetable in a large organization, and action cannot be taken on every concern immediately. Shuffling people around to deal with a single issue may ultimately delay many issues that are just as pressing.
Sorry, mate. You tried to cast yourself as concerned user and I think you came off as an arrogant ass. Especially considering the timing.
Its also pretty irresponsible to post an opinion about a page you obviously haven't read.
Nearly 2 months and two security updates were released since Apple confirmed the bug.
Modding parent post as Flamebait is not "facing it"
It's more like you're in denial.
He had a so call friend running around all the Mac forum sites making comments about his friend was going to blow the lid of this remote access exploit and made very big deal but most folks (macrumors.com) blew it off because I and everyone else knows Apple will fix issues when they arise. Apple has already seeded a copy of 10.3.2 to developers twice in the last two weeks which included new security updates. What I need to ask if he knew Apple had this planned why release it when you know the actual fix is being seeded to developers as of two weeks ago? Dec will be the release date of 10.3.2.
I would say Apple will probably update Jag. as well but at a later date. Most Mac users have switched or will be switching over the holiday season.
N/T isn't funny.
I can see the reason for some of the advisory, but not the part where they tell people how to exploit it. If I were Apple, I would be furious about this. Apple told them when they would have a patch. Sure they should have given a general overview of the exploit, and how to defend against it, but to post how to do it is irresponsible.
he didn't even read the article and is spouting off like he knows what he is talking about the issue is that OSX defaults use DHCP to mount, and by mounting a remote /etc or /usr/bin, for example, you can install a trogan without having ssh or root. I wish people would read the damn article before they spread nonsense like the parent post.
you did not read the article or the explanation of the exploit, and when confronted on this you talk about irrelevant subjects... like graffiti -- it is not about graffiti
say you take your portable into a coffee house that has been exploited (or has someone outside with a stronger wireless signal that is malicious), you "turn on" your computer, it asks via DHCP for the IP address, and also asks for remote mounts. the malicious box returns trogan programs to some mount point, say the directory that contains safari... then when you launch your browser you now have local user access... perhaps not root yet; but good enough. If you are clever you can schedule things to run as root via cron, etc.
in any case, read the fucking article next time before you make yourself look stupid
it is an explot beacuse this isn't the default settings; just beacuse you have a good work-around doesn't make it any less of an exploit.
Hardening your Mac at boot time.
just enter OpenFirmware and setenv security-mode command. Then setenv security-password "passwd" (or use the "password" command).
Works on Suns too.
Fuck Beta. Fuck Dice
As far as the delay before the fix is concerned, that may be related to whether they think this hole is actually a feature for convenience of setting up new machines.
If so, and if they want to retain the convenience while preventing misuse, then patching becomes more complicated. It might involve creating a UI for getting user approval for the process (via the keyboard/mouse) so that it doesn't connect to an unauthorized directory.
Developing and testing that could take a bit longer than fixing a simple coding problem, or changing some default config files.
This remedy will only work if it is a guy who is trying the exploit.
Apple should have had a fix for this sooner or at least issued a Knowledgebase article
Looks like Apple didn't want to publicize it themselves, since they waited until the exploit was published to issue a
KnowledgeBase advisory. (Basically, it just says to turn off LDAP in Directory Access if you are on an untrusted network).
This isn't a "remote root exploit vulnerability" as much as it is a "stupidly turned on by default" and fixed by
This sort of thing has been an issue in a network running NFS for years, is an issue in any network running DHCP (just how much configuration do you permit to be dynamic?)..
I mean, if you came onto my network, nabbed your DHCP address and my DNS servers forwarded every request of yours to whitehouse.gov...then is it your fault or the vendors fault? Like so many "explots", it requires non-trustworthy infrastructure.
Thank god crackers are on a monthly crack cycle!
Seriously: if Apple wants their candy-coated machines to be taken seriously, they need to take their customers seriously, and serious customers aren't going to sit there with a hole open until the Apple engineers release patches on tradition. If you can't patch as fast as open source, you have no business selling software.
Doesn't he work with Infospace? I wonder what a google search for Infospace and Microsoft turns up?
"oohhh... I didn't know Schopenhauer was a philosopher!"
Look at this link:i d=59290 ... just tested LDAP and Netinfo binding via Airport. As I had suspected, it does not work (the AirPort interface is not brought up early enough in boot). ...
http://macslash.org/comments.pl?sid=4019&c
http://docs.info.apple.com/article.html?artnum=324 78
No, that's N/F for not funny.
Much like this post.
Salient quote:
'The Santa Cruz Operation' was a part of Microsoft.
And really, SCO didn't 'produce' Xenix in the first place. They ported the AT&T UNIX code to the 8086.
A Good Intro to NetBS
I just realized this, looking at another poster calling this a subnet exploit. This really isn't a remote root. Maybe 10 years ago you'd call this a remote root. But in today's world of MS 90% market dominance with a whole product line of OS's that a few months ago could each and every one of them could be remotely dazed and controlled through rpc, we really should KNOW what remote exploit really means.
Home users will not be hacked, unless it's by their ISP.
LANs are safe unless you've got some disgruntled worker out there, but that's always the case.
I know security purists will scoff. I'd be one if I wasn't working under an MS loving boss.
This has been a feature of NS since the beginning.
tomhudson411@yahoo.como m
tomhudson@fuckmicrosoft.c
To read it at the source,
click hyar, cowboy.
A Good Intro to NetBS
Are Apple users so thin-skinned that they can't handle any dissent at all?
... but microsoft only received 25% of the shares in exchange. This is not ownership in the real world.
1) Disable network authorisation services from obtaining settings from DHCP via "Directory Access". 2) Turn off DHCP support on all interfaces.
Microsoft developed Xenix in-house.
Microsoft handed off development to a third party called SCO.
I was wrong in saying 'SCO was part of Microsoft'. I was not wrong in saying Microsoft produced the first version of Xenix (which they handed off to SCO).
I used to own an Altos 8086 box that ran Microsoft Xenix. It had (C)Microsoft all over the place in bootup messages, etc.
A Good Intro to NetBS
If we followed that kind of standard, then we would always be waiting for corporations to decide when they're good and ready to fix problems that put the public at risk. That is a curiously supine view of manufacturer responsibility!
And it's precisely what Microsoft says when lobbying for federal punishment for those who reveal its vulnerabilities: only the corporation shall be an arbiter of public safety where its products are concerned. It shouldn't be hard to work out why that is practically an invitation for manufacturer caprice, negligence, and laziness.
Look again at Carrel's timeline. What happened on Oct. 24? What big commercial product unveiling did Apple choose not to interrupt or cloud with acknowledgement of this untimely news about the famously iron-clad OS X?
It is unclear why an exploit was made public before Apple resolved the problem.
Oh really? The 'originator' explains this in full under 'Why did you release this when you did?', and the wiretrip link only confirms this was correct.
And after the fact, it would seem it prompted Apple to act faster.
He's not the only one sitting on an advisory; in general, the experience can be quite similar: they do tend to 'string you along'.
- Heterosexual
- Do not own a cat
- Married
- own a house (not a condo)
- said house does NOT smell like cat urine and feces
- do not own a single Anime DVD nor have I a pirated version of the same
- self made and personally responsible for my actions
- never follow political party group-think and YES that would also include being a Naderite
- I very rarely change the default Gnome background and I do NOT have sound themes
- as above, I look for efficiency and effectiveness, not pretty trinkets
- I actually liked the Matrix but then it ended there
- I like neither the current police action in Iraq or the 30 something police actions that preceeded it in the last decade
- I didn't vote for Bush but am not stupid enough to believe he "stole" the votes
- I wear what I think is comfortable and do not dress to impress others (and YES that means dressing in the "official individual's uniform" of the time and clique)
- I actually enjoyed playing around with a earlier OSX build, but since I could not customize the actions, relationships, etc to what I am most effective with I still use 'lunix'
- I remember what the previous point is referring to, and I remember when BBS was still fun.
So, can someone help me figure out if this is relevant to me and I should get that specialized piece of Sun equipment... errr, that specialized piece of Apple equipment and fire up MAC OSX?