Slashdot Mirror


New Remote Root in Mac OS X

Cysgod writes "I've released a security advisory detailing a new remote root vulnerability in Mac OS X 10.3, 10.2 and possibly earlier versions." The main thrust is that it exploits a problem in the DHCP client to gain root access, and that turning off various services can prevent the attack. It is unclear why an exploit was made public before Apple resolved the problem. Apple's fix is apparently scheduled for a December release.

25 of 445 comments

  1. i thought i would never say this by Anonymous Coward · · Score: 5, Funny

    thank goodness I am running Windows

    1. Re:i thought i would never say this by toastmaster · · Score: 5, Funny

      because windows never had any security issues...

    2. Re:i thought i would never say this by wo1verin3 · · Score: 5, Funny

      NO! It's because we are safe, windows doesn't have a root user. :0

    3. Re:i thought i would never say this by JeffTL · · Score: 5, Insightful

      Well, actually, on most Windows boxen, EVERYONE is root.

  2. Exploitability Questionable by marsipan · · Score: 5, Informative

    "In most cases, the Mac will need to be booted into the malicious environment to be exploitable by this flaw. (The netinfod process must be restarted to cause the malicious server to be inserted into the authentication source list.)"

    This definitely makes the exploit less likely...

    1. Re:Exploitability Questionable by Anonymous Coward · · Score: 5, Informative

      Ha, you people are all ignorant.

      If you were a Mac person, you would know that Mac people never shut their laptops down, only put them to sleep. Why go through a slow boot on your iBook when it wakes up as soon as the lid is up?

      As many moderated-up quotes from the article tell us, this problem is only a problem when the services are started, which is on boot, not on wake-from-sleep.

      I do not mean to trivialize this hole. To me, it seems obvious why it is there. Apple wants LDAP-enabled, OSX Server managed networks to work out of the box. This includes the ability to mount shares anywhere on the client system, which is insanely powerful and useful in a trusted setup.

      Trusted is, of course, the operative term there. Apple needs to fix this or disable the services by default. People who need it can enable it themselves.

  3. Call me an Apple Apologist, but.. by grub · · Score: 5, Insightful

    OK, there's a hole. Still, when Apple (or OpenBSD) have a security hole it's newsworthy rather than just Business As Usual.. unlike other companies which promise security but can't deliver.

    --
    Trolling is a art,

  4. Damn by JHromadka · · Score: 5, Insightful

    It seems pretty irresponsible to release details on an exploit when the vendor has already acknowledged the issue and has a date planned on when to release the fix. Now if Apple was ignoring them, that would have been a different story.

    --
    "The objective of securing the safety of Americans from crime and terror has been achieved." -- John Ashcroft

  5. Re:The Reason the exploit was made public.. by abde · · Score: 5, Informative

    also there's this timeline of events, which is quite revealing:

    History of this Advisory & Vendor Contact Log
    2003-10-09 Initial version of this advisory
    2003-10-09 Apple Computer notified
    2003-10-09 Apple Computer confirmed receipt and forwarded to eng. team
    2003-10-11 Minor edits, also added "Philosophical Issues" and "Path to Root"
    2003-10-14 Apple Computer assigns specific point of contact
    2003-10-14 Requested confirmation of issue with Apple Computer
    2003-10-15 Apple Computer confirms issue
    (2003-10-24 Original deadline given to Apple for acknowledging issue)
    (2003-10-24 Mac OS X 10.3 is released with this known issue)
    (2003-10-28 Mac OS X 10.3 Security Update released, does not address issue)
    2003-10-28 Requested update of fix status from Apple Computer
    2003-10-28 Apple Computer proposes Nov. 3 fix date
    2003-10-29 Apple Computer reneges on Nov. 3 date
    2003-10-29 Requested fix in "2 or 3 weeks" from Apple Computer
    (2003-11-04 Mac OS X 10.3 Security Update released, does not address issue)
    (2003-11-15 Mac OS X 10.3.1 is released with this known issue)
    2003-11-17 Requested update of fix status from Apple Computer
    2003-11-18 Requested update of fix status from Apple Computer
    (2003-11-19 Mac OS X 10.3.1 Security Update released, does not address issue)
    2003-11-19 Apple Computer replies "scheduled to go out in December's update"
    2003-11-19 Deadline of Nov. 26 given to Apple Computer
    2003-11-25 Minor edits, made "Path to Root" a little more work for the script kiddies
    2003-11-26 Advisory issued (48 days after initial vendor notification)

    --
    Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com

  6. Re:Default? by Darth_Foo · · Score: 5, Informative

    I don't believe it is in the client versions of OS X but it almost certainly is in OS X Server (which is also subject to the published vulnerability).

  7. Re:The Reason the exploit was made public.. by GigsVT · · Score: 5, Insightful

    I do agree that's plenty of time, but it's still questionable to release the exploit at this stage. He could have disclosed, and then if Apple downplayed it saying it wasn't exploitable, then released the exploit.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.

  8. Slashdotting to the rescue! by SuperBanana · · Score: 5, Funny

    It is unclear why an exploit was made public before Apple resolved the problem

    Slashdotting to the rescue! Apple has at least a few more hours now.

  9. Re:What is telling by Boing · · Score: 5, Funny

    Any unix-os is a friend of mine

    He's a friend of SCO! Burn him!

  10. why? by silicongodcom · · Score: 5, Funny

    "It is unclear why an exploit was made public before Apple resolved the problem."

    no SCO news!

  11. Re:Local insecurity by Commykilla · · Score: 5, Insightful

    If you have physical access to a machine, security is compromised anyway. You can rip out the hard drive and take/modify the bits by force if you want. If the machine is locked in a box, then you can't reboot it without being root, so the exploit doesn't work and you're still safe.

    --
    Communism was just a red herring.

  12. Background info by krisbrowne42 · · Score: 5, Insightful

    This is hardly a vulnerability, it's an ease of access feature that NeXT people have known about for almost a decade. The idea of this is, you take a computer out of the box, put it on your network, and it's working. Everything configured, users set up, etc. That should probably be shipped off by default, but I can understand the way they've done it in the past. It should also be noted that unless you've got an OS X server floating around, physical access to the network and management access to the existing DHCP server, this would be awfully hard to exploit.

  13. Re:The Reason the exploit was made public.. by Greedo · · Score: 5, Insightful

    I have to say, I looked down that timeline as well and thought "Well, at least Apple is looking into the problem and has given a timeframe for an update (December)."

    Then, 5 days before December, they release the advisory.

    I don't think it's unreasonable for Apple to take some time confirming the exploit, and planning an update. Remember when they released an update that broke things?

    I *do* think it's unreasonable for Carrel to demand deadlines to Apple ... or anyone, really ... to fix their stuff. Especially when Carrel knows it's going to be fixed. Not much better than blackmail, if you ask me.

    --
    Tuus crepidae innexilis sunt.

  14. Re:Default? by Cysgod · · Score: 5, Informative

    Hi there.

    It is important to note that having all your services turned off is *not* protection against this bug.

    The malicious LDAP server also gets to dictate your mountpoints to you. This means malicious executables can be mounted anywhere in your filesystem. Including places where they can be expected to be executed.

    A trivial exploit of this would be to replace the directory with crontabs and set up a crontab and an executable to run as root. Suddenly sshd *is* enabled.

    I'll try to answer other questions as I can. This got posted when I was horseback riding; I submitted it at 9am....

  15. Just use an Open Firmware password. by netsrek · · Score: 5, Informative

    Set an Open Firmware password on your machine.

    You will then need to enter this password to enter single user mode or boot from a CD.

    Note that this still doesn't fully secure your machine unless it's physically secured, as someone can simply reset the OF password by changing the amount of RAM in the machine, then zapping the PRAM.

    Makes securing a powerbook pretty much impossible, but otherwise...

    --
    i don't read slashdot anymore.

  16. Show-boating, grand-standing by macdaddy · · Score: 5, Insightful

    IMHO this guy is show-boating. It is not unreasonable for an operating system company to take a non-critical but serious bug and spend 1.5 months developing and testing a fix. How many times have we seen a vendor rush to fix something only to seriously break things by not testing the fix thoroughly? Do we really want them to break something else? This isn't a minor piece of software like an FTP server where a security hole can be fixed in a morning, tested in an afternoon, and released the next day. I contend that even a piece of software as complex as Sendmail can be fixed and tested in a small amount of time and is really a minor piece of the puzzle when you're talking about an entire operating system.

    This exploit means nothing, or very little, to the average user simply because no remote services are enabled by default. I'm using a 10.2.8 box right this minute and I had to enable Remote Login and Personal File Sharing.

    I really don't know where to start talking when it comes to the idiocy of releasing an exploit, not just a proof of concept, prior to the vendor releasing a fix. Apple wasn't dragging their heels. The whole timeframe is under 1.5 months. It is certainly not unreasonable to expect their programmers to spend time working on a bug fix. Hell, the development cycle alone is more than a month if not two. So they didn't make the November 3 date. That's less than a month from the date the bug was reported. That's no surprise. I'd hate to rush a fix out that fast too. So the 10.3 Security Update and 10.3.1 Security Updates didn't fix it. Does he not realize that they were in the pipeline for testing back at the beginning of October? They aren't going to insert another code change in the middle of testing.

    IMHO this guy is show-boating, grand-standing, and showing that he has unreasonable expectations. The security vulnerability isn't that great. It's a hole, yes. It's not nearly as serious as a security hole in IE in which ALL IE installations are affected by "default." I think this guy should seriously be flogged for releasing an exploit at the same time as the advisory. That's just plain ridiculous. IMHO that alone speaks wonders about this guy. It's idiotic acts like this that seriously make me wonder about full disclosure. Anyhow, I've said my piece. Move along.

  17. AUTHOR: FAQs answered by Cysgod · · Score: 5, Informative

    Thought I'd field some of the more mentioned questions and misconceptions here...

    Is my machine safe if I have the root account "turned off"?
    No. The account attacking can be uid 0 and have any other name in the universe that is a valid account name.

    Is my machine safe if I have all remote access services "turned off"?
    *NO*, and please quit saying it is. This exploit allows malicious people full control of where things are mounting on your system. They can mount malware anywhere. Including places that can virtually guarantee execution of their target code. For example, an attacker could cause their evil data to be mounted in place of crontabs and have their fake root's crontab point to an evil executable mounted there or somewhere else.

    Why did you release this when you did?
    This was an exploitable remote root vulnerability. After Apple reneged on the Nov. 3rd release date I gave them 2-3 weeks. After the 2-3 weeks were up, I asked for the status and they said "December". Meanwhile, users are left exposed and independent rediscovery seemed fairly likely. And maybe by someone less scrupulous than myself. I felt I was being strung along and that the issue may never get properly addressed so I set a hard deadline at that point. They didn't meet it, and I issued my advisory.

    It would not be fair of me to let Mac users hang out in the breeze for more than 2 months on an issue of this magnitude. You may disagree, but I have no regrets about my actions and feel that I was more than fair to Apple Computer and its users.

    (As I mentioned in a previous post, I was out horseback riding by the time /. got around to finally posting the article. Sorry it has taken me so long to respond.)

  18. No panic, just reconfigure by ApocryphX · · Score: 5, Informative

    Just in case anybody missed it: the solution is easy!
    Just open the Directory Access tool and deselect:

    LDAPv3, NetInfo, SLP

    done!

    I.M.H.O., Apple made the same mistake as MS in this case: Enable everything in case someone might need it. And don't worry about the bad guys ......

  19. Re:What does this mean to the average home user? by EverLurking · · Score: 5, Insightful

    The theoretical risk if you use a lot of public or unknown WAPs and can't account for how responsible/evil the owner of the WAP might be (who knows what nefarious acts those public WAP operators providing free broadband are up to...yeah, unlikely) is high as they could get root access and mount a directory with a new crontab that will start up a remote SSH daemon to access your computer with later. Hard to think someone would go through the trouble but you never know nowadays. Apple should have had a fix for this sooner or at least issued a Knowledgebase article.

    The fix is rudimentary, just go into your /Applications/Utilities folder, fire up "Directory Access", uncheck a couple of boxes (the LDAP and NetInfo services) and you're done. Takes like 10 seconds to do, no reboot required, no other reconfiguration, no problems (under WinBlows, would have taken like 30 minutes of fruitless hunting around and a couple of reboots/patches and reconfiguration afterwards probably). Well, it would have taken 10 seconds if I hadn't already had these two services unchecked b/c someone at www.OSXHints.com suggested that disabling unused directory services sped up your startup a little bit.

    If you need configuration information from an LDAP or NetInfo server (i.e. at work), you could always create a new Location under your Network system preferences panel and go back to Directory Access, disable the relevant LDAP and NetInfo services on all your other locations except your work location. If you can't trust your work not to try to hack your computer with this exploit, you've got bigger fish to fry.

    For most home/SOHO users who are behind their own home router/firewalls and have otherwise trustworthy family members/roommates/co-inhabitants, this is a non-issue (then again, if the people living with you are trying to hack you, you have other far greater problems to deal with than this exploit : ). People on a shared subnet (like Cable Modem users) are at risk if you're not behind a local/home hardware router/gateway device and someone else on your subnet wants to play "Hack the neighbor's Mac" with this exploit. I think you should be able to trust the DHCP information being handed to you by your DSL provider (again, if you can't then your problems go WAAAAAY beyond this exploit), no big deal. Correct me if I'm wrong but, I'm pretty sure my off the shelf LinkSys router doesn't know what to do with LDAP or NetInfo configuration info handed down by my ISP even if they did hand out any, and it certainly isn't set to pass it through to my internal subnet.

    But then again, what are you thinking NOT being behind at least an inexpensive (they're what, like under $100 now even with 802.11g?) NAT/SPI firewall that's up and running 24/7 regardless of how your computer is configured if you're on Cable Modem or DSL at home?

    In short, an easy fix and not really a problem for most home/SOHO users. You can breathe easy now.

    DaveC

    --
    There are no stupid questions...just stupid people.

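    The risk scenario in this post and the attack path Cysgod lays out in comment 17 both start the same way: a DHCP reply on a network you do not control hands the client an LDAP or NetInfo source. That is something a defender can look for in captured DHCP traffic. The script below is an added example, not code from the advisory, from Apple or from any poster in this thread. It parses the options field of a DHCP reply and flags options that push a directory or authentication source. The option codes it uses (53 message type, 54 server identifier, 95 LDAP, 112 NetInfo parent address, 113 NetInfo parent tag) are the IANA-registered values; that the Mac OS X 10.2/10.3 DHCP client acted on exactly these codes is an assumption made here, not something the thread states. The DHCP ACK packet it inspects is constructed for the example.

```python
"""Added example: flag DHCP replies that push a directory/authentication source.

Not code from the advisory, from Apple or from any poster. Option codes are
the IANA registry values; that Mac OS X's DHCP client consumed 95/112/113 for
its directory setup is an assumption. The sample packet below is constructed.
"""
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options in a BOOTP frame
BOOTP_HEADER_LEN = 236               # fixed BOOTP header that precedes the cookie

# Options that hand the client a directory or authentication source.
DIRECTORY_OPTIONS = {
    95: "LDAP server",
    112: "NetInfo parent address",
    113: "NetInfo parent tag",
}


def parse_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP packet's options field.

    Handles pad (0) and end (255) and refuses truncated options rather than
    silently reading past the buffer.
    """
    if len(packet) < BOOTP_HEADER_LEN + len(MAGIC_COOKIE):
        raise ValueError("packet too short for BOOTP header plus magic cookie")
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    return options


def directory_findings(packet: bytes) -> list:
    """Human-readable list of directory-service settings the DHCP server pushed."""
    opts = parse_options(packet)
    server = None
    if 54 in opts and len(opts[54]) == 4:
        server = IPv4Address(opts[54])
    findings = []
    for code, label in DIRECTORY_OPTIONS.items():
        if code not in opts:
            continue
        raw = opts[code]
        if code == 112 and len(raw) % 4 == 0:   # one or more IPv4 addresses
            shown = ", ".join(str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4))
        else:                                    # LDAP URL / NetInfo tag are text
            shown = raw.decode("ascii", errors="replace")
        findings.append(f"{label} (option {code}) = {shown} from DHCP server {server}")
    return findings


def encode_option(code: int, value: bytes) -> bytes:
    """Type-length-value encoding of one DHCP option."""
    return bytes([code, len(value)]) + value


def build_sample_ack(options: bytes) -> bytes:
    """Constructed DHCP ACK: zeroed BOOTP header, magic cookie, then options."""
    header = bytearray(BOOTP_HEADER_LEN)
    header[0] = 2   # op = BOOTREPLY
    return bytes(header) + MAGIC_COOKIE + options


# Constructed sample: an ACK from 192.0.2.1 (documentation address) that also
# pushes an LDAP server and a NetInfo parent, the shape of reply an untrusted
# network could send.
SAMPLE_ACK = build_sample_ack(
    encode_option(53, b"\x05")                                   # DHCPACK
    + encode_option(54, IPv4Address("192.0.2.1").packed)         # server identifier
    + encode_option(95, b"ldap://192.0.2.1/dc=example,dc=test")  # LDAP server
    + encode_option(112, IPv4Address("192.0.2.1").packed)        # NetInfo parent address
    + encode_option(113, b"network")                             # NetInfo parent tag
    + b"\xff"
)

if __name__ == "__main__":
    for line in directory_findings(SAMPLE_ACK):
        print("WARNING:", line)
```

    Run it over DHCP ACKs captured on a network you are about to trust (a public access point, for instance). An empty finding list means the server did not try to configure a directory source, which is also the expected result behind a home router that, as the post above notes, does not relay LDAP or NetInfo settings from the ISP.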
  20. Oh please, spare us your generalizations! by Anonymous Coward · · Score: 5, Interesting

    You said: "Maybe so it wouldn't be swept under the carpet, like ALL other Apple security problems."

    Give me a break. That is anything but a true statement, and one born of prejudice. Apple, Microsoft, those hardworking folks making Linux better all recognize that flaws exist in software and work hard to do something about it. Software by nature is large and complex, the product of human efforts. And as such, it will not be perfect. For all the hard work of programmers throughout the world, mistakes will happen. But companies like Apple work hard to correct them quickly. If you develop software like I do, you will understand that you can't just issue a patch and expect the problem to stop. You have to test the patch thoroughly to make sure that it does not create unintended problems of its own. To say that Apple sweeps security flaws under the rug is an insult, not only to Apple, but to any developer that has to correct the problems of an exploit. Save your venom instead for the jerks and script kiddies who are the real problem, not Apple.

  21. Re:I remember this guy. by Cysgod · · Score: 5, Informative

    I've been pretty low-key about this until today, so I'm not sure what you're talking about. I'd be very interested to see links to the comments you refer to.

    I may have reason to believe that the seeded copies of 10.3.2 are, in fact, still vulnerable to this bug by default. But I can't say for sure because if I did know for sure, that would mean that someone violated their NDA and that would be bad news for someone. Live in fear of Apple Legal.

    It's not a real happy conundrum. I found out one week ago that Apple was planning to release in December after having previously agreed in principle to a date sometime in November. I felt that I was being strung along like a ball of yarn, but I didn't want to be unreasonable so I gave them 1 more week. They never replied and cut off all contact with me. And here we are.

    And FWIW, since it's been mentioned, I'm not an Apple hater, I love my PowerBook. :-) Thanks for writing.