Slashdot Mirror


Apple Responds to Exploit

Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3. ... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme." This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.
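
Added example, not code from the story or from any commenter: a small Python auditor for the "DHCP-supplied LDAP server" behaviour described above. It parses the options field of a DHCP packet and flags a DHCPOFFER that comes from a server outside a trusted list, or that carries option 95 (LDAP), the option through which a client learns its LDAP server from DHCP. The packets, server addresses and LDAP URL are constructed for the demonstration.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options (RFC 2132)
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LDAP, OPT_END = 0, 53, 54, 95, 255
DHCPOFFER = 2


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {tag: raw value} for the options field of a BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240                               # options follow the 236-byte header + cookie
    while i < len(packet):
        tag = packet[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[tag] = value
        i += 2 + length
    return opts


def audit_offer(packet: bytes, trusted_servers: Set[str]) -> List[str]:
    """Flag a DHCPOFFER from an unknown server, or one that hands out an LDAP server."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []                                   # only offers are audited here
    server = str(IPv4Address(opts.get(OPT_SERVER_ID, bytes(4))))
    findings = []
    if server not in trusted_servers:
        findings.append(f"DHCPOFFER from untrusted server {server}")
    if OPT_LDAP in opts:
        url = opts[OPT_LDAP].decode("ascii", errors="replace")
        findings.append(f"offer from {server} supplies LDAP server {url}")
    return findings


def build_offer(server_ip: str, ldap_url: Optional[bytes] = None) -> bytes:
    """Constructed sample DHCPOFFER (zeroed BOOTP header) used to exercise the auditor."""
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    if ldap_url:
        opts += bytes([OPT_LDAP, len(ldap_url)]) + ldap_url
    return bytes(236) + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Fed with captured offers (for example from a sniffer on the subnet), the same auditor tells a defender whether any DHCP server on the wire is advertising a directory server at all, which is the case the checkbox in Directory Access is meant to protect against.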


  1. Re:Quick fix, just not easy for Mac users.. by tgibbs · Score: 4, Informative
    Yes that should be obvious to Mac users
    It's very complicated. You run Directory Access and a window comes up with a series of checkboxes. Then you have to uncheck the ones Apple says to uncheck.
  2. Re:Home vs. Work by wolrahnaes · Score: 5, Informative

    Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

    I have mod points, but I had to respond.

    This is so true. Many organizations beyond a few (10-20 or so) computers do not have good physical security. Anyone can easily place a rogue node on a network and wreak havoc.

    This happened recently at my school. Someone set up a DHCP server that responded faster than the school's Netware systems could. This seemed to be accidental because the configuration was all over the place, and didn't work at all. The techs have been investigating this for a few weeks and I'm not sure if they have found it yet.

    While my above example didn't cause any harm, imagine if someone was to set up a DHCP system and also took advantage of IE's "autodetect proxy settings" feature. They could be almost undetectable, yet be able to log all Internet traffic by redirecting the proxy and default gateway through their box.

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
  3. Re:It's still an exploit by jimi1283 · Score: 3, Informative
    Novell's directory service has this problem too. It does not have a "minimum uid" setting, so it will gladly accept a uid of 0...

    Which is why we don't use it at my company.

  4. Re:Speaking of Apple bugs... by Aliencow · Score: 2, Informative

    I just tested it on panther and at least 2 or 3 chars of the password get passed on to a window behind...

  5. What's the difference? by penguin7of9 · Score: 3, Informative

    This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services.

    That is a root vulnerability. You could perhaps trust LANs 20 years ago, you absolutely cannot trust them today, and any vendor that ships software that, by default, trusts the LAN is shipping software with severe security problems.

  6. Re:No worse than DHCP itself by jcr · Score: 5, Informative

    THIS hole (and it is a hole, not a bloody feature, IMHO), grants anyone on your subnet r00t access on your MAC.

    Not exactly. They'd still need either 1) physical access to your machine to log in, or 2) for you to have turned on incoming ssh access (the default configuration doesn't allow remote login.)

    So, this is a problem if someone's able to get to your subnet and set up a rogue LDAP server, *and* you've turned on a service that isn't on by default. It's not a way for j.random script kiddie in Oklahoma to own you.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  7. Re:Wireless attacks on local networks by Anonymous Coward · Score: 2, Informative

    I am not so sure that I buy the whole... wireless dhcp server being that huge.

    First, if someone can jack into my ethernet with a machine and place it on my same subnet... they deserve to h4x0r my boxen.

    Now... if they get on my wireless network, what are the chances that my wireless machine will leave an already established lease to jump ship and run to another dhcp server, especially if my base station is also my wireless dhcp server. And let's not forget the whole problem of "ssh" is not on by default. If it is on then obviously we are not dealing with a simple novice, and any open wireless network, misconfigurations, and lack of knowing when someone reboots your machine to take it over... is partly their own fault. Out of the box, you are safe.

    Sure, this is an exploit, but it requires physical action as opposed to a few keystrokes or automated script. It is the same thing with the floppy or cd trick for linux. If you keep the power button, floppy or cd-rom exposed you're just as vulnerable to getting rooted.

  8. Two workarounds, both annoying by Anonymous Coward · Score: 1, Informative

    1. Don't use .local for your subdomain
    2. Disable Rendezvous' broadcast-based resolver by hacking on the stuff in /etc/named/ (which effectively disables a large chunk of Rendezvous)

  9. Re:New bugs, ease breaking havoc on your LAN by Spy+Hunter · Score: 3, Informative

    mDNS isn't crap, it's cool, something like it has been needed for a long time, and it's going through the IETF standards process. Apple's not "hijacking" anything. If you believe that using .local is a mistake, then you can bring up your concerns on the appropriate IETF working group. The IETF standardization process is completely open; anyone can join the mailing list and voice their concerns and get things changed. Look here for info on mDNS and the related IETF working groups you can join.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  10. Re:It's an old argument by RzUpAnmsCwrds · Score: 5, Informative

    "For example, the messenger service isn't used by anyone by spam senders"

    System administrators have used it for years. It's only recently that the spammers have decided to use it. That's why Microsoft is disabling the service by default in XPSP2.

    "fragile, naked file system"

    I don't honestly know what you are talking about. NTFS is a journaling filesystem with some very strong features. Metadata for every file, unlimited alternate data streams (Microsoft's version of the HFS data/resource forks, but you can have as many as you want), strong security permissions that even the OS obeys that can be applied on a per-user basis with inheritance and an allow/don't allow/deny system. NTFS is one of the strongest attributes of Windows. Now, the permissions aren't set strict enough out of the box (and most users make their account part of the Administrators group - just like running as root all of the time).

    Imagine how a Linux system would hold up under the following situation:
    - User always running as root, even when they don't have to
    - User downloading and executing unknown code from random locations (screensavers, shareware, warez)
    - User installing software that is bundled with programs that spy on them / mess up their system
    - User never patching their system, even though the OS can do it automatically
    - User not using a password on their system in many cases
    - User downloading and executing unknown code (in email attachments) even though system warns of extreme security risk
    - User not using firewall even though it is built into the OS

    Now, Microsoft could do more:
    - No mail client should even be able to execute attachments. Even with a security warning. I do believe that Outlook Express now prevents you from executing attachments at all unless you uncheck a box hidden in some configuration dialog.
    - The firewall should be on by default. XP SP2 fixes this.
    - Users shouldn't run as root all of the time. Perhaps a warning when they log on would be helpful. The setup wizard already creates non-root users, but most people don't use them. I don't think users are adequately informed of the security risks of running as root.
    - Windows should come with an antivirus solution. Something integrated and transparent. Sometimes, you need to run untrusted code, and a good antivirus program can help reduce the threat.
    - Windows should have more restrictive permissions by default. Currently, non-root users can write to "program files" and potentially destroy software (although not the OS).

    Finally, some things that are good:
    - As I said before, the permissions system is very good
    - Windows File Protection is good for those stupid installers that try to overwrite system libraries
    - System Restore is nice for those people who are too cheap or lazy to have a real backup solution
    - Automatic updates are nice - if only people would use them
    - Driver rollback is nice for nuking "crap rev" drivers

    "I guess the point of this is that if I have to re-install windows or edit the registry again before Christmas"

    If you do the following things, you won't have to:

    - Don't run as root (administrator) unless you absolutely must
    - Don't download and execute unknown code unless you have scanned it with an antivirus. Don't run it as root unless you absolutely must (many programs will install as nonroot)
    - Turn on the XP firewall
    - Run a spyware detection tool such as ad-aware or spybot to get rid of the crap
    - Install the latest patches and service packs

    Basically, use common sense. If Windows users would realize that, no, your computer *is not* a toaster and it *does* require a bit of work to keep it secure, there would be many fewer viruses and worms.

    Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.

  11. Re:In other words... by uroshnor · Score: 3, Informative

    If remote setup is spin, why is it in the documentation that was released for Panther when the OS was released? See the server administration pdfs.

    This isn't a new "exploit" - all previous versions of MacOS X and NeXTStep had this with NetInfo by design - that's for nearly 15 years. However, it requires specific non-default configuration to work (the network directory does not have precedence over the local directory by default - what is claimed in the original web page announcing the exploit is wrong).

    For this to work, someone with local access to the machine has to go and change the directory lookup order for authentication, so that the network directories override local.

    This is one of a long list of "exploits" that fall into the category of "If I have local administrator/root access and misconfigure something in a specific way, then I am potentially remotely exploitable".

    The UI in MacOS should definitely warn you if you tried to make the change, but this really isn't the sort of thing you'd work people day and night to fix.
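
Added example, not code from the page or from any commenter, illustrating the two directory-service points raised in comments 3 and 11: a resolver that consults the local directory before the network directory, and that refuses network records whose uid falls below a minimum or collides with a local account. The record values and the 500 cutoff are constructed for the demonstration; `min_network_uid=None` models a directory with no minimum-uid setting and `network_first=True` models the changed lookup order.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserRecord:
    name: str
    uid: int
    source: str          # "local" or "network"


class DirectoryResolver:
    """Looks a user up in a local directory and then a network directory.

    By default the local directory takes precedence, and the network directory
    may not answer with a reserved uid: one below min_network_uid or one already
    held by a local account. min_network_uid=None disables that policy and
    network_first=True swaps the lookup order (both are misconfigurations here).
    """

    def __init__(self, local: List[UserRecord], network: List[UserRecord],
                 network_first: bool = False,
                 min_network_uid: Optional[int] = 500):
        self.local: Dict[str, UserRecord] = {r.name: r for r in local}
        self.network: Dict[str, UserRecord] = {r.name: r for r in network}
        self.network_first = network_first
        self.min_network_uid = min_network_uid

    def _network_record_allowed(self, rec: UserRecord) -> bool:
        if self.min_network_uid is None:
            return True                      # policy disabled: any uid accepted
        if rec.uid < self.min_network_uid:
            return False                     # privileged range, uid 0 included
        return rec.uid not in {r.uid for r in self.local.values()}

    def lookup(self, name: str) -> Optional[UserRecord]:
        local = self.local.get(name)
        net = self.network.get(name)
        if net is not None and not self._network_record_allowed(net):
            net = None                       # rejected network record
        if self.network_first:
            return net if net is not None else local
        return local if local is not None else net
```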

  12. Re:Read the IETF documents before posting! by rduke15 · Score: 2, Informative

    Before misleadingly filling your comment with "IETF", maybe you should read a few IETF documents and join their working groups yourself.

    I will gladly admit that mDNS doesn't have to be crap in itself, and may be cool, but Apple's proposed implementation is NOT going through the IETF standards process.

    And Apple IS hijacking the .local tld, and not only did the IETF never recommend that it be reserved for Apple's Rendezvous, but in fact, had "concerns about multicast storms resulting from site-wide mDNS usage, as well as concerns about cache pollution" (among others).

    What they eventually adopted in the standards track is LLMNR.

    LLMNR also doesn't require suddenly taking over a widely used tld.

    Also: "Rendezvous is an individual submission that is not a work item of any IETF working group, and is currently not an IETF standard. While it is possible for an individual submission to become an IETF standard, this is unlikely in this case because an existing WG (DNSEXT) is already working on a competing protocol (LLMNR), which has just completed DNSEXT WG last call."

    See the LLMNR FAQ.

  13. Re:It's an old argument by ernst_mulder · Score: 3, Informative

    Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.

    That is simply so wrong. There are so many applications that require the user to edit their registry. Not by design of course but because of software bugs.

    Some simple cases to illustrate my point.

    Exact Globe 2000 (administration software) suddenly won't properly print anymore. Call helpdesk. Remove some keys and voila printing works again.

    Windows XP won't remember Outlook Express' password. Look problem up on microsoft.com. Advice: remove some keys and voila problem solved.

    I could go on, I won't.

    Editing the registry has become such a common solution to all kinds of problems. Not necessarily because the USER does something wrong (unless using Windows in the first place is considered WRONG :-) ).

    Ernst Mulder

  14. Re:It's an old argument by HSpirit · Score: 2, Informative

    so I guess I'll also have to script some gadget talking to messenger to keep them happy.
    Very easy to do, all you need to do is install smbclient and the samba codepages on your *nix server, and then use smbclient's -m switch.

    I have an OpenBSD gateway on a dial-up connection serving my small office network, and I use this solution to inform the users when the dialup connection goes down/up.

    Saves me many calls of the type: "Hey, is the internet down?!"

  15. Re:Well, it's not the only security problem. by argent · Score: 2, Informative

    If it launched IE, it was recognising FTP but IE had over-ridden the default handler. You can use MisFox

    http://www.clauss-net.de/misfox/misfox.html

    or IC-switch

    http://flip.macrobyte.net/software/ic-switch_en

    to change these settings. I've taken to using Cyberduck for FTP.

    http://icu.unizh.ch/~dkocher/cyberduck/

  16. shadow passwords by hayne · Score: 2, Informative

    If you have a user account that was present in 10.2, it stays as it was in 10.2 - i.e. the password is world readable and limited to 8 significant characters. If you make a new account in 10.3 or even change the password of an existing account that was brought over from 10.2 to 10.3, then the new password handling will take effect: shadow passwords and a larger number (I don't recall how many) of significant characters.

  17. Important wrinkle by awtbfb · Score: 2, Informative


    What is not fully documented is that if you have multiple network locations, you have to deselect this checkbox for each location. Fortunately, this is straightforward since there is a network location pull down menu right above the checkbox.

    Note that this means you can leave it checked for trusted networks but uncheck it for untrusted networks.

  18. Re:Do I Need Any Of Them On? by RAMGarden · Score: 2, Informative

    If that's the only computer on your network, turn it all off. Rendezvous is for other apples and SMB is for looking at windows file shares.

    --
    --- Nothing is secure.