Slashdot Mirror


Apple Responds to Exploit

Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3. ... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme." This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.


  1. It's an old argument by Space cowboy · · Score: 4, Insightful

    but it's as valid today as it ever was. There is a dichotomy between security and ease-of-use. Hitherto it has been impossible to have the one and the other simultaneously. Choose one.

    Apple choose ease-of-use, and get criticised for leaving an open security "hole". Microsoft choose the same, and get criticised for (well, just about everything except wonderful marketing), and Linux chooses the other, and is criticised for poor ease-of-use.

    That's not to say it's impossible, but it needs more than the current level of effort that goes into multi-node design. Apple is taking the first steps, and they've been somewhat burnt. Let's hope that doesn't discourage them from carrying on down the path... Unix as a genre can only learn from a successful easy-to-use and secure implementation of multi-machine computing. The thing is that you only learn by trying....

    Simon.

    --
    Physicists get Hadrons!
    1. Re:It's an old argument by cgenman · · Score: 5, Insightful

      I'd find the "Microsoft security vulnerabilities are the fault of ease-of-use" argument a little more valid if Microsoft's software were actually vulnerable due to useful features.

      For example, the messenger service isn't used by anyone but spam senders, e-mail scripting was never a useful device to anyone, and a fragile, naked file system doesn't lend itself to easy usage anyway. A web browser that can be told to run arbitrary code due to a buffer overflow is not vulnerable because it is easy to use, but because it is poorly written. The autodetection of hardware and updating of drivers is very easy to use, and has (as far as I know) never been the source of an exploit.

      You can both have security and ease-of-use... Just design a closed system with very limited purposes. A Hub, for example, is extremely easy to use, and has few possible points of security vulnerability. Routers, on the other hand, are frequently a bit archaic in their setup and get hacked all of the time.

      That's not to say that your point is invalid, but that there are other factors involved... Flexibility, control, effort, etc.

      I guess the point of this is that if I have to re-install windows or edit the registry again before Christmas I'm buying myself an iMac.

    2. Re:It's an old argument by rduke15 · · Score: 3, Insightful

      the messenger service isn't used by anyone

      A linux box here with an ISDN card sends Windows popups with "who is calling whom" info to the Windows boxes on the net. It occasionally annoys the children when they are playing a game, but we find it useful.

      In a company, the users seem to like the popup announcing to them that they have new mail. I intend to replace their Exchange server with a Linux box, so I guess I'll also have to script some gadget talking to messenger to keep them happy.

    3. Re:It's an old argument by Minna Kirai · · Score: 2, Insightful

      There's no physical reason why you can't have both. Having a great UI and security is a resource allocation

      Yes, there are real, physical (derived from natural laws) conflicts between ease and security.

      An easier version of SSH wouldn't force the user to memorize passwords, which is a fundamental conflict with security. An automobile would be easier to use if you didn't need to carry around an ignition key.

      However, the post you were responding to didn't say that. It said "Hitherto it has been impossible", which is an equivocation: a statement of how things have been so far, not a claim it must remain so in the future.

    4. Re:It's an old argument by cgenman · · Score: 5, Insightful

      Good advice overall, which any computer user should abide by. However, I'd like to point out a few things.

      First of all by "file system," I had meant the organizational file hierarchy in Windows, the portion that the OS sees. You can still break all of the links to a program by, for example, re-naming a folder. Many programs fail to work if installed on something other than the C: drive... Many of these are Microsoft's programs. The Windows folder is a hodgepodge of thousands of items, some of which are protected and some of which aren't, but few of which are intelligently laid out for either the user or the programmer. I agree that NTFS is a much better file system than Fat32 was (though the fact that Windows XP doesn't support 160 GB drives out of the box is pretty shameful), but what the OS does with it is shabby.

      Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.

      Actually, some programs treat registry settings like they were a preferences dialog. Zone Alarm, for example, like thousands of other pieces of software has an annoying splash screen that appears every time your computer boots, and the only place the preference exists is in the registry. Program registrations need to be backed up from and occasionally restored to the registry... It's just a bad idea to keep your copy restriction authentication and your preferences in the same structure, but that's exactly what Microsoft designed.

      As a game developer, and an out-of-work one at that, Windows does need to be reinstalled every 6 months or so... If the constant flow of test games doesn't get you, the constant flow of uninstallers will. Rolling back to restore points is useful, but A: it doesn't always work and B: it doesn't address the cumulative damage of accrued extensions.

      As an addition to your suggestions, the user needs to check what icons are in the bottom-right hand corner of their screen, and shut off what isn't needed. Many people I have spoken to don't realize that those are applications and not just quick-launch shortcuts.

    5. Re:It's an old argument by devnullify · · Score: 2, Insightful

      You don't need the OS to protect you. All it takes is some common sense.

      So when Microsoft implements all these annoyances (for someone competent with common sense), I'll be doing something wrong by editing the registry to turn them off?

    6. Re:It's an old argument by TheCrazyFinn · · Score: 2, Insightful

      Two things I'd love to see MS steal from Apple:

      Application Bundles. This means that the only dynamic libraries going into the System directories are actually part of the core OS. All an application's dynamic libraries are contained in the bundle. It's a bit wasteful space-wise, but HDD space is cheap. And it solves much of the problem of Users needing to install their own software, but needing to be Admin to do so. This is much like installing software in your home directory as an unprivileged user in other unixes.

      .plist files. XML-based preference and config files. Replace the damned Registry with these. For user prefs, drop them in a hidden directory in the user's home directory, which also means that they are easily backed up, transferred and migrate to all OS's when the home directory is shared. And it also means that installing apps just drop their system-wide plists in a common directory, and the system maintains a third directory for system services plists. Much more robust than the Registry (which was a nice idea, but has never worked reliably for workstations or desktops). It also means that in a pinch, an admin can edit the damned plist with a text editor, or just trash it to repair/reset b0rked software.

      --
      "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
    7. Re:It's an old argument by Dylan Zimmerman · · Score: 3, Insightful

      NTFS has a good permission system? That's news to me. As an administrator, I created a folder that denied other users the ability to do anything with or to it. I set every single permission to "deny", especially the "Take Ownership" permission. I then logged in as a Limited account, navigated to the folder, right-clicked it, went to "Security", it told me that I wasn't allowed to view or change the security settings and that I couldn't take ownership. I then clicked on the "Advanced" button, went to the "Ownership" tab, and gave myself ownership. I then closed the two open dialogs, right-clicked again, added myself to the permissions, and gave myself full control over the folder.

      In UNIX, I could set the permissions to 750 and not have to worry about it anymore.

      Now, I like the link idea. Having the same file in multiple locations on your directory tree can be very useful. Also, the metadata and data streams are nice. However, NTFS doesn't have "strong security permissions" by any stretch of the imagination.

      I have to edit the registry all the time. Programs like to set themselves up to autorun by putting themselves in HKLM/Software/Microsoft/Windows/Current Version/Run. Most of these are programs that I don't like such as Microsoft Messenger. I go into the Microsoft Messenger preferences and uncheck "Run this program when Windows starts", but it doesn't remove the registry entry.

  2. Who will watch the watchers? by Crypto Gnome · · Score: 5, Insightful

    Realistically, an issue trusting the LDAP server that your DHCP server points you at?

    What is the world coming to?

    Do I need to manually verify every single setting supplied to me by my DHCP server because I don't trust it?

    These days, the internet is not a safe place, we all need to be more than just a little paranoid - but are you paranoid enough?

    --
    Visit CryptoGnome in his home.
    1. Re:Who will watch the watchers? by nehril · · Score: 4, Insightful

      Do I need to manually verify every single setting supplied to me by my DHCP server because I don't trust it?

      in a way, yes. an evil machine on your network may answer your dhcp request with, say, itself as your default route. wham, you have yourself a machine routing all your internet bound packets through itself, doing whatever it is evil people do (nice little man-in-the-middle eh?)

      it's back down to ease of use: dhcp, or have the network admin identify himself with DNA samples and personally configure each box on the network.

    2. Re:Who will watch the watchers? by Cysgod · · Score: 3, Insightful

      You trust the network (and DHCP) to tell you how to talk to the network. (IP address, netmask, gateway, DNS, etc.) And then you use things like SSL and SSH host keys to make sure you are really talking to who you think you are. You don't trust it with root access to your machine to do whatever it wants to.

      The argument I make in the "philosophical details" section of the advisory is that realistically you should not trust a network for user authentication information without at least *some* user interaction so the user is aware of what is going on. To do otherwise is irresponsible and puts end users at risk.

    3. Re:Who will watch the watchers? by ernst_mulder · · Score: 2, Insightful

      It's pretty safe to assume your company's network, whose RJ45 socket you plug your network cable into, is quite secure.

      One of the fine points of this exploit however is that some users may never know they are on an untrusted network. Why? Because they have a wireless network card installed and enabled.

      So booting your Mac with DHCP enabled could compromise your system when a "bad person" has set up a "bad wireless network" in the neighbourhood. No physical contact to your computer required.

      The only fact that makes this exploit less likely is that computers with wireless network cards are usually PowerBooks and that PowerBooks are hardly ever rebooted. From personal experience I can say that the only times I rebooted my iBook were after system upgrades, which are usually performed while connected to my company's network (not wireless).

      Ernst Mulder

  3. It's still an exploit by Anonymous Coward · · Score: 5, Insightful

    No matter what sort of spin Apple puts on it, it's still retarded of them to trust LDAP to the point that UID=0 is trusted to be root.

    Still, I don't think that this exploit is really that easy to take advantage of... the circumstances which would lead to it are fairly limited for now (until WiFi is as pervasive as air, anyway).

    1. Re:It's still an exploit by Anonymous Coward · · Score: 1, Insightful

      I think that it should not trust the LDAP server at all for any user information or anything even remotely system-critical unless explicitly told to.

      Even without being able to get root directly, if the machine has any trust in a hostile LDAP server, there are plenty of more subtle attacks that can be mounted.

      The worst thing Apple could do is to fix this by adjusting it so that the server is trusted for some things, but not others. When an obvious trust-issue like this comes up, plugging the known-exploitable holes is not sufficient, the underlying trust-issue is what needs to be resolved.
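The two anonymous posters above object to a network directory being trusted to the point that a record claiming UID 0 is honoured as root, and argue that the trust relationship itself, not one symptom, is what needs fixing. The Python below is an added example, not Apple's code and not anything posted in this thread, of the kind of policy gate a client could apply to user records received from a network directory before merging them into local account lookups: it rejects records that claim uid or gid 0, that fall in the reserved system range, or that collide with a local account's name or uid, and it restricts home directory and shell to sane values. The local account table and the directory records are constructed sample data, and the assumption that UIDs below 500 are reserved is labelled in the code.

```python
import re
from dataclasses import dataclass

# Assumption (not stated on this page): Mac OS X keeps UIDs below 500 for system
# accounts and starts ordinary local users at 501, so nothing from the network may land there.
RESERVED_UID_MAX = 499
ALLOWED_HOME_ROOTS = ("/Users/", "/home/")
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/bin/tcsh", "/bin/zsh"}
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

# Constructed sample of the local account table (name -> uid); on a real host this
# would come from the local NetInfo or flat-file database, never from the network.
LOCAL_USERS = {"root": 0, "daemon": 1, "alice": 501}


@dataclass(frozen=True)
class DirectoryUser:
    """A posixAccount-style record as a network directory would hand it back."""
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def validate_network_user(user, local_users=LOCAL_USERS):
    """Return the reasons a network-supplied record must not be honoured; [] means it may be used."""
    problems = []
    if not SAFE_NAME.match(user.name):
        problems.append("malformed user name")
    elif user.name in local_users:
        problems.append("name '%s' collides with a local account" % user.name)
    if user.uid == 0 or user.gid == 0:
        problems.append("record claims uid or gid 0 (root)")
    elif user.uid <= RESERVED_UID_MAX:
        problems.append("uid %d is in the reserved system range" % user.uid)
    elif user.uid in local_users.values():
        problems.append("uid %d collides with a local account" % user.uid)
    if not user.home.startswith(ALLOWED_HOME_ROOTS):
        problems.append("home directory %s is outside the permitted roots" % user.home)
    if user.shell not in ALLOWED_SHELLS:
        problems.append("shell %s is not permitted" % user.shell)
    return problems


def partition_records(records, local_users=LOCAL_USERS):
    """Split directory records into (accepted, rejected); rejected maps name -> reasons."""
    accepted, rejected = [], {}
    for user in records:
        problems = validate_network_user(user, local_users)
        if problems:
            rejected[user.name] = problems
        else:
            accepted.append(user)
    return accepted, rejected


# Constructed sample records: one legitimate user and three hostile ones of the kind
# a rogue directory server could return.
SAMPLE_RECORDS = [
    DirectoryUser("bob", 1001, 1001, "/Users/bob", "/bin/bash"),
    DirectoryUser("root", 0, 0, "/var/root", "/bin/sh"),               # outright root record
    DirectoryUser("mallory", 501, 20, "/Users/mallory", "/bin/bash"),  # impersonates local uid 501
    DirectoryUser("svc", 0, 80, "/Users/svc", "/bin/sh"),              # uid 0 under an innocent name
]

if __name__ == "__main__":
    accepted, rejected = partition_records(SAMPLE_RECORDS)
    print("accepted:", [u.name for u in accepted])
    for name, reasons in rejected.items():
        print("rejected %s: %s" % (name, "; ".join(reasons)))
```

The point of the gate is that the network directory is never allowed to answer questions the local database already answers: any name or uid that already exists locally, and the whole reserved range, is off limits regardless of what the server says.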

  4. Wireless attacks on local networks by Mundocani · · Score: 5, Insightful

    In many discussions, people downplay the importance of exploits like these because the attacker has to be on your local network to take advantage of the security hole. What about all of the mis-configured (or deliberately) open wi-fi networks out there? I think that wireless networking has changed the importance of "local exploits" by allowing somebody passing by to become a local entity on an open wi-fi network.

  5. No worse than DHCP itself by clasher · · Score: 5, Insightful

    This problem seems little worse than other problems related to DHCP. If someone had access to your subnet and was able to configure a rogue DHCP server (e.g. to exploit the OS X ldap bug) they could just as easily return a rogue proxy as the default gateway or a tainted DNS server. If you are not vigilant about SSH warning messages or best practices you could be connecting to a server which is just recording your password and passing it along to the real server.

    There may be something I'm missing, but this does not seem to be a problem with Mac OS X as much as it is with DHCP. DHCP in its simplest form is not secure. Using DHCP on a subnet requires trust. As with any other kind of security you will have to trust something, whether it is your computer or your home network.

    I hope people do not blow this bug out of proportion too much.
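The rogue-DHCP scenario that nehril and clasher describe above (a bogus offer handing the client a malicious default route, DNS server or, in this case, an LDAP server) can be checked for on the wire rather than trusted blindly. The following Python is an added example, not code from Apple or from anyone in this thread: it parses the options field of a raw DHCP packet and flags offers whose server identifier or router is not on an allowlist, or that push an LDAP server at all. The sample packets are constructed inside the script, and the use of DHCP option 95 to carry the LDAP server URL is an assumption about Apple's scheme, not something this page states.

```python
import struct
import ipaddress

# DHCP option codes used below (RFC 2132). OPT_LDAP is an assumption: the option code
# Apple's "Use DHCP-supplied LDAP Server" feature is believed to read; verify on your network.
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
OPT_LDAP = 95
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp_options(packet):
    """Return {option_code: raw_bytes} from a raw DHCP packet (BOOTP header + options)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        # RFC 3396: a repeated option code continues the previous value, so concatenate
        # instead of silently overwriting (an overwrite would let a later copy hide an earlier one).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def ipv4_list(raw):
    """Decode a run of 4-byte addresses (router, DNS and server-identifier option values)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def audit_offer(packet, trusted_servers, trusted_routers):
    """Return findings for a DHCPOFFER/DHCPACK; an empty list means nothing suspicious."""
    options = parse_dhcp_options(packet)
    if options.get(OPT_MSG_TYPE, b"\x00")[0] not in (DHCPOFFER, DHCPACK):
        return []  # discovers and requests carry no configuration to audit
    findings = []
    server = ipv4_list(options.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_servers:
        findings.append("offer from untrusted DHCP server " + (server[0] if server else "unknown"))
    for router in ipv4_list(options.get(OPT_ROUTER, b"")):
        if router not in trusted_routers:
            findings.append("untrusted default route " + router)
    if OPT_LDAP in options:
        findings.append("offer pushes an LDAP server: " + options[OPT_LDAP].decode("ascii", "replace"))
    return findings


def build_offer(server_ip, router_ip, ldap_url=None):
    """Construct a minimal DHCPOFFER for testing (sample data, not a captured packet)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x3903F326, 0, 0,                 # op=BOOTREPLY, ethernet, hlen 6, hops, xid, secs, flags
        b"\0" * 4, ipaddress.IPv4Address("192.0.2.10").packed, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,          # chaddr, sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    options += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router_ip).packed
    if ldap_url:
        url = ldap_url.encode("ascii")
        options += bytes([OPT_LDAP, len(url)]) + url
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    trusted = {"192.0.2.1"}
    print(audit_offer(build_offer("192.0.2.1", "192.0.2.1"), trusted, trusted))
    print(audit_offer(build_offer("192.0.2.66", "192.0.2.66", "ldap://192.0.2.66/dc=example"), trusted, trusted))
```

Fed the raw payload of UDP port 68 traffic captured on the subnet, the audit gives a network admin a way to notice the "evil machine answering your dhcp request" before a client acts on it; the allowlist of server identifiers and routers is the part that has to be maintained per site.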

    1. Re:No worse than DHCP itself by kwj8fty1 · · Score: 3, Insightful

      Sure, someone can feed you bogus dhcp info, and they could then man-in-the-middle you.

      That's fine, but THIS hole (and it is a hole, not a bloody feature, IMHO), grants anyone on your subnet r00t access on your Mac.

      This is a different attack completely.

      AFAIK, no other OS offers root access to any little kiddy acting like a dhcp server.

  6. Re:Yikes! Who configures after connecting ethernet by Anonymous Coward · · Score: 3, Insightful

    I don't mind this at all.
    No professional I know connects a server to the network BEFORE they configure security and network settings.

    Shame on you if you do :-)

  7. Home vs. Work by LauraW · · Score: 4, Insightful

    I expect retail software geared to the home user will continue to keep the tendency of shipping flawed, because development often does not take place in a home environment.

    In this case, the software is actually more vulnerable in a work environment, because it requires a compromised DHCP server on the local subnet. Most home users would probably notice if you plugged in another computer in their house. It's less likely to be noticed in a corporate environment, at least for long enough to compromise a few servers.

    Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

    1. Re:Home vs. Work by Rahga · · Score: 5, Insightful

      Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

      The janitors in my bank building could probably do this on multiple networks on multiple floors with ease. Heck, just drop a decently modded dreamcast under a secretary's desk or anywhere you can find an ethernet drop and weak switching.

  8. Well well well.... by JFMulder · · Score: 1, Insightful

    .... turns out, if someone had RTFM, nobody would be talking about this.

  9. Re:much ado about nothing by Anonymous Coward · · Score: 2, Insightful

    > you have to have a malicious dhcp server on your subnet.

    Keep in mind "your subnet" could be the WLAN at the coffee house (I must have seen 6 macs down there today - near the Castro in SF, in case anyone's interested), or a cable modem connection. This also means that if you can own one box on the network, you automatically get root on all the others.

  10. Re:Use what you know... by tgibbs · · Score: 4, Insightful

    This problem is rather simple... Operating systems such as Windows and MacOS X (don't troll me with Darwin) are commonly developed inside corporate environments, and a direct connection to the internet rather than a firewalled lan is the exception, rather than the rule.

    Neither is it much concern to the typical home user who either connects directly to DSL or cable modem, or at worst uses his own short-range WiFi with some level of security. Currently, it is mainly a concern for traveling businessmen who take their WiFi equipped laptops to Starbucks or a convention center and connect from there. It will probably become more of an issue as such semi-public WiFi nodes become more common.
  11. What's with the endless zealot crap... by Anonymous Coward · · Score: 1, Insightful

    from the dictionary --

    One who is zealous; one who engages warmly in any cause, and pursues his object with earnestness and ardor.

    Doesn't sound so bad to me. Are you a Linux zealot? A Windows zealot? Does having a strong opinion make you a zealot? Or are you opinionless.

    You are the lemming. Spewing the same tired crap about 'Mac zealots'.

    Shut up, Anti-Mac zealot.

  12. Re:No, that's not so bad by Squozen · · Score: 5, Insightful

    I work tech support, and if I had a dollar for every Windows owner that didn't understand the difference between right and left-clicking I could buy Slashdot and every AC posting to it.

  13. Not Just Apple! by linuxislandsucks · · Score: 5, Insightful

    Ah ahem, several storage servers like Snap and etc also come with this 'feature'..

    and those run Linux...

    --
    Don't Tread on OpenSource
  14. Re:In other words... by Anonymous Coward · · Score: 1, Insightful

    Sure, just send fake DHCP requests until the basestation uses up its IP address pool.

  15. zerg by Lord Omlette · · Score: 1, Insightful

    This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services.

    If Microsoft ever said this, we'd be laughing at them. Rightfully so. WTF.
    --
    [o]_O
    1. Re:zerg by burns210 · · Score: 3, Insightful

      because, unlike MS, Apple has turned off services that aren't needed, by default.

      Who cares that an exploit can create a new user, if ssh and remote login is turned off anyway? The Answer: well, not many people. this is somewhat of a bug/potential hole, that should be fixed, but NOT panicked about.

  16. A solution... by igomaniac · · Score: 4, Insightful

    Since this is an autoconfiguration feature, why not have it on only for the first boot after installing the OS? This way the computer can autoconfigure and then when it is configured it turns the feature off again.

    --

    The interactive way to Go -- http://www.playgo.to/iwtg/en/
  17. Re:Apple is making a huge mistake by burns210 · · Score: 4, Insightful

    so why the hell are you running a mission critical server via dhcp? give it a static address to negate even the possibility of the exploit you are talking about here.

  18. Oh give it a rest by Sycraft-fu · · Score: 2, Insightful

    The messenger service is used by many organizations for alerts. Where I work, our servers use it to send alerts to those that manage them. Works well since, unlike e-mail, it will get immediate attention. A web browser that is able to execute scripts is much more complex and therefore vulnerable than one that just doesn't execute code at all.

    Get off it, when you provide services to the world, you open yourself to the possibility of getting hacked. Look at Linux. Consider the holes in OpenSSH. Is it essential? No. Is it useful? Hell yes. When you run services that the whole world can get at, you run the risk that there is a flaw in the coding that someone exploits.

    Now, a valid solution to this is to have everything turned off and/or locked down by default. Ok, that works, but is a pain in the ass (read not easy to use) since you must then figure out how to enable everything and make it work. If you have useful services enabled by default, it runs the risk they are vulnerable and can be exploited by default.

    By the way, if you have to reinstall Windows continually, you need to get some skills with Windows. To fuck it up that often and that bad indicates poor skills of the user.

  19. Re:Quick fix, just not easy for Mac users.. by pudge · · Score: 2, Insightful

    So, you don't care whose rules YOU break, you just care that others follow YOUR rules.

    Typical liberal.