Slashdot Mirror
Apple Responds to Exploit
Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3. ... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme." This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.
but it's as valid today as it ever was. There is a dichotomy between security and ease-of-use. Hitherto it has been impossible to have the one and the other simultaneously. Choose one.
Apple choose ease-of-use, and get criticised for leaving an open security "hole". Microsoft choose the same, and get criticised for (well, just about everything except wonderful marketing), and Linux chooses the other, and is criticised for poor ease-of-use.
That's not to say it's impossible, but it needs more than the current level of effort that goes into multi-node design. Apple is taking the first steps, and they've been somewhat burnt. Let's hope that doesn't discourage them from carrying on down the path... Unix as a genre can only learn from a successful easy-to-use and secure implementation of multi-machine computing. The thing is that you only learn by trying....
Simon.
Physicists get Hadrons!
Realistically, an issue trusting the LDAP server that your DHCP server points you at?
What is the world coming to?
Do I need to manually verify every single setting supplied to me by my DHCP server because I don't trust it?
These days, the internet is not a safe place, we all need to be more than just a little paranoid - but are you paranoid enough?
Visit CryptoGnome in his home.
No matter what sort of spin Apple puts on it, it's still retarded of them to trust LDAP to the point that UID=0 is trusted to be root.
Still, I don't think that this exploit is really that easy to take advantage of... the circumstances which would lead to it are fairly limited for now (until WiFi is as pervasive as air, anyway).
This is horrible... First the machine comes with a pre-configured backdoor/exploit, and they want to leave it like this? Second, if you can just plug in the machine in a network, and have it totally configure itself, you've just killed a job for an IT guy... and we need all the jobs we can get...
;)
Oh, wait... once the new machine gets owned by some script kiddies, then the IT guy gets called... okay... phew... nearly thought that a job was eliminated... nevermind... as you were...
---
Programming is like sex... Make one mistake and support it the rest of your life.
This problem is rather simple... Operating systems such as Windows and MacOS X (don't troll me with Darwin) are commonly developed inside corporate environments, and a direct connection to the internet rather than a firewalled lan is the exception, rather than the rule. When the pointy haired boss walks in and requests a machine than can set up itself when he plugs in to the network, it gets delivered.
I expect retail software geared to the home user will continue to keep the tendancy of shipping flawed, because development often does not take place in a home environment. This goes for everything from Quake servers (remember ID's backdoor?) to all of the $40 photo-editing tools that are sold at Wal-Mart with marketing emphasis on the end user, with interfaces so all-encompasing, wizard-heavy, and dumbed-down that even I don't attempt to tech my low-tech friends how to use them.
...it's about *how it's handled*.
All software is, and will continue to be for the forseeable future, vulnerable. The question for the users and security people is, "How will company x handle themselves when a vunlerability is discovered in their product?"
This question, and its answer, is the most important issue when deciding who you trust with your data.
dmiessler.com -- grep understanding knowledge
really, from apples docs, you have to have a malicious dhcp server on your subnet. of course, someone could bring a rogue box into work, but this isn't on par with ms exploits. wouldn't a simple mac address filter at the switch level take care of all this. yeah, you could instal dhcpd on your authorized client, but this should also be a fairly easy thing to detect. i think apple is right, it's a configuration level solution.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Yeah but there explanation seems like they are talking with you, and instead of at you.
I feel like Steve Jobs just bought me a drink and explained the problem, then gave me a hug when it was time to go home.
I'll miss him.
In many discussions, people downplay the importance of exploits like these because the attacker has to be on your local network to take advantage of the security hole. What about all of the mis-configured (or deliberately) open wi-fi networks out there? I think that wireless networking has changed the importance of "local exploits" by allowing somebody passing by to become a local entity on an open wi-fi network.
I was moderating, but this just burns me too much to remain silent.
I am not an artist. I'm bad at music, too. But I'm not much of a programmer, either. However, I know two people who are good examples.
First is my father. He has a doctorate in E.E., focusing on bottlenecks in computer systems, programmed assembly for TI in the 70s, and has been a professor in E.E. since long before I was born. He only uses Macs. We have one machine in the house that is not a Mac, this one, running Slack 7. He used Macs back in the "old days" for research because, for the money, they were the fastest things he could get his hands on. Now he uses them for work and at home because a) he's used to them and b) they are the best compromise between usability (he can still go into the terminal and screw around, but he can also use the very nice GUI when he doens't feel like typing everything or he's in a meeting with the Dean or the President of the university) and security/stability (it doesn't crash everyday and it has yet to get a virus). I use them for the same reason. And because I can't afford a computer of my own so I use what we have.
The other person is my music teacher. He's a professional musician as well. He's backed up Lionel Ritchie in concert before and plays bass in his own band. He also does some composing. On a Mac, only. He uses Macs because, back when he started, the best if not only composing software was for Macs. Since then, he's been sorta stuck with them. Not that he'd change, though, as my school has given him a PC and he hasn't found a program that works as well on it as his program for Mac (I wish I could remember the name, but alas, I can't. It's one of the major 2, though, I remember). Yes, he has been a "struggling musician" before. And yes, he stuck with his Mac through it because his Mac worked. Well.
Those are a couple of reasons why us "fruits" become blind zealots. It's sort of like being a Darwinian Evolution zealot. We get attacked by ignorant nay-sayers all the time, but we never lose sight of what we know works. Tell me, why are you such an ignorant bigot? Maybe you should get out of the house more...
No trespassing. Violators will be shot. Survivors will be shot again.
This problem seems little worse than other problems related to DHCP. If someone had access to your subnet and was able to configure a rogue DHCP server (e.g. to exploit the OS X ldap bug) they could just as easily return a rogue proxy as the default gateway or a tainted DNS server. If you are not vigilant about SSH warning messages or best practices you could be connecting to a server which is just recording your password and passing it along to the real server.
There may be something I missing, but this does not seem to be a problem with Mac OS X as much as it is with DHCP. DHCP in its simplest form is not secure. Using DHCP on a subnet requires trust. As with any other kind of security you will have to trust something, whether it is your computer or your home network.
I hope people do not blow this bug out of proportion too much.
A friend of my brother's recently found this one in OSX: Link to his blog entry about it
Not SO bad, but could be bad, and it's considerably more dangerous for known Unix nerds.
I don't mind this at all.
:-)
No professional I know connects a server to the network BEFORE they configure security and network settings.
Shame on you if you do
In this case, the software is actually more vulnerable in a work environment, because it requires a compromised DHCP server on the local subnet. Most home users would probably notice if you plugged in another computer in their house. It's less likely to be noticed in a corporate environment, at least for long enough to compromise a few servers.
Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.
You fool, have you even tried using a Mac lately? No? Just what I thought.
I'm a tech support (24+ years) who will have nothing but Macs in my house. Why? Because they work, don't crash, and my wife and son can't fuck them up.
After spending all day fixing other people's computer problems, the last thing I want to do at home is fix my own.
I'll stick with Macs.
This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.
Slashdotter A: "Are we being sarcastic?"
Slashdotter B: "I can't even tell anymore."
This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services.
That is a root vulnerability. You could perhaps trust LANs 20 years ago, you absolutely cannot trust them today, and any vendor that ships software that, by default, trusts the LAN is shipping software with severe security problems.
WEP or not I think your wireless network would need to be much more complex that most to exploit this. At least on my Airport network (and probably by default) the wireless clients get their settings from the base station and the base station only. You can run and LDAP server all night and day in my front yard and it wont do you a bit of good. I'll probably ask you what youre doing when I mow the lawn though.
Before anyone says "macinista", I've been using computers all day every day for 25 years now (since i was eight or so), and was a commodore man if you must know. I only got my first mac about two years ago. However, I will no longer have anything but a mac in my house because MacOS X based macs do everything I need - including a high quality X server - and never, ever, break. I'm a Solaris admin all day for a very large company. I don't want to hassle with munged computers at home. I prefer to farm.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
I work tech support, and if I had a dollar for every Windows owner that didn't understand the difference between right and left-clicking I could buy Slashdot and every AC posting to it.
Ah ahem, several storage servers like Snap and etc also come with this 'feature'..
and those run Linux...
Don't Tread on OpenSource
mDNS isn't crap, it's cool, something like it been needed for a long time, and it's going through the IETF standards process. Apple's not "hijacking" anything. If you believe that using .local is a mistake, then you can bring up your concerns on the appropriate IETF working group. The IETF standardization process is completely open; anyone can join the mailing list and voice their concerns and get things changed.
Look here for info on mDNS and the related IETF working groups you can join.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Since this is an autoconfiguration feature, why not have it on only for the first boot after installing the OS? This way the computer can autoconfigure and then when it is configured it turns the feature off again.
The interactive way to Go -- http://www.playgo.to/iwtg/en/
because, unlike MS, apple has turned off services that aren't needed, by default.
Who cares that an exploit can create a new user, if ssh and remote login is turned off anyway? The Answer: well, not many people. this is somewhat of a bug/potential hole, that should be fixed, but NOT panicked about.
so why the hell are you running a mission critical server via dhcp? give it a static address to negate even the possibility of the exploit you are talking about here.
If remote setup is spin, why is it in the documentation that was released for Panther when the OS was released ? See the server administration pdfs.
.
This isn't a new "exploit" - all previous versions of MacOS X and NeXTStep had this with NetInfo by design - thats for nearly 15 years. However, it requires specific non-default configuration to work ( the network directory does not have precedence over the local directory by default - what is claimed in the original web page announcing the exploit is wrong )
For this to work, someone with local access to the machine has to go and change the directory lookup order for authentication, so that the network directories override local.
This is one of a long list of "exploits" that fall into the category of "If I have local administrator/root access and misconfigure something in a specific way, then I am potentially remotely exploitable"
The UI in MacOS should definately warn you if you tried to make the change, but this really isn't the sort of thing you'd work people day and night to fix.
Yes, perhaps they'll eventually come out with an advisory for the people who are lagging two generations behind on their OS version and who are on untrusted networks. Not too surprising that they dealt with the bulk of current users first.
Not surprising, since from Apple's view, it's really a beta. Jaguar was the first version of OS X that was ready for prime time, and thus I suspect that it will be the first one to have real long-lived support from Apple, since it's also the end of the road OS-wise for OldWorld machines (Beige G3's and Wallstreet Powerbooks).
That said, the Technote on this will likely have instructions for pre-Jaguar versions of OS X.
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya