Mac OS X Security Competition Ends in 30 Minutes
ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest.
According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
That's one of the first things you turn off to protect the machine.
Don't lead me into temptation... I can find it myself.
I wonder if the hacker's name is Andrew G. by any chance?
PublicProfile?gid=gwerdna
What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.
If that's not his name, it's fairly random.
He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUser
Mac OS X Security Challenge
In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
Almost all consumer Mac OS X machines will:
- Not give any external entities access
- Not even have any ports open
The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements.
My IP is 127.0.0.1. :)
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
What was this fool trying to prove? He allowed direct SSH access to the machine! Of course someone is going to hack it! Once you're inside the system, it becomes incredibly easy to find configuration mistakes, and exploit holes in privileged programs. Remember, this system runs much of the same software as Linux and FreeBSD. Much of that software hasn't been properly audited and locked down. Why? Because this is a desktop machine.
Mac OS X security primarily stems from not doing anything stupid by default. Which means that there are no remote services enabled, the system tries to be intelligent about handling executable files (like most Unixes), and super-user functionality is handled by Sudo. But that's not a bullet-proof vest. There's nothing in the system that makes it automagically secure against all attacks. So if you want security, don't turn on those remote services, and don't give out SSH accounts!
Javascript + Nintendo DSi = DSiCade
Don't feel lonely, Mac-geeks, you're in the very good company of Linux users. The benefit of your security: You're uninteresting.
Since "hacking" and all the other activities that end in "-ing" and often start with a "ph" are no longer fun pastimes for geeks but actually became a hunting ground for very money oriented very well organized criminal organisations, security is in small numbers: An attack has to hit as many targets as possible. Maximize your output. And, well, if there are potentially 100 Linux boxes out there with a blatant security hole or 10.000 boxes running Windows with an obscure and hard to exploit hole, the latter will be chosen.
Not (only) because the respective users usually also employ a very different attitude towards security and because they usually have very different levels of understanding concerning the abilities and liabilities of their machines. But simply because you can hit more targets with your attack.
Plain and simple as that.
You can run the most insecure, most open system you want, as long as you're the only one using it you're safe. Unless hacking you alone already warrants the cost associated with it.
Yes, hacking has become a matter of cost/benefit calculation.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm not really sure why this competition happened in the first place. If you were a Mac OS X enthusiast wanting to show the "amazing" security of your OS, why would you leave the first major door wide open?
And who gains from this publicity? It would seem like sponsoring a hacking competition that took MORE than 30 minutes (seemingly the goal of such an event) would be good for Apple, but then why leave the system more vulnerable at the start of the contest? And if it was really sponsored by an anti-Apple group posing as an pro-Apple group, why have the hacker claim that Macs are essentially "small pickin's"?
It just doesn't make sense...
...consider disconnecting your Internet connection. Duh.
The only trend to security is that there isn't any financial motivation to hack small-potatoes.
This was a while ago, but when you give a user a local account, it's almost assumed that if they really wanted to they could get root. You should take care when giving out accounts.
It's like giving physical access to a machine. If you give physical access to any Linux machine, it's not hard to log onto it. (This is why you lock up the machines!)
This "30 min" contest was for people with an actual SSH account given to them for a LOCAL exploit, so it's not a remote exploit, it also is not the most secure version of the Mac OS, but for SERVERS, nothing is as secure as MacOS.
.mil:
Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote exploit for standard Mac OS in the history of the internet, even with a common web server running on it.
Even the US Army used macs exclusively (mostly MacOS 9 until recently) after being rooted routinely using unix and MS Windows NT. For many many years www.army.mil has been run on macintoshes exclusively.
The same is true of many colleges that were rooted and defaced too often on Linux. They installed WebStar and OS 9 and never had to worry again.
http://uptime.netcraft.com/up/graph/?host=www.army
http://www.google.com/search?q=army+webstar+"os-9"
Check it out yourself. This entire post is full of factual citations and 100% facts.
No mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.
Why?
Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currently sold g4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 8 years, even when paired up with its preferred web server app.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.
That is why the US Army gave up on MS IIS and got a Mac for a web server. Currently it is a honeypot for OSX testing, and US Army use regular Mac OS on other internal servers.
This post is not talking about FreeBSD derived MacOS X (which already had more than 50 exploits and potential exploits in BugTraq database, and in the news yesterday with Symantec claiming in March 2005 of OSX having remote exploits) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.
Why is it hack proof? These reasons:
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator. Additionally certain types of compilers can check range on assignments to prevent out of bounds. Furthermore many good programmers ensure that the bounds are not overwritten.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward
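As an added illustration of point 3 above (example code written for this page, not Apple Toolbox code and not from the original post), the following C program models a classic Str255-style Pascal string beside a bounded C-string copy. The length byte makes the bound visible at every copy and append, whereas the C-string routine has to be handed the destination capacity separately because a NUL-terminated buffer carries no such information. The type PStr and the functions pstr_from_c, pstr_cat and cstr_copy_bounded are invented for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of a classic Mac "Str255": a one-byte length prefix followed by at
 * most 255 bytes of text.  The capacity is fixed by the type, so every copy
 * into it has a known bound.  (Constructed for this example, not Apple's
 * Toolbox definition.) */
typedef struct {
    unsigned char len;
    unsigned char data[255];
} PStr;

/* Copy a C string into a PStr, truncating at 255 bytes.
 * Returns 1 if the source had to be truncated, 0 otherwise. */
int pstr_from_c(PStr *dst, const char *src)
{
    size_t n = strlen(src);            /* one scan for the NUL, then bounded */
    int truncated = n > 255;
    if (truncated)
        n = 255;
    memcpy(dst->data, src, n);
    dst->len = (unsigned char)n;
    return truncated;
}

/* Append src to dst.  Both length bytes are known, so the amount that fits
 * is computed up front and no write can run past data[254]. */
int pstr_cat(PStr *dst, const PStr *src)
{
    size_t room = 255 - dst->len;
    size_t n = src->len;
    int truncated = n > room;
    if (truncated)
        n = room;
    memcpy(dst->data + dst->len, src->data, n);
    dst->len = (unsigned char)(dst->len + n);
    return truncated;
}

/* The C-string counterpart.  The buffer carries neither length nor
 * capacity, so the caller must pass the capacity; an unbounded strcpy()
 * is the overflow pattern the post refers to.  Unlike strncpy(), this
 * always NUL-terminates.  Returns 1 on truncation. */
int cstr_copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    int truncated = 0;
    if (cap == 0)
        return 1;                      /* nothing can be written at all */
    if (n >= cap) {
        n = cap - 1;                   /* leave room for the terminator */
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

int main(void)
{
    /* Constructed oversized input: 299 'x' characters plus the NUL. */
    char long_input[300];
    memset(long_input, 'x', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    PStr s;
    int t = pstr_from_c(&s, long_input);
    printf("PStr length %d, truncated=%d\n", (int)s.len, t);

    char buf[16];
    t = cstr_copy_bounded(buf, sizeof buf, long_input);
    printf("C string \"%s\", truncated=%d\n", buf, t);
    return 0;
}
```

The caveat the post glosses over is that the length prefix only removes the overflow when the destination capacity is also fixed or tracked: a length-prefixed string copied into an undersized buffer overflows just like a C string. What the Str255 layout does guarantee is that the failure mode is silent truncation rather than a write past the buffer, which is why both routines above return a truncation flag for the caller to check.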
To fully protect a Windows/Linux/BSD/OS X box, pull out the network cable.
You forgot to lock the door and remove the keyboard, mouse and monitor.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Before the Mac-o-philes here start getting all bent out of shape, perhaps reading the article in question would be a good start...
ws_leave_OS_X_vulnerable_/0,2000061744,39234678,00.htm
Here's a salient quote:
"The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server -- with various remote services running and local access to users... There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.
"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.
Bad anagram for a name or not, the guy sounds like he knows what he is talking about. There is a link to another article as well that talks about Apple's lack of diligence on security issues. Here's a link:
http://zdnet.com.au/news/security/soa/Ancient_fla
The point is that Security is everybody's business, and no company can afford to slack. Not even the lily-white Apple is immune.
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
I have a feeling that the Reality Distortion Field has already cancelled whatever negative effect this has had
So SSH was on and accessible? Dumb move. Like saying "I dare you to steal my jewelry from my bedroom -- oh, and my house is unlocked with the windows open."
But maybe people WANT something to be stolen. Many years ago, the garbagemen (sanitation workers) in NYC went on strike, and garbage was piling up in the streets. A relative of mine in Brooklyn still managed to get rid of his: he put it in big boxes, wrapped the boxes in gift paper with bows, and left them in his car with the doors unlocked. They always got stolen.
How this applies to the story, I dunno, but I still think it's funny.
$nice = $webHosting + $domainNames + $sslCerts
Andrewg does know what he's talking about. andrewg has published papers (not on mac security) and is part of some wonderful communities, pulltheplug.org and felinemenace.org. I assure you that this machine would of been hacked... with SSH access or not. I think it shows the importance of having patches that minimize possible exposure (i.e. grsec/pax etc.) that would of decreased the chances of successful exploitation dramatically.... but then again nothing is bullet proof
Want to have some fun? Count how many posts show up that try to make excuses for the Mac. Man, if this were a Windows box, I assure you that 99% of the posts would be slamming MS w/o a second thought.
Although people want to point out that they shouldn't have allowed people to have an SSH connection, you need to keep in mind that an SSH connection was allowed because they thought the config was secure enough to handle it.
I do give them kudos for allowing the hack contest to take place. The best way to test your software is to allow others to try and break it. Hopefully they will fix the exploit and run the contest again.
Excuse me, but if your OS can be rooted in 30 minutes from a local account, you have no business calling it secure. UNIX is supposed to have multiple local accounts and still be secure with them all running. If you close down every network port on a machine and say "come get me now", that's really not saying much. I, for one, would really like to know how he managed to get root from a local account, so I can verify I don't have the same problem on my server, which really does have ssh access to more than one person.
The first thing that I'm going to do as a "normal user" is turn on SSH and Personal Web Sharing. Then I'm going to give anyone who wants access to my machine an SSH account.
This "test" was silly and unrealistic, at best.
Here's a "real" test:
1) Turn on brand new Mac Mini
2) Update to latest rev of OS
3) Try to hack it from the Internet, without knowing its IP address.
Good frackin' luck!
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
We have a Mac server here at work for testing, we set it up 100% default mainly because none of us are Mac people. A quick nmap (using just well known ports) reveals not only is SSH open, but several others. Also, non-open ports report closed, not filtered, indicating no firewall, at least none with respect to its local subnet.
Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.
I'm disturbed by the attitude that anything but a remote exploit against an ideally (not typically or justifiably) configured box is meaningless or misleading.
What good is a door if it's welded shut? Wouldn't a proper lock be more useful?
Security should be about maximizing functionality securely, not limiting it.
Yep, cuz' we know stupid Mac users are always going around enabling SSH and giving shell accounts to total strangers.
Oh, wait, 99.9% of Mac users are blissfully ignorant of what security defaults to change to make their system more hacker-friendly.
Kang might have something to say about that.
The CB App. What's your 20?
"That's one of the first things you turn off to protect the machine." No, you don't have to turn it off. Just don't give out user accounts to other people. These guys who broke in were given accounts with passwords. SSH is very secure as long as you closely control what accounts may be accessed via ssh and verify that these accounts use strong passwords. But if your machine has an account with username "bob" and uses "bob" as the password your system is wide open, or at least Bob's account is.
The whole article seemed to culminate in the following information: some guy said if Macs were more popular they would have a worse record than "other operating systems." It seems to be comparing OS X to Linux, but it isn't entirely clear what the baseline is for their eval of Mac OS X and it also doesn't clarify what exactly makes these OSs different. Also, the web site defacement isn't proof that the person with an unprivileged account acquired superuser privileges to do anything other than deface the web page. I don't doubt it could have happened, but maybe it did and maybe it didn't...
Also, giving people LDAP accounts on the machine is really cheating. Maybe some noobs get a boner when someone fuzzes the hell out of a box from a local account until they get some fuzz escalated **BORING**. If they really wanted to throw down the gauntlet, then we would see Mandatory Access Control implemented on OS X. The big difference is that the MAC policies would be enforceable at the Mach MK level (on Mach ports, tasks, processes...), and OS X would be the ONLY OS with a security policy interface that could come close to usable for average people.
--- Nothing clever here: move along now...
Then he should put his gpg public key at
http://test.doit.wisc.edu/ and sign and publish on slashdot an invitation to hack this machine to prove that he's the owner of this machine.
k2r
"Would HAVE", not "would OF".
what would be much more interesting is if some nice person set up multiple OS platforms, configured them with the same services, and waited to see how long it'd take to hack each of them. maybe lock them down a little more than the mac mini test, just to make it more of a challenge. maybe: windows XP, os x, solaris, and a couple of linux dists ... ?
go look at the original page where the challenge is posted. TFA is just that a FA. It was written by some idiot who didn't read the actual challenge and wrote an article trying to be as ambiguous as possible. It was 6 hours and not 30 minutes as the article claims (though, with a shell I've gotten root in a couple of minutes on some macs)
people set up ssh accounts on the machine and they were supposed to rm -rf the thing and no one has.
if you look on the page people can remotely add accounts to the server in order to get shell access VIA THE FUCKING WEB PAGE
The war with islam is a war on the beast
The war on terror is a war for peace
Why would he need to do that, since if you go to http://test.doit.wisc.edu/, the machine itself presents a page explaining the competition?
The only function that signing the invitation here on Slashdot would do, is positively link the owner of the Slashdot account daveschroeder to the machine...but really, what does that matter? The owner of the machine, even if it's not daveschroeder (and I'm not implying that this is the case, but speaking hypothetically -- especially since his name is at the bottom of the page) is inviting people to hack it. I think that pretty much makes it valid, signature or not.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
While the implications of this "test" are debatable, what I would really like to know is how the hack was done. Is there some flaw in OS X that was exploited? Or did the admin do something else silly like make the root password something simple like "hello" and it was guessed/dictionary attacked. Is this a Mac OS X specific hack? Or did they use a vulnerability that is common to other UNIX flavors as well?
I mean, really. You have local root exploits on OS X. I'm not surprised, when you have companies like Adobe shipping apps containing setuid root shell scripts. Suppose you set them up with an Interix or Cygwin ssh login on Windows, how long would it take to deface IIS? Or would you even bother calling that an "exploit"?
If you need to give potentially hostile users shell, you want them in a FreeBSD jail at a minimum.
That's just wrong, sorry. There were at least two bugs in MacHTTP I discovered in '96, iirc:
- /M_A_C_H_T_T_P_V_E_R_S_I_O_N gave statistics about the server and wasn't documented (i.e. it was a back door). There was a discussion on the MacHTTP mailing list, many Mac fans estimating this was a feature and not a backdoor, and finally MacHTTP was changed to provide only a version string instead of statistics.
- URL: There was a bug in the URL parsing code which permitted reading the data fork of any file provided you knew its path. This bug existed in MacHTTP 2.2 and was fixed in 2.2.1 when I notified MacHTTP's author.