Mac OS X Security Competition Ends in 30 Minutes

ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.

gwerdna?

[Loconut1389]

I wonder if the hacker's name is Andrew G. by any chance?

What kind of hacker do you suppose he is? gwerdna is a pretty poor anagram of Andrew G.

If that's not his name, it's fairly random.

He's been using it since the end of 2004 at least. http://p212.ezboard.com/bnendowingsmirai.showUserP ublicProfile?gid=gwerdna

Mac OS X Security Challenge

[daveschroeder]

Mac OS X Security Challenge

In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, I have decided to launch a Mac OS X Security Challenge.

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Almost all consumer Mac OS X machines will:

- Not give any external entities access
- Not even have any ports open

The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu (128.104.16.150). The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the reqiurements.

Re:Mac OS X Security Challenge

[Bromskloss]

So, test.doit.wisc.edu is some guy you're having a war against, and now you want him to have an.. umm... unfortunate accident with his computer, right? With our help, sneaky. ;-) Mabye by the slashdotting alone. Welcome to the wild web.

Re:Mac OS X Security Challenge

[tpgp]

Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Whilst I agree that this is not the same as a remote exploit, do not underestimate the seriousness of local privilege escalation.

For instance, an unpatched local privilege escalation, used in conjuction with the vulnerability discussed in this article could result in a rooted machine - simply from visiting a hostile website (or even a website you visit regularly, that runs IIS and has been hacked itself)

I don't believe (as some pundits seem to) that Mac OS is a Microsoft style security disaster only awaiting the attention of hackers to happen - but I do believe that Mac owners are going to have to start paying a little more attention to security matters then they currently are.

Re:Why keep SSH on?

[Daedala]

It's a Mac. You don't _keep_ SSH on. It's disabled by default. You have to turn it on deliberately.

Re:Why keep SSH on?

[AKAImBatman]

The problem wasn't even that he had SSH running. It was that he was giving out accounts! I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

Somewhere inside of Apple, engineers are shaking their heads at this guy and the damage he's done to the Mac's reputation.

Doors unlocked, windows open

[Dekortage]

So SSH was on and accessible? Dumb move. Like saying "I dare you to steal my jewelry from my bedroom -- oh, and my house is unlocked with the windows open."

But maybe people WANT something to be stolen. Many years ago, the garbagemen (sanitation workers) in NYC went on strike, and garbage was piling up in the streets. A relative of mine in Brooklyn still managed to get rid of his: he put it in big boxes, wrapped the boxes in gift paper with bows, and left them in his car with the doors unlocked. They always got stolen.

How this applies to the story, I dunno, but I still think it's funny.

Local access IS important!

[Chemisor]

Excuse me, but if your OS can be rooted in 30 minutes from a local account, you have no business calling it secure. UNIX is supposed to have multiple local accounts and still be secure with them all running. If you close down every network port on a machine and say "come get me now", that's really not saying much. I, for one, would really like to know how he managed to get root from a local account, so I can verify I don't have the same problem on my server, which really does have ssh access to more than one person.

Re:Why keep SSH on?

[gowen]

But you need to remember that OS X is not designed for remote, multi-user usage

That excuse was bullshit when it was used to defend Windows boxes, and, amazingly, it remains bullshit when applied to fashionable platforms, too.

Re:Perhaps with a desktop Mac

[Johnny+Mnemonic]

Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.

Of course SSH is on by default on a Mac Server--it is designed to run, and be configured from first boot, headless. That would be pretty difficult to do if you had no services. Other default services are Apple Remote Desktop, for GUI control, and the Server Admin Suite; even the Apple Server Admin Tools can be port forwarded through SSH if you prefer.

The assumption is that servers will be managed by those with a clue, whereas desktops will not usually be. Also, no Mac desktops are expected to be configured and maintained headless from first boot, whereas you have to specify a video card for an Xserver for it to be graphical at all. I don't think those are unreasonable assumptions to make.

Re:Why keep SSH on?

[AKAImBatman]

Um, you are talking about OSX vs OSX Server. Which *Does* ship with these services enabled by default.

Which was also not what was compromised. Kind of nice for the GP to switch topics like that. :-/

I want to know more details about this incident.

The machine was a Mac Mini "running a default install of OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues." It's colored orange for some odd reason, and sits on a bookshelf sideways. He, "set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine."

This is all available on his webpage.

Basically, the guy is a moron. He thinks he's proving something by making a Desktop configured machine do server-class work, and then expect it not to get rooted.

Was it a local privelage escalation flaw?

Yes. The exact hole has been withheld, but it probably doesn't matter anyway. In a contest of machine vs. hacker where the owner is doing nothing to stop the hacker (and in fact, inviting him by removing barriers!), my money is on the hacker.

Was it a remote flaw in SSH or Apache? Maybe an SSH password attack?

The guy gives out SSH accounts. There was no need to penetrate this layer of security, because he left the door wide open.