New Remote Root in Mac OS X

Cysgod writes "I've released a security advisory detailing a new remote root vulnerability in Mac OS X 10.3, 10.2 and possibly earlier versions." The main thrust is that it exploits a problem in the DHCP client to gain root access, and that turning off various services can prevent the attack. It is unclear why an exploit was made public before Apple resolved the problem. Apple's fix is apparently scheduled for a December release.
  • by grub ( 11606 ) <slashdot@grub.net> on Wednesday November 26, 2003 @04:42PM (#7572296) Homepage Journal

    OK, there's a hole. Still, when Apple (or OpenBSD) have a security hole it's newsworthy rather than just Business As Usual, unlike other companies which promise security but can't deliver.
  • by Smitty825 ( 114634 ) on Wednesday November 26, 2003 @04:42PM (#7572310) Homepage Journal
    The reason the exploit was made public before the official fix is that Apple had 48 days to fix the issue. Also, by releasing information about the exploit, Apple sysadmins can make a minor change to their setup to prevent this exploit from occurring...

    Just because the exploit isn't public, doesn't mean that somebody else doesn't know!
  • Damn (Score:5, Insightful)

    by JHromadka ( 88188 ) on Wednesday November 26, 2003 @04:44PM (#7572318) Homepage
    It seems pretty irresponsible to release details on an exploit when the vendor has already acknowledged the issue and has a date planned on when to release the fix. Now if Apple was ignoring them, that would have been a different story.
  • by Coryoth ( 254751 ) on Wednesday November 26, 2003 @04:49PM (#7572369) Homepage Journal
    So, we have yet another security hole. No surprises there - they will come up eventually. It sounds as if the patching is reasonably prompt (though next month doesn't sound that fast - hopefully that means it is well tested and it won't break anything like MS patches can). Ultimately though, we don't see many holes for MacOS X. Yes, I'm sure they exist, but they are a lot less frequent than some.

    For instance, there's still this [theregister.co.uk] unpatched hole in IE that MS doesn't seem inclined to do much about right now. So much for their "on average a patch in 24 hours" policy they were claiming. Looks like they'll get their patch out around the same time Apple does. I guess we hope that means that they've tested it this time...

    Jedidiah
  • Re:Making rounds (Score:3, Insightful)

    by marsipan ( 641873 ) * on Wednesday November 26, 2003 @04:50PM (#7572376) Homepage
    "Root is disabled by default"

    Yes, the built-in root (uid 0) account in OS X is disabled.

    But, this exploit *replaces* that local uid 0 with one from a malicious remote directory service.

    So, the Apple root-account default is circumvented.
  • What is the fix? (Score:5, Insightful)

    by stefanb ( 21140 ) * on Wednesday November 26, 2003 @04:50PM (#7572383) Homepage
    I'm not sure I fully understand the problem, but it appears to me that the defaults of just accepting information from DHCP for authentication and authorization are wrong; not necessarily any piece of software. (It is debatable whether the very possibility of obtaining such information from DHCP is such a bad idea that the option should not be offered at all.)

    Obviously, the fix is not quite so easy: instead of just updating a binary or two, Apple needs to devise a program/an advisory that will alert users to the problem, and that also makes sure people don't shoot themselves in the foot (turn option off, suddenly you can't log in anymore).

    Devising such a thing, and testing it in a wide variety of environments will take time, so I wouldn't blame Apple for "reacting slowly" just yet.

  • by DaveCBio ( 659840 ) on Wednesday November 26, 2003 @04:52PM (#7572392)
    Why should it be any different for Macs?
  • Re:Damn (Score:2, Insightful)

    by mrsev ( 664367 ) <mrsev&spymac,com> on Wednesday November 26, 2003 @04:52PM (#7572400)
    Not when they dont fix it!
  • by GigsVT ( 208848 ) on Wednesday November 26, 2003 @04:53PM (#7572411) Journal
    I do agree that's plenty of time, but it's still questionable to release the exploit at this stage. He could have disclosed, and then if Apple downplayed it saying it wasn't exploitable, then released the exploit.
  • Re:Damn (Score:3, Insightful)

    by MrPink2U ( 633607 ) on Wednesday November 26, 2003 @04:56PM (#7572438)

    It seems pretty irresponsible not to release a timely patch to a known root exploit. Would you people please make up your minds on the standards by which you judge a software company?

  • Good News? (Score:3, Insightful)

    by KrizDog ( 95871 ) on Wednesday November 26, 2003 @04:56PM (#7572441)
    Now I can finally log in as root on OS X. Considering all my friends running OS X have no idea what their root password is, or for that matter what root is, this seems like a blessing.
  • bigger problem (Score:3, Insightful)

    by kaan ( 88626 ) on Wednesday November 26, 2003 @04:57PM (#7572447)
    Let's assume that somebody is sitting outside of my apartment with all of this wireless hijacking configured, and we'll further assume that I've got all of the exact configurations required for my machine to be vulnerable. One would presume that this person is after the data in my machine, or wants to cause problems for me. Why else would they be trying to break in and gain root access? (btw, don't I need to have enabled the root account for this person to get root access, since root is not enabled on OS X by default?)

    I might be going out on a limb here, but I would venture to say that there's a much bigger threat because the dude could just kick my door down and take my entire computer away with him. Then he can have all my data, and all of my applications, and my hardware too. Meanwhile, some other loser nerd is still mucking around trying to get this "hack" to work, but the guy who jacked me is walking away with my machine.

    I understand this security issue is a threat and all, but I just don't see why anyone should be overly concerned. People seem to come up with scary stories like this about all kinds of things, hyping the facts up to make it seem like everyone who owns a Mac today is going to have a nerd take over their machine and steal all of their stuff. It reminds me of the pains people will go to in order to "secure" their machines, but then do something completely insecure like walk away from their desk for 10 minutes without password-protecting their machine.
  • by FredFnord ( 635797 ) on Wednesday November 26, 2003 @04:58PM (#7572461)
    Most security holes aren't newsworthy. Remote root exploits, if they can actually be used, are, no matter what platform you're on. Thankfully, they're also rare, on most platforms.

    If someone can screw up your machine if they're sitting at it, or have an account on it, or are on the same (unswitched) subnet, that's annoying. If they can crash your machine remotely, or bring down its network stack, or DOS it to death with just one remote machine, that's really annoying. But when they can take it over, that's when it steps beyond annoying and becomes newsworthy.

    -fred
  • Re:Making rounds (Score:5, Insightful)

    by Kunta Kinte ( 323399 ) on Wednesday November 26, 2003 @04:59PM (#7572463) Journal
    Apparently, it took 48 days from the time he informed Apple until now. Looks like he was itching to post something.

    I'd hardly consider waiting 48 days 'itching'.

    Sounds very responsible in my opinion.

  • Re:Damn (Score:1, Insightful)

    by Anonymous Coward on Wednesday November 26, 2003 @05:00PM (#7572476)
    bullcrap. try reading about it... they were given 48 days and kept making excuses.

    Apple is dragging their feet.
  • Re:bigger problem (Score:4, Insightful)

    by freeweed ( 309734 ) on Wednesday November 26, 2003 @05:06PM (#7572516)
    I might be going out on a limb here, but I would venture to say that there's a much bigger threat because the dude could just kick my door down and take my entire computer away with him.

    Person breaks into your place, steals your computer. You know about it, you can call the cops. You can also change bank account info, credit cards, passwords, or any other information you might keep on your computer (they're used for more than just porn, ya know :).

    Someone hacks in remotely, you have no clue it happened. They can do what they want, when they want, and there's absolutely nothing you can do about it.
  • by TheCrazyFinn ( 539383 ) on Wednesday November 26, 2003 @05:08PM (#7572526) Homepage
    Neither are vulnerable.

    The real worry is folks with an Airport card wandering around with their powerbook.

    The Exploit only works from the same subnet (As it relies on DHCP)
  • Re:Good News? (Score:5, Insightful)

    by Jesrad ( 716567 ) on Wednesday November 26, 2003 @05:09PM (#7572531) Journal
    Root account is disabled by default. Apple has chosen to make the users do all administrative tasks via sudo instead, which makes sense in the case of your clueless friends.
  • Re:bigger problem (Score:3, Insightful)

    by venom600 ( 527627 ) on Wednesday November 26, 2003 @05:11PM (#7572540) Homepage Journal
    Have you considered the possibility that an attacker may not be interested in any of the data you have on your computer. Instead, he or she may just root it, leave a back door and come back later to use your box as a launch platform for a DOS? Who's liable then?.....you. What if the person places child pornography on your computer and joins it to a P2P network?

    I think there is a common misconception out there about the intentions of crackers. You don't have to have valuable data on your computer to have valuable computer resources.
  • by Commykilla ( 107585 ) on Wednesday November 26, 2003 @05:12PM (#7572552) Homepage
    If you have physical access to a machine, security is compromised anyway. You can rip out the hard drive and take/modify the bits by force if you want. If the machine is locked in a box, then you can't reboot it without being root, so the exploit doesn't work and you're still safe.
  • by Todd Knarr ( 15451 ) on Wednesday November 26, 2003 @05:19PM (#7572609) Homepage

    I suspect the reason why this info was released was simple: Apple went and released the 10.3 upgrade with a known remote-root vulnerability in it after having acknowledged the existence of the vulnerability.

    To me, knowing that this vulnerability exists would be critical. I don't run a Mac, but I attach to possibly hostile networks routinely. Normally I can firewall my machine to block attacks, but I can't firewall off DHCP and still use the network. Were I using a Mac and OSX, I'd very much want to know that I needed to take immediate steps to avoid giving someone the keys to my machine just by plugging in at the local coffee house.

    Release of this information may constitute a problem for Apple, and may mean a lot of fast work for OSX users. Not releasing it, though, would mean a lot more work for OSX users who get their machines rooted, and a lot more work for the rest of us who have to fend off attacks and other crud routed through those rooted boxes.

  • Background info (Score:5, Insightful)

    by krisbrowne42 ( 549049 ) on Wednesday November 26, 2003 @05:21PM (#7572627)
    This is hardly a vulnerability, it's an ease of access feature that NeXT people have known about for almost a decade. The idea of this is, you take a computer out of the box, put it on your network, and it's working. Everything configured, users set up, etc. That should probably be shipped off by default, but I can understand the way they've done it in the past. It should also be noted that unless you've got an OS X server floating around, physical access to the network and management access to the existing DHCP server, this would be awfully hard to exploit.
  • by TopShelf ( 92521 ) on Wednesday November 26, 2003 @05:22PM (#7572637) Homepage Journal
    Why is this situation any different from new Windows exploits, which are shouted from the rooftops at the earliest opportunity?

    I'm not trolling here, just genuinely wondering...
  • by siphoncolder ( 533004 ) on Wednesday November 26, 2003 @05:23PM (#7572647) Homepage

    "It is unclear why an exploit was made public before Apple resolved the problem. Apple's fix is apparently scheduled for a December release."

    • Because I hate [company] for making software that allows this to happen, they need to be taught a lesson.
    • Because they're not releasing it quickly enough - Open Source software is superior, because it would be released ASAP, usually same day, and [company] doesn't.
    • Because I hate [company], period, they sux.
  • by Greedo ( 304385 ) on Wednesday November 26, 2003 @05:24PM (#7572649) Homepage Journal
    I have to say, I looked down that timeline as well and thought "Well, at least Apple is looking into the problem and has given a timeframe for an update (December)."

    Then, 5 days before December, they release the advisory.

    I don't think it's unreasonable for Apple to take some time confirming the exploit, and planning an update. Remember when they released an update that broke things?

    I *do* think it's unreasonable for Carrel to demand deadlines to Apple ... or anyone, really ... to fix their stuff. Especially when Carrel knows it's going to be fixed. Not much better than blackmail, if you ask me.
  • by HeghmoH ( 13204 ) on Wednesday November 26, 2003 @05:24PM (#7572656) Homepage Journal
    Which category is it in if they can take over the machine, but only if they're on the same unswitched subnet, only if things are set up just so, and only if they're very lucky?
  • by homesteader ( 585925 ) on Wednesday November 26, 2003 @05:27PM (#7572676)
    Routers connect subnets. Routers do not forward broadcasts. If you use VLANs and have multiple logical subnets on one physical network, you still won't see broadcasts from one VLAN passed to the others.

    So if you're on the same physical/logical subnet with no routing required between machines, the exploit is possible.

    Didn't to post AC
  • Comment removed (Score:1, Insightful)

    by account_deleted ( 4530225 ) on Wednesday November 26, 2003 @05:34PM (#7572731)
    Comment removed based on user account deletion
  • by ZxCv ( 6138 ) * on Wednesday November 26, 2003 @05:34PM (#7572735) Homepage
    I don't think it's unreasonable for Apple to take some time confirming the exploit, and planning an update. Remember when they released an update that broke things?

    This exploit would take any qualified engineer at Apple less than a day to confirm, and it is serious enough that it shouldn't have to wait for a 10.x.z update to be fixed (and, in fact, 10.3 and 10.3.1, as well as an independent security update, have all been released since Apple was notified of this issue). Any way that the entire system can be compromised remotely should be fixed immediately. Apple has released a few security updates that were completely independent of a whole system update, and they should have done exactly that in this case.

    I love OS X, but this is completely unacceptable. I'm just glad my Macs don't use dhcp.
  • Re:bigger problem (Score:2, Insightful)

    by glorf ( 94990 ) on Wednesday November 26, 2003 @05:38PM (#7572786)
    One would presume that this person is after the data in my machine, or wants to cause problems for me. Why else would they be trying to break in and gain root access?


    I wouldn't presume that. An attacker could be after your computer to use it as a spam proxy, part of a distributed child porn archive, zombie for DoS attacks, or even just another link in the chain to further cover tracks of some other nefarious activity (e.g. ordering goods with a stolen credit card is something they probably wouldn't want to do from their own connection).

    Then of course there is the fact that some people break in to others' computers because they find it an interesting thing to do to amuse themselves and they consider it more of an intellectual exercise than a crime. And why should I settle for your hardware when I can keylog your access to your banking site and empty your entire account? The risk vs reward ratio for computer crime is much better than that of traditional B&E type stuff.

    And are you sure the assumption that it is a wireless attack in your immediate vicinity is valid? When cable internet access first came out a lot of people didn't realize they were on the same network as everyone else in their neighborhood and had open shares that anyone could access.
  • by Anonymous Coward on Wednesday November 26, 2003 @05:43PM (#7572840)
    This is not the first vulnerability to ever afflict an Apple product. Plus, Administrator is not the same as root as you don't have kernel level access.
  • by druske ( 550305 ) on Wednesday November 26, 2003 @05:48PM (#7572880)

    If he'd waited until Apple released the fix, he wouldn't have generated any publicity for himself. Apple had already made it clear they were fixing the problem, it seems like nothing more than self-promotion to release an advisory right now. Add to that the fact that this is publicized just before a holiday (U.S. Thanksgiving) --- when sysadmins and Apple programmers might be taking some time off, but script kiddies have time to play --- and you've got the potential for some mischief. Ending the advisory with "Happy Holidays" suggests that this wasn't altogether coincidental, either.

  • why? (Score:3, Insightful)

    by fudgefactor7 ( 581449 ) on Wednesday November 26, 2003 @05:49PM (#7572888)
    "It is unclear why an exploit was made public before Apple resolved the problem."

    Dude this happens almost every time. It doesn't matter the vendor, if it's MS, Oracle, RedHat, or Apple...no matter. Exploit warnings always precede the patch. It's how it is.
  • by macdaddy ( 38372 ) on Wednesday November 26, 2003 @06:00PM (#7572985) Homepage Journal
    IMHO this guy is show-boating. It is not unreasonable for an operating system company to take a non-critical but serious bug and spend 1.5 months developing and testing a fix. How many times have we seen a vendor rush to fix something only to seriously break things by not testing the fix thoroughly? Do we really want them to break something else? This isn't a minor piece of software like an FTP server where a security hole can be fixed in a morning, tested in an afternoon, and released the next day. I contend that even a piece of software as complex as Sendmail can be fixed and tested in a small amount of time and is really a minor piece of the puzzle when you're talking about an entire operating system.

    This exploit means nothing to very little to the average user simply because no remote services are enabled by default. I'm using a 10.2.8 box right this minute and I had to enable Remote Login and Personal File Sharing.

    I really don't know where to start talking when it comes to the idiocy of releasing an exploit, not just a proof of concept, prior to the vendor releasing a fix. Apple wasn't dragging their heels. The whole timeframe is under 1.5 months. It is certainly not unreasonable to expect their programmers to spend time working on a bug fix. Hell the development cycle alone is more than a month if not two. So they didn't make the November 3 date. That's less than a month from the date the bug was reported. That's no surprise. I'd hate to rush a fix out that fast too. So the 10.3 Security Update and 10.3.1 Security Updates didn't fix it. Does he not realize that they were in the pipeline for testing back at the beginning of October? They aren't going to insert another code change in the middle of testing.

    IMHO this guy is show-boating, grand-standing, and showing that he has unreasonable expectations. The security vulnerability isn't that great. It's a hole, yes. It's not nearly as serious as a security hole in IE in which ALL IE installations are affected by "default." I think this guy should seriously be flogged for releasing an exploit at the same time as the advisory. That's just plain ridiculous. IMHO that alone speaks wonders about this guy. It's idiotic acts like this that seriously make me wonder about full disclosure. Anyhow, I've said my piece. Move along.

  • by dubiousmike ( 558126 ) on Wednesday November 26, 2003 @06:13PM (#7573086) Homepage Journal
    Because this is a news site and not a tin-foil-hat site.

    If it was made public, many who frequent this site might have been made aware of it and thus could try to take appropriate measures to protect themselves.

  • by holoway ( 22836 ) on Wednesday November 26, 2003 @06:17PM (#7573121) Homepage
    "This exploit means nothing to very little to the average user simply because no remote services are enabled by default. I'm using a 10.2.8 box right this minute and I had to enable Remote Login and Personal File Sharing."

    This exploit means a ton to the average user; the directory server you authenticate to can dictate what mount points you have.. allowing me to have target machines mount all sorts of interesting things. Bad, bad scene.

    As far as the timeline for releasing the vulnerability goes, it appears he told Apple he was planning on publishing the vulnerability.. and got no response. I imagine that, had they responded with something along the lines of "Sorry, it has to go through our testing pipelines first, and the absolute earliest we can do it is December" things might have gone differently.
  • by jjeffrey ( 558890 ) <slash&jamesjeffrey,co,uk> on Wednesday November 26, 2003 @06:31PM (#7573225) Homepage
    Apple are actually being slower to patch than Microsoft. For a hole this serious - and this is about as serious as security holes get - this is unforgivable. It was a stupid design decision in the first place.
  • Re:Yeah but.. (Score:3, Insightful)

    by Todd Knarr ( 15451 ) on Wednesday November 26, 2003 @06:40PM (#7573299) Homepage

    Oh, forgot the most important one: it doesn't matter whether you've enabled sshd or not. Remember that this vulnerability allows them to control network mounts on your machine via the relevant DHCP parameters. That means that they can mount their startup directories over top of yours, and theirs have things configured to start sshd. Presto, your machine now has sshd running and ready to accept logins even if you've disabled it, because your configuration no longer applies.

  • Re:Good News? (Score:4, Insightful)

    by brianosaurus ( 48471 ) on Wednesday November 26, 2003 @06:45PM (#7573331) Homepage
    Subtle difference:

    If you log in as root, no one knows who you really are. If you "sudo bash", that command gets logged, and it's still possible to determine who you really are.

    Personally I try to avoid using "sudo bash", because it's too easy to screw something up when you're root. But sometimes I get lazy.
  • by Hoser McMoose ( 202552 ) on Wednesday November 26, 2003 @08:15PM (#7573953)
    Actually that brings MS and Apple even for the past month at 1 apiece (Microsoft had a buffer overrun in the Workstation service).

    Ohh, and both MS and Apple have had a security vulnerability for their browser this month on top of the OS vulnerabilities listed above.

    Linux doesn't seem to have had any new security vulnerabilities announced this month, though a few security fixes are filtering through for vulnerabilities announced in October. Both WinXP and OS X also had some similar fixes for earlier bugs.

    Long story short, it doesn't matter what OS you run, you WILL have security vulnerabilities. Patch your OS and use a firewall already!
  • by JeffTL ( 667728 ) on Wednesday November 26, 2003 @08:44PM (#7574114)
    Well, actually, on most Windows boxen, EVERYONE is root.
  • The theoretical risk if you use a lot of public or unknown WAPs and can't account for how responsible/evil the owner of the WAP might be (who knows what nefarious acts those public WAP operators providing free broadband are up to...yeah, unlikely) is high as they could get root access and mount a directory with a new crontab that will start up a remote SSH daemon to access your computer with later. Hard to think someone would go through the trouble but you never know nowadays. Apple should have had a fix for this sooner or at least issued a Knowledgebase article.

    The fix is rudimentary, just go into your /Applications/Utilities folder, fire up "Directory Access", uncheck a couple of boxes (the LDAP and NetInfo services) and you're done. Takes like 10 seconds to do, no reboot required, no other reconfiguration, no problems (under WinBlows, would have taken like 30 minutes of fruitless hunting around and a couple of reboots/patches and reconfiguration afterwards probably). Well, it would have taken 10 seconds if I hadn't already had these two services unchecked b/c someone at www.OSXHints.com suggested that disabling unused directory services sped up your startup a little bit.

    If you need configuration information from an LDAP or NetInfo server (i.e. at work), you could always create a new Location under your Network system preferences panel and go back to Directory Access, disable the relevant LDAP and NetInfo services on all your other locations except your work location. If you can't trust your work not to try to hack your computer with this exploit, you've got bigger fish to fry.

    For most home/SOHO users who are behind their own home router/firewalls and have otherwise trustworthy family members/roommates/co-inhabitants, this is a non-issue (then again, if the people who live with you are trying to hack you, you have far greater problems to deal with than this exploit : ). People on a shared subnet (like Cable Modem users) are at risk if you're not behind a local/home hardware router/gateway device and someone else on your subnet wants to play "Hack the neighbor's Mac" with this exploit. I think you should be able to trust the DHCP information being handed to you by your DSL provider (again, if you can't then your problems go WAAAAAY beyond this exploit), no big deal. Correct me if I'm wrong but, I'm pretty sure my off the shelf LinkSys router doesn't know what to do with LDAP or NetInfo configuration info handed down by my ISP even if they did hand out any, and it certainly isn't set to pass it through to my internal subnet.

    But then again, what are you thinking NOT being behind at least an inexpensive (they're what, like under $100 now even with 802.11g?) NAT/SPI firewall that's up and running 24/7 regardless of how your computer is configured if you're on Cable Modem or DSL at home?

    In short, an easy fix and not really a problem for most home/SOHO users. You can breathe easy now.

    DaveC
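    Several comments above (marsipan's note that the exploit swaps in a uid 0 from a remote directory service, stefanb's point that the fault is in trusting DHCP for authentication data, and DaveC's "uncheck LDAP and NetInfo" fix) come down to one question a defender can check for on the wire: is the DHCP server handing the client directory-service settings at all? The Python below is an added example, not code from the advisory, from Apple or from anyone in this thread; it parses a DHCP reply and reports such options. The option codes are the IANA assignments for the LDAP URL (95) and the NetInfo parent server address and tag (112, 113), which the thread itself never names, and both sample packets are constructed inline.

```python
"""Flag DHCP replies that push directory-service settings at a client.

Added example; not from the advisory or from Apple. Option codes are the
IANA assignments (95 LDAP URL, 112 NetInfo parent address, 113 NetInfo
parent tag). The sample packets below are constructed for this example.
"""
import socket
import struct

OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_LDAP_URL = 95
OPT_NETINFO_ADDR = 112
OPT_NETINFO_TAG = 113
OPT_END = 255

# The options the Directory Access "LDAP" and "NetInfo" services can consume.
DIRECTORY_OPTIONS = {OPT_LDAP_URL: "LDAP server URL",
                     OPT_NETINFO_ADDR: "NetInfo parent address",
                     OPT_NETINFO_TAG: "NetInfo parent tag"}

BOOTP_HEADER_LEN = 236          # fixed BOOTP fields before the options area
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {code: value} for the TLV options in a raw DHCP packet.

    Raises ValueError on a truncated packet or option. Repeated codes are
    concatenated, as RFC 3396 specifies for long options.
    """
    if len(packet) < BOOTP_HEADER_LEN + 4:
        raise ValueError("packet shorter than BOOTP header plus magic cookie")
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("option %d has no length byte" % code)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def directory_options_in(packet: bytes) -> list:
    """List (code, description, decoded value) for each directory-service
    option in the reply. An empty list means the server only sent ordinary
    network settings; anything else is what unchecking LDAP and NetInfo in
    Directory Access stops the client from honouring.
    """
    found = []
    for code, value in parse_dhcp_options(packet).items():
        if code not in DIRECTORY_OPTIONS:
            continue
        if code == OPT_NETINFO_ADDR and len(value) % 4 == 0:
            decoded = ", ".join(socket.inet_ntoa(value[j:j + 4])
                                for j in range(0, len(value), 4))
        else:
            decoded = value.decode("ascii", errors="replace")
        found.append((code, DIRECTORY_OPTIONS[code], decoded))
    return found


def _option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_offer(options: bytes) -> bytes:
    """Constructed DHCPOFFER: op=2 (reply), htype=1, hlen=6, other fields zero."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + b"\x00" * (BOOTP_HEADER_LEN - 4)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed reply: alongside the lease, the server names its own LDAP and
# NetInfo servers (192.0.2.1 is a documentation address, not a real host).
SAMPLE_OFFER = build_offer(
    _option(OPT_MSG_TYPE, b"\x02")
    + _option(OPT_SERVER_ID, socket.inet_aton("192.0.2.1"))
    + _option(OPT_LDAP_URL, b"ldap://192.0.2.1/dc=example,dc=test")
    + _option(OPT_NETINFO_ADDR, socket.inet_aton("192.0.2.1"))
    + _option(OPT_NETINFO_TAG, b"network")
)

# Constructed benign reply for comparison: lease details only.
BENIGN_OFFER = build_offer(
    _option(OPT_MSG_TYPE, b"\x02")
    + _option(OPT_SERVER_ID, socket.inet_aton("192.0.2.1"))
)

if __name__ == "__main__":
    for code, desc, val in directory_options_in(SAMPLE_OFFER):
        print("option %3d  %-22s %s" % (code, desc, val))
```

    Run against a capture of the replies on a network you join, a non-empty result is the signal that the client's LDAP/NetInfo settings are being supplied by whoever answers DHCP there.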
  • by IM6100 ( 692796 ) <elben@mentar.org> on Wednesday November 26, 2003 @08:57PM (#7574193)
    'Every' geek who runs a Unix/Freenix has uses for ssh and is likely running it. Hell, some people see running ssh as 'security enhancing' since the classic alternative is telnet. So yes, there are probably people who like to be able to 'reach into' their Powerbook from their desktop from time to time for various tasks, who have the ssh daemon enabled. Likely there are a bunch of them.
  • Re:Background info (Score:1, Insightful)

    by Anonymous Coward on Wednesday November 26, 2003 @09:35PM (#7574373)
    This is a vulnerability because Windows clients do some authentication on the Directory Server and have since 1993. Otherwise they'd be vulnerable to DHCP and WINS spoofing.

    Just because NeXT thought it was smart to trust DHCP servers back in the low-security 1980s doesn't make it a smart idea in 2003.
  • by merdark ( 550117 ) on Wednesday November 26, 2003 @10:07PM (#7574484)
    When the next Linux worm comes out you can be sure you'll hear me say:

    • Because I hate OSS folk for being so arrogant and stuck up and *still* letting this happen.
    • Because I don't want an untested patch that could break my mission critical server, and I don't want to risk recompiling parts of a very complex system myself. There is *no evidence* that open source software is at all better than proprietary software in real world applications.
    • Because I hate OSS zealots, period, they suck (and don't know basic grammar either).


    Don't think it'll happen to Linux? Just wait till Linux gets the features of OSs like Windows and OS X. It's easy to secure a system with few features, but much much harder to secure a complex but flexible system with many many features.

    It's people like you that give the OSS community a bad image, namely that of a snotty 15 year old brat.
  • by inimcus ( 554859 ) on Thursday November 27, 2003 @01:09AM (#7575211)
    I can see the reason for some of the advisory, but not the part where they tell people how to exploit it. If I were Apple, I would be furious about this. Apple told them when they would have a patch. Sure they should have given a general overview of the exploit, and how to defend against it, but to post how to do it is irresponsible.
  • by Zhe Mappel ( 607548 ) on Friday November 28, 2003 @04:43PM (#7583848)
    I don't think it's unreasonable for Apple to take some time confirming the exploit, and planning an update. Remember when they released an update that broke things?

    I *do* think it's unreasonable for Carrel to demand deadlines to Apple ... or anyone, really ... to fix their stuff. Especially when Carrel knows it's going to be fixed. Not much better than blackmail, if you ask me.

    If we followed that kind of standard, then we would always be waiting for corporations to decide when they're good and ready to fix problems that put the public at risk. That is a curiously supine view of manufacturer responsibility!

    And it's precisely what Microsoft says when lobbying for federal punishment for those who reveal its vulnerabilities: only the corporation shall be an arbiter of public safety where its products are concerned. It shouldn't be hard to work out why that is practically an invitation for manufacturer caprice, negligence, and laziness.

    Look again at Carrel's timeline. What happened on Oct. 24? What big commercial product unveiling did Apple choose not to interrupt or cloud with acknowledgement of this untimely news about the famously iron-clad OS X?
