Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
OS X Businesses Operating Systems Bug Apple

Screensaver Bug in Mac OS X 452

dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and postedon the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."
This discussion has been archived. No new comments can be posted.

Screensaver Bug in Mac OS X

Comments Filter:
  • Why... (Score:5, Insightful)

    by Anonymous Coward on Saturday July 05, 2003 @09:47PM (#6374985)
    Is it always buffer overflows? :/
    • Re:Why... (Score:3, Informative)

      by gnurb ( 632580 )
      write [securiteam.com]your own buffer overflow exploit
    • Re:Why... (Score:3, Informative)

      by Dirus ( 592987 )
      Is it always buffer overflows? :/

      No, IIRC the last story on slashdot about a vulnerablity was this one [slashdot.org]. The exploit it mentioned [netsys.com] was an integer underflow vulnerablity.

      This message has been doubly encrypted with rot13 for enhanced security.

    • Re:Why... (Score:5, Funny)

      by Waffle Iron ( 339739 ) on Saturday July 05, 2003 @10:51PM (#6375299)
      Is it always buffer overflows? :/

      Because extensive user testing has shown that some people can type their passwords so fast that even a GHz-class RISC processor can't keep up unless the password capture program is written in C. The system can fall behind if it takes more than a handful opcodes per character in the inner loop. Unfortunately, these performance constraints preclude checking array bounds between each typed character.

      It's regrettable that we have to live with risks like these, but we have little choice when dealing with data input at these kinds of speeds.

      • Re:Why... (Score:5, Funny)

        by Alsee ( 515537 ) on Saturday July 05, 2003 @11:45PM (#6375440) Homepage
        a GHz-class RISC processor can't keep up unless the password capture program is written in C.

        How the hell did you get it to work in C? I had to hand roll the code in assembler and optimize the register allocations. You can also save a byte and a cycle on the loop if you take the branch-prediction microcode into account.

        -
        • you can't imagine how much the resource usage can be optimized by constraining the password to 4 letters max, only caps, and only letters from A to D, no numbers or other symbols. By imposing those limits on the passwords you could implement range-checking and avoid any and all buffer overflows, hence making the system WAY MORE SECURE!
    • by igabe ( 594295 ) on Sunday July 06, 2003 @01:03AM (#6375685) Homepage

      Just FYI Panther seems immune to this exploit.

      Tried doing the procedure ~10 minutes in the Screen Saver and nothing happened. Then tried again in few other cocoa apps. Still nothing. Just worked like normal(for once this is a good thing).

      My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.

      And yes, I realize most people can't just upgrade to Panther yet to fix this rather major oversight on Apple's part.

      Yea and I think that you should be able to use Exposé as a screensaver =)

    • Re:Why... (Score:3, Informative)

      by kasperd ( 592156 )
      Is it always buffer overflows?

      Because it is easy to introduce such bugs in your program. And they are often easy to exploit. It has been claimed (I haven't seen any statistics though) that 50% of all security problems are buffer overflows. I think that next to buffer overflows, the most frequent class of security problems are caused by race conditions.
  • Hey! I'm famous. (Score:5, Informative)

    by DarkAurora ( 324657 ) on Saturday July 05, 2003 @09:49PM (#6374996)
    I was the one that posted about the address bar in Safari. I am using 10.2.6. This is a problem for ALL cocoa apps.

    It'll probably be trivial for Apple to fix, though. So I'm just waiting for the patch to arrive.

    *taps finger on desk*
    • by Anonymous Coward on Saturday July 05, 2003 @10:40PM (#6375257)
      It's been discovered that someone with physical access to your computer can access it.
  • by HomerNet ( 146137 ) <sov.columbia@nOspAM.gmail.com> on Saturday July 05, 2003 @09:49PM (#6374998)
    A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

    • > A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

      And think how much faster the exploits will run on a G5!

    • by Alsee ( 515537 ) on Saturday July 05, 2003 @11:32PM (#6375416) Homepage
      Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.

      I'm sorry but you're going to have to provide support for more than a single security hole before you convince me to switch. Windows has a proven track record of reliable security holes in almost every portion of the system, everything from E-mail to wordprocessors to Plug-N-Play and more.

      -
    • Doesn't matter (Score:5, Insightful)

      by itistoday ( 602304 ) on Saturday July 05, 2003 @11:35PM (#6375424) Homepage
      This requires "5 minutes" to hold down the key long enough. If one has access to a machine for 5 minutes then security doesn't matter. On any version of OS X one can simply launch up single-user mode when restarting and have Root access in under a minute.
  • by wtmcgee ( 113309 ) on Saturday July 05, 2003 @09:49PM (#6375001) Homepage
    using 10.2.6 - not saying it's not a real bug, just can't get it to crash my screen-saver.
    • I didn't at first either, but did using the ctrl-a, ctrl-k, crtl-y method others have described.

    • by gotr00t ( 563828 ) on Sunday July 06, 2003 @12:09AM (#6375503) Journal
      Like how Homer Simpson got his "drinking bird" to cover for him by constantly pressing 'y' while he went to the movies, you could do the same thing. Have one of those drinking birds continually tap a single key over and over again while the Mac is in screensaver mode, and EVENTUALLY, it will terminate due to this bug.

      It probably didn't work for you because you didn't type enough stuff. Go buy a drinking bird.

  • Does this mean when all the script kiddies have their defacing party OSX will be worth less than 5 points?
  • First of all, the ctl-k ctl-y macros work in just about any Cocoa field. I pointed that out earlier on macslash. What I also pointed out was that this bug will crash just about every Cocoa app with a text field. I've crashed the login panel with it. It's not pretty. I really hope apple takes heed to this bug and fixes it at the core. Unfortunately the original bug report was.... well... not too elegantly written. We'll see what happens.

    In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine. That way you prevent people from logging in using single user mode. Hit command+O+F during boot to get into open firmware, then type in password. After that type reset-all. You should be good to go. And don't forget the password or you will be totally screwed!

    • by tbmaddux ( 145207 ) * on Saturday July 05, 2003 @09:58PM (#6375051) Homepage Journal
      In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine... don't forget the password or you will be totally screwed!
      The open firmware password can still be circumvented with physical access to the machine. Change the amount of RAM and then zap PRAM 3 times and you're in. Or just yank the hard drive and go to work on it at your leisure. So 1) you won't be totally screwed, and 2) you can't count on it to protect you. If someone can get to your machine, they don't need the exploit described in the original article to compromise it (though it does make things convenient).
      • You can't secure a computer if the attacker can physically pick it up and cart it away for an extended period of time. That's a given.

        But the point is that taking reasonable precautions like this can make sure no one can get into your puter and ftp all your files off while you're in the bathroom.

    • by goombah99 ( 560566 ) on Saturday July 05, 2003 @11:59PM (#6375479)
      got physical access? good. then put in a install CD. boot it, and select change password from the menu. Ta Da.

      Oh you dont want to change the password? well then boot in single user mode and you dont need one. Ta Da

      Oh they left open firmware on?. open the case and remove one of the memory cards. reboot. ta da!

    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Sunday July 06, 2003 @03:58AM (#6376152)
      Comment removed based on user account deletion
  • 2 words (Score:2, Insightful)

    log out!
  • Today meaning July 4th at 3:00 pm, this bug made its rounds on every major vulnerabilty database before slashdot even posted it... Why doesn't slashdot get its own vuln db? Or maybe a link to bugtraq: http://www.securityfocus.com/archive/1 [securityfocus.com]

    then we wouldn't have to get our vulnerabilty news a day late and a dollar short.
  • Wow. (Score:2, Funny)

    by Duncan3 ( 10537 )
    Wow, a bug, who would have guessed software has bugs, oh, the horror.

    It's only news becasue OS X doesn't have heaps of bugs like everything else.

    I'd paste the list of current problems with glibc, but I only have DSL and it would take too long.
  • by binaryDigit ( 557647 ) on Saturday July 05, 2003 @09:56PM (#6375042)
    I don't see what the big deal with this is. It's not like Apple hasen't released other security patches to OSX. Or are we "forgiving" them for stuff that is found in the non Apple specific parts (e.g. sendmail), if so, why should we, they ship it, they charge for it, right? Anyone out there honestly believe that there aren't a whole host of other issues just waiting to be found?
    • No, no one believes that it is the only security issue waiting to be found, /. is just publicizing this so people will patch their boxes and discuss various aspects of the vulnerablility in order to better understand it, and future threats along the same lines. For instance, if you know how to saw a 2x4, you will be able to learn how to saw a 4x4 really quickly. This is different from any other security issue, because, far fewer people use, lets say kismet, or vim, than use a screen saver, so it affects far
  • by idiotnot ( 302133 ) * <sean@757.org> on Saturday July 05, 2003 @09:56PM (#6375043) Homepage Journal
    ....that it's remotely exploitable.

    Any machine you can get physical access to is insecure.

    It shouldn't be that difficult to prove, though, if there's a cocoa-based network app where you could dump more than 2048 characters (Camino, perhaps?).
    • by yerricde ( 125198 ) on Saturday July 05, 2003 @10:25PM (#6375178) Homepage Journal

      Any machine you can get physical access to is insecure.

      Not all physical access is the same. Many demo machines in stores are left in screensaver mode, so that they show the computer is "doing something" without allowing users to write dirty messages in Notepad (or whatever Apple calls its version; I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"). It's easy to interact with the keyboard of a floor model, but it's often not feasible to turn off the machine and insert a boot disk, and it's definitely impossible to open the machine's case without getting caught, kicked out of the store, and possibly arrested for attempted vandalism.

    • by Sunnan ( 466558 ) <sunnan@handgranat.org> on Saturday July 05, 2003 @10:33PM (#6375215) Homepage Journal
      I'm getting kinda tired of hearing "Pah! It wasn't a remote exploit, anyway..." followed by "Any machine you can get physical access to is insecure." as an excuse when there's a security hole. Sure, network exploits are worse but local exploits are still problems.

      As for "Any machine you can get physical with..", how about a machine with good security measures before and during the boot loading (to avoid stuff like bios/OF-tricks or the classic "passing /bin/sh to lilo"-trick) as well as encrypted filesystems to prevent someone just taking your disks and mount them in another computer?

      Or I dunno, maybe any machine you can get physical with is insecure. That won't make me take this bug any less seriously. The unfreeness of many prominent cocoa objects, including end-user-widget ones, does seem like quite a risk to me. Relying on a single source of fixes has never been a good idea.
  • This is NOTHING (Score:5, Interesting)

    by SeanTobin ( 138474 ) <byrdhuntr@NOspaM.hotmail.com> on Saturday July 05, 2003 @09:58PM (#6375048)
    This is nothing to be upset about. Heck, windows users have had this feature since windows 95. 3-finger salute and end the screen saver task :)

    Security via screensavers should never be trusted. I'm not quite sure why its still being put in place. WindowsXP has a slightly better idea in that it will quick log you off if you ask it to... Of course gnome/kde stole that idea before MS was able to integrate it into XP/2k :)

    Now, if this can be used as a buffer overflow attack as stated in the second link, that can be a problem. Not so much that a local user will overflow thier own system and gain local root, but the fact that this is the same throughout multiple cocoa apps shows the possibility of one of those being remotely exploitable.

    Of course that's only for the 4 people running OSX as a server.
    • by Fred Ferrigno ( 122319 ) on Saturday July 05, 2003 @10:39PM (#6375247)
      I can't remember if ctrl-alt-del worked to bypass the screen saver in Win95 (though I doubt it), but I know it never worked in Win98. The more effective way to do it is to burn a CD with a simple program that kills the screen saver. Unless the user actively searched out and disabled autorun, which is a much bigger safety/security hole that comes enabled on all Windows systems, it works flawlessly.

      Of course, as others have mentioned, if you've got physical access to a machine, it's insecure. While I'm thinking about it XP and 2k have autorun enabled by default; I wonder how they handle autorun security when the computer is locked.
  • and was able to crashed it, dropping me into the desktop, now I've tried it too on the Log-in and was able to crash it, sending me into a full Darwin/BSD console, you'll have to login again for you to be able to access the console though ... but full screen console Mac ... this you've gotta see. w007!!!!
  • here is the mail that i've sent to apple security people, they didn't replied :(

    I'm not trying to blast Apple in particular here or anything, but it seems that all companies have had a poor record lately responding to security holes pointed out by email users. Recall the Microsoft Passport security vulnerability. [slashdot.org]

    Granted, I would guess that the email volume these receive claiming discovery of new exploits is daunting, but doesn't this deserve top priority for response?

  • Oh my god! (Score:5, Funny)

    by sageFool ( 36961 ) on Saturday July 05, 2003 @10:00PM (#6375059) Homepage
    Someone with physical access to your machine can access it!! WHO KNEW?! Call in the army reserve and physically secure access to all your machines!
  • Good Grief! (Score:2, Insightful)

    by computerme ( 655703 )
    If you have access to any machine, you can override security. Can anyone say, "boot up with a cd-rom"? I thought you could. These are the droids you are looking for, move along... move along...
  • by banal avenger ( 585337 ) on Saturday July 05, 2003 @10:07PM (#6375087)

    It's no wonder why Apple didn't reply, look at the subject of the email sent to Apple: "forgot your screensaver password ?? Hackit anyway." Must have been Jeff K [sometingawful.com] reporting the bug.

    In other news, a similar bug has been an issue on the Mac OS X version of Folding@Home. The screen saver crashes when lock screen is activated, and it's been months since I first noticed it, and I've seen it mentioned on the Folding boards, and it still hasn't been fixed. I agree with some of the people on the Macslash forum: Don't rely on screen savers if you have truly sensitive data within in reach of scrupulous characters.

  • So...my cat (Score:5, Funny)

    by Spoticus ( 610022 ) on Saturday July 05, 2003 @10:09PM (#6375099)
    can hop up on the desk and crack OS X?
    • Get root access (Score:5, Interesting)

      by gotr00t ( 563828 ) on Sunday July 06, 2003 @12:12AM (#6375514) Journal
      On any computer using OSX, it is possible to change the root password with 6 easy steps:

      Reboot the computer
      Hold down appl ctrl + S
      Type "mount -uw /"
      "su" (it dosen't ask for a password)
      "/sbin/systemstarter"
      "passwd"
      • Re:Get root access (Score:5, Insightful)

        by usr122122121 ( 563560 ) <usr122122121@braxtec[ ]om ['h.c' in gap]> on Sunday July 06, 2003 @12:33AM (#6375574) Homepage
        On any computer using OSX, it is possible to change the root password with 6 easy steps: [snip]
        This suggestion wouldn't work if the computer was secured with the Open Firmware Password method.

        Yes, the OF Password is also circumventable, but not if the machine is physically locked :-)

        If you want your machine to be secure, you can take steps to ensure that it is, regardless of platform, but when there is physical access to the machine it generally takes a lot more security to do so.

      • Re:Get root access (Score:3, Informative)

        by tesmako ( 602075 )
        For those who have missed it here is the classic get-root-in-3-steps for Linux;

        * reboot
        * at lilo/other obscure bootloader load linux with -init /bin/sh
        * run passwd
        Of course easily avoided with a BIOS password or mean bootloader, just like on a mac where you can avoid this problem with an OpenFirmware password.
      • It's rather easier just to boot from the installer CD and select "change password" from the Installer menu. Change an admin's password, and away you go...
  • Unable to reproduce (Score:5, Informative)

    by Phroggy ( 441 ) * <slashdot3@NospaM.phroggy.com> on Saturday July 05, 2003 @10:15PM (#6375122) Homepage
    I just pasted about 2.7MB of text into Safari's address bar, and it didn't crash at all. I pressed return, and it attempted to load the page; Squid aborted the connection but Safari's still trying to load it. I'm typing this in another Safari window. No problems. Process Viewer shows Safari is using 25% of my RAM.

    This will probably make a pretty ugly entry in ~/Library/Safari/History.plist.

    I also tried crashing the screen saver login window. It hung with the SPOD trying to manage that much data being pasted all at once, but it did not crash. After several minutes, I killed the processes remotely, but even killing the process did not return me to the desktop - I just got another login prompt, and was able to log in.

    I'm running 10.2.6, the latest available version.
    • by Graff ( 532189 ) on Sunday July 06, 2003 @01:58AM (#6375877)
      Just like you, I'm running MacOS 10.2.6. On my first attempt to reproduce the screen saver crash I had the screen saver pause for a second, fade to black and then the login window came back up again. I tried it for a second time and this time it did crash and I was able to get to the desktop. This was repeatable several times.

      I then logged out and tried the same trick with the user login window. This time the login window greyed out the buttons and it refused to let me enter any password or take any action. I had to reboot the machine externally. Once I did so and the system restarted I was presented with the login window again, even though I have the machine set to auto-log me on. I tried the trick again with the same results, had to reboot. This time I entered in my normal user password and had no problems logging in.

      I tried the trick on several other programs without being able to use it to circumvent security. It looks to me like this is a problem with the screen saver only. That being said, you should NEVER use a screen saver as a way to protect sensitive data. If you are that worried about your data then log out from the account when you leave your desk, it only takes a few seconds to log back in. If you are really worried about security then keep your computer behind lock and door - no matter what the machine it is so easy to bypass any security measures once you have physical access to the machine.
  • ok people wtf (Score:5, Interesting)

    by carpe_noctem ( 457178 ) on Saturday July 05, 2003 @10:20PM (#6375148) Homepage Journal
    I saw this "exploit" on full-dis, where it started a rather large thread, given how silly this bug actually is (a screensaver breaker...ooooh now I'm quaking in my boots). I thought it was excessive that -anyone- responded to his thread, and now it got posted on /. ? What gives?

    Probably going to get modded down for troll, but I had to vent. Excuse me. ;)
  • by ceswiedler ( 165311 ) * <chris@swiedler.org> on Saturday July 05, 2003 @10:32PM (#6375209)
    Hah! I knew it! Mac OSX isn't based on Mach or BSD at all! It runs on top of emacs!

    Actually, the thing that surprises me is that they managed to trim emacs down so it's only an operating system.
    • Mac OSX isn't based on Mach or BSD at all! It runs on top of emacs!

      And they even managed to run a decent editor on top of it!
  • by crispy1083 ( 636320 ) on Saturday July 05, 2003 @10:33PM (#6375219)
    ...you can probably just boot using a CD or external hard drive, which results in a much worse security problem, since it'll give you access to Mac OS 9. You can use that to trash the Mac OS X system, since you can destroy all the normally hidden files and not worry about permissions.
    • There is a firmware password program that you can dowload from apple to make sure that only the system selected gets booted into... otherwise you need a password to boot from a CD or another boot folder. You have to hold option down at boot time and a password field comes up. There is also a password screen for the mulitple users option for OS 9 that secures booting into it. The only question is Are there any problems with the security of the security system in OS 9 like this bug in OS X? For that reason OS
  • by Doctor Sbaitso ( 605467 ) on Saturday July 05, 2003 @10:44PM (#6375272) Journal
    My local computer store has password-protected screensavers on all its demo Macs - now I'll be able to surf the web for... ahem... "those" sites... when the store employees aren't looking!
  • by zenyu ( 248067 ) on Saturday July 05, 2003 @10:51PM (#6375302)

    Personal computers and workstations make no attempt to be secure against physical access. I just changed two Mac OS X root passwords so I could create an account for myself on some pc's last week. I'm not a regular mac user, I just did a google search and found three or four ways to do it, the easiest was to just boot into single user mode, turn on the standard password authentication mechanism, and then type passwd... I've never met a Sun workstation that didn't give you fully fledged debug console at Meta-A.. Lilo lets you enter single user mode with just a kernel parameter to linux... You can overwrite the password files in Windows, etc.

    You could encrypt the root filesystem, then on boot authenticate the machine (to make sure someone didn't just clone the startup to harvest your decryption key) and then enter the decryption key based on a one time response from the computer. That level of paranoia would justify caring about this "exploit." Even so someone could just install a sniffer inside the computer since our hardware is not hardened in the least.
    • You could encrypt the root filesystem, then on boot authenticate the machine (to make sure someone didn't just clone the startup to harvest your decryption key) and then enter the decryption key based on a one time response from the computer. That level of paranoia would justify caring about this "exploit." Even so someone could just install a sniffer inside the computer since our hardware is not hardened in the least.

      Maybe you could, like, lock the door to the room with the Mac in it...

  • by sharkey ( 16670 ) on Saturday July 05, 2003 @11:14PM (#6375358)
    Mortal enemy of the Mastodon!
  • Confirmed for me (Score:5, Informative)

    by coolmacdude ( 640605 ) on Saturday July 05, 2003 @11:17PM (#6375365) Homepage Journal
    I was able to reproduce it on my Powerbook. Here is the crash log.

    2003-07-05 23:25:41.258 ScreenSaverEngine[9993] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0) Jul 6 00:10:42 localhost crashdump: Crash report written to: /Users/jonathan/Library/Logs/CrashReporter/ScreenS averEngine.crash.log
  • by ultrapenguin ( 2643 ) on Saturday July 05, 2003 @11:28PM (#6375402)
    Was so immature, its no wonder it got ignored.
    I would be surprised if the mail didnt get deleted after just looking at the subject of it :)

    Seriously, people reporting security bugs need to start working on their english and sentence structure, and stop sounding like 10 years old script kiddies.
  • It's not a bug.... (Score:3, Informative)

    by ebbomega ( 410207 ) on Saturday July 05, 2003 @11:29PM (#6375408) Journal
    It's a feature!

    Seriously, all software produces exploits of some kind, even the beloved Linux and its considerably more stable cousin OpenBSD. The difference between an open source project like Linux or OpenBSD and more proprietary software like Cocoa and Windows is that more often than not if there's an exploit, the sooner it's discovered the sooner someone patches it, and as a result the sooner it gets fixed. I remember /. reported a samba security hole about three months ago that I had patched about an hour before the article was even posted, thanks mainly to Mandrake's Security Update.
    • That's quite an interesting statement. Do you have any evidence whatsoever that open source security bugs get fixed faster than closed source ones? Compare Linux with Solaris, if you want a level playing field.

      Not a troll--I've heard this statement tossed out so many times as absolute fact, and yet I don't know if it's ever been tested.

      As for Samba, you might have had good luck with a security patch, but we had a bug that caused a prouduction system to crater (12 CPUs and about 8GB of RAM) completely. It
  • by cyberrodent ( 158321 ) on Sunday July 06, 2003 @12:03AM (#6375488) Homepage Journal
    that's how Mystique hacked into that government computer in Xmen 2 -- and I'm pretty sure that's how Jeff Goldblum hacked into the alien ship too - only we didn't know it at the time because os X was only released to celebrites at that time.

    (and that's why he did those commercials too!)

    cyberRodent
  • by FooGoo ( 98336 ) on Sunday July 06, 2003 @01:51AM (#6375860)
    But everytime I try and type it into my Mac Steves head fills my 23" cinema display and tells me I need to listen closer to the next keynote. I think it's a security feature.
  • by EvilStein ( 414640 ) <spam@pbp . n et> on Sunday July 06, 2003 @02:19AM (#6375939)
    I got drunk last night and passed out at the keyboard and came 'round *six hours later* - a lot longer than the 5 minutes needed for this "exploit" and I STILL couldn't get into my Mac OS X box.

    Couldn't find any more beer, and I couldn't find my pants, either.. but that's another story.. grrr

We were so poor we couldn't afford a watchdog. If we heard a noise at night, we'd bark ourselves. -- Crazy Jimmy

Working...