Screensaver Bug in Mac OS X
dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and posted on the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."
Why... (Score:5, Insightful)
Re:Why... (Score:3, Informative)
Re:Why... (Score:3, Informative)
No, IIRC the last story on slashdot about a vulnerability was this one [slashdot.org]. The exploit it mentioned [netsys.com] was an integer underflow vulnerability.
This message has been doubly encrypted with rot13 for enhanced security.
Re:Why... (Score:5, Funny)
Because extensive user testing has shown that some people can type their passwords so fast that even a GHz-class RISC processor can't keep up unless the password capture program is written in C. The system can fall behind if it takes more than a handful of opcodes per character in the inner loop. Unfortunately, these performance constraints preclude checking array bounds between each typed character.
It's regrettable that we have to live with risks like these, but we have little choice when dealing with data input at these kinds of speeds.
Re:Why... (Score:5, Funny)
How the hell did you get it to work in C? I had to hand roll the code in assembler and optimize the register allocations. You can also save a byte and a cycle on the loop if you take the branch-prediction microcode into account.
Re:Why... (Score:3, Funny)
Because Panthers run faster (Score:5, Interesting)
Just FYI Panther seems immune to this exploit.
Tried doing the procedure ~10 minutes in the Screen Saver and nothing happened. Then tried again in a few other Cocoa apps. Still nothing. Just worked like normal (for once this is a good thing).
My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.
And yes, I realize most people can't just upgrade to Panther yet to fix this rather major oversight on Apple's part.
Yea and I think that you should be able to use Exposé as a screensaver =)
Re:Because Panthers run faster (Score:5, Insightful)
Or perhaps somebody realized there was a bug and fixed it without ever considering how bad the bug was.
Re:Why... (Score:3, Informative)
Because it is easy to introduce such bugs in your program. And they are often easy to exploit. It has been claimed (I haven't seen any statistics though) that 50% of all security problems are buffer overflows. I think that next to buffer overflows, the most frequent class of security problems are caused by race conditions.
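As an added illustration of the bug class the comment above describes (this is example code written for this page, not code from the thread, from Apple, or from the actual Cocoa implementation, whose internals nobody in the thread has seen), here is the kind of fixed-size field copy the story speculates about, in C: an unbounded strcpy into a 2048-byte buffer beside a bounded copy that rejects overlong input outright, plus a small model of the Ctrl-K/Ctrl-Y fill. FIELD_MAX, the function names and the constructed test strings are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed field size, taken from the 2048-character figure speculated on in the story. */
#define FIELD_MAX 2048

/* Deliberately unsafe, illustrating the class of bug under discussion: the typed text is
 * copied with no length check, so anything of FIELD_MAX bytes or more runs off the end of
 * 'out'. Never call this with input that does not fit. */
static void capture_password_unsafe(const char *typed, char out[FIELD_MAX])
{
    strcpy(out, typed);
}

/* Hardened variant. Measures the input without reading past FIELD_MAX bytes and refuses
 * anything that would not fit (including the terminating NUL) instead of truncating it,
 * so an overlong string is neither copied nor silently accepted as a password.
 * Returns the length copied, or -1 if the input was rejected. */
static int capture_password_safe(const char *typed, char out[FIELD_MAX])
{
    size_t n = 0;
    while (n < FIELD_MAX && typed[n] != '\0')
        n++;
    if (n >= FIELD_MAX)
        return -1;
    memcpy(out, typed, n + 1);
    return (int)n;
}

/* Models the Ctrl-K / Ctrl-Y trick: kill a line of 'seed' characters into the kill ring,
 * then yank it 'yanks' times. Returns the resulting field length. */
static size_t kill_yank_length(size_t seed, size_t yanks)
{
    return seed * yanks;
}

/* Demonstration helper: builds a constructed input of 'len' 'a' characters and runs the
 * hardened capture on it. Returns the capture result, or -2 if 'len' exceeds the scratch
 * space (a limit of this helper, not of the technique). */
static int try_safe_capture(size_t len)
{
    static char typed[4 * FIELD_MAX];
    static char field[FIELD_MAX];
    if (len >= sizeof typed)
        return -2;
    memset(typed, 'a', len);
    typed[len] = '\0';
    return capture_password_safe(typed, field);
}

int main(void)
{
    char field[FIELD_MAX];
    size_t filled = kill_yank_length(64, 40);   /* a 64-char line yanked 40 times */

    capture_password_unsafe("hunter2", field);  /* short input: fits, no overflow */
    printf("unsafe copy of a short password: %s\n", field);
    printf("kill/yank of a 64-char line 40 times yields %zu chars (limit %d)\n",
           filled, FIELD_MAX);
    printf("hardened capture of %zu chars -> %d (-1 = rejected)\n",
           filled, try_safe_capture(filled));
    printf("hardened capture of 8 chars -> %d\n", try_safe_capture(8));
    return 0;
}
```

The hardened copy rejects rather than truncates on purpose: a silently truncated passphrase would still be compared against the stored one, and a field that accepts 2047 of 2560 typed characters has a different failure mode but is still a bug. Whether the real ScreenSaverEngine crash is an overflow at all is exactly what the thread is unsure about; the example only shows what the speculated cause would look like.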
Hey! I'm famous. (Score:5, Informative)
It'll probably be trivial for Apple to fix, though. So I'm just waiting for the patch to arrive.
*taps finger on desk*
Quick summary of article. (Score:5, Funny)
Re:Hey! I'm famous. (Score:5, Insightful)
So in that respect I don't think the vast majority of OS X users are worse off than most Linux users.
Re:Hey! I'm famous. (Score:3, Insightful)
Re:Hey! I'm famous. (Score:3, Interesting)
99.9% of Linux users never patch their OS manually (i.e. edit source code and recompile).
Because you run abc-2.2-9rh9.i386.rpm. A patch is available for abc-2.2-1, but it doesn't apply cleanly to abc-2.2-9rh9.src.rpm.
Now you have two choices: download the abc-2.2-1 original tarball, apply the patch and recompile (thus tainting your 'pristine' rpm and possibly screwing dependencies). Or be like me and just wait for Red Hat to release an updated package.
Now suppose you were adventurous and proceeded to downloa
Re:Hey! I'm famous. (Score:5, Funny)
True, except you wouldn't be able to run Fink to download the screensaver patch until you figure out why your computer crashes every time you type with your hardware-hacked keyboard. You suspect that it's because your version of OpenAqua is creating conflicts with GND (GND's Not Darwin), but you can't go online to check because the web forum doesn't support OnSafari 0.1.2.33a.
Finally, there's no objection! (Score:5, Funny)
Re: Finally, there's no objection! (Score:3, Funny)
> A full, easily exploitable security hole in MacOS X. Now all those windoids will have no reason not to switch, as MacOS X now provides all the features of Windows, including a security hole.
And think how much faster the exploits will run on a G5!
Re:Finally, there's no objection! (Score:5, Funny)
I'm sorry but you're going to have to provide support for more than a single security hole before you convince me to switch. Windows has a proven track record of reliable security holes in almost every portion of the system, everything from e-mail to word processors to Plug-N-Play and more.
Doesn't matter (Score:5, Insightful)
Set an Open Firmware Password. (Score:5, Informative)
Re:Finally, there's no objection! (Score:3, Insightful)
Mac OS X doesn't have a UNIX layer like Cygwin.
It IS a true, blue UNIX.
see, cygwin can be removed from windows, there is absolutely no way to remove the UNIX CORE from Mac OS X.
Use it, and you'll see.
Re:Finally, there's no objection! (Score:5, Insightful)
What are you talking about? A screensaver password vulnerability requires physical access to the machine. Most Unices will not protect against a malicious user with physical access, either.
at least [Linux and NT] has a general design idea of what is a protection of user sessions.
That's even more ridiculous. This is a bug, not something there by design.
Re:Finally, there's no objection! (Score:5, Interesting)
Re:Finally, there's no objection! (Score:3, Funny)
Re:X isn't :0 only (Score:5, Informative)
The buffer exploit is a Quartz problem, and entirely local.
There is an X implementation for OS X - it runs on Quartz, like Exceed or CygX run on Win GDI. It may be possible to send events to Quartz via the Apple X server - but this is not shipped by Apple as production code, and won't be until Panther. That is several months and many bug-fixes away!
Just tried this exploit (Score:4, Informative)
You sure it's real? Have you verified it?
I'm running 10.2.6 on a 933MHz Quicksilver with SuperDrive
Tried entering another user's login and password at the screensaver prompt and could not get access.
When I used Folding@Home, however, I *could* crash the screensaver, thus forcing the user back into the desktop, but that has nothing to do with the bug you're mentioning; it's just that Folding@Home crashes.
Re:Finally, there's no objection! (Score:4, Informative)
It's verified.
Set a lock password and start the screensaver; when I move the mouse the authentication dialog pops up. I type some 'a' characters, select the text with shift-left, ctl-k it, then hold down ctl-y until the box stops scrolling.
Hit enter.
Screensaver crashes back to desktop, not typed my real password at all.
I don't know why it didn't work for you, but you must have done it differently.
Re:Finally, there's no objection! (Score:5, Funny)
Re:The screensaver was never meant to be secure (Score:5, Insightful)
I don't think you understand much about this subject. Mac OS X is a multi-user system from the ground up, as much as any other Unix system; the only thing that is NOT multi-user about it at the moment is the GUI.
If you go into
You are confused about what makes a system into a Unix system. The architecture of Mac OS X is a lot like every other Unix system (but for a few technical changes to abstract the OS from the hardware, and make it easier to write low level OS plugins, and binary device drivers) until you reach the GUI level.
If I take Linux or BSD or Solaris or HP/UX or AIX or Tru64 and put a GUI on it that is not the X Window System, it doesn't stop being a Unix machine.
It seems like you think Apple took Mac OS 9, stuck a Unix layer like Cygwin on top and are trying to call it a Unix system. This is not the case. If anything, compatibility with Mac OS 9 is the thing that is tacked on and "not supposed to be there".
If you want to read all about Mac OS X's history, so that you can fully understand it, and not seem like an idiotic troll when posting on the subject try reading something like these two O'Reilly articles on the history of Mac OS X.
http://www.macdevcenter.com/pub/a/mac/2002/05/0
http://www.macdevcenter.co
Anyway, rest assured that Apple didn't take their old OS and tack on new features to make it Unix, they took Unix, and tacked on new features to make it compatible with Mac OS.
Didn't work for me ... (Score:4, Interesting)
Re:Didn't work for me ... (Score:3, Informative)
It didn't work for me at first either, but it did using the ctrl-a, ctrl-k, ctrl-y method others have described.
Revenge of the drinking bird (Score:5, Funny)
It probably didn't work for you because you didn't type enough stuff. Go buy a drinking bird.
5 Point Defacing to be lowered? (Score:2, Interesting)
THe bug is bigger than the article lets on (Score:5, Informative)
First of all, the ctl-k ctl-y macros work in just about any Cocoa field. I pointed that out earlier on macslash. What I also pointed out was that this bug will crash just about every Cocoa app with a text field. I've crashed the login panel with it. It's not pretty. I really hope Apple takes heed of this bug and fixes it at the core. Unfortunately the original bug report was.... well... not too elegantly written. We'll see what happens.
In the meantime security savvy users should logout rather than trust the screen saver and use an Open Firmware password on their machine. That way you prevent people from logging in using single user mode. Hit command+O+F during boot to get into open firmware, then type in password. After that type reset-all. You should be good to go. And don't forget the password or you will be totally screwed!
Re:THe bug is bigger than the article lets on (Score:5, Insightful)
Re:THe bug is bigger than the article lets on (Score:3, Insightful)
You can't secure a computer if the attacker can physically pick it up and cart it away for an extended period of time. That's a given.
But the point is that taking reasonable precautions like this can make sure no one can get into your puter and ftp all your files off while you're in the bathroom.
HERE's an even simpler hack (Score:4, Funny)
Oh, you don't want to change the password? Well then boot in single user mode and you don't need one. Ta da!
Oh, they left Open Firmware on? Open the case and remove one of the memory cards. Reboot. Ta da!
Re:Try Xlock! (Score:3, Funny)
2 words (Score:2, Insightful)
Re:2 words (Score:2)
Re:2 words (Score:3, Funny)
Doesn't that mean that it can also be re-enabled in Open Firmware? But if they've got physical access to the machine, it's over, pal.
and the user will never suspect you were there, because everything is just as they left it.
Until you change their background, trash their home directory and fill their dock with millions of useless files.
Earlier Today.... (Score:2, Funny)
then we wouldn't have to get our vulnerabilty news a day late and a dollar short.
Wow. (Score:2, Funny)
It's only news because OS X doesn't have heaps of bugs like everything else.
I'd paste the list of current problems with glibc, but I only have DSL and it would take too long.
Re:Wow. (Score:3, Informative)
What, like this is the first security issue? (Score:3, Insightful)
Re:What, like this is the first security issue? (Score:2)
Still no evidence... (Score:5, Insightful)
Any machine you can get physical access to is insecure.
It shouldn't be that difficult to prove, though, if there's a cocoa-based network app where you could dump more than 2048 characters (Camino, perhaps?).
Physical access != physical access (Score:4, Insightful)
Any machine you can get physical access to is insecure.
Not all physical access is the same. Many demo machines in stores are left in screensaver mode, so that they show the computer is "doing something" without allowing users to write dirty messages in Notepad (or whatever Apple calls its version; I haven't used a Mac since Mac OS 8.1, when it was called "SimpleText"). It's easy to interact with the keyboard of a floor model, but it's often not feasible to turn off the machine and insert a boot disk, and it's definitely impossible to open the machine's case without getting caught, kicked out of the store, and possibly arrested for attempted vandalism.
Re:Still no evidence... (Score:5, Insightful)
As for "Any machine you can get physical with..", how about a machine with good security measures before and during the boot loading (to avoid stuff like bios/OF-tricks or the classic "passing
Or I dunno, maybe any machine you can get physical with is insecure. That won't make me take this bug any less seriously. The unfreeness of many prominent cocoa objects, including end-user-widget ones, does seem like quite a risk to me. Relying on a single source of fixes has never been a good idea.
This is NOTHING (Score:5, Interesting)
Security via screensavers should never be trusted. I'm not quite sure why it's still being put in place. Windows XP has a slightly better idea in that it will quickly log you off if you ask it to... Of course gnome/kde stole that idea before MS was able to integrate it into XP/2k.
Now, if this can be used as a buffer overflow attack as stated in the second link, that can be a problem. Not so much that a local user will overflow their own system and gain local root, but the fact that this is the same throughout multiple Cocoa apps shows the possibility of one of those being remotely exploitable.
Of course that's only for the 4 people running OSX as a server.
Win95 Screensaver Security (Score:4, Informative)
Of course, as others have mentioned, if you've got physical access to a machine, it's insecure. While I'm thinking about it XP and 2k have autorun enabled by default; I wonder how they handle autorun security when the computer is locked.
Re:Win95 Screensaver Security (Score:4, Informative)
I've tried it before on the screensaver ... (Score:2, Funny)
Once again... no response from the company? (Score:2, Insightful)
I'm not trying to blast Apple in particular here or anything, but it seems that all companies have had a poor record lately responding to security holes pointed out by email users. Recall the Microsoft Passport security vulnerability. [slashdot.org]
Granted, I would guess that the email volume these receive claiming discovery of new exploits is daunting, but doesn't this deserve top priority for response?
Oh my god! (Score:5, Funny)
Good Grief! (Score:2, Insightful)
I writed this commented.. (Score:5, Interesting)
It's no wonder why Apple didn't reply, look at the subject of the email sent to Apple: "forgot your screensaver password ?? Hackit anyway." Must have been Jeff K [sometingawful.com] reporting the bug.
In other news, a similar bug has been an issue on the Mac OS X version of Folding@Home. The screen saver crashes when lock screen is activated, and it's been months since I first noticed it, and I've seen it mentioned on the Folding boards, and it still hasn't been fixed. I agree with some of the people on the Macslash forum: don't rely on screen savers if you have truly sensitive data within reach of scrupulous characters.
So...my cat (Score:5, Funny)
Get root access (Score:5, Interesting)
Reboot the computer
Hold down appl ctrl + S
Type "mount -uw
"su" (it doesn't ask for a password)
"/sbin/systemstarter"
"passwd"
Re:Get root access (Score:5, Insightful)
Yes, the OF Password is also circumventable, but not if the machine is physically locked :-)
If you want your machine to be secure, you can take steps to ensure that it is, regardless of platform, but when there is physical access to the machine it generally takes a lot more security to do so.
Re:Get root access (Score:3, Informative)
Re:Get root access (Score:3, Informative)
Unable to reproduce (Score:5, Informative)
This will probably make a pretty ugly entry in ~/Library/Safari/History.plist.
I also tried crashing the screen saver login window. It hung with the SPOD trying to manage that much data being pasted all at once, but it did not crash. After several minutes, I killed the processes remotely, but even killing the process did not return me to the desktop - I just got another login prompt, and was able to log in.
I'm running 10.2.6, the latest available version.
Re:Unable to reproduce (Score:5, Informative)
I then logged out and tried the same trick with the user login window. This time the login window greyed out the buttons and it refused to let me enter any password or take any action. I had to reboot the machine externally. Once I did so and the system restarted I was presented with the login window again, even though I have the machine set to auto-log me on. I tried the trick again with the same results, had to reboot. This time I entered in my normal user password and had no problems logging in.
I tried the trick on several other programs without being able to use it to circumvent security. It looks to me like this is a problem with the screen saver only. That being said, you should NEVER use a screen saver as a way to protect sensitive data. If you are that worried about your data then log out from the account when you leave your desk, it only takes a few seconds to log back in. If you are really worried about security then keep your computer behind lock and door - no matter what the machine it is so easy to bypass any security measures once you have physical access to the machine.
ok people wtf (Score:5, Interesting)
Probably going to get modded down for troll, but I had to vent. Excuse me.
Re:ok people wtf (Score:3, Insightful)
Agreed that this is bad, but the root user is disabled by default on OSX. If you enable the root account in Netinfo, log into the GUI with it, and then leave it logged in with a screen saver running, you're a fucking idiot anyway, and you really deserve what you get.
That said, this will be a good test of Apple's response time for security issues. My understanding is that they've been pretty good abo
Re:ok people wtf (Score:4, Insightful)
I mean, shit, when it comes to security it's always better to be safe than sorry.
Re:ok people wtf (Score:3, Informative)
Not without the user knowing when they got back.
emacs in a password box... (Score:5, Funny)
Actually, the thing that surprises me is that they managed to trim emacs down so it's only an operating system.
Re:emacs in a password box... (Score:3, Funny)
And they even managed to run a decent editor on top of it!
Re:emacs in a password box... (Score:4, Informative)
There are some apps that don't properly handle these key combos (the iApps and Office X seem to all ignore them), but I think this is because they are using a slightly different part of OS X (perhaps Carbon instead of Cocoa)... The nice part about Office X though is that you can reconfigure the key combos so that they do work -- it just takes time to do it.
Since you need physical access... (Score:3, Interesting)
Re:Since you need physical access... (Score:3, Interesting)
Very Good News for Me! (Score:5, Funny)
Re:Very Good News for Me! (Score:5, Funny)
Yes, but please be thoughtful of other people who might happen to see the screen while you're on the site....Besides, you can go to www.msn.com from home anyways.
Re:Very Good News for Me! (Score:5, Funny)
Re:Very Good News for Me! (Score:4, Funny)
Bug Sure, Security bug no (Score:5, Informative)
Personal computers and workstations make no attempt to be secure against physical access. I just changed two Mac OS X root passwords so I could create an account for myself on some PCs last week. I'm not a regular Mac user; I just did a Google search and found three or four ways to do it. The easiest was to just boot into single user mode, turn on the standard password authentication mechanism, and then type passwd... I've never met a Sun workstation that didn't give you a fully fledged debug console at Meta-A. Lilo lets you enter single user mode with just a kernel parameter to Linux... You can overwrite the password files in Windows, etc.
You could encrypt the root filesystem, then on boot authenticate the machine (to make sure someone didn't just clone the startup to harvest your decryption key) and then enter the decryption key based on a one time response from the computer. That level of paranoia would justify caring about this "exploit." Even so someone could just install a sniffer inside the computer since our hardware is not hardened in the least.
Re:Bug Sure, Security bug no (Score:3, Funny)
Maybe you could, like, lock the door to the room with the Mac in it...
The Postedon (Score:3, Funny)
Confirmed for me (Score:5, Informative)
2003-07-05 23:25:41.258 ScreenSaverEngine[9993] Exception raised during posting of notification. Ignored. exception: *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)
Jul 6 00:10:42 localhost crashdump: Crash report written to:
The tone of the original letter to apple (Score:5, Insightful)
I would be surprised if the mail didn't get deleted after just looking at the subject of it.
Seriously, people reporting security bugs need to start working on their English and sentence structure, and stop sounding like 10-year-old script kiddies.
It's not a bug.... (Score:3, Informative)
Seriously, all software produces exploits of some kind, even the beloved Linux and its considerably more stable cousin OpenBSD. The difference between an open source project like Linux or OpenBSD and more proprietary software like Cocoa and Windows is that more often than not if there's an exploit, the sooner it's discovered the sooner someone patches it, and as a result the sooner it gets fixed. I remember
Re:It's not a bug.... (Score:3, Interesting)
Not a troll--I've heard this statement tossed out so many times as absolute fact, and yet I don't know if it's ever been tested.
As for Samba, you might have had good luck with a security patch, but we had a bug that caused a production system to crater (12 CPUs and about 8GB of RAM) completely. It
i saw this in a movie (Score:3, Funny)
(and that's why he did those commercials too!)
cyberRodent
There are worse... (Score:3, Funny)
Doesn't work at all! WTF? (Score:5, Funny)
Couldn't find any more beer, and I couldn't find my pants, either.. but that's another story.. grrr
Re:Hot on the heels of... (Score:2)
Re:Hot on the heels of... (Score:3, Interesting)
Re:Hot on the heels of... (Score:5, Informative)
(It wasn't even that bad of a vulnerability, as it required end-user cooperation to exploit and also excellent timing/sustained penetration of the target network (software update runs once a week by default-- you need to guess when to arpspoof/dnsspoof properly. Still, it's not a good thing, and Apple fixed it promptly).
I believe this is no longer true... (Score:5, Interesting)
If I am not mistaken, this was on Slashdot a while back. Apple was quick to correct this.
The only problem(an ironic one) is that they updated the flaw through Software Update =)
Re:Full Text (Score:5, Insightful)
About a message containing:
Delfim Machado - dbcm@xpto.org
XPTO:: Portuguese OpenSource Community - http://lab.xpto.org
He's Portuguese. Could you have written that report as well in his language? I'm all for basic literacy, but I can speak English and a tiny bit of Spanish. I think anyone who can communicate in a language other than their native one is doing pretty well, even if the readers do have to struggle a bit.
Re:Oh shit (Score:3, Informative)
Apple Security Updates [apple.com]
There have been more than you think. Apple, however, does release patches fairly quickly, and many of the holes are in 3rd-party code (e.g. OpenSSL) which affects Linux users too.
Re:Doesn't X have and even easier exploit? (Score:5, Informative)
Unless you're using xdm/kdm/gdm, which will automatically start X without you logging into the console first. If you kill X, it'll just restart X for you, and give you a graphical login prompt.
Re:Is this a true "buffer overflow" attack? (Score:3, Insightful)
Re:Cool... I'm trying it on the boss tomorrow.. (Score:3, Informative)
Re:LP (Score:5, Insightful)
Compare:
Microsoft [microsoft.com]
Apple [apple.com]
Notice how many of Apple's security holes are actually holes in things like Sendmail, BIND, Samba, Apache and CUPS, all of which are off by default, and affect Linux and FreeBSD as well.
Re:Mac OS X technology names (Score:3)
Kernel? No, that would be Mach [cmu.edu]. FreeBSD 4.4 is the reference platform for the rest of the command line environment, however.
Yeah, four years ago when the "Yellow Box" environment was renamed that I thought it was funny for maybe a day or two.