Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Businesses OS X Operating Systems Apple

Apple Responds to Exploit 351

Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3. ... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme." This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.
This discussion has been archived. No new comments can be posted.

Apple Responds to Exploit

Comments Filter:
  • by Anonymous Coward
    The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.

    Yes that should be obvious to Mac users
    • by tgibbs ( 83782 ) on Friday November 28, 2003 @08:51PM (#7585251)
      Yes that should be obvious to Mac users
      It's very complicated. You run Directory Access and a window comes up with a series of checkboxes. Then you have to uncheck the ones Apple says to uncheck.
      • Important wrinkle (Score:3, Informative)

        by awtbfb ( 586638 )

        What is not fully documented is that if you have multiple network locations, you have to deselect this checkbox for each location. Fortunately, this is straightforward since there is a network location pull down menu right above the checkbox.

        Note that this means you can leave it checked for trusted networks but uncheck it for untrusted networks.

  • by Space cowboy ( 13680 ) on Friday November 28, 2003 @07:55PM (#7584995) Journal
    but it's as valid today as it ever was. There is a dichotomy between security and ease-of-use. Hitherto it has been impossible to have the one and the other simultaneously. Choose one.

    Apple choose ease-of-use, and get criticised for leaving an open security "hole". Microsoft choose the same, and get criticised for (well, just about everything except wonderful marketing), and Linux chooses the other, and is criticised for poor ease-of-use.

    That's not to say it's impossible, but it needs more than the current level of effort that goes into multi-node design. Apple is taking the first steps, and they've been somewhat burnt. Let's hope that doesn't discourage them from carrying on down the path... Unix as a genre can only learn from a successful easy-to-use and secure implementation of multi-machine computing. The thing is that you only learn by trying....

    Simon.

    • Comment removed based on user account deletion
    • Apple choose ease-of-use, and get criticised for leaving an open security "hole". Microsoft choose the same, and get criticised for (well, just about everything except wonderful marketing), and Linux chooses the other, and is criticised for poor ease-of-use.

      Uh, you mean Red Hat Linux, where every service and it's 3rd cousin is running?

      Try OpenBSD, which has just about nothing running default.

    • by cgenman ( 325138 ) on Friday November 28, 2003 @08:46PM (#7585234) Homepage
      I'd find the "Microsoft security vulnerabilities are the fault of ease-of-use" argument a little more valid if Microsoft's software were actually vulnerable due to useful features.

      For example, the messenger service isn't used by anyone by spam senders, e-mail scripting was never a useful device to anyone, and a fragile, naked file system doesn't lend itself to easy usage anyway. A web browser that can be told to run arbitrary code due to a buffer overflow is not vulnerable because it is easy to use, but because it is poorly written. The autodetection of hardware and updating of drivers is very easy to use, and has (as far as I know) never been the source of an exploit.

      You can both have security and ease-of-use... Just design a closed system with very limited purposes. A Hub, for example, is extremely easy to use, and has few possible points of security vulnerability. Routers, on the other hand, are frequently a bit archaic in their setup and get hacked all of the time.

      That's not to say that your point is invalid, but that there are other factors involved... Flexibility, control, effort, etc.

      I guess the point of this is that if I have to re-install windows or edit the registry again before Christmas I'm buying myself an iMac.

      • by Catnapster ( 531547 ) on Friday November 28, 2003 @09:03PM (#7585278) Homepage
        No, the parent is right. The security holes in MS products are all about ease-of-use; just to the cracker, though, not the user.
      • by Maserati ( 8679 ) on Friday November 28, 2003 @09:08PM (#7585294) Homepage Journal
        Universal Plug and Play [microsoft.com].
      • the messenger service isn't used by anyone

        A linux box here with an ISDN card sends Windows popups with "who is calling whom" info to the Windows boxes on the net. It occasionally annoys the children when they are playing a game, but we find it useful.

        In a company, the users seem to like the popup announcing them they have new mail. I intend to replace their Exchange server with a Linux box, so I guess I'll also have to script some gadget talking to messenger to keep them happy.
      • e-mail scripting was never a useful device to anyone

        Exposing the Outlook object model to .vbs files embedded in emails was pretty stupid on Microsoft's part, but the ability to script emails is very valuable from an organizational standpoint. The Security Model (for Active X objects and Windows login) that Microsoft defined was the real culprit.
      • by Webmonger ( 24302 ) on Saturday November 29, 2003 @12:52AM (#7586012) Homepage
        Hey, buffer overflows mean that the functionality provided is limited only by your imagination!
      • by RzUpAnmsCwrds ( 262647 ) on Saturday November 29, 2003 @02:23AM (#7586240)
        "For example, the messenger service isn't used by anyone by spam senders"

        System administators have used it for years. It's only recently that the spammers have decided to use it. That's why Microsoft is disabling the service by default in XPSP2.

        "fragile, naked file system"

        I don't honestly know what you are talking about. NTFS is a journaling filesystem with some very strong features. Metadata for every file, unlimited alternate data streams (Microsoft's version of the HFS data/resource forks, but you can have as many as you want), strong security permissions that even the OS obeys that can be applied on a per-user basis with inheritance and an allow/don't allow/deny system. NTFS one of the strongest attributes of Windows. Now, the permissions aren't set strict enough out of the box (and most users make their account part of the Administrators group - just like running as root all of the time).

        Imagine how a Linux system would hold up under the following situation:
        - User always running as root, even when they don't have to
        - User downloading and executing unknown code from random locations (screensavers, shareware, warez)
        - User installing software that is bundled with programs that spy on them / mess up their system
        - User never patching their system, even though the OS can do it automatically
        - User not using a password on their system in many cases
        - User downloading and executing unknown code (in email attachments) even though system warns of extreme security risk
        - User not using firewall even though it is built into the OS

        Now, Microsoft could do more:
        - No mail client should even be able to execute attachments. Even with a security warning. I do believe that Outlook Express now prevents you from executing attachments at all unless you uncheck a box hidden in some configuration dialog.
        - The firewall should be on by default. XP SP2 fixes this.
        - Users shouldn't run as root all of the time. Perhaps a warning when they log on would be helpful. The setup wizard already creates non-root users, but most people don't use them. I don't think users are adequtely informed of the security risks of running as root.
        - Windows should come with an antivirus solution. Something integrated and transparent. Sometimes, you need to run untrusted code, and an good antivirus program can help reduce the threat.
        - Windows should have more restrictive permissions by default. Currently, non-root users can write to "program files" and potentially destroy software (although not the OS).

        Finally, some things that are good:
        - As I said before, the permissions system is very good
        - Windows File Protection is good for those stupid installers that try to overwrite system libraries
        - Systm Restore is nice for those people who are too cheap or lazy to have a real backup solution
        - Automatic updates are nice - if only people would use them
        - Driver rollback is nice for nuking "crap rev" drivers

        "I guess the point of this is that if I have to re-install windows or edit the registry again before Christmas"

        If you do the following things, you won't have to:

        - Don't run as root (administrator) unless you absolutely must
        - Don't download and execute unknown code unless you have scanned it with an antivirus. Don't run it as root unless you absolutely must (many programs will install as nonroot)
        - Turn on the XP firewall
        - Run a spyware detection tool such as ad-aware or spybot to get rid of the crap
        - Install the latest patches and service packs

        Basically, use common sense. If Windows users would realize that, no, your computer *is not* a toaster and it *does* require a bit of work to keep it secure, there would be many fewer viruses and worms.

        Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.
        • by cgenman ( 325138 ) on Saturday November 29, 2003 @04:24AM (#7586445) Homepage
          Good advice overall, which any computer user should abide by. However, I'd like to point out a few things.

          First of all by "file system," I had meant the organizational file heiarchy in Windows, the portion that the OS sees. You can still break all of the links to a program by, for example, re-naming a folder. Many programs fail to work if installed on something other than the C: drive... Many of these are Microsoft's programs. The Windows folder is a hodgepodge of thousands of items, some of which are protected and some of which aren't, but few of which are intelligently laid out for either the user or the programmer. I agree that NTFS is a much better file system than Fat32 was (though the fact that Windows XP doesn't support 160 GB drives out of the box is pretty shameful), but what the OS does with it is shabby.

          Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.

          Actually, some programs treat registry settings like they were a preferences dialog. Zone Alarm, for example, like thousands of other pieces of software has an annoying splash screen that appears every time your computer boots, and the only place the preference exists is in the registry. Program registrations need to be backed up from and occasionally restored to the registry... It's just a bad idea to keep your copy restriction authentication and your preferences in the same structure, but that's exactly what Microsoft designed.

          As a game developer, and an out-of-work one at that, Windows does need to be reinstalled every 6 months or so... If the constant flow of test games doesn't get you, the constant flow of uninstallers will. Rolling back to restore points is useful, but A: it doesn't always work and B: it doesn't address the cumulative damage of accrued extensions.

          As an addition to your suggestions, the user needs to check what icons are in the bottom-right hand corner of their screen, and shut off what isn't needed. Many people I have spoken too don't realize that those are applications and not just quick-launch shortcuts.

        • Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.

          That is simply so wrong. There are so many applications that require the user to edit their registry. Not by design of course but because of software bugs.

          Some simple cases to illustrate my point.

          Exact Globe 2000 (administration software) suddenly won't properly print anymore. Call helpdesk. Remove some keys and voila print
        • Two things I'd love to see MS steal from Apple:

          Application Bundles. Ths means that the only dynamic libraries going into the System directories are actually part of the core OS. All an applications dynamic libraries are contained in the bundle. It's a bit wasteful space-wise, but HDD space is cheap. And it solves much of the problem of Users needing to install their own software, but needing to be Admin to do so. This is much like installing software in your home directory as an unpriviledged user in other
        • by Dylan Zimmerman ( 607218 ) <Bob_Zimmerman@myreal b o x . c om> on Saturday November 29, 2003 @03:20PM (#7588768)
          NTFS has a good permission system? That's news to me. As an administrator, I created a folder that denyed other users the ability to do anything with or to it. I set every single permission to "deny", especially the "Take Ownership" permission. I then logged in as a Limited account, navigated to the folder, right-clicked it, went to "Security", it told me that I wasn't allowed to view or change the security settings and that I couldn't take ownership. I then clicked on the "Advanced" button, went to the "Ownership" tab, and gave myself ownership. I then closed the two open dialogs, right-clicked again, added myself to the permissions, and gave myself full control over the folder.

          In UNIX, I could set the permissions to 750 and not have to worry about it anymore.

          Now, I like the link idea. Having the same file in multiple locations on your directory tree can be very useful. Also, the metadata and data streams are nice. However, NTFS doesn't have "strong security permissions" by any stretch of the imagination.

          I have to edit the registry all the time. Programs like to set themselves up to autorun by putting themselves in HKLM/Software/Microsoft/Windows/Current Version/Run. Most of these are programs that I don't like such as Microsoft Messenger. I go into the Microsoft Messenger preferences and uncheck "Run this program when Windows starts", but it doesn't remove the registry entry.
      • Oh give it a rest (Score:2, Insightful)

        by Sycraft-fu ( 314770 )
        The messenger service is used by many orginazations for alerts. Where I work, our servers use it to send alerts to those that manage them. Works well since, unlike e-mail, it will get immediate attention. A web browser that is able to execute scripts is much more complex and therefore venurable than one that just doens't execute code at all.

        Get off it, when you provide services to the world, you open yourself to the poiibility of getting hacked. Look at Linux. Consider the holes in OpenSSH. Is it essential
        • By the way, if you have to reinstall Windows continually, you need to get some skills with Windows. To fuck it up that often and that bad indicate poor skills of the user.

          You asinine troll. Windows is quite simply broken. Want proof? If something is f*cked up on your Windows system, and you reboot it, it frequently fixes the problem. Try that with another operating system. A reboot shouldn't fix anything, it's a symptom of the operating system breaking itself.

          I've been using NT since 3.51, I've bee

    • There is a dichotomy between security and ease-of-use. Hitherto it has been impossible to have the one and the other simultaneously. Choose one. Geez you sound like Gandalf or something. There's no physical reason why you can't have both. Having a great UI and security is a resource allocation (ie. business) problem , not a rule of the physical universe.

      I could also say that easily distributable digital music and artists getting paid are mutually exclusive concepts, but I would be dead wrong, as this

      • There's no physical reason why you can't have both. Having a great UI and security is a resource allocation

        Yes, there are real, physical (derived from natural laws) conflicts between ease and security.

        An easier version of SSH wouldn't force the user to memorize passwords, which is a fundamental conflict with security. An automobile would be easier to use if you didn't need to carry around an ignition key.

        However, the post you were responding to didn't say that. It said "Hitherto it has been impossible
  • by Crypto Gnome ( 651401 ) on Friday November 28, 2003 @07:56PM (#7584997) Homepage Journal
    Realistically, an issue trusting the LDAP server that your DHCP server points you at?

    What is the world coming to?

    Do I need to manually verify every single setting supplied to me by my DHCP server because I don't trust it?

    These days, the internet is not a safe place, we all need to be more than just a little paranoid - but are you paranoid enough?
    • by nehril ( 115874 ) on Friday November 28, 2003 @09:14PM (#7585308)
      Do I need to manually verify every single setting supplied to me by my DHCP server because I don't trust it?

      in a way, yes. an evil machine on your network may answer your dhcp request with, say, itself as your default route. wham, you have yourself a machine routing all your internet bound packets through itself, doing whatever it is evil people do (nice little man-in-the-middle eh?)

      it's back down to ease of use: dhcp, or have the network admin identify himself with DNA samples and personally configure each box on the network.
    • Spoofing DHCP is easy and handy to make sure you get the settings you want. A few times I unpluged a machine, plugged in a hub+laptop and gave the server settings I pre-configured, overiding the default DHCP servers. Microsoft/SUN and other vendors use configurable DHCP settings to pass information to Applications (proxy/etc). Even mobile networks can use DHCP to get its current settings. (gateway/msisdn/int-ext networks)

      Physical access is the number 1 security hole.
    • by Cysgod ( 21531 ) on Friday November 28, 2003 @09:22PM (#7585345) Homepage
      You trust the network (and DHCP) to tell you how to talk to the network. (IP address, netmask, gateway, DNS, etc.) And then you use things like SSL and SSH host keys to make sure you are really talking to who you think you are. You don't trust it with root access to your machine to do whatever it wants to.

      The argument I make in the "philosophical details" section of the advisory is that realistically you should not trust a network for user authentication information without at least *some* user interaction so the user is aware of what is going on. To do otherwise is irresponsible and puts end users at risk.
      • by Anonymous Coward on Saturday November 29, 2003 @02:06AM (#7586206)

        Still, i strongly disapprove the way you went about releasing your exploit.

        You should know damn well that the solution to this problem is far from being a simple patch to a piece of C code to plug a stupid buffer overflow vulnerability. People who expect, and, like you did, demand a solution to this problem within days or weeks, are people who blindly refuse to acknowledge the challenges surrounding the development of an appropriate and comprehensive solution. We are talking here about removing functionality from the DHCP protocol that had been taken for granted for years. Or significantly patching it to add a slew of warning dialog boxes, which are all usability enhancements. A short-term fix might need to be evaluated vs a longer-term fix. You don't develop this in days. it takes time.

        if you had any clue about processes surrounding software development, especially intricacies behind design and development of user interface updates, there is just no way in hell you would have published your advisory, much less with a working exploit. A December time frame would have been perfectly reasonable and you fucking know it.

        Now thanks to your dumbass move, chances are you've just cornered Apple into releasing an update that only solves problems partially.

        The Panther code base and user interface had been locked-down and tested way before your advisory. This would have required a major change in the code, delayed testing certification, and subsequently launch, for a security issue that is, after all, not even close to be remotely as bad as other issues found earlier. more on that later. Shortly after Apple had to address more urgent security issues in 10.2.8. You can't hold against them the fact that they didn't just "include this fix" with either 10.2.8 or Panther, why? Simple: AGAIN, the solution to this problem is NOT, and i fucking repeat NOT a simple code patch, unlike most security issues which usually revolve arround buffer-overflow security exploits.

        Why is this problem "not so bad after all"? Simple. While many people refer to it as a "remote exploit", i'd would like to strongly qualify this term and get people to understand that this exploit will not, absolutely NOT, allow just about anyone on the internet to "own your box". You can only get infected if you happen to plug your computer on a LOCAL AREA NETWORK with one or more "evil hosts", that could subsequently try to own you. But think, my friend, think hard: WHAT ARE THE FUCKING ODDS of this happening? Even if it does, it's not like some evil internet worm could sneak around and wreak havoc the whole internet. Each infection can only max out at hundreds of machines at a time, and always be localized to a fairly specific, restricted geographical location, and in most cases the source of the exploit could be located and terminated.

        The point i'm trying to make here is that YES, Apple did miss their original november release date but fairly promply gave you a new december release date. You should fucking know by now that the fix to this problem is not trivial and could have waited another 30 days from the day you released your advisory.

  • I'm sick of hearing about Windows exploits!

    It's about damn time they found an explot for an Apple computer!

  • by Anonymous Coward on Friday November 28, 2003 @07:58PM (#7585009)
    No matter what sort of spin Apple puts on it, it's still retarded of them to trust LDAP to the point that UID=0 is trusted to be root.

    Still, I don't think that this exploit is really that easy to take advantage of... the circumstances which would lead to it are fairly limited for now (until WiFi is as pervasive as air, anyway).
    • Novell's directory service has this problem too. It does not have a "minimum uid" setting, so it will gladly accept a uid of 0...

      Which is why we don't use it at my company.

  • Yikes! (Score:5, Funny)

    by Quasar1999 ( 520073 ) on Friday November 28, 2003 @08:00PM (#7585020) Journal
    This is horrible... First the machine comes with a pre-configured backdoor/exploit, and they want to leave it like this? Second, if you can just plug in the machine in a network, and have it totally configure itself, you've just killed a job for an IT guy... and we need all the jobs we can get...

    Oh, wait... once the new machine gets owned by some script kiddies, then the IT guy gets called... okay... phew... nearly thought that a job was eliminated... nevermind... as you were... ;)
  • I wonder what new bug is waiting in their "automatic setup" to bite us.

    I was recently bit by their hijacking of the .local tld with their Rendezvous/mDNS crap.

    (and when you call their support to ask why the Mac cannot see the local mail server called x.y.local, they have no idea and tell you to go around asking in web forums!)

    So whatever they do and sell you as "making things easier", I would be very afraid to have it on my network.
  • Use what you know... (Score:4, Interesting)

    by Rahga ( 13479 ) on Friday November 28, 2003 @08:03PM (#7585039) Journal
    This problem is rather simple... Operating systems such as Windows and MacOS X (don't troll me with Darwin) are commonly developed inside corporate environments, and a direct connection to the internet rather than a firewalled lan is the exception, rather than the rule. When the pointy haired boss walks in and requests a machine than can set up itself when he plugs in to the network, it gets delivered.

    I expect retail software geared to the home user will continue to keep the tendancy of shipping flawed, because development often does not take place in a home environment. This goes for everything from Quake servers (remember ID's backdoor?) to all of the $40 photo-editing tools that are sold at Wal-Mart with marketing emphasis on the end user, with interfaces so all-encompasing, wizard-heavy, and dumbed-down that even I don't attempt to tech my low-tech friends how to use them.
    • Home vs. Work (Score:5, Insightful)

      by LauraW ( 662560 ) on Friday November 28, 2003 @08:20PM (#7585115)
      I expect retail software geared to the home user will continue to keep the tendancy of shipping flawed, because development often does not take place in a home environment.

      In this case, the software is actually more vulnerable in a work environment, because it requires a compromised DHCP server on the local subnet. Most home users would probably notice if you plugged in another computer in their house. It's less likely to be noticed in a corporate environment, at least for long enough to compromise a few servers.

      Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

      • Re:Home vs. Work (Score:5, Insightful)

        by Rahga ( 13479 ) on Friday November 28, 2003 @08:26PM (#7585146) Journal
        Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

        The janitors in my bank building could probably do this on multiple networks on multiple floors with ease. Heck, just drop a decently modded dreamcast under a secretary's desk or anywhere you can find a ethernet drop and weak switching.

      • Re:Home vs. Work (Score:5, Informative)

        by wolrahnaes ( 632574 ) <sean AT seanharlow DOT info> on Friday November 28, 2003 @08:53PM (#7585254) Homepage Journal
        Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

        I have mod points, but I had to respond.

        This is so true. Many organizations beyond a few (10-20 or so) computers do not have good physical security. Anyone can easily place a rogue node on a network and wreak havoc.

        This happened recently at my school. Someone setup a DHCP server that responded faster than the school's Netware systems could. This seemed to be accidental because the configuration was all over the place, and didn't work at all. The techs have been investigating this for a few weeks and I'm not sure if they have found it yet.

        While my above example didn't cause any harm, imagine if someone was to setup a DHCP system and also took advantage of IE's "autodetect proxy settings" feature. They could be almost undetectable, yet be able to log all Internet traffic by redirecting the proxy and default gateway through their box.
        • >> The techs have been investigating this for a few weeks and I'm not sure if they have found it yet.

          to get the drop (assuming areasonably intelligent switch):

          (on dhcp client)
          ping [IP of dhcp server] (to ensure arp entry is active)
          arp -a [IP of dhcp server] (to get mac address)

          (on switch - this is cisco catalyst syntax, but any managed switch should have this feature)
          show cam [mac addr of dhcp server] (to get port on switch)

          a few weeks? should be a few minutes with a 1/2 decent network config...
      • There's a Starbucks every block or half a block in NYC. In almost all of those Starbucks, theres at least a couple people using laptops with the wireless access. Go into one of those with a properly configured laptop and sit and wait...

        As for noticing - I wouldn't notice someone sitting outside my house and hooking onto my wireless network. I rarely pull up the DHCP clients list on my wireless access point. I imagine it's the same for most people. I rarely pull up network browsers, too - I just go to the m

    • by tgibbs ( 83782 ) on Friday November 28, 2003 @08:43PM (#7585221)
      This problem is rather simple... Operating systems such as Windows and MacOS X (don't troll me with Darwin) are commonly developed inside corporate environments, and a direct connection to the internet rather than a firewalled lan is the exception, rather than the rule.
      Neither is it much concern to the typical home user who either connects directly to DSL or cable modem, or at worst uses his own short-range WiFi with some level of security. Currently, it is mainly a concern for traveling businessmen who take their WiFi equipped laptops to Starbucks or a convention center and connect from there. It will probably become more of an issue as such semi-public WiFi nodes become more common.
  • by danielrm26 ( 567852 ) * on Friday November 28, 2003 @08:04PM (#7585047) Homepage
    ...it's about *how it's handled*.

    All software is, and will continue to be for the forseeable future, vulnerable. The question for the users and security people is, "How will company x handle themselves when a vunlerability is discovered in their product?"

    This question, and its answer, is the most important issue when deciding who you trust with your data.
  • by b17bmbr ( 608864 ) on Friday November 28, 2003 @08:06PM (#7585055)
    really, from apples docs, you have to have a malicious dhcp server on your subnet. of course, someone could bring a rogue box into work, but this isn't on par with ms exploits. wouldn't a simple mac address filter at the switch level take care of all this. yeah, you could instal dhcpd on your authorized client, but this should also be a fairly easy thing to detect. i think apple is right, it's a configuration level solution.
    • by Anonymous Coward
      > you have to have a malicious dhcp server on your subnet.

      Keep in mind "your subnet" could be the WLAN at the coffee house (I must have seen 6 macs down there today - near the Castro in SF, in case anyone's interested), or a cable modem connection. This also means that if you can own one box on the network, you automatically get root on the all the others.
      • From what I've read this "exploit" only happens on startup. So for most Mac users, who leave their PowerBooks in sleep mode, this has no effect whatsoever in a place like starbucks.
      • What if the machine "trusted" the first subnet it ever appeared on, and required confirmation to trust all subsequent subnets it discovers?
        That way it's almost certain to do the right thing when you unpack it at home (or work, whatever) and will be less vulnerable to being attacked in Starbucks. After all, surely no-one boots up for the first time in a coffee shop?
      • since i have an ibook, to enter a new network, even if you use dhcp, you have to add it in the network preferences, and you have to tell it to use ldap, etc. most publc wifi's go like this: one, you have to get your mac address add to the database, two, you set it up to use dhcp (but do not configure any ldap, etc., since you're not authenticating against anything, and have no technical shared resources) then you get your IP address, and you go from there. besides, if this is the only os x exploit, then
    • ok, so your thinking a switch which supports mac address filtering (start thinking several hundred bucks) is something the average joe is going to have in his home? Or that the average business with less than 50 users is likely to have?
    • We had to track down and have arrested a haxs0r that was spoofing our router in an attempt to capture passowrds. He could have also easily done this with a DHCP server (well, had he been intelligent enough to make his software work). When tou run a network that offers some kind of public access, and there are a great many, you run the risk of infiltration. Plus, do you trust ALL your employees?

      Security is not simple, and the balance between security and usability is even more complex.
  • by Mundocani ( 99058 ) on Friday November 28, 2003 @08:11PM (#7585071)
    In many discussions, people downplay the importance of exploits like these because the attacker has to be on your local network to take advantage of the security hole. What about all of the mis-configured (or deliberately) open wi-fi networks out there? I think that wireless networking has changed the importance of "local exploits" by allowing somebody passing by to become a local entity on an open wi-fi network.
    • by Anonymous Coward
      I am not so sure that I buy the whole... wireless dhcp server being that huge.

      First, if someone can jack into my ethernet with a machine and place it on my same subnet... they deserve to h4x0r my boxen.

      Now... if they get on my wireless network, what are the chances that my wireless machine will leave an already established lease to jump ship and run to another dhcp server especially if my base station is also my wireless dhcp server. And lets not forget the whole problem of "ssh" is not on by default. I
      • ...if they get on my wireless network, what are the chances that my wireless machine will leave an already established lease to jump ship

        The chances are that if you read the original advisory the main vulnerability identified required a reboot. At reboot, your Mac will associate with the first DHCP server it hears from. This may or may not be a malicious one. The chances are, of course, not 100%, but they are above zero, and thus something for people to know about, so they can protect themselves.

        A
      • I agree that the risk is small, but it's there none-the-less. My point is mainly that people tend to downplay local exploits without recognizing that wireless networking is changing the meaning of local. It sort of reminds me of how people (myself included) used to dismiss stack overflow exploits as unlikely due to the difficulty of engineering one.
  • by clasher ( 2351 ) <bkeffer@@@thecommandline...org> on Friday November 28, 2003 @08:13PM (#7585082) Homepage
    This problem seems little worse than other problems related to DHCP. If someone had access to your subnet and was able to configure a rogue DHCP server (e.g. to exploit the OS X ldap bug) they could just as easily return a rogue proxy as the default gateway or a tainted DNS server. If you are not vigilant about SSH warning messages or best practices you could be connecting to a server which is just recording your password and passing it along to the real server.

    There may be something I missing, but this does not seem to be a problem with Mac OS X as much as it is with DHCP. DHCP in its simplest form is not secure. Using DHCP on a subnet requires trust. As with any other kind of security you will have to trust something, whether it is your computer or your home network.

    I hope people do not blow this bug out of proportion too much.
    • by kwj8fty1 ( 225360 ) on Friday November 28, 2003 @08:35PM (#7585189) Homepage
      Sure, someone can feed you bogus dhcp info, and they could then man-in-the-middle you.

      That fine, but THIS hole (and it is a hole, not a bloody feature, IMHO), grants anyone on your subnet r00t access on your MAC.

      This is a different attack completely.

      AFAIK, no other OS offers root access to any little kiddy acting like a dhcp server.

      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Friday November 28, 2003 @09:01PM (#7585270)
        Comment removed based on user account deletion
      • That fine, but THIS hole (and it is a hole, not a bloody feature, IMHO), grants anyone on your subnet r00t access on your MAC.

        IF you are running with DHCP.

        And if you are on a network doing this? Trap out any unauthorized DHCP servers on your switches. You probably are already doing this to prevent headaches from people plugging in private 802.11 devices and screwing things up. Or you could just have an explicit allow list of MAC's (the standard accepted meaning of MAC, not your CaPsEd Mac.) Both are a sta

      • Look, if I can physically compromise your network and slip in a trojan server, I can almost certainly root any machine you've got in the same time anyway.

        And don't talk about wireless without RTFA, Airport is not affected.

      • and again, the 'who cares' part of the problem is: how are they going to use that root access when ssh and other services are OFF by default?
    • ok, now I'll be the first to admit, DHCP is not generally the most secure thing in the world. But are you honestly saying you fail to see how a vulnerability which basically turns DHCP into a user friendly rootkit which by default gives full root access to every file and service on every machine which recieves a lease is a tad bit more serious than redirecting users to a barney sucks webpage when they try to go to google?

      DHCP is not secure, it was never intended to be a secure or trusted mechanism. That'
  • by leereyno ( 32197 ) on Friday November 28, 2003 @08:13PM (#7585083) Homepage Journal

    The more they overthink the plumbing, the easier it is to stop up the drain.
  • by iamdrscience ( 541136 ) on Friday November 28, 2003 @08:13PM (#7585085) Homepage
    A friend of my brother's recently found this one in OSX: Link to his blog entry about it [sumorai.net]

    Not SO bad, but could be bad, and it's considerably more dangerous for known Unix nerds.
    • I just tested it. It is real.
    • I just tested it on panther and at least 2 or 3 chars of the password get passed on to a window behind...
  • Re: (Score:2, Insightful)

    Comment removed based on user account deletion
  • Oh... (Score:5, Funny)

    by MiniChaz ( 163137 ) on Friday November 28, 2003 @08:42PM (#7585212) Homepage

    This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.

    Slashdotter A: "Are we being sarcastic?"

    Slashdotter B: "I can't even tell anymore."

  • by penguin7of9 ( 697383 ) on Friday November 28, 2003 @08:57PM (#7585266)
    This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services.

    That is a root vulnerability. You could perhaps trust LANs 20 years ago, you absolutely cannot trust them today, and any vendor that ships software that, by default, trusts the LAN is shipping software with severe security problems.
    • ok, i may be missing something, so if i am, please correct me... but, even if you connect to a malicous LAN, that gives you a evil dhcp server that tries to exploit this thing, how are they gonna do anything? ssh is off by default, so they can't login...

      again, maybe i am missing something.
  • This doesn't sound much different from MS's way of leaving most services turned on and wide open by default.
  • -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.

    Reminds me of a user who left the Windows 2000 Professional CD-ROM in his CD-ROM drive, booted from it, and reinstalled Windows. Though, he did have to "answer a few questions" (i.e. Press R to reinstall Windows).

    I'd say it's one more nail in Microsoft's coffin. Apple once again comes through wi
  • I was browsing a local windows network I set up the other day and saw a shared folder that was NOT previously made shareable. It seems one of the new Windows patches re-enables the "shared documents" folder on the network, and in explorer it's misleading because it doesn't use the standard "hand-looking" shared folder icon. I am really sick of this intentional and misleading crap by Microsoft! Apple should set a higher standard in this area by making sure everything is straightforward and on high securit
  • by theolein ( 316044 ) on Friday November 28, 2003 @11:25PM (#7585760) Journal
    In light of the recent Debian break in, where the core servers were rooted and a rootkit installed on other machines, and all this using ldap for user authentification, I think Apple is making a huge mistake. All it needs is a couple of apple machines to be rooted by an exploit based on this and Apple will be in the same sorry boat that MS is in.

    (And for the zealots, I'm posting this from a G4 PB so STFU thanks.)
  • Not Just Apple! (Score:5, Insightful)

    by linuxislandsucks ( 461335 ) on Friday November 28, 2003 @11:41PM (#7585821) Homepage Journal
    Ah ahem, several storage servers like Snap and etc also come with this 'feature'..

    and those run Linux...

  • A solution... (Score:5, Insightful)

    by igomaniac ( 409731 ) on Saturday November 29, 2003 @03:07AM (#7586331)
    Since this is an autoconfiguration feature, why not have it on only for the first boot after installing the OS? This way the computer can autoconfigure and then when it is configured it turns the feature off again.
  • sandbox? (Score:3, Interesting)

    by foniksonik ( 573572 ) on Saturday November 29, 2003 @03:57AM (#7586408) Homepage Journal
    I always wondered why there wasn't a sandbox approach to this automatic networking stuff... something to the tune of:

    Plug new PC in, a daemon listens/pings for DHCP, LDAP, whatever... and if it finds it, politely asks the user if he/she would like to enable the service. If you have admin privileges you get to authenticate and proceed to register with the service or if in an untrustworthy environment you can choose to leave them disabled. If a new server is found at any time the process is repeated... though you could set a preference to ignore new servers as well.

    See, sandbox. Requests are let in automatically but service must be opted into manually.

Garbage In -- Gospel Out.

Working...