Free Republic

Remote Root Exploit in Mac OS X
carrel.org ^ | 11/26/03 | William Carrel

Posted on 11/26/2003 1:31:31 PM PST by general_re

Mac OS X Security Advisory

Vulnerability:

Malicious DHCP response can grant root access

Affected Software

Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X

Abstract

A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.

What does this mean to the average user

Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section "Workarounds" for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.



Vendor Patch

Apple Computer has been notified of this issue and may be working a fix at this time. At the time of this writing, a fix is not available from Apple.

(Excerpt) Read more at carrel.org ...


TOPICS: Miscellaneous; Technical
KEYWORDS: apple; computersecurity; lowqualitycrap; macuser; macuserlist; nosteenkingpatches; osx; root; schadenfreude
To: basil
I did turn off my airport thingee, though, as I seldom use it.

LOL! Spoken like a true Mac user!

41 posted on 11/26/2003 4:37:41 PM PST by Snowy (Annoy a lib -> Work hard, earn money, and be happy!)

To: Bush2000
Repeat after me: "OSX is se-currrrrrrrrrrrrrrrrrre....." BWAHAHAHAHAHAHAHAHAHAHAHAHA!
Repeat after me, Microsoft is secure!! BWAHAHAHAHAHAHAHAHAHAHAHAHA!BWAHAHAHBWAHAHAHAHAHAHAHAHAHAHAHAHA!AHAHAHAHAHAHAHAHAHA!

I just found three gigs of hacker crap hidden in my "Secure" IIS server. Now, I religiously update every time there is a security release. But, holy crap, my three year old Linux server on the same network never has crashed. I guess we all know who the moron is now, huh Bushie.

42 posted on 11/26/2003 4:43:56 PM PST by FastCoyote

To: general_re
I find it amusing to see all of the posters on here gloating over a minor security breach that may allow a hacker to get to the "root" level of a Mac OSX system impact a few computers hooked up to a network with a bad guy on it.

Why is that amusing?

Because 99.9% of Windows users are already at least as exposed since they already are operating in what is essentially the "root" level of Windows and any hacker who gains access to their computer can do anything he likes to their computers without having to jump through these hoops to do the damage that theoretically MIGHT be done to one or two Macs on a network with a hypothetical rogue server!

That is funny.
43 posted on 11/26/2003 6:27:27 PM PST by Swordmaker

To: Bush2000
Wow...all we need now is for someone to post one of those annoying penguin pics.
44 posted on 11/26/2003 6:32:06 PM PST by BureaucratusMaximus (if we're not going to act like a constitutional republic...lets be the best empire we can be...)

To: Bush2000
According to the log, it's taken Apple almost a month and a half to address this bug. Makes MS look responsive.

Well, MicroSoft has more experience.


gitmo
45 posted on 11/26/2003 6:36:32 PM PST by gitmo (Stability cannot be purchased at the expense of liberty. -GWB)

To: Snowy
Think how good you would be if you never touched a computer until you were in your sixties. I spent all my "wonder years" raising our five kids. I may be late to the game and don't know the terminology, but I sure as hell can do what I need or want to do with it.
46 posted on 11/26/2003 6:46:50 PM PST by basil

To: SengirV
Nothing to see here folks, move along.

I wish, but this is a nasty hole. Because it's trusted by default, the LDAP server can specify mountpoints on your box, which means I can run any arbitrary code I like by mounting my filesystem overtop yours. I can set up a root crontab job that starts up my code automatically, like enabling SSH, even if you've disabled it, and at that point, I've got a root login available to me, even if you don't - and odds are, you'd never notice what I was up to. All I have to do is sit back and wait for you to reboot to take my configuration instead of yours.

47 posted on 11/26/2003 7:57:05 PM PST by general_re (Take away the elements in order of apparent non-importance.)

To: Swordmaker
Because 99.9% of Windows users are already at least as exposed since they already are operating in what is essentially the "root" level of Windows and any hacker who gains access to their computer can do anything he likes to their computers without having to jump through these hoops to do the damage that theoretically MIGHT be done to one or two Macs on a network with a hypothetical rogue server!

The difference is, I need physical access to the Windows machine in most cases, even if you're running as an administrator, and if I have physical access, you're dead, no matter what OS you're running. This hole is much nastier than that, because it's a remote exploit. I don't have to pull a "Mission: Impossible" job and break into your house - I can just hang out at the Starbucks and look for folks with a Powerbook and a wireless card.

I know the tendency is to downplay this, but remote exploits of any sort are serious enough, and remote root access is a major, major problem. This is a potentially very serious problem for some users, and I strongly suggest you take the workarounds into consideration if you're potentially affected - this thing has been public for a little more than twelve hours now, and I practically guarantee that someone's scripted it and is taking it for a test drive by now.

48 posted on 11/26/2003 8:05:55 PM PST by general_re (Take away the elements in order of apparent non-importance.)

To: general_re
heh heh heh. That ought to wipe the smug grins off a few faces. Apple's OS-whatever has its roots in unix derivatives. Hackable? You betcha.
49 posted on 11/26/2003 8:12:52 PM PST by Noumenon (I don't have enough guns and ammo to start a war - but I do have enough to finish one.)

To: FastCoyote
I guess we all know who the moron is now, huh Bushie.

Don't be too hard on yourself, Forrest.
50 posted on 11/26/2003 8:32:59 PM PST by Bush2000

To: basil
...if someone broke into my computer they would be so bored with it at the end of 5 minutes, that they'd move on.

That's a rather naive assumption. They could also destroy your computer.
51 posted on 11/26/2003 8:35:19 PM PST by Bush2000

To: general_re
So in order to exploit this, you must have total control over my network, since you are replacing the existing LDAP server. Yes it is a problem, but far from the usual windows problems where opening up an email totally screws you over.
52 posted on 11/26/2003 9:04:33 PM PST by SengirV

To: Bush2000
They could also modify the kernel so that processes could be hidden even from unix commands like 'top'. Then your computer could be instructed to serve out whatever the malicious person wanted - say like child porn.

Once you've got root, you can make the box do whatever it _can_ do. That said, I'd bet that the fix for this comes out in about 2 days.

53 posted on 11/26/2003 9:20:26 PM PST by glorgau

To: SengirV
So in order to exploit this, you must have total control over my network, since you are replacing the existing LDAP server

Not true. All that I have to do is get your client machine to use my box as the LDAP server. That isn't difficult, particularly if I have access to the network segment on which the machine-to-be-attacked resides.
54 posted on 11/26/2003 10:31:11 PM PST by Bush2000

To: glorgau
But if you just turn off any network authorization services and don't use DHCP, you are fine. However, you probably won't be able to use the network :-)

Actually you just need to disable the "Use DHCP-supplied server" options for LDAP and NetInfo. You can still use DHCP to get an IP address. This is really just a problem with default settings; auto-configuration from remote LDAP or NetInfo servers can be quite useful in controlled environments, but it should *not* be the default behavior.

55 posted on 11/26/2003 11:48:35 PM PST by ThinkDifferent
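Added example, not part of the thread or of the advisory: a defender-side check that parses a captured DHCP server reply and reports whether it carries directory-server options, the settings that the "Use DHCP-supplied server" workaround above tells the client to ignore. The option codes 95 (LDAP), 112 and 113 (NetInfo) are the IANA assignments, not values taken from this page; the sample packets, addresses and LDAP URL are constructed.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# IANA-assigned option codes that hand the client a directory server.
DIRECTORY_OPTIONS = {95: "LDAP", 112: "NetInfo address", 113: "NetInfo tag"}
SERVER_REPLIES = {2, 5}  # option 53 values: DHCPOFFER, DHCPACK


def parse_options(payload: bytes) -> dict:
    """Return {code: data} for the options field of a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        # A repeated code is a split option; concatenate the pieces (RFC 3396).
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def directory_findings(payload: bytes) -> list:
    """List (option name, DHCP server id, raw value) for a server reply."""
    opts = parse_options(payload)
    mtype = opts.get(53) or b"\x00"
    if payload[0] != 2 or mtype[0] not in SERVER_REPLIES:  # op 2 = BOOTREPLY
        return []
    server = ".".join(str(b) for b in opts.get(54, b""))
    return [(DIRECTORY_OPTIONS[c], server, opts[c])
            for c in sorted(opts) if c in DIRECTORY_OPTIONS]


def _reply(options: bytes) -> bytes:
    """Constructed BOOTREPLY: 236-byte fixed header, cookie, options, End."""
    return bytes([2, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + options + b"\xff"


# Constructed samples: a DHCPACK from server 192.0.2.1, with and without LDAP.
_COMMON = bytes([53, 1, 5]) + bytes([54, 4, 192, 0, 2, 1])
_URL = b"ldap://192.0.2.66/dc=example,dc=test"
SAMPLE_WITH_LDAP = _reply(_COMMON + bytes([95, len(_URL)]) + _URL)
SAMPLE_PLAIN = _reply(_COMMON + bytes([3, 4, 192, 0, 2, 1]))
```
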

To: Bush2000
That isn't difficult, particularly if I have access to the network segment on which the machine-to-be-attacked resides.

You *must* have access to the same subnet as the target. You can't attack a random Mac on the Internet with this technique. The main threat seems to be for the Starbucks wireless user.

56 posted on 11/26/2003 11:57:18 PM PST by ThinkDifferent

To: SengirV
So in order to exploit this, you must have total control over my network, since you are replacing the existing LDAP server.

No, I just have to find a wireless user and pretend to be an LDAP server...

57 posted on 11/27/2003 5:40:48 AM PST by general_re (Take away the elements in order of apparent non-importance.)

To: Bush2000
Settle down, Thomas. There are no reports that anyone in the real world has been attacked with this exploit. The patch will be available in a few days, after it has been tested.
58 posted on 11/27/2003 8:51:35 AM PST by HAL9000

To: HAL9000
From Apple's knowledge base:


TITLE: Mac OS X: Directory Access Configuration In the Presence of a Malicious DHCP Response
Article ID: 32478
Created: 11/26/03
Modified: 11/26/03

TOPIC
DISCUSSION
Document Information
Product Area: MC
Category:
Sub Category:
Keywords: kmosx ktech


60 posted on 11/27/2003 9:20:40 AM PST by Vermonter

