Free Republic

Remote Root Exploit in Mac OS X
carrel.org ^ | 11/26/03 | William Carrel

Posted on 11/26/2003 1:31:31 PM PST by general_re

Mac OS X Security Advisory

Vulnerability:

Malicious DHCP response can grant root access

Affected Software

Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X

Abstract

A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.

What does this mean to the average user

Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section "Workarounds" for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.



Vendor Patch

Apple Computer has been notified of this issue and may be working on a fix at this time. At the time of this writing, a fix is not available from Apple.

(Excerpt) Read more at carrel.org ...


TOPICS: Miscellaneous; Technical
KEYWORDS: apple; computersecurity; lowqualitycrap; macuser; macuserlist; nosteenkingpatches; osx; root; schadenfreude

1 posted on 11/26/2003 1:31:32 PM PST by general_re
[ Post Reply | Private Reply | View Replies]

To: general_re
Commence finger-pointing, hand-waving, gloating - whatever your cup of tea happens to be...
2 posted on 11/26/2003 1:32:51 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
Darn the luck! Happy Thanksgiving, Steve!
3 posted on 11/26/2003 1:33:33 PM PST by RedBloodedAmerican
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re
Don't point the finger at this Mac user, who realizes our safety is only in our (small) numbers.

Do you know if Norton Personal Firewall protects against this problem? My guess would be yes (tentative sigh of relief).
4 posted on 11/26/2003 1:39:56 PM PST by litany_of_lies
[ Post Reply | Private Reply | To 1 | View Replies]

To: *Macuser_list
ping!
5 posted on 11/26/2003 1:40:29 PM PST by Vermonter
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000; steve-b; ThinkDifferent; Liberal Classic; MarkL; FastCoyote; adam_az
Repeat after me: "OSX is se-currrrrrrrrrrrrrrrrrre....." BWAHAHAHAHAHAHAHAHAHAHAHAHA!
6 posted on 11/26/2003 1:41:10 PM PST by Bush2000
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re
:~)
7 posted on 11/26/2003 1:43:12 PM PST by CyberCowboy777 (He wore his gun outside his pants for all the honest world to feel.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: litany_of_lies
Do you know if Norton Personal Firewall protects against this problem? My guess would be yes (tentative sigh of relief).

No, it doesn't. If you need to run a DHCP server under OSX, you're screwed unless you patch or run the workarounds.
8 posted on 11/26/2003 1:44:16 PM PST by Bush2000
[ Post Reply | Private Reply | To 4 | View Replies]

To: RedBloodedAmerican
I have a feeling that this thread will be remarkably quiet. The Mac bigots tend to ignore bad news.
9 posted on 11/26/2003 1:45:04 PM PST by Bush2000
[ Post Reply | Private Reply | To 3 | View Replies]

To: Bush2000
chirp chirp.
10 posted on 11/26/2003 1:49:05 PM PST by proust
[ Post Reply | Private Reply | To 9 | View Replies]

To: Bush2000; litany_of_lies
From a quick scan, it looks like the problem is on the client end - the DHCP client is set up to implicitly trust LDAP information it gets from the DHCP server, so you can hijack the OS by pointing it to a malicious LDAP server via DHCP. If LDAP is disabled on the client end, you should be okay, but if not, you could be in major trouble - the malicious LDAP server can replace the normally disabled root account with its own functioning root account. Major trouble.
11 posted on 11/26/2003 1:49:26 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 8 | View Replies]
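
A defender's view of the mechanism described in post 11, as an added example that is not part of the thread or of the advisory: a parser that audits DHCP server replies and reports any that hand out directory-service settings. The option codes (95 LDAP, 112/113 NetInfo) are taken from the IANA DHCP options registry, not from this page; the sample packets, addresses and the `trusted_servers` parameter are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236  # op..file fields that precede the options area
# Assumption: codes from the IANA BOOTP/DHCP registry, not from the thread.
DIRECTORY_OPTIONS = {95: "LDAP", 112: "NetInfo address", 113: "NetInfo tag"}
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255

def parse_options(payload):
    """Return {code: bytes} from a BOOTP/DHCP payload; ValueError if malformed."""
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(payload) < start or payload[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, start
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts[code] = opts.get(code, b"") + data  # repeated codes concatenate
        i += 2 + length
    return opts

def render(code, data):
    """NetInfo address is a list of IPv4 addresses; the others are text."""
    if code == 112 and data and len(data) % 4 == 0:
        return ",".join(str(ipaddress.IPv4Address(data[j:j + 4]))
                        for j in range(0, len(data), 4))
    return data.decode("ascii", "replace")

def audit_reply(payload, trusted_servers=frozenset()):
    """Return a finding dict if a server reply carries directory options, else None."""
    opts = parse_options(payload)
    if payload[0] != 2 or OPT_MSG_TYPE not in opts:   # 2 = BOOTREPLY
        return None
    found = {name: render(code, opts[code])
             for code, name in DIRECTORY_OPTIONS.items() if code in opts}
    if not found:
        return None
    sid = opts.get(OPT_SERVER_ID, b"")
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
    return {"server": server, "trusted": server in trusted_servers,
            "directory_options": found}

def build_reply(server_ip, options):
    """Build a minimal DHCPACK for the demo (constructed sample, not a capture)."""
    fixed = bytearray(BOOTP_FIXED_LEN)
    fixed[0], fixed[1], fixed[2] = 2, 1, 6   # BOOTREPLY, Ethernet, 6-byte MAC
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    sid = ipaddress.IPv4Address(server_ip).packed
    return (bytes(fixed) + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 5])
            + bytes([OPT_SERVER_ID, 4]) + sid + body + b"\xff")

# Constructed samples using documentation address ranges.
PLAIN = build_reply("192.0.2.1", [(1, b"\xff\xff\xff\x00"), (3, bytes([192, 0, 2, 1]))])
WITH_LDAP = build_reply("192.0.2.66", [(95, b"ldap://192.0.2.66/dc=example,dc=test")])

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("with LDAP option", WITH_LDAP)):
        print(name, "->", audit_reply(pkt, trusted_servers={"192.0.2.1"}))
```

A reply that comes back with `trusted: False` is the case worth alerting on: a server outside the expected set is offering directory configuration to clients.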

To: Bush2000
Hi,

I didn't ask to be on your ping list, so please remove me.

Thanks,
adam.
12 posted on 11/26/2003 1:55:17 PM PST by adam_az (.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: general_re
2003-10-09 Initial version of this advisory
2003-10-09 Apple Computer notified
2003-10-09 Apple Computer confirmed receipt and forwarded to eng. team
2003-10-11 Minor edits, also added "Philosophical Issues" and "Path to Root"
2003-10-14 Apple Computer assigns specific point of contact
2003-10-14 Requested confirmation of issue with Apple Computer
2003-10-15 Apple Computer confirms issue
(2003-10-24 Original deadline given to Apple for acknowledging issue)
(2003-10-24 Mac OS X 10.3 is released with this known issue)
(2003-10-28 Mac OS X 10.3 Security Update released, does not address issue)
2003-10-28 Requested update of fix status from Apple Computer
2003-10-28 Apple Computer proposes Nov. 3 fix date
2003-10-29 Apple Computer reneges on Nov. 3 date
2003-10-29 Requested fix in "2 or 3 weeks" from Apple Computer
(2003-11-04 Mac OS X 10.3 Security Update released, does not address issue)
(2003-11-15 Mac OS X 10.3.1 is released with this known issue)
2003-11-17 Requested update of fix status from Apple Computer
2003-11-18 Requested update of fix status from Apple Computer
(2003-11-19 Mac OS X 10.3.1 Security Update released, does not address issue)
2003-11-19 Apple Computer replies "scheduled to go out in December's update"
2003-11-19 Deadline of Nov. 26 given to Apple Computer
2003-11-25 Minor edits, made "Path to Root" a little more work for the script kiddies
2003-11-26 Advisory issued (48 days after initial vendor notification)


According to the log, it's taken Apple almost a month and a half to address this bug. Makes MS look responsive.
13 posted on 11/26/2003 1:56:24 PM PST by Bush2000
[ Post Reply | Private Reply | To 11 | View Replies]

To: adam_az
I didn't ask to be on your ping list, so please remove me.

I'll bet you don't want to be pinged. Ignorance is bliss.
14 posted on 11/26/2003 1:57:10 PM PST by Bush2000
[ Post Reply | Private Reply | To 12 | View Replies]

To: Bush2000
I'm not wild about people releasing vulnerabilities before a patch is available, but this does seem to be rather slow in coming....
15 posted on 11/26/2003 1:59:52 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Bush2000
Ya, but their computers are sooo pretty.

HAHAHAHAHAHAHA!
16 posted on 11/26/2003 2:03:13 PM PST by Sabretooth (I'm not SabERtooth, Im SabREtooth.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: general_re
Just talked to tech support for Road Runner and lucked into someone who has a Mac. FWIW, he understands the nature of the problem but doesn't see it as a significant issue for RR Mac customers. Went and made the suggested settings changes anyway.
17 posted on 11/26/2003 2:05:50 PM PST by litany_of_lies
[ Post Reply | Private Reply | To 11 | View Replies]

To: adam_az
BWAHAHAHAA
18 posted on 11/26/2003 2:06:48 PM PST by RedBloodedAmerican
[ Post Reply | Private Reply | To 12 | View Replies]

To: general_re
I'm not wild about people releasing vulnerabilities before a patch is available, but this does seem to be rather slow in coming....

I agree. There really ought to be a standard for the length of time that's acceptable for security researchers to hold back reporting a problem. Eight weeks does seem like a long time but, if it's a complicated fix, that needs to be taken into account.
19 posted on 11/26/2003 2:07:39 PM PST by Bush2000
[ Post Reply | Private Reply | To 15 | View Replies]

To: general_re
Bump.
20 posted on 11/26/2003 2:08:38 PM PST by First_Salute (God save our democratic-republican government, from a government by judiciary.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
It's like the news that comes out in support of America. If it casts President Bush (or a Republican Gov., like Arnold, in CA.) in a positive light, the anti-Bush/Arnold folks get vewwwwyyyy qwuiet!
21 posted on 11/26/2003 2:08:58 PM PST by RedBloodedAmerican
[ Post Reply | Private Reply | To 14 | View Replies]

To: litany_of_lies
He's probably right. It looks like the major problem is going to be for users on wireless networks, with Airport cards and the like - it's much easier to get someone to take a DHCP lease from you that way than it is to try bashing your way into a wired network. If you're on a wireless network, I suggest you read through the advisory carefully to see what you can do until a patch is issued. If not, it's probably not as serious an issue, as you were told.
22 posted on 11/26/2003 2:10:02 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Bush2000
We need to be nice to the Mac people. After all, they do own 5% of the market share.
23 posted on 11/26/2003 2:10:58 PM PST by RedBloodedAmerican
[ Post Reply | Private Reply | To 19 | View Replies]

To: Bush2000
At least there appears to be a timeline for an official fix. Anybody know when "December's update" is coming? Beginning, middle, end of the month?
24 posted on 11/26/2003 2:14:17 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Paul Atreides
Giggle.
25 posted on 11/26/2003 2:16:23 PM PST by martin_fierro (_____oooo_(____)_oooo_____)
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re

Heh, heh!

26 posted on 11/26/2003 2:18:19 PM PST by Paul Atreides (Is it really so difficult to post the entire article?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: martin_fierro
Ping!
27 posted on 11/26/2003 2:18:53 PM PST by Paul Atreides (Is it really so difficult to post the entire article?)
[ Post Reply | Private Reply | To 26 | View Replies]

To: RedBloodedAmerican; Bush2000; Sabretooth
I don't know about you guys, but I only drive Ford Trucks. I don't like those Chevy Trucks. I don't like those Dodge Trucks. I don't like those car things. Only Ford Trucks for me. I won't drive those other things.

That's sarcasm, in case you can't tell.

Now, curl your fingers around part way and curl your thumb around so your thumb touches your index finger, as if you were grasping a bundle of pencils. Hold your hand in front of yourself. Move it up and down repeatedly. Feel better?

If you want security, try OpenBSD.

28 posted on 11/26/2003 2:18:58 PM PST by MichiganConservative (Repeal the welfare state and the 14th, 16th, and 17th Amendments.)
[ Post Reply | Private Reply | To 23 | View Replies]

To: general_re
The only reason to gloat is that some of us have been saying for a couple years that the only reason Apple and Linux look secure is that no one has tried to break them.

As targets they're kind of scrawny. Not much meat.
29 posted on 11/26/2003 2:19:07 PM PST by js1138
[ Post Reply | Private Reply | To 2 | View Replies]

To: general_re
Just talked with Apple Tech Support. Two things:
- They are aware and will release a fix ASAP, but won't say when ASAP is.
- The problem is supposedly of much more concern to people operating wirelessly than with wired Ethernet.
30 posted on 11/26/2003 2:20:45 PM PST by litany_of_lies
[ Post Reply | Private Reply | To 24 | View Replies]

To: litany_of_lies
They are aware and will release a fix ASAP, but won't say when ASAP is.

According to this guy, their next monthly will have it. December. Dunno when in December that is, though. Maybe it'll be your Christmas present from Apple ;)

The problem is supposedly of much more concern to people operating wirelessly than with wired Ethernet.

Is there an echo in here? ;)

31 posted on 11/26/2003 2:26:28 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 30 | View Replies]

To: Paul Atreides

32 posted on 11/26/2003 2:28:07 PM PST by martin_fierro (_____oooo_(____)_oooo_____)
[ Post Reply | Private Reply | To 26 | View Replies]

To: js1138
Yeah, maybe, but you know how the kiddies are - they'll break s*** just for the hell of it. Anyway, the more complex systems get, the more likely it is that complex and unpredictable interactions will reveal holes...
33 posted on 11/26/2003 2:28:09 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 29 | View Replies]

To: general_re
Echo-sorry, didn't see your post before I did mine.
34 posted on 11/26/2003 2:29:48 PM PST by litany_of_lies
[ Post Reply | Private Reply | To 31 | View Replies]

To: litany_of_lies
S'okay - it happens ;)
35 posted on 11/26/2003 2:33:17 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 34 | View Replies]

To: litany_of_lies
Basically, if you are Airporting at a Starbucks with an Apple, somebody with the proper tool can "root" you and then do whatever they want with your computer. But if you just turn off any network authorization services and don't use DHCP, you are fine. However, you probably won't be able to use the network :-)

IMO, this is because of Apple's legacy holdover from Next - NetInfo. They never truly integrated their underlying Users & Groups with the guts of the operating system. It's kind of an early 90's concept tack-on.

They held that piece of junk (NetInfo) over and never converted everything over to the BSD security (probably due to the demands of producing consumer level "friendliness"). Permissions are a mess all over the OS.

This is what happens when the marketing/management suits ignore engineering. Now that it is public, I'm sure they have a crack team of Indians working on the problem as we speak.

Signed - Bitter Ex-Apple Guy That Knows LDAP Intimately. ;-)))

All that said, I'm still gonna use my Mac laptop with airport in public places. Better than using Windows.

36 posted on 11/26/2003 3:06:13 PM PST by glorgau
[ Post Reply | Private Reply | To 30 | View Replies]

To: general_re
I usually avoid the PC v Mac threads but, I haven't seen the usual so I will ask (and answer) the question.

'Got Root?'

well yes, as a matter of fact I do.

37 posted on 11/26/2003 3:20:20 PM PST by Vinnie
[ Post Reply | Private Reply | To 1 | View Replies]

To: glorgau
Basically, if you are Airporting at a Starbucks with an Apple, somebody with the proper tool can "root" you and then do whatever they want with your computer. But if you just turn off any network authorization services and don't use DHCP, you are fine. However, you probably won't be able to use the network :-)

Good summary. Yep. I love that one: "Turn off DHCP" (or, alternatively, "Unplug your network cable"). BWAHAHAHAHAHAHAHAHAHA!
38 posted on 11/26/2003 3:32:19 PM PST by Bush2000
[ Post Reply | Private Reply | To 36 | View Replies]

To: Bush2000
Just to let you know that I am one mac user who is not ignoring this thread. I don't worry about these things so much, though, because if someone broke into my computer they would be so bored with it at the end of 5 minutes, that they'd move on. I did turn off my airport thingee, though, as I seldom use it.

I will stay with Mac for the rest of my life, as it's all I've ever used. I think I have my 4th, 5th, and 6th ones right now.

39 posted on 11/26/2003 4:26:26 PM PST by basil
[ Post Reply | Private Reply | To 9 | View Replies]

To: general_re
In most cases, the Mac will need to be booted into the malicious environment to be exploitable by this flaw. (The netinfod process must be restarted to cause the malicious server to be inserted into the authentication source list.)

Nothing to see here folks, move along.

40 posted on 11/26/2003 4:35:28 PM PST by SengirV
[ Post Reply | Private Reply | To 1 | View Replies]

To: basil
I did turn off my airport thingee, though, as I seldom use it.

LOL! Spoken like a true Mac user!

41 posted on 11/26/2003 4:37:41 PM PST by Snowy (Annoy a lib -> Work hard, earn money, and be happy!)
[ Post Reply | Private Reply | To 39 | View Replies]

To: Bush2000
Repeat after me: "OSX is se-currrrrrrrrrrrrrrrrrre....." BWAHAHAHAHAHAHAHAHAHAHAHAHA!
Repeat after me, Microsoft is secure!! BWAHAHAHAHAHAHAHAHAHAHAHAHA!BWAHAHAHBWAHAHAHAHAHAHAHAHAHAHAHAHA!AHAHAHAHAHAHAHAHAHA!

I just found three gigs of hacker crap hidden in my "Secure" IIS server. Now, I religiously update every time there is a security release. But, holy crap, my three year old Linux server on the same network never has crashed. I guess we all know who the moron is now, huh Bushie.

42 posted on 11/26/2003 4:43:56 PM PST by FastCoyote
[ Post Reply | Private Reply | To 6 | View Replies]

To: general_re
I find it amusing to see all of the posters on here gloating over a minor security breach that may allow a hacker to get to the "root" level of a Mac OSX system and impact a few computers hooked up to a network with a bad guy on it.

Why is that amusing?

Because 99.9% of Windows users are already at least as exposed since they already are operating in what is essentially the "root" level of Windows and any hacker who gains access to their computer can do anything he likes to their computers without having to jump through these hoops to do the damage that theoretically MIGHT be done to one or two Macs on a network with a hypothetical rogue server!

That is funny.
43 posted on 11/26/2003 6:27:27 PM PST by Swordmaker
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
Wow...all we need now is for someone to post one of those annoying penguin pics.
44 posted on 11/26/2003 6:32:06 PM PST by BureaucratusMaximus (if we're not going to act like a constitutional republic...lets be the best empire we can be...)
[ Post Reply | Private Reply | To 38 | View Replies]

To: Bush2000
According to the log, it's taken Apple almost a month and a half to address this bug. Makes MS look responsive.

Well, Microsoft has more experience.


gitmo
45 posted on 11/26/2003 6:36:32 PM PST by gitmo (Stability cannot be purchased at the expense of liberty. -GWB)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Snowy
Think how good you would be if you never touched a computer until you were in your sixties. I spent all my "wonder years" raising our five kids. I may be late to the game and don't know the terminology, but I sure as hell can do what I need or want to do with it.
46 posted on 11/26/2003 6:46:50 PM PST by basil
[ Post Reply | Private Reply | To 41 | View Replies]

To: SengirV
Nothing to see here folks, move along.

I wish, but this is a nasty hole. Because it's trusted by default, the LDAP server can specify mountpoints on your box, which means I can run any arbitrary code I like by mounting my filesystem overtop yours. I can set up a root crontab job that starts up my code automatically, like enabling SSH, even if you've disabled it, and at that point, I've got a root login available to me, even if you don't - and odds are, you'd never notice what I was up to. All I have to do is sit back and wait for you to reboot to take my configuration instead of yours.

47 posted on 11/26/2003 7:57:05 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 40 | View Replies]

To: Swordmaker
Because 99.9% of Windows users are already at least as exposed since they already are operating in what is essentially the "root" level of Windows and any hacker who gains access to their computer can do anything he likes to their computers without having to jump through these hoops to do the damage that theoretically MIGHT be done to one or two Macs on a network with a hypothetical rogue server!

The difference is, I need physical access to the Windows machine in most cases, even if you're running as an administrator, and if I have physical access, you're dead, no matter what OS you're running. This hole is much nastier than that, because it's a remote exploit. I don't have to pull a "Mission: Impossible" job and break into your house - I can just hang out at the Starbucks and look for folks with a Powerbook and a wireless card.

I know the tendency is to downplay this, but remote exploits of any sort are serious enough, and remote root access is a major, major problem. This is a potentially very serious problem for some users, and I strongly suggest you take the workarounds into consideration if you're potentially affected - this thing has been public for a little more than twelve hours now, and I practically guarantee that someone's scripted it and is taking it for a test drive by now.

48 posted on 11/26/2003 8:05:55 PM PST by general_re (Take away the elements in order of apparent non-importance.)
[ Post Reply | Private Reply | To 43 | View Replies]

To: general_re
heh heh heh. That ought to wipe the smug grins off a few faces. Apple's OS-whatever has its roots in unix derivatives. Hackable? You betcha.
49 posted on 11/26/2003 8:12:52 PM PST by Noumenon (I don't have enough guns and ammo to start a war - but I do have enough to finish one.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FastCoyote
I guess we all know who the moron is now, huh Bushie.

Don't be too hard on yourself, Forrest.
50 posted on 11/26/2003 8:32:59 PM PST by Bush2000
[ Post Reply | Private Reply | To 42 | View Replies]

