Remote Root Exploit in Mac OS X

carrel.org ^ | 11/26/03 | William Carrel

[general_re]

Mac OS X Security Advisory

Vulnerability:

Malicious DHCP response can grant root access

Affected Software

Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)

Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X

Abstract

A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.

What does this mean to the average user

Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section "Workarounds" for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.

Vendor Patch

Apple Computer has been notified of this issue and may be working a fix at this time. At the time of this writing, a fix is not available from Apple.

[RedBloodedAmerican]

It's like the news that comes out in support of America. If it casts President Bush (or a Republican Gov., like Arnold, in CA.) in a positive light, the anti-Bush/Arnold folks get vewwwwyyyy qwuiet!

[general_re]

He's probably right. It looks like the major problem is going to be for users on wireless networks, with Airport cards and the like - it's much easier to get someone to take a DHCP lease from you that way than it is to try bashing your way into a wired network. If you're on a wireless network, I suggest you read through the advisory carefully to see what you can do until a patch is issued. If not, it's probably not as serious an issue, as you were told.

[RedBloodedAmerican]

We need to be nice to the Mac people. After all, they do own 5% of the market share.

[general_re]

At least there appears to be a timeline for an official fix. Anybody know when "December's update" is coming? Beginning, middle, end of the month?

[martin_fierro]

Giggle.

[Paul Atreides]

Heh, heh!

[Paul Atreides]

Ping!

[MichiganConservative]

I don't know about you guys, but I only drive Ford Trucks. I don't like those Chevy Trucks. I don't like those Dodge Trucks. I don't like those car things. Only ford Trucks for me. I won't drive those other things.

That's sarcasm, in case you can't tell.

Now, curl your fingers around part way and curl your thumb around so your thumb touches your index finger, as if you were grasping a bundle of pencils. Hold your hand in front of yourself. Move it up and down repeatedly. Feel better?

If you want security, try OpenBSD.

[js1138]

The only reason to gloat is that some of us have been saying for a couple years that the only reason Apple and Linux look secure is that no one has tried to break them.

As targets they're kind of scrawny. Not much meat.

[litany_of_lies]

Just talked with Apple Tech Support. Two things:
- They are aware and will release a fix ASAP, but won't say when ASAP is.
- The problem is supposedly of much more concern to people operating wirelessly than with wired Ethernet.

[general_re]

They are aware and will release a fix ASAP, but won't say when ASAP is.

According to this guy, their next monthly will have it. December. Dunno when in December that is, though. Maybe it'll be your Christmas present from Apple ;)

The problem is supposedly of much more concern to people operating wirelessly than with wired Ethernet.

Is there an echo in here? ;)

[martin_fierro]

[general_re]

Yeah, maybe, but you know how the kiddies are - they'll break s*** just for the hell of it. Anyway, the more complex systems get, the more likely it is that complex and unpredictable interactions will reveal holes...

[litany_of_lies]

Echo-sorry, didn't see your post before I did mine.

[general_re]

S'okay - it happens ;)

[glorgau]

Basically, if you are Airporting at a Starbucks with an Apple, somebody with the proper tool can "root" you and then do whatever the they want with your computer. But if you just turn off any network authorization services and don't use DHCP, you are fine. However, you probably won't be able to use the network :-)

IMO, This is because of Apple's legacy holdover from Next - NetInfo. They never truly integrated their underlying Users & Groups with the guts of the operating system. It's kind of an early 90's concept tack-on.

They held that piece of junk (NetInfo) over and never converted everything over to the BSD security (probably due to the demands of producing consumer level "friendliness"). Permissions are a mess all over the OS.

This is what happens when the marketing/management suits ignore engineering. Now that it is public, I'm sure they have a crack team of Indians working on the problem as we speak.

Signed - Bitter Ex-Apple Guy That Knows LDAP Intimitely. ;-)))

All that said, I'm still gonna use my Mac laptop with airport in public places. Better than using Windows.

[Vinnie]

I usually avoid the PC v Mac threads but, I haven't seen the usual so I will ask (and answer) the question.

'Got Root?'

well yes, as a matter of fact I do.

[Bush2000]

Basically, if you are Airporting at a Starbucks with an Apple, somebody with the proper tool can "root" you and then do whatever the they want with your computer. But if you just turn off any network authorization services and don't use DHCP, you are fine. However, you probably won't be able to use the network :-)

Good summary. Yep. I love that one: "Turn off DHCP" (or, alternatively, "Unplug your network cable"). BWAHAHAHAHAHAHAHAHAHA!

[basil]

Just to let you know that I am one mac user who is not ignoring this thread. I don't worry about these things so much, though, because if someone broke into my computer they would be so bored with it at the end of 5 minutes, that they'd move on. I did turn off my airport thingee, though, as I seldom use it.

I will stay with Mac for the rest of my life, as it's all I've ever used. I think I have my 4th, 5th, and 6th ones right now.

[SengirV]

In most cases, the Mac will need to be booted into the malicious environment to be exploitable by this flaw. (The netinfod process must be restarted to cause the malicious server to be inserted into the authentication source list.)

Nothing to see here folks, move along.