
Old unpatched OS X security flaw can give attackers root access to Macs

post #1 of 69
Thread Starter 
An unaddressed bug in Apple's Mac OS X discovered five months ago allows nefarious hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near unlimited access to a computer's files.

Date and Time


While the security flaw has been around for nearly half a year, a new module created by developers of testing software Metasploit makes it easier to exploit the vulnerability in Macs, renewing interest in the issue, reports ArsTechnica.

The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top tier privileges grant access to files belonging to other users, though that level of control is password protected.

Instead of inputting a password, the flaw works around authentication by setting a computer's clock to Jan. 1, 1970, or what is referred to as the Unix epoch. Unix time starts at zero hours on this date and is the basis for calculations. By resetting a Mac's clock, as well as the sudo user timestamp, to epoch, time restrictions and privilege limitations can be bypassed.

"The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit," said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.

Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds, but many of those iterations password protect clock changes.

While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

Apple has yet to respond or issue a patch for the bug.

"I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package," Moore said.
post #2 of 69

It was discovered 5 months ago and Apple hasn't fixed this yet? How is that possible? I would think they would want to be on top of the security there.

post #3 of 69
Quote:
Originally Posted by AppleInsider View Post

In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

Dude, that's a pretty high bar. I think the ho-hum response from Apple is pretty reasonable.
post #4 of 69
Ok, it's a bug, but it's hardly a major security concern if the hacker has to already have administrator access to my computer, either physically or remotely, to do it! So what product is Metasploit trying to sell with this fear-mongering?
post #5 of 69
Requires admin access and at least one prior sudo plus physical access or remote access.

So not something you can randomly do to someone. Aka FUD

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #6 of 69
Quote:
Originally Posted by jdhuskey View Post

So what product is Metasploit trying to sell with this fear-mongering?

 

Their penetration testing software.

post #7 of 69
I like the clock trick but there's no, and I mean zero, risk associated with this hack.

Why was this article even published?

I am used to seeing much better articles from AppleInsider.
post #8 of 69
I take the delay seriously, but...

"an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before"

I'm actually OK with that one waiting for Mavericks or beyond!
post #9 of 69
So the attacker must have administrator access to access the Mac using this bug! Awesome.
post #10 of 69
Quote:
Originally Posted by AppleInsider View Post

While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.
 

 

powerful but has limitations...

Ok, who else can have admin privileges on your mac except you or maybe your office sysadmin?

Yeah, it's "powerful" but only if one of us is drunk... or both.

post #11 of 69
I consider the action of the article's author irresponsible in publicizing this bug. It is not an easily exploitable bug, but the headline creates the impression there is a greater vulnerability. I wonder whether this behavior is covered under the DMCA act.

Seriously, Apple maintains a comprehensive bug database, and they have to respond to the entire database. Submitting bug reports includes agreeing to follow Apple's policies. Apple considers bug reports proprietary information, i.e. trade secrets. If you are a developer for Apple, Apple can cancel your developer account if you disclose proprietary information.
post #12 of 69
Quote:
Originally Posted by jdhuskey View Post

Ok, it's a bug, but it's hardly a major security concern if the hacker has to already have administrator access to my computer, either physically or remotely, to do it! So what product is Metasploit trying to sell with this fear-mongering?
Yeah, because it's not as if the *default user account* that's set up for you when you first get your Mac is an admin account or anything.

Oh, wait, it is. I bet 98% of you are logged into an administrator account right now.

Apple needs to fix this ASAP.
post #13 of 69
Quote:
Originally Posted by Durandal1707 View Post


Yeah, because it's not as if the *default user account* that's set up for you when you first get your Mac is an admin account or anything.

Oh, wait, it is. I bet 98% of you are logged into an administrator account right now.

Apple needs to fix this ASAP.

 

Being logged in as an admin account by itself is still not enough. "In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before".

post #14 of 69
Quote:
Originally Posted by jdhuskey View Post

Ok, it's a bug, but it's hardly a major security concern if the hacker has to already have administrator access to my computer, either physically or remotely, to do it! So what product is Metasploit trying to sell with this fear-mongering?

It's so they can get attention, since anyone that posts an article with the word APPLE in it, is going to be hit with lots of views.  

post #15 of 69
Quote:
Originally Posted by NasserAE View Post

Being logged in as an admin account by itself is still not enough. "In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before".
Yes, which many of us have. Not as many as are running administrator accounts, which is almost everyone, but not an insignificant percentage either.

In addition, the article is unclear whether this could work for the standard Auth Services auth box that appears when you, say, install software, and which in some modes also has a timeout feature similar to sudo. If the bug can exploit that functionality as well, then that's going to affect pretty near 100% of users.

Even if not, though, this is a bug that could potentially affect quite a lot of users, and its conditions, particularly the admin account requirement, are certainly not as exotic as people in this thread are making them out to be.
post #16 of 69
Quote:
Originally Posted by Franco Borgo View Post

I like the clock trick but there's no, and I mean zero, risk associated with this hack.

Why was this article even published?

I am used to seeing much better articles from AppleInsider.

It's not 'zero risk'. It's a real bug and should be addressed, even though the risk is quite low.
Quote:
Originally Posted by Durandal1707 View Post

Yeah, because it's not as if the *default user account* that's set up for you when you first get your Mac is an admin account or anything.

Oh, wait, it is. I bet 98% of you are logged into an administrator account right now.

Apple needs to fix this ASAP.

Yeah, and virtually every one of that 98% already has unlimited access to all their files, anyway. So what does the exploit get them?

Yes, it's a bug. It needs to be fixed. But compared to the alternatives, Mac OS X is still much, much, much safer. No one ever claimed perfection.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #17 of 69
Quote:
Originally Posted by jragosta View Post

Yeah, and virtually every one of that 98% already has unlimited access to all their files, anyway. So what does the exploit get them?

Yes, it's a bug. It needs to be fixed. But compared to the alternatives, Mac OS X is still much, much, much safer. No one ever claimed perfection.

That's the key thing.  Like any bug, it needs to be addressed, but this is not the hack that any hacker is going to use - if they already have a system admin, they already have unlimited access to your files and pretty much can take over your machine already with that admin account.

 

As any security expert will testify, if someone has admin access to your computer, security is a foregone conclusion.

post #18 of 69
Quote:
Originally Posted by jragosta View Post

It's not 'zero risk'. It's a real bug and should be addressed, even though the risk is quite low.
If you've ever used sudo at all, even once to try some nifty trick you saw online 2 years ago, the security on your Mac can be completely bypassed. That's not low at all. It's scary enough that I just went and applied the "Defaults timestamp_timeout=0" workaround to disable sudo's timeout feature on my machine.
Quote:
Yeah, and virtually every one of that 98% already has unlimited access to all their files, anyway.
No, they don't. This is OS X, not Windows 98.
Quote:
So what does the exploit get them?
http://lmgtfy.com/?q=what+are+the+dangers+of+rootkits
Quote:
Yes, it's a bug. It needs to be fixed. But compared to the alternatives, Mac OS X is still much, much, much safer. No one ever claimed perfection.
Does everything have to be a pissing match? This is a fairly serious bug, and it needs to be fixed. What relevance is it whether OS X is safer or not than some unnamed alternatives?

Not to mention that the fact that you can't access all files on the disk with a default account is one of the things that makes OS X safer than those unnamed alternatives, and this hack bypasses that.
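An audit helper for the `timestamp_timeout` workaround mentioned in post #18, added here as an example and not part of the thread or of sudo itself: it reads sudoers text and reports the credential-cache timeout that applies to a given user. The sample sudoers content and user names are constructed, and the parser is a simplification that ignores host, runas and command scopes, aliases and included files.

```python
import re

# sudo's stock default (minutes) when sudoers sets nothing; builds can change it.
DEFAULT_TIMEOUT_MIN = 5.0

# Constructed sample sudoers text (not taken from any real machine).
SAMPLE_SUDOERS = r'''
# constructed sample
Defaults env_reset
Defaults secure_path="/usr/bin:/bin", timestamp_timeout=15
Defaults:alice timestamp_timeout=0
Defaults:bob,carol !timestamp_timeout
Defaults:dave \
    timestamp_timeout=-1   # never expires
%admin ALL=(ALL) ALL
'''

_DEFAULTS = re.compile(r'^Defaults(?:([:@>!])\s*(\S+))?\s+(.*)$')
_SETTING = re.compile(
    r'^(!?)\s*timestamp_timeout\s*(?:=\s*"?(-?\d+(?:\.\d+)?)"?)?$')
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside quotes


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        line = (buf + raw).strip()
        buf = ""
        # Lines starting with '#' (including #include directives) are skipped.
        if not line or line.startswith("#"):
            continue
        yield re.sub(r'\s+#.*$', '', line)


def effective_timeout(sudoers_text, user):
    """Return the timestamp_timeout (minutes) that applies to `user`.

    Global and per-user Defaults are applied in file order, last match wins.
    """
    value = DEFAULT_TIMEOUT_MIN
    for line in logical_lines(sudoers_text):
        m = _DEFAULTS.match(line)
        if not m:
            continue
        kind, scope, rest = m.groups()
        if kind in ("@", ">", "!"):
            continue  # host / runas / command scopes are not evaluated here
        if kind == ":" and user not in scope.split(","):
            continue
        for item in _COMMA.split(rest):
            s = _SETTING.match(item.strip())
            if not s:
                continue
            negated, number = s.groups()
            if negated:
                value = 0.0  # "!timestamp_timeout" disables caching
            elif number is not None:
                value = float(number)
    return value


def verdict(minutes):
    """Classify a timeout: 0 prompts every time, negative never expires."""
    if minutes == 0:
        return "always-prompt"
    return "never-expires" if minutes < 0 else "cached"


if __name__ == "__main__":
    for name in ("alice", "bob", "dave", "erin"):
        t = effective_timeout(SAMPLE_SUDOERS, name)
        print(f"{name}: timestamp_timeout={t} -> {verdict(t)}")
```

Only the `always-prompt` result corresponds to the workaround described in the post; any other result means sudo still keeps a cached credential for that user.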
post #19 of 69
Quote:
Originally Posted by Durandal1707 View Post

Quote:
Originally Posted by jragosta View Post

It's not 'zero risk'. It's a real bug and should be addressed, even though the risk is quite low.
If you've ever used sudo at all, even once to try some nifty trick you saw online 2 years ago, the security on your Mac can be completely bypassed. That's not low at all. It's scary enough that I just went and applied the "Defaults timestamp_timeout=0" workaround to disable sudo's timeout feature on my machine.

 

Or you can just delete the sudo timestamp file after using sudo.

post #20 of 69

Let's all remember that you can easily reset the administrator password if you have physical access to a Mac. (It's a feature not a bug.)

post #21 of 69
This is a different class of attack than that. The attacker doesn't need physical access to your Mac. In fact, the attacker doesn't have to be personally attacking your machine at all. You could simply download a game, or some other innocuous looking app, and that app could change the Mac's system date, and ***WHAM*** you're rooted.
post #22 of 69
Quote:
Originally Posted by Durandal1707 View Post

This is a different class of attack than that. The attacker doesn't need physical access to your Mac. In fact, the attacker doesn't have to be personally attacking your machine at all. You could simply download a game, or some other innocuous looking app, and that app could change the Mac's system date, and ***WHAM*** you're rooted.

 

I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.

post #23 of 69
Quote:
Originally Posted by muppetry View Post

 

I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.

I guess that's why they're talking about "attackers" and not "maliciously crafted applications".

post #24 of 69

um really. this is a "trolling for ad clicks" FUD-laced article maybe? Because, first of all, referring to this as a "security flaw" is kind of a misnomer. It sort of COULD be a security window, but only IF you are already an administrator, and only IF you've used 'sudo' on the machine before (giving yourself root access), and only IF you have physical or remote access to…. wait, I get it, so these "vulnerable" machines are mostly at risk of their OWNERS "hacking in" and potentially doing malicious stuff to themselves at the root level. *GASP* I see now….. ooh, yeah. That's a scary-bad security flaw there!!

 

 

Really, it's kind of like saying, "Since I'm an administrator AND I can set myself to be root user, what we have here is… a Security Flaw!!!!"  

 

Silliness.

 

 

Oh and then this, "Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings." (FUD Alert!)

 

You really need to add the words "by default" in there, like, "…by default, OS X does not require a password to change these clock settings."

 

But, as evidenced in the Date & Time image you used for illustration, there's a LOCK at the bottom of the pane that says, "Click the lock to prevent further changes."

 

How about...   *click* …  So much for "Macs being especially vulnerable…"

 

 

It's a bit like the Safari "security flaw", where Safari ships with the setting "open 'safe' files after downloading" set to ON by default.

 

Another one: *click* solved.

 

 

So here's your new article which I have rewritten liberally:

There is a very remote possibility that a minor "flaw" in the way Unix operates could open your computer to "attack" in extreme and very narrow circumstances. To remove any danger of this, password protect your Date & Time settings by clicking the lock to its closed position after making any changes.

 

(… insert a paragraph of historical backstory here…)

 

Done!

 

Awfully short article, but I think it's far more honest….

post #25 of 69
Quote:
Originally Posted by tribalogical View Post

um really. this is a "trolling for ad clicks" FUD-laced article maybe? Because, first of all, referring to this as a "security flaw" is kind of a misnomer. It sort of COULD be a security window, but only IF you are already an administrator, and only IF you've used 'sudo' on the machine before (giving yourself root access), and only IF you have physical or remote access to…. wait, I get it, so these "vulnerable" machines are mostly at risk of their OWNERS "hacking in" and potentially doing malicious stuff to themselves at the root level. *GASP* I see now….. ooh, yeah. That's a scary-bad security flaw there!!

 

 

Really, it's kind of like saying, "Since I'm an administrator AND I can set myself to be root user, what we have here is… a Security Flaw!!!!"  

 

Silliness.

 

 

Oh and then this, "Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings." (FUD Alert!)

 

You really need to add the words "by default" in there, like, "…by default, OS X does not require a password to change these clock settings."

 

But, as evidenced in the Date & Time image you used for illustration, there's a LOCK at the bottom of the pane that says, "Click the lock to prevent further changes."

 

How about...   *click* …  So much for "Macs being especially vulnerable…"

 

 

It's a bit like the Safari "security flaw", where Safari ships with the setting "open 'safe' files after downloading" set to ON by default.

 

Another one: *click* solved.

 

 

So here's your new article which I have rewritten liberally:

There is a very remote possibility that a minor "flaw" in the way Unix operates could open your computer to "attack" in extreme and very narrow circumstances. To remove any danger of this, password protect your Date & Time settings by clicking the lock to its closed position after making any changes.

 

(… insert a paragraph of historical backstory here…)

 

Done!

 

Awfully short article, but I think it's far more honest….

 

Yeah it's pretty sad to see that this was parroted by a few Apple news sites without any mention of this obvious fix.

post #26 of 69
Quote:
Originally Posted by VL-Tone View Post

Quote:
Originally Posted by muppetry View Post

I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.
I guess that's why they're talking about "attackers" and not "maliciously crafted applications".

Right - hence my response to Durandal1707, who raised the issue of applications rather than local attackers.
post #27 of 69
Apple is beginning to sour for me.
The keyboards on the iDevices are simply terrible. Auto correcting when none is needed, and now lag.
Not getting the Apple TV update that was announced a couple of days ago (Australia).
Surely with their pile of cash they can fix these problems.
iOS 7 looks far too android for me from what I have seen, I hope they change it.
post #28 of 69
Quote:
Originally Posted by muppetry View Post

I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.
An app isn't *supposed* to be able to gain root privilege if it's not launched as root, but the whole point of this vulnerability is that it bypasses that particular restriction. All a malicious app has to do is to run a few command lines:

1. Change the clock date using the systemsetup command-line tool

2. Relaunch itself, or launch some shell script, or do anything it wants really, as root using sudo

3. There is no step three.
post #29 of 69
Originally Posted by AppleInsider View Post

... the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

 

Trivial workaround:

 

1. System Preferences -> Security & Privacy -> Require password <interval> after sleep or screen saver begins.

 

2. System Preferences -> Sharing -> un-check Remote Login.

 

3. There is no step three.

Sent from my iPhone Simulator

post #30 of 69
Originally Posted by hfts View Post

Apple is beginning to sour for me. ...

 

Classic "concern troll."  Nice job.

Sent from my iPhone Simulator

post #31 of 69
Originally Posted by hfts View Post
Apple is beginning to sour for me.

 

Good for you; stop lying.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

post #32 of 69
Not exactly easy to hack, if someone gets admin access the first time, just drop a payload via USB drive or something and get a rootkit going already there and then, why bother with this hack.
post #33 of 69
Caution, if someone has admin access, they can break in and get admin access!
post #34 of 69
Hardly a stop-the-presses security flaw, but Apple should be more proactive addressing all security issues if it wants to avoid the kind of snarky comments this guy makes.
post #35 of 69
Quote:
Originally Posted by SockRolid View Post

Classic "concern troll."  Nice job.
Not a troll thank you, how about stopping the left side of your brain from reflexing and think for a change.
These are legitimate concerns and I can list many more. To simply bury your head in the sand is the wrong thing to do. Apple could licence the Blackberry virtual keyboard (at least try to). So you see mr. Smarty pants, I have mentioned a possible solution, what have you done? Simply wasted cyber bits on your personal attack.
post #36 of 69
Quote:
Originally Posted by Tallest Skil View Post

Good for you; stop lying.
**** me, you again. Can you get lost.
post #37 of 69
Interesting, but also does not explain enough. This is just saying, if you get root access to OS X you can do anything you want? That's kind of the idea with sudo. Place a line in the sudoers file for whoever you are logged in as when you want to use the sudo command.
post #38 of 69
Quote:
Originally Posted by robogobo View Post

Caution, if someone has admin access, they can break in and get admin access!

Admin and root are not the same. OS X, like Linux Ubuntu, doesn't expose to the users a permanent root account for security reasons. This is why they have a 'sudo' command when you want to invoke temporary root privileges for lesser users such as an admin.

 

I agree with other users that this hack is a tall order but Apple must patch any and all security bugs ASAP. Never underestimate the enemy.

post #39 of 69
Quote:
Originally Posted by drblank View Post

It's so they can get attention, since anyone that posts an article with the word APPLE in it, is going to be hit with lots of views.  

You're talking of HD Moore here. He doesn't need attention, he's already a security rock star. It's like saying Apple needs to ask Samsung for design cues.

If the guys from Metasploit, who are quite obviously WAY better than anyone on these forums, think there is an issue, I believe them.

How critical it actually is, is for Apple to decide. Instead of personal attacks on the probity of the hackers, it could have been said that the security mindset may make people put more emphasis on security fixes than is reasonable for a company to devote time to, which is an industrial decision (and a human analysis line of thought).

Why is it that people here, instead of just taking the fact there seems to be an exploitable flaw, that will get solved when Apple decides it is necessary, attack the security specialist? He did not create the flaw, and it is his business to find these flaws. Security-critical businesses would much rather know about a flaw they can't fix and adapt their business flows than discover years afterwards that important information has been flowing to, say, China... or another US company, anywhere it shouldn't be flowing to, because they relied on the supplier telling them "the system is secure".

 

Note that Metasploit contains many more Windows exploits than Mac exploits... and has for years already. Just check it for yourself :

Metasploit.


Edited by lightknight - 8/29/13 at 3:30am

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #40 of 69
Quote:
Originally Posted by Nano_tube View Post

Admin and root are not the same. OS X, like Linux Ubuntu, doesn't expose to the users a permanent root account for security reasons. This is why they have a 'sudo' command when you want to invoke temporary root privileges for lesser users such as an admin.

I agree with other users that this hack is a tall order but Apple must patch any and all security bugs ASAP. Never underestimate the enemy.

If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13