Old unpatched OS X security flaw can give attackers root access to Macs

Posted:
in macOS edited January 2014
A unaddressed bug in Apple's Mac OS X discovered five months ago allows nefarious hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near unlimited access to a computer's files.

Date and Time


While the security flaw has been around for nearly half a year, a new module created by developers of testing software Metasploit makes it easier to exploit the vulnerability in Macs, renewing interest in the issue, reports ArsTechnica.

The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top tier privileges grant access to files belonging to other users' files, though that level of control is password protected.

Instead of inputting a password, the flaw works around authentication by setting a computer's clock to Jan. 1, 1970, or what is referred to as the Unix epoch. Unix time starts at zero hours on this date and is the basis for calculations. By resetting a Mac's clock, as well as the sudo user timestamp, to epoch, time restrictions and privilege limitations can be bypassed.

"The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit," said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.

Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds, but many of those iterations password protect clock changes.

While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

Apple has yet to respond or issue a patch for the bug.

"I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package," Moore said.
«134

Comments

  • Reply 1 of 70


    It was discovered 5 months ago and apple hasn't fixed this yet?  How is that possible?  I would think they would want to be on top of the security there.

  • Reply 2 of 70
    shogunshogun Posts: 362member
    In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

    Dude, that's a pretty high bar. I think the ho-hum response from Apple is pretty reasonable.
  • Reply 3 of 70
    Ok, it's a bug, but it's hardly a major security concern if the hacker has to already have administrator access to my computer, either physically or remotely, to do it! So what product is Metasploit trying to sell with this fear-mongering?
  • Reply 4 of 70
    charlitunacharlituna Posts: 7,217member
    Requires admin access and at least one prior sudo plus physical access or remote access.

    So not something you can randomly do to someone. Aka FUD
  • Reply 5 of 70
    droidftwdroidftw Posts: 1,009member

    Quote:

    Originally Posted by jdhuskey View Post



    So what product is Metasploit trying to sell with this fear-mongering?


     


    Their penetration testing software.

  • Reply 6 of 70
    I like the clock trick but there no, and I mean zero risk associated with this hack.

    Why this article was even published.

    I am use to see much better article from AppleInsider.
  • Reply 7 of 70
    nagrommenagromme Posts: 2,834member
    I take the delay seriously, but...

    "an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before"

    I'm actually OK with that one waiting for Mavericks or beyond!
  • Reply 8 of 70
    nasseraenasserae Posts: 3,166member
    So the attacker must have administrators access to access the Mac using this bug! Awesome.
  • Reply 9 of 70
    vlad1kvlad1k Posts: 11member

    Quote:

    Originally Posted by AppleInsider View Post



    While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

     


     


    powerful but has limitations...


    Ok, who else can have admin privileges on your mac except you or maybe your office sysadmin?


    Yeah, it's "powerful" but only if one of us is drunk... or both.

  • Reply 10 of 70
    I consider the action of the article's author irresponsible in publicizing this bug. It is not an easily exploitable bug, but the headline creates the impression there is a greater vulnerability. I wonder whether this behavior is covered under the DMCA act.

    Seriously, Apple maintains comprehensive bug database, and they have to respond the entire database. Submitting bug reports includes one agreeing to follow Apple's policies. Apple considers bug reports proprietary information, i.e. trade secret. If you are a developer for Apple, Apple can cancel your developer account, if you disclose proprietary information.
  • Reply 11 of 70
    jdhuskey wrote: »
    Ok, it's a bug, but it's hardly a major security concern if the hacker has to already have administrator access to my computer, either physically or remotely, to do it! So what product is Metasploit trying to sell with this fear-mongering?
    Yeah, because it's not as if the *default user account* that's set up for you when you first get your Mac is an admin account or anything.

    Oh, wait, it is. I bet 98% of you are logged into an administrator account right now.

    Apple needs to fix this ASAP.
  • Reply 12 of 70
    nasseraenasserae Posts: 3,166member

    Quote:

    Originally Posted by Durandal1707 View Post





    Yeah, because it's not as if the *default user account* that's set up for you when you first get your Mac is an admin account or anything.



    Oh, wait, it is. I bet 98% of you are logged into an administrator account right now.



    Apple needs to fix this ASAP.


     


    Being logged in as an admin account by itself is still not enough. "In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before".

  • Reply 13 of 70
    drblankdrblank Posts: 3,383member

    Quote:

    Originally Posted by jdhuskey View Post



    Ok, it's a bug, but it's hardly a major security concern if the hacker has to already have administrator access to my computer, either physically or remotely, to do it! So what product is Metasploit trying to sell with this fear-mongering?


    It's so they can get attention, since anyone that posts an article with the word APPLE in it, is going to be hit with lots of views.  

  • Reply 14 of 70
    nasserae wrote: »
    Being logged in as an admin account by itself is still not enough. "<span style="color:rgb(24,24,24);font-family:arial, helvetica, sans-serif;line-height:18px;">In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before".</span>
    Yes, which many of us have. Not as many as are running administrator accounts, which is almost everyone, but not an insignificant percentage either.

    In addition, the article is unclear whether this could work for the standard Auth Services auth box that appears when you, say, install software, and which in some modes also has a timeout feature similar to sudo. If the bug can exploit that functionality as well, then that's going to affect pretty near 100% of users.

    Even if not, though, this is a bug that could potentially affect quite a lot of users, and its conditions, particularly the admin account requirement, are certainly not as exotic as people in this thread are making them out to be.
  • Reply 15 of 70
    jragostajragosta Posts: 10,473member
    I like the clock trick but there no, and I mean zero risk associated with this hack.

    Why this article was even published.

    I am use to see much better article from AppleInsider.

    It's not 'zero risk'. It's a real bug and should be addressed, even though the risk is quite low.
    Yeah, because it's not as if the *default user account* that's set up for you when you first get your Mac is an admin account or anything.

    Oh, wait, it is. I bet 98% of you are logged into an administrator account right now.

    Apple needs to fix this ASAP.

    Yeah, and virtually every one of that 98% already has unlimited access to all their files, anyway. So what does the exploit get them?

    Yes, it's a bug. It needs to be fixed. But compared to the alternatives, Mac OS X is still much, much, much safer. No one ever claimed perfection.
  • Reply 16 of 70
    diddydiddy Posts: 282member

    Quote:

    Originally Posted by jragosta View Post



    Yeah, and virtually every one of that 98% already has unlimited access to all their files, anyway. So what does the exploit get them?



    Yes, it's a bug. It needs to be fixed. But compared to the alternatives, Mac OS X is still much, much, much safer. No one ever claimed perfection.


    That's the key thing.  Like any bug, it needs to be addressed, but this is not the hack that any hacker is going to use - if they already have a system admin, they already have unlimited access to your files and pretty much can take over your machine already with that admin account.


     


    As any security expert will testify, if someone has admin access to your computer, security is a forgone conclusion. 

  • Reply 17 of 70
    jragosta wrote: »
    It's not 'zero risk'. It's a real bug and should be addressed, even though the risk is quite low.
    If you've ever used sudo at all, even once to try some nifty trick you saw online 2 years ago, the security on your Mac can be completely bypassed. That's not low at all. It's scary enough that I just went and applied the "Defaults timestamp_timeout=0" workaround to disable sudo's timeout feature on my machine.
    Yeah, and virtually every one of that 98% already has unlimited access to all their files, anyway.
    No, they don't. This is OS X, not Windows 98.
    So what does the exploit get them?
    http://lmgtfy.com/?q=what+are+the+dangers+of+rootkits
    Yes, it's a bug. It needs to be fixed. But compared to the alternatives, Mac OS X is still much, much, much safer. No one ever claimed perfection.
    Does everything have to be a pissing match? This is a fairly serious bug, and it needs to be fixed. What relevance is it whether OS X is safer or not than some unnamed alternatives?

    Not to mention that the fact that you can't access all files on the disk with a default account is one of the things that makes OS X safer than those unnamed alternatives, and this hack bypasses that.
  • Reply 18 of 70
    muppetrymuppetry Posts: 3,328member

    Quote:

    Originally Posted by Durandal1707 View Post




    Quote:

    Originally Posted by jragosta View Post



    It's not 'zero risk'. It's a real bug and should be addressed, even though the risk is quite low.


    If you've ever used sudo at all, even once to try some nifty trick you saw online 2 years ago, the security on your Mac can be completely bypassed. That's not low at all. It's scary enough that I just went and applied the "Defaults timestamp_timeout=0" workaround to disable sudo's timeout feature on my machine.


     


    Or you can just delete the sudo timestamp file after using sudo.

  • Reply 19 of 70
    vl-tonevl-tone Posts: 337member


    Let's all remember that you can easily reset the administrator password if you have physical access to a Mac. (It's a feature not a bug.)

  • Reply 20 of 70
    This is a different class of attack than that. The attacker doesn't need physical access to your Mac. In fact, the attacker doesn't have to be personally attacking your machine at all. You could simply download a game, or some other innocuous looking app, and that app could change the Mac's system date, and ***WHAM*** you're rooted.
Sign In or Register to comment.