More serious security hole...
Just saw this posted over at Slashdot,
Remote root in OS X
"unlikely" that anybody will be affected, but then again knowledge is power and all that.
BTW I love my iBook, I'm not trying to spread FUD.
Comments
As with most remote exploits, completely disconnecting yourself from any network will keep you safe.
Better would be to disable NetInfo and LDAP DHCP configuration.
What kinds of stuff can you do with it?
Edit: OK, I decided not to be lazy and googled it and found What is LDAP?.
How in the world would that allow them to remotely mount your hard drive? I see nothing more there than a database that your computer would load from the server.
Now, I know that NetInfo can do some crazy stuff, but LDAP?
"LDAP servers also provide "authentication" service, so that web, email, and file-sharing servers (for example) can use a single list of authorized users and passwords."
I believe it is those types of services that you become vulnerable through. I don't know if mount points can be controlled by LDAP (like NetInfo), but if they can, they don't have to mount *your* hard drive; they get you to mount theirs, with config files set to launch an ssh server on your computer so that they can log in (with the root account that they just created using LDAP or NetInfo).
Actually, I don't *really* know what I'm talking about, but I think that's a reasonable imitation of the truth.
Your machine searches over DHCP for a DHCP server. The server returns all sorts of useful info, including where to look for NetInfo servers. The NetInfo server in turn hands your machine a list of users/passwords to check *first* for authentication.
So if someone creates a bogus DHCP server (trivial), which returns spoofed information (harder) which directs the unsuspecting machine to a malicious NetInfo server returning information that *seems* right at first (very difficult), then... *pant pant*... that NetInfo server can tell the machine to allow a root account login with *whatever password it wants*.
Then someone remotely can log into that machine, read all the files, delete whatever they want, and basically run rampant.
The key, according to the person reporting this hole, is that NetInfo just assumes that whatever server it is told to go to, is an okay server, and it accepts all information without question.
Yeah, that's a hole. BUT it requires several difficult steps to set up, and requires DHCP, and requires that bogus server returning DHCP info before any other official server does, etc, etc, etc.
Of course, you could just tell NetInfo *NOT* to look over DHCP for servers... :P
Originally posted by Kickaha
... that NetInfo server can tell the machine to allow a root account login with *whatever password it wants*.
Well, OK, but what if the root account is disabled (and by default it is)? It seems to me that this is a potential vulnerability and there is no proof that it will actually work in a machine with default settings. Of course it is something that needs to be addressed quickly.
Originally posted by PB
Well, OK, but what if the root account is disabled (and by default it is)? It seems to me that this is a potential vulnerability and there is no proof that it will actually work in a machine with default settings. Of course it is something that needs to be addressed quickly.
Because the lookup procedure is to look at the server *first* for login info, *then* the local machine. So if the server says root is enabled, it is.
Originally posted by PB
Well, things are not clear. The original security advisory affirms that even if remote services and root account are off, the computer is not safe. On the other hand, MacBidouille said yesterday that this is not correct and that disabling anything among root account, remote services, DHCP or LDAP authentication, makes the exploit impossible. And by default, at least two of those are disabled. Could anyone confirm? Is there a real danger or is it FUD again?
Hi, author of the advisory here. (Sorry it took me so long to get to AI, I read the Future Hardware discussion here all the time, I've been trying to do the rounds...)
Being that I successfully rooted my spouse's iBook several times in testing for this bug, I'd say it's pretty real. That machine had no remote services on and root account disabled, and is pretty much as it shipped from the factory except for the screen background being changed. But then I'm probably biased.
The only two ways to stop this are (a) don't use DHCP (not very practical in many scenarios) or (b) follow the workaround given in the advisory to get DirectoryServices to *not* trust DHCP for finding LDAP servers.
The actual risk of getting had by this bug is probably limited, since someone has to want to attack your machine from your local subnet (such as your 802.11b/g network) to take advantage of it. But then the actual risk of getting your home broken into isn't necessarily extraordinarily high in most places, but you lock your doors anyway. Likewise, it would probably behoove most people to apply the workarounds.
MacBidouille is wrong that disabling services renders you immune. It doesn't. It just makes the attack a little bit harder, but not too much harder. Disabling the root account has no impact on this attack whatsoever since the account "bluemeanie" or whatever is coming from the attacking server.
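The two points made in this thread that are easiest to get wrong are Kickaha's (the lookup consults the network-supplied directory *before* the local one, so a server that says root is enabled wins) and the advisory author's (disabling the local root account changes nothing when the account comes from the attacker's server). The following Python model, added here as an illustration and not code from the thread, from the advisory or from Apple, walks an ordered list of directory nodes the way such a search policy does and shows what changes when nodes learned from DHCP are no longer trusted. Every node name, account, password and the user "bluemeanie" is constructed for the example; `trust_dhcp_nodes=False` is a hypothetical stand-in for the advisory's DirectoryServices workaround, whose real configuration steps are in the advisory and are not reproduced here. Nothing in the code talks to DHCP or LDAP.

```python
"""Toy model of an authentication search policy with a DHCP-supplied node.

Added example, not from the thread or from Apple. All nodes, users and
passwords are constructed; passwords are plain strings only because this
is a model of lookup ORDER, not of credential storage.
"""
from dataclasses import dataclass, field


@dataclass
class DirectoryNode:
    name: str
    source: str                       # "local" or "dhcp": how the node was discovered
    users: dict = field(default_factory=dict)   # username -> account record

    def lookup(self, username):
        return self.users.get(username)


@dataclass
class SearchPolicy:
    nodes: list                       # consulted in order; the first match wins
    trust_dhcp_nodes: bool = True     # hypothetical switch standing in for the workaround

    def effective_nodes(self):
        """Nodes actually consulted: DHCP-supplied ones drop out when untrusted."""
        return [n for n in self.nodes
                if self.trust_dhcp_nodes or n.source != "dhcp"]

    def resolve(self, username):
        """Return (node name, record) from the first node that knows the user."""
        for node in self.effective_nodes():
            rec = node.lookup(username)
            if rec is not None:
                return node.name, rec
        return None

    def untrusted_sources_in_use(self):
        """Audit helper: names of nodes that came from the network, not the disk."""
        return [n.name for n in self.effective_nodes() if n.source == "dhcp"]


def can_login_as_admin(policy, username, password):
    """True if the resolved record is enabled, the password matches and it is privileged."""
    hit = policy.resolve(username)
    if hit is None:
        return False
    _node, rec = hit
    if not rec.get("enabled", False):
        return False
    if rec["password"] != password:
        return False
    return rec.get("uid") == 0 or "admin" in rec.get("groups", ())


# Constructed local node: root disabled (the default discussed in the thread),
# one ordinary user.
LOCAL = DirectoryNode("local", "local", {
    "root": {"uid": 0, "enabled": False, "password": "*"},
    "pb":   {"uid": 501, "enabled": True, "password": "pb-pass", "groups": ("staff",)},
})

# Constructed node the machine would learn about from DHCP. It asserts an
# enabled root and brings along its own privileged account.
DHCP_LDAP = DirectoryNode("dhcp-ldap", "dhcp", {
    "root":       {"uid": 0, "enabled": True, "password": "letmein"},
    "bluemeanie": {"uid": 0, "enabled": True, "password": "meanie"},
})


def default_policy():
    """Network node first, local second, DHCP-supplied nodes trusted."""
    return SearchPolicy([DHCP_LDAP, LOCAL], trust_dhcp_nodes=True)


def hardened_policy():
    """Same node list, but DHCP-supplied nodes are ignored during lookup."""
    return SearchPolicy([DHCP_LDAP, LOCAL], trust_dhcp_nodes=False)


if __name__ == "__main__":
    for label, pol in (("default", default_policy()), ("hardened", hardened_policy())):
        print(label, "nodes from DHCP:", pol.untrusted_sources_in_use())
        print(label, "root login:", can_login_as_admin(pol, "root", "letmein"))
        print(label, "bluemeanie login:", can_login_as_admin(pol, "bluemeanie", "meanie"))
```

Run as written, the default policy grants both "root" (the local disabled record is never reached because the DHCP node answers first) and "bluemeanie" (a record that exists only on the network node, so the state of the local root account is irrelevant). The hardened policy resolves nothing from the DHCP node, so the local disabled root is what counts and "bluemeanie" is unknown. The `untrusted_sources_in_use()` call is the kind of check an administrator would want to expose in an audit: any name in that list means login decisions depend on whatever answered the DHCP request.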