Old unpatched OS X security flaw can give attackers root access to Macs
An unaddressed bug in Apple's Mac OS X, discovered five months ago, allows malicious attackers to bypass the usual authentication measures by tweaking specific clock and sudo user-timestamp settings, granting near-unlimited access to a computer's files.
While the security flaw has been known for nearly half a year, a new module created by developers of the penetration-testing framework Metasploit makes it easier to exploit the vulnerability on Macs, renewing interest in the issue, Ars Technica reports.
The bug revolves around a Unix program called sudo, which grants or denies users the ability to run commands based on privilege levels. Top-tier privileges grant access to files belonging to other users, though that level of control is password protected.
Instead of requiring a password, the flaw works around authentication by setting the computer's clock to Jan. 1, 1970, the Unix epoch. Unix time counts from zero at that moment and is the basis for the system's time calculations. By resetting a Mac's clock, as well as the sudo user timestamp, to the epoch, sudo's time restrictions and privilege limitations can be bypassed.
"The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit," said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.
Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds, but many of those iterations password protect clock changes.
While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.
Apple has yet to respond or issue a patch for the bug.
"I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package," Moore said.
Comments
It was discovered 5 months ago and Apple hasn't fixed this yet? How is that possible? I would think they would want to be on top of the security there.
Dude, that's a pretty high bar. I think the ho-hum response from Apple is pretty reasonable.
So not something you can randomly do to someone. Aka FUD
Quote:
Originally Posted by jdhuskey
So what product is Metasploit trying to sell with this fear-mongering?
Their penetration testing software.
Why this article was even published.
I am used to seeing much better articles from AppleInsider.
"an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before"
I'm actually OK with that one waiting for Mavericks or beyond!
Quote:
Originally Posted by AppleInsider
While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.
powerful but has limitations...
Ok, who else can have admin privileges on your Mac except you or maybe your office sysadmin?
Yeah, it's "powerful" but only if one of us is drunk... or both.
Seriously, Apple maintains a comprehensive bug database, and they have to respond to the entire database. Submitting bug reports includes one agreeing to follow Apple's policies. Apple considers bug reports proprietary information, i.e. trade secret. If you are a developer for Apple, Apple can cancel your developer account if you disclose proprietary information.
Oh, wait, it is. I bet 98% of you are logged into an administrator account right now.
Apple needs to fix this ASAP.
Quote:
Originally Posted by Durandal1707
Yeah, because it's not as if the *default user account* that's set up for you when you first get your Mac is an admin account or anything.
Oh, wait, it is. I bet 98% of you are logged into an administrator account right now.
Apple needs to fix this ASAP.
Being logged in as an admin account by itself is still not enough. "In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before".
Quote:
Originally Posted by jdhuskey
Ok, it's a bug, but it's hardly a major security concern if the hacker has to already have administrator access to my computer, either physically or remotely, to do it! So what product is Metasploit trying to sell with this fear-mongering?
It's so they can get attention, since anyone that posts an article with the word APPLE in it, is going to be hit with lots of views.
In addition, the article is unclear whether this could work for the standard Auth Services auth box that appears when you, say, install software, and which in some modes also has a timeout feature similar to sudo. If the bug can exploit that functionality as well, then that's going to affect pretty near 100% of users.
Even if not, though, this is a bug that could potentially affect quite a lot of users, and its conditions, particularly the admin account requirement, are certainly not as exotic as people in this thread are making them out to be.
It's not 'zero risk'. It's a real bug and should be addressed, even though the risk is quite low.
Yeah, and virtually every one of that 98% already has unlimited access to all their files, anyway. So what does the exploit get them?
Yes, it's a bug. It needs to be fixed. But compared to the alternatives, Mac OS X is still much, much, much safer. No one ever claimed perfection.
Quote:
Originally Posted by jragosta
Yeah, and virtually every one of that 98% already has unlimited access to all their files, anyway. So what does the exploit get them?
Yes, it's a bug. It needs to be fixed. But compared to the alternatives, Mac OS X is still much, much, much safer. No one ever claimed perfection.
That's the key thing. Like any bug, it needs to be addressed, but this is not the hack that any hacker is going to use - if they already have a system admin, they already have unlimited access to your files and pretty much can take over your machine already with that admin account.
As any security expert will testify, if someone has admin access to your computer, security is a foregone conclusion.
No, they don't. This is OS X, not Windows 98.
http://lmgtfy.com/?q=what+are+the+dangers+of+rootkits
Does everything have to be a pissing match? This is a fairly serious bug, and it needs to be fixed. What relevance is it whether OS X is safer or not than some unnamed alternatives?
Not to mention that the fact that you can't access all files on the disk with a default account is one of the things that makes OS X safer than those unnamed alternatives, and this hack bypasses that.
Quote:
Originally Posted by Durandal1707
Quote:
Originally Posted by jragosta
It's not 'zero risk'. It's a real bug and should be addressed, even though the risk is quite low.
If you've ever used sudo at all, even once to try some nifty trick you saw online 2 years ago, the security on your Mac can be completely bypassed. That's not low at all. It's scary enough that I just went and applied the "Defaults timestamp_timeout=0" workaround to disable sudo's timeout feature on my machine.
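As an added example (not from the article or from any commenter), the following script audits the `Defaults timestamp_timeout` setting that the comment above proposes as a workaround: it parses sudoers-style `Defaults` lines and reports whether a cached-credential window still exists for the epoch trick to abuse. The sudoers text it reads is constructed for the example; `effective_timestamp_timeout` and `assess` are helper names chosen here, and the 5-minute fallback is sudo's documented compiled-in default.

```python
"""Added example: audit sudo's timestamp_timeout from sudoers text.
A cached sudo credential lives in a per-user timestamp file, which is what
the clock-to-epoch trick resets; with a timeout of 0 there is no cached
window to abuse. The sample sudoers text below is constructed, not real."""
import re

DEFAULT_TIMEOUT = 5.0  # sudo's compiled-in default, in minutes


def effective_timestamp_timeout(sudoers_text):
    """Return the timestamp_timeout (minutes) in effect after reading the
    given sudoers text. Only global 'Defaults' lines are considered; later
    settings override earlier ones, as in sudo's own parser."""
    timeout = DEFAULT_TIMEOUT
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        # Skip 'Defaults@host', 'Defaults:user' etc.; only plain Defaults lines
        if not (line.startswith("Defaults") and line[8:9].isspace()):
            continue
        for opt in line[8:].split(","):
            m = re.match(r"^timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)$", opt.strip())
            if m:
                timeout = float(m.group(1))
    return timeout


def assess(timeout):
    """Classify the timeout: 'indefinite' (negative: credential never expires),
    'mitigated' (0: password on every sudo) or 'window' (cached for N minutes)."""
    if timeout < 0:
        return "indefinite"
    if timeout == 0:
        return "mitigated"
    return "window"


# Constructed sudoers fragment: a long cached window, then the workaround appended.
SAMPLE_SUDOERS = """\
# Constructed sample, not a real sudoers file
Defaults    env_reset, timestamp_timeout=15   # long cached window
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
Defaults    timestamp_timeout=0               # workaround from the thread
"""

if __name__ == "__main__":
    t = effective_timestamp_timeout(SAMPLE_SUDOERS)
    print("effective timestamp_timeout = %g minutes -> %s" % (t, assess(t)))
```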
Or you can just delete the sudo timestamp file after using sudo.
Let's all remember that you can easily reset the administrator password if you have physical access to a Mac. (It's a feature not a bug.)