TrueSec outlines "Rootpipe" privilege escalation vulnerability in Mac OS X Yosemite

2

Comments

  • Reply 21 of 46
    Quote:

    Originally Posted by patpatpat View Post

     

    He didn't reveal the exploit, he revealed the existence of an exploit.

     

    And to quote the guy himself...

    Kvarnhammar said, "The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It's important that they have time to patch, and that the patch is available for some time."


    And since blackhats aren't going to tell you if they already know about the exploit, it's better to disclose the existence of the exploit sooner than later so that the public can take measures to protect themselves until an official fix is rolled out.

  • Reply 22 of 46
    nagrommenagromme Posts: 2,834member
    Thanks for finding the flaw AND handling it responsibly! Two things that help us all.
  • Reply 23 of 46
    asdasdasdasd Posts: 5,678member
    rob53 wrote: »
    I thought at one time the OSX install process set up the initial, admin account, then suggested/required the setup of a non-admin, regular user account. This is how it should be done, otherwise OSX is setup exactly like Windows, which we all complain about being easy to install software without authentication. It's how I do it but that comes from years of managing government systems.

    To configure sudo for a non-admin account, you also need to specifically edit the sudo users file using the admin account. This might be too much for non-technical users but then again, sudo'ing isn't something regular users should be doing.

    If you go to the users login pane in the preferences app you can see the default user is admin. Apple doesnt stop the admin user from installing but the OS warns on unknown devs.
  • Reply 24 of 46
    shaminoshamino Posts: 490member
    Quote:

    Originally Posted by IndyFX View Post

    Its' not clear from the report if the user needs to have root enabled (root is disabled by default) for this to work.

     

    Actually, it is clear.  The article says that it works via the "sudo" command, somehow bypassing its need to ask for your password.  So, no root does not have to be active.

     

    Quote:

    Originally Posted by tarfungo View Post

    Everybody on our network except actual 'admins'.  No 'general user' has 'admin' privileges.  100+ Macs.

     

    Even admins shouldn't actually log in from an admin account.  Any GUI activity that requires admin privileges will pop up a dialog asking for an admin user ID and password - so you can just authenticate when you need it and remain unprivileged at other times.

     

    Quote:

    Originally Posted by lkrupp View Post

    Once again it looks like we have a flaw that requires the bad guy to be sitting in front of your computer and logged in as an admin to accomplish the hack.


     

    Where did you get that impression?  If software running in administrator account will run the exploit, then a user logged in as administrator can be fooled into downloading and running code that will run the exploit.  The actual bad guy doesn't have to be at the console, he just has to trick you into running his program.

     

    Quote:

    Originally Posted by rob53 View Post

    I thought at one time the OSX install process set up the initial, admin account, then suggested/required the setup of a non-admin, regular user account. This is how it should be done ... To configure sudo for a non-admin account, you also need to specifically edit the sudo users file using the admin account. This might be too much for non-technical users but then again, sudo'ing isn't something regular users should be doing.

     

    Sadly, Apple's installer doesn't force you to create a non-admin account.  Most Linux distributions do, and I think recent versions of Windows do (IIRC, Win7 does this) but I don't think Apple does yet.

     

    I wonder, if this exploit involves sudo, if it can also work in a non-administrator account whose name is added to the sudoers file.  That would be worse, since I usually configure my personal account that way.



    Of course, I also don't run software from unknown sources, so I think the odds of being hit by this are less than for the general public.

  • Reply 25 of 46
    djsherlydjsherly Posts: 1,031member



    I have a pretty much vanilla Yosemite install, from terminal I can "sudo su -" and I wind up as root.

     

    That doesn't sound disabled to me? The article says I have to reenter my password but that's true of sudo in most cases anyway, so I was expecting that. It's certainly not 'disabled' however.

     

    I haven't set up a secondary account yet, this machine is only a week or so old.

     

    "Dubbed "Rootpipe," the flaw allows software running under an account with admin privileges to gain root access via the "sudo" command without actually authenticating. Normally, an admin user is blocked from gaining root powers with sudo unless the user reenters his admin password. This mechanism could potentially be used by malware to install itself without requiring an admin password, just like Windows."

     

    Trojan horse possibilities. Useful software with a not-so-useful secondary function. The not-so-useful function doesn't disappear when the primary application is uninstalled.

     

  • Reply 26 of 46
    shaminoshamino Posts: 490member
    Quote:

    Originally Posted by djsherly View Post

    I have a pretty much vanilla Yosemite install, from terminal I can "sudo su -" and I wind up as root.

     

    That doesn't sound disabled to me? The article says I have to reenter my password but that's true of sudo in most cases anyway, so I was expecting that. It's certainly not 'disabled' however.


     

    You can always use "sudo" to switch to root.  I frequently do a "sudo tcsh" to get to a root shell.

     

    What everyone means by disabled is that there is no password configured for the account.  So if you try to "su -", it won't work, because there is no password you can type to make the switch work.  And if you try to log-in as root, that also won't work.

     

    If you enable the root account, then you will give it a password and you will be able to log-in to a desktop as root and run "su" without pushing the command through sudo.

     

    WRT the exploit in question, it is apparently a way to allow sudo to run code as root without asking for your password.

  • Reply 27 of 46
    indyfxindyfx Posts: 321member
    Quote:

    Originally Posted by shamino View Post

     

     

    Actually, it is clear.  The article says that it works via the "sudo" command, somehow bypassing its need to ask for your password.  So, no root does not have to be active.

     

     

    Even admins shouldn't actually log in from an admin account.  Any GUI activity that requires admin privileges will pop up a dialog asking for an admin user ID and password - so you can just authenticate when you need it and remain unprivileged at other times.

     

     

    Where did you get that impression?  If software running in administrator account will run the exploit, then a user logged in as administrator can be fooled into downloading and running code that will run the exploit.  The actual bad guy doesn't have to be at the console, he just has to trick you into running his program.

     

     

    Sadly, Apple's installer doesn't force you to create a non-admin account.  Most Linux distributions do, and I think recent versions of Windows do (IIRC, Win7 does this) but I don't think Apple does yet.

     

    I wonder, if this exploit involves sudo, if it can also work in a non-administrator account whose name is added to the sudoers file.  That would be worse, since I usually configure my personal account that way.



    Of course, I also don't run software from unknown sources, so I think the odds of being hit by this are less than for the general public.


     

    Root?Administrator on OS X

    Why virtually all linux distro's (I run a render farm on Debian) don't want users running as "admin" is because admin=root, and even leaving a shell logged as root is a dangerous thing to do  (for so many reasons) much less actually running an x session as root. (which would be really stupid) Also understand that administrators (in OS X, and in windows) are unique users, whereas root (in linux and in OS X) is root (there are not different root users (there is no equivalent to root in NT5.) Some Linux Distro's have attempted a shell around root to emulate the concept of "admin" users (Ubuntu for one) 

     

    In summary what you thought they said they specifically did't. Nowhere did they specify how they can enable root.

    While I take all security flaws seriously, until we have all the facts I suspect this one might be (another in a long line of) OS X publicity stunts.

  • Reply 28 of 46
    > "Normally, an admin user is blocked from gaining root powers with sudo unless the user reenters his admin password."

    This is incorrect. When using sudo, the "admin password" is not required or even acceptable; the user's own login password is verified before sudo proceeds.

    This vulnerability will affect users regardless whether they have "enabled" the root account or not. The root user is always enabled, just not with a password set for you to log in directly as root - but much of your system is running as root.

    The sudo binary can execute as root (user 0) because it has the UNIX setuid bit set (mode -r-s--x--x in this case). Anything with this bit set runs as root as soon as you execute the binary.
    In the case of sudo, its designed to execute arbitrary commands, but only after authenticating that you are allowed to. Its designers definition of %u201Callowed to%u201D is that your name or group is in the /etc/sudoers file (the admin group being there by default) and that you know your own password (or have recently entered it to sudo).

    I assume that, given the name, if you pipe some content into sudo (perhaps something arbitrarily large to cause a buffer overflow), you can make it do something before you even enter any password.

    As with all setuid programs on UNIX, it must be bulletproof or you risk a privilege escalation vulnerability. It%u2019s quite conceivable that it%u2019s not bulletproof, especially as a vulnerability stood in bash for ~11 years.

    Not every reported deficiency in OS X is media hysteria. A little objectivity goes a long way%u2026
  • Reply 29 of 46
    Quote:

    Normally, an admin user is blocked from gaining root powers with sudo unless the user reenters his admin password. 

     



    This is incorrect. When using sudo, the "admin password" is not required or even acceptable; the user's own login password is verified before sudo proceeds.

     

    This vulnerability will affect users regardless whether they have "enabled" the root account or not. The root user is always enabled, just not with a password set for you to log in directly as root - but much of your system is running as root.

     

    The sudo binary can execute as root (user 0) because it has the UNIX setuid bit set (mode -r-s--x--x in this case). Anything with this bit set runs as root as soon as you execute the binary. In the case of sudo, its there to execute arbitrary commands but only after authenticating that you are allowed to. Its designers definition of “allowed to” is that your name or group is in the /etc/sudoers file and that you know your own password (or have recently entered it to sudo). 

     

    I assume that, given the name, if you pipe some content into sudo (perhaps something arbitrarily large to cause a buffer overflow), you can make it do something before you even enter any password. 

     

    As with all setuid programs on UNIX, it must be bulletproof to there will be a privilege escalation vulnerability. It’s quite conceivable that it’s not bulletproof, especially as a vulnerability stood in bash for ~11 years. 

     

    Not every reported deficiency in OS X is media hysteria. A little objectivity goes a long way…

  • Reply 30 of 46
    Originally Posted by shamino View Post

    Sadly, Apple's installer doesn't force you to create a non-admin account.


     

    Good. Screw that.

     
    ...I think recent versions of Windows do...

     

    Even with full administrative access, you don’t have full access in Windows. You literally cannot delete some files without accessing the partition from some other OS and forcibly deleting them. It’s complete insanity.

  • Reply 31 of 46
    djsherlydjsherly Posts: 1,031member
    Quote:

    Originally Posted by shamino View Post

     

     

    You can always use "sudo" to switch to root.  I frequently do a "sudo tcsh" to get to a root shell.

     

    What everyone means by disabled is that there is no password configured for the account.  So if you try to "su -", it won't work, because there is no password you can type to make the switch work.  And if you try to log-in as root, that also won't work.

     

    If you enable the root account, then you will give it a password and you will be able to log-in to a desktop as root and run "su" without pushing the command through sudo.

     

    WRT the exploit in question, it is apparently a way to allow sudo to run code as root without asking for your password.




    aye, got it.

  • Reply 32 of 46
    hillstoneshillstones Posts: 1,490member
    Quote:

    Originally Posted by IndyFX View Post

     



    Yeah I saw it... two weeks is not considered much notice,

    I would love to know the particulars, did he say he wasn't going to reveal till January and then gave this little press release? (which unfortunately is almost like a zero day, as it gives criminal hackers huge hints as to the area of the problem and even gives the mechanics of the exploit)

    Question is, was this November announcement a surprise to Apple. I'm betting it was.

     

    In any case, two weeks in not sufficient (nor the generally accepted) lead time to reveal a security exploit.


    You still cannot read.  He gave Apple notice two weeks ago once it was discovered, and he won't reveal how the exploit works until January.  This gives Apple 90 days to issue a patch before anyone knows how it works.

     

    "In a security context, "responsible disclosure" generally means that researchers who discover a serious flaw will notify the software vendor with details at least 90 days before publicly disclosing how the flaw actually works and how it can be exploited, allowing time for the issue to be addressed and patches to be distributed to users."

  • Reply 33 of 46
    smalmsmalm Posts: 671member
    Quote:
    Originally Posted by lkrupp View Post

     

    Once again it looks like we have a flaw that requires the bad guy to be sitting in front of your computer and logged in as an admin to accomplish the hack. So I’m pretty sure the average user doesn’t really have to worry much about with this. Business or educational settings maybe but not individual home users. Should it be patched? Yes. Is it a BIG DEAL? Nope.




    The bad guy sitting in front of the computer is Joe Average, the owner, logged in as an admin clicking on something found in the internet.

     

    Quote:

    Originally Posted by shamino View Post

     

    WRT the exploit in question, it is apparently a way to allow sudo to run code as root without asking for your password.

     

    I wonder, if this exploit involves sudo, if it can also work in a non-administrator account whose name is added to the sudoers file.  That would be worse, since I usually configure my personal account that way.


    Your personal account is doomed :D 

    BTW sudo doesn't allow to run code as root but to run code with the privileges of root. 

     

  • Reply 34 of 46
    Quote:
    Originally Posted by aplnub View Post



    How many operate in a non-admin account on their mac?



    I do.

     

    It's computing "best practice" for any platform-- Mac, Windows, or Linux.  And this exploit exemplifies exactly why everyone should, running your day-to-day in a regular user account usually negates attacks like this.

     

     

     

     

     

    Quote:

    Originally Posted by Tallest Skil View Post

     

    Good. Screw that.


     

    hahaha!  That made me laugh!  (Oh, and good luck with that.)

  • Reply 35 of 46
    chris_cachris_ca Posts: 2,543member
    Quote:

    Originally Posted by IndyFX View Post

    Yeah I saw it... two weeks is not considered much notice,


    Not much notice of what?

    Two weeks ago, he discovered an exploit.

    Then two weeks later, he announced he discovered an exploit.

    Why does it matter how long after he discovered it that he announced he discovered it?

  • Reply 36 of 46
    welshdogwelshdog Posts: 1,784member
    Quote:

    Originally Posted by aplnub View Post



    How many operate in a non-admin account on their mac?

    I had about 20 Macs in a video post facility and all of them were Admin accounts.  I did not have time to run around typing in admin passwords every time an editor needed a new font or plug-in or any number of other things requiring Admin access.  Not feasible in an environment where clients are paying hundreds of dollar an hour for the editor or designer to work - not go find me to come type in a password.

  • Reply 37 of 46
    The fact that he suggests using filevault might suggest one needs physical access to the machine.
  • Reply 38 of 46
    shaminoshamino Posts: 490member
    Quote:

    Originally Posted by IndyFX View Post

    Root?Administrator on OS X

    Why virtually all linux distro's (I run a render farm on Debian) don't want users running as "admin" is because admin=root, and even leaving a shell logged as root is a dangerous thing to do  (for so many reasons) much less actually running an x session as root. (which would be really stupid) Also understand that administrators (in OS X, and in windows) are unique users, whereas root (in linux and in OS X) is root (there are not different root users (there is no equivalent to root in NT5.) Some Linux Distro's have attempted a shell around root to emulate the concept of "admin" users (Ubuntu for one) 

     

    In summary what you thought they said they specifically did't. Nowhere did they specify how they can enable root.

    While I take all security flaws seriously, until we have all the facts I suspect this one might be (another in a long line of) OS X publicity stunts.


     

    I think you need to re-read my post.  I think you may be replying to someone else, because your comments don't seem to be related to my message.  Nowhere did I claim that root is the same as administrator.  Nor did I say that they enabled root access via an exploit.  I wrote just what the original article said - that they claim to be able to run code as root via "sudo" without providing a password, which is a serious problem, if true.

     

    Apple's administrator level account does what many Linux distros do with their "admin" concept - it puts your account in an "admin" group.  This is similar to the "wheel" group used by other UNIX/Linux installations.  It typically grants members the ability to use "sudo" and may grant access to some specific applications and devices.

     

    You may believe the original report is fake.  That's your choice.  But it doesn't automatically mean those of us who think it may be correct don't know what we're talking about.

  • Reply 39 of 46
    cornchipcornchip Posts: 1,865member
    aplnub wrote: »
    How many operate in a non-admin account on their mac?

    This guy.
  • Reply 40 of 46
    kpluckkpluck Posts: 500member
    Quote:
    Originally Posted by aplnub View Post



    How many operate in a non-admin account on their mac?

    I don't know but it is foolish to have your day to day account be an admin account on any modern OS (Windows, OS X, Linux). A very large percentage of security vulnerabilities are nullified by using a standard account.

     

    -kpluck

Sign In or Register to comment.