# OS X hacked in under 30 minutes?



## bbloke (Mar 6, 2006)

ZDNet Australia is carrying a story about a hacker who has claimed to be able to hack into OS X in under 30 minutes.  He said he used an unpublished vulnerability to get in, and managed to get root access in 20 to 30 minutes.  He also added that, although there are ways to tighten security, these methods would not have prevented access in this particular case.


> "It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told _ZDNet Australia_.
> 
> According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.
> 
> ...
> 
> Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.
> 
> "Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added gwerdna.


I must admit to being a bit surprised by this.  Then again, the competition involved using the Mac as a web server.  I don't know whether the exploit involved Apache or some other aspect of OS X...

There are things one can do to improve the security of OS X, but probably one of the most important is: don't run any services that you don't need.  If you do require the running of services, then don't run them for longer than you need them.

This probably will start some commotion within the Mac community but, as ever, the sky is not falling.


----------



## barhar (Mar 6, 2006)

The (above) post, the article, the self-proclaimed hacker (gwerdna), and/or the alleged victim failed to produce the actual (step-by-step) process(es) of hacking into the Mac Mini. So, until then ...


----------



## bbloke (Mar 6, 2006)

barhar said:

> The (above) post ...  failed to produce the actual (step by step) process(es) of hacking into the Mac Mini...


Errr, thanks...

Anyway, do you really think that an article would ever publish step-by-step hacking instructions?  Surely that would be irresponsible in the extreme...


----------



## ScottW (Mar 6, 2006)

ANY system that sits on the Internet unprotected by firewalls (either hardware or software) risks being vulnerable to attack and being compromised. I don't doubt for a second that this report has the potential to be correct - even if the guy is lying himself.


----------



## joe_burban (Mar 6, 2006)

If it were legitimate, would the "testers" also provide their instructions and findings to Apple so that the alleged holes could be fixed?


----------



## Satcomer (Mar 6, 2006)

I read into this extensively. Scott is right: having "remote services" running without some kind of firewall is very irresponsible! Mac OS X security does need attention, although press like this has already been pounced upon by the typical Apple haters. This then will be filtered down to biased IT managers. So Apple needs to nip this in the bud before OS X Server sales go into the tank.


----------



## MisterMe (Mar 6, 2006)

Close but no cigar. The computer was set up as a test. It had all Unix services turned on. "Gwerdna" did not hack his way onto the computer. He was given a user account on it. From there, he supposedly escalated his privileges to root. Rest assured, he would have required much more than 30 minutes otherwise. He apparently used old unpatched Unix exploits to do the deed. He tried other things first.


----------



## Mikuro (Mar 6, 2006)

Some of the comments at http://rm-my-mac.wideopenbsd.org/notes say that the weakness is in ping, traceroute and malloc. If true, it's certainly a problem. But not a problem any normal user needs to worry about, since it requires the hacker to have an account to exploit.

If I had my own account on a machine, I think I'd be able to do that in half an hour or so, too, and I wouldn't need to do anything all that fancy. There are several password crackers for OS X and other Unix variants. I've helped people use them a couple times (for perfectly legitimate reasons!). Once you get the admin password, you just call 'sudo rm...' and you're done. Of course, a solid admin password might make that impractical.

The lack of confirmed details makes it hard to say anything for certain. But I'm not worried.


----------



## ScottW (Mar 6, 2006)

Yes, it appears to be a questionable hack.


----------



## ElDiabloConCaca (Mar 6, 2006)

I vote we start calling him "AndrewG," just to make him feel silly and come up with a better hacker name...


----------



## dmetzcher (Mar 6, 2006)

barhar said:

> The (above) post, the article, the self proclaimed hacker (gwerdna), and / or the alleged victim - failed to produce the actual (step by step) process(es) of hacking into the Mac Mini. So, until then ...


And if they had posted the instructions for all to read, how many people would be screaming about the irresponsibility of such an action? This is nothing new. Another Australian security expert, who works for my employer, brought to light several issues with Mac OS X, and the fact that he has contacted Apple more than once and they have still not patched the issues. Things like this are going to start surfacing.


----------



## dmetzcher (Mar 6, 2006)

MisterMe said:

> Close but no cigar. The computer was setup as a test. It had all Unix services turned on. "Gwerdna" did not hack his way onto the computer. He was given a user account on it. From there, he supposedly escalated his privileges to root. Rest assured, he would have required much more than 30 minutes otherwise. He apparently used old unpatched Unix exploits to do the deed. He tried other things first.


I may be reading your comment wrong, so please forgive me if I am...
In one breath you are stating that this is close, but not close enough. In another you are stating that he used unpatched Unix exploits to get things done. If the latter is true, and those exploits exist, this guy could still be lying about what he did and it wouldn't matter one bit. If the issues are there, and they are unpatched, that's all that matters.


----------



## dmetzcher (Mar 6, 2006)

ElDiabloConCaca said:

> I vote we start calling him "AndrewG," just to make him feel silly and come up with a better hacker name...


LOL. Good one. I didn't even notice that. How obvious!


----------



## wnowak1 (Mar 7, 2006)

The article mentioned using anti-spyware programs on your Mac.  Are there any?


----------



## MisterMe (Mar 7, 2006)

dmetzcher said:

> I may be reading your comment wrong, so please forgive me if I am...
> In one breath you are stating that this is close, but not close enough. In another you are stating that he used unpatched Unix exploits to get things done. If the latter is true, and those exploits exist, this guy could still be lying about what he did and it wouldn't matter one bit. If the issues are there, and they are unpatched, that's all that matters.


Without getting too much into it, I think it safe to say that *Satcomer* and I were making essentially the same point. Gwerdna was being given more credit than he was due and that Apple was being given more blame than it is due. It is pretty much universally understood now that Gwerdna did not hack into the Mac. He was given a personal account on a deliberately softened target machine. We have only Gwerdna's word for what he did, but he clearly indicates that he tried other exploits before using a familiar unpatched Unix exploit. Of course, it is significant that Apple has not patched the vulnerability. Our favorite fruit company should be called to account for leaving the hole open if it did. If Gwerdna is to be believed (and this is by no means certain), it begs the question of the entire Unix community--not just Apple--about this vulnerability and why it hasn't been completely eliminated.

Specifically, is it real? Is it an oversight? Is it patched on some systems and not on others? Is it so deeply embedded in the OS that it will require a major rewrite to fix? Is it so insignificant that it doesn't matter in the real world and the rest is just hype? Is it ...?


----------



## bbloke (Mar 7, 2006)

It's true that there seems to be more to this than first meets the eye.  If the attack was created using a local account and escalation of local privileges, then that is very different from a machine simply being hacked when operating as a web server.  Someone at the University of Wisconsin feels the article is misleading, and so has created his own challenge:

http://test.doit.wisc.edu/


----------



## symphonix (Mar 7, 2006)

I agree with bbloke. There is a world of difference between someone gaining root access when they already have an account on the machine, and someone doing so when they haven't.

I also would like to know a little more about what vulnerability has supposedly been exploited. Was the firewall on? Had any services been activated?

Whenever I make major changes to my machine or network configuration, I perform a few basic hacking tests such as port-scanning and packet sniffing to ensure it is secure. My machine does not even respond to ping with the firewall's "stealth mode" turned on, so I'm not too worried for myself.

As for the "in under 30 minutes" angle, I'd say this is true media hyperbole. A fresh-from-CD install of Windows XP, connected to the Internet, will be infected by a virus in under 30 minutes - before most users even get a chance to get all the patches loaded - and yet we rarely hear about this in the media. So a skilled hacker using unpublished vulnerabilities might be able to hack into a Mac, if said hacker had an account, in the same time an RPC overflow virus can get into a Windows XP machine. I'm not exactly shaking in my shoes here.
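The advice earlier in the thread (run only the services you need) and the self-checks in this post (port-scanning your own machine after configuration changes) both come down to one question: which listeners are reachable from the network, and are they all expected? Below is an added example, not code from the thread or from any of the posters, that answers it by parsing `netstat -an` output and reporting every listener bound to a non-loopback address whose port is not on an allowlist. `netstat -an` is a real command on OS X and Linux; the sample output, the hostnames and the allowlist are constructed for the example, and the parser accepts both the BSD/OS X address form (`*.22`) and the Linux form (`0.0.0.0:22`), which goes beyond the OS X-only scope of the thread.

```python
"""Listening-service audit: flag network services exposed beyond loopback.

Added example (not from the thread). Parses `netstat -an`-style output and
reports listeners bound to a non-loopback address that are not on an
allowlist of expected services.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample in the BSD/OS X `netstat -an` layout (not real output).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.139                  *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      192.168.1.9.80         ESTABLISHED
udp4       0      0  *.5353                 *.*
"""

# Splits "*.22", "127.0.0.1.631" (BSD) and "0.0.0.0:22", "[::]:22" (Linux)
# into host and port; the greedy host group keeps the last separator for the port.
_ADDR_RE = re.compile(r"^(?P<host>.*)[.:](?P<port>\d+)$")

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
_WILDCARD_FOREIGN = {"*.*", "0.0.0.0:*", "[::]:*", ":::*"}

Listener = Tuple[str, str, int]  # (protocol, bind address, port)


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return every listening socket as (proto, bind_address, port).

    TCP listeners carry a LISTEN state. UDP sockets have no state column, so a
    UDP line whose foreign address is a wildcard is treated as a listener.
    """
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue  # header lines and anything that is not a socket row
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""
        is_listener = state == "LISTEN" or (
            proto.startswith("udp") and foreign in _WILDCARD_FOREIGN
        )
        if not is_listener:
            continue
        m = _ADDR_RE.match(local)
        if not m:
            continue
        listeners.append((proto, m.group("host"), int(m.group("port"))))
    return listeners


def exposed_services(listeners: List[Listener], allowed_ports: Set[int]) -> List[Listener]:
    """Listeners reachable from the network whose port is not expected."""
    exposed: List[Listener] = []
    for proto, host, port in listeners:
        loopback_only = host.strip("[]") in LOOPBACK
        if not loopback_only and port not in allowed_ports:
            exposed.append((proto, host, port))
    return exposed


def audit(netstat_output: str, allowed_ports: Set[int]) -> Dict[str, List[Listener]]:
    """Full report: everything listening, plus the subset that needs attention."""
    listeners = parse_listeners(netstat_output)
    return {"listeners": listeners, "exposed": exposed_services(listeners, allowed_ports)}


def live_netstat() -> str:
    """Run the real `netstat -an` on this host; empty string if it is unavailable."""
    try:
        return subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Policy for the constructed sample: only ssh (22) and http (80) are expected.
    report = audit(SAMPLE_NETSTAT, allowed_ports={22, 80})
    for proto, host, port in report["exposed"]:
        print(f"unexpected exposed service: {proto} {host}:{port}")
```

On the constructed sample the audit flags Windows file sharing on 139 and the Bonjour responder on 5353 while ignoring CUPS on 631, which is bound to loopback only. Swapping `SAMPLE_NETSTAT` for `live_netstat()` runs the same check against the current host.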


----------



## Quietly (Mar 9, 2006)

http://test.doit.wisc.edu/

This site is now down - earlier than scheduled. Was it hacked, or did Apple ask for it to be removed (I seem to remember they did that last time someone set a "hack OSX" task)?

Or is there an entirely other explanation?


----------



## Quietly (Mar 9, 2006)

I don't normally bother talking to myself, but I just found the answer!

They closed it early due to strong response and say they will publish results at a later date. Apparently they had quite a few DoS attacks.


----------



## bbloke (Mar 9, 2006)

Aha, interesting find, Quietly.  I had a look on OSNews:

OSNews said:

> Here are the results of the challenge launched by the University of Wisconsin to test OS X against hacking. _"The response has been very strong; traffic to the host spiked at over 30 Mbps. Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus. The machine was under intermittent DoS attacks. During the two brief periods of denial of service, the host remained up. The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations. There were no successful access attempts during the 38 hour duration of the test period."_



The results page still seems to be down, though.
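The Wisconsin summary quoted above mentions ssh dictionary attacks against a host with two local accounts and ssh open in its default configuration. An admin running such a host wants to see that traffic rather than guess at it, so here is an added example (not code from the thread, from OSNews or from the university test) that reads OpenSSH "Failed password" syslog lines, counts failures per source address in a sliding time window, and reports sources that cross a threshold. The line format is the standard OpenSSH one; the log entries, the hostname `minitest` and the addresses are constructed for the example.

```python
"""SSH dictionary-attack detection over sshd syslog lines.

Added example (not from the thread). Counts failed password attempts per
source address inside a sliding window and flags bursts, which is what an
ssh dictionary attack looks like in the log of a default-configured sshd.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set, Tuple

# OpenSSH failure lines as written to syslog; the format is real, the entries below are constructed.
_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

SAMPLE_LOG = """\
Mar  9 02:14:01 minitest sshd[4101]: Failed password for invalid user admin from 10.0.0.5 port 40211 ssh2
Mar  9 02:14:03 minitest sshd[4103]: Failed password for invalid user test from 10.0.0.5 port 40212 ssh2
Mar  9 02:14:04 minitest sshd[4105]: Failed password for root from 10.0.0.5 port 40213 ssh2
Mar  9 02:14:06 minitest sshd[4107]: Failed password for invalid user oracle from 10.0.0.5 port 40214 ssh2
Mar  9 02:14:09 minitest sshd[4109]: Failed password for invalid user guest from 10.0.0.5 port 40215 ssh2
Mar  9 02:20:30 minitest sshd[4201]: Failed password for alice from 192.168.1.20 port 51022 ssh2
Mar  9 02:20:41 minitest sshd[4203]: Accepted password for alice from 192.168.1.20 port 51023 ssh2
Mar  9 03:05:12 minitest sshd[4310]: Failed password for invalid user admin from 10.0.0.5 port 40990 ssh2
"""

Failure = Tuple[datetime, str, str]  # (timestamp, source address, username tried)


def parse_failures(log_text: str, year: int = 2006) -> List[Failure]:
    """Extract failed-password events. Syslog omits the year, so it is supplied."""
    failures: List[Failure] = []
    for line in log_text.splitlines():
        m = _FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("src"), m.group("user")))
    return failures


def detect_dictionary_attacks(
    failures: List[Failure], threshold: int = 5, window_seconds: int = 60
) -> Dict[str, dict]:
    """Flag sources with at least `threshold` failures inside any `window_seconds` span.

    A per-source sliding window catches a burst of guesses while a real user
    who mistypes a password a couple of times over an evening stays quiet.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    usernames: Dict[str, Set[str]] = defaultdict(set)
    alerts: Dict[str, dict] = {}
    for ts, src, user in sorted(failures):
        window = recent[src]
        window.append(ts)
        usernames[src].add(user)
        # Drop events that have aged out of the window relative to this event.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerts:
            alerts[src] = {
                "first_seen": window[0],
                "burst_size": len(window),
                "usernames_tried": sorted(usernames[src]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_dictionary_attacks(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {info['burst_size']} failures from {info['first_seen']}, "
              f"usernames tried: {', '.join(info['usernames_tried'])}")
```

On the constructed log the single guessing source is reported with the list of account names it cycled through, while the one failed attempt from the legitimate user is ignored. On OS X 10.4 the sshd lines live in /var/log/secure.log; on most Linux systems they are in /var/log/auth.log or /var/log/secure, and the same parser applies.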


----------



## lurk (Mar 9, 2006)

There was a message on the machine yesterday that the CIO for the university had heard about the project and had them ax it.  So that might just be the ultimate DOS attack: get the higher-ups tweaked off.


----------



## billbaloney (Mar 9, 2006)

Of course OS X is fairly secure, but I think all of this publicity surrounding its security has a bit of smoke-and-mirrors to it.  Security holes are found, posted, and exploited in various libraries, apps, and OSes every day; the real question is always how quickly the problem gets addressed.

Apple has to find the right balance between over-frequent security updates, which is often perceived as nothing so much as an admission of security weaknesses on the part of the vendor (witness our general perception of Windows XP as insecure not only because of its well-publicized exploits, but also because of the frequency of the security updates), and under-frequent updates, leaving the user base with the feeling that Apple's trying to bury its problems.

This will become more of an issue as the OS gains popularity, and subsequently becomes a higher-value target for malicious hackers.  I think Apple's been good about it so far.


----------



## fryke (Mar 9, 2006)

I wish they'd react earlier, though. I'm not sure about the current state, but last year Samba had serious flaws when turned on, and Apple was using packages that were 6-8 months old and weren't patched. So if you had Windows Sharing turned on, you definitely _had_ those security issues. It didn't make huge splashes, but it looked to me as if Apple just didn't care. No good...


----------

