OS X hacked in under 30 minutes?

bbloke

ZDNet Australia is carrying a story about a hacker who has claimed to be able to hack into OS X in under 30 minutes. He said he used an unpublished vulnerability to get in, and managed to get root access in 20 to 30 minutes. He also added that, although there are ways to tighten security, these methods would not have prevented access in this particular case.
"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

"The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server -- with various remote services running and local access to users… There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevents memory-based corruption exploits," said gwerdna.
Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added gwerdna.
I must admit to being a bit surprised by this. Then again, the competition involved using the Mac as a web server. I don't know whether the exploit involved Apache or some other aspect of OS X...

There are things one can do to improve the security of OS X, but probably one of the most important is: don't run any services that you don't need. If you do require the running of services, then don't run them for longer than you need them.

This probably will start some commotion within the Mac community but, as ever, the sky is not falling. ;)
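The advice above (don't run services you don't need) is easiest to act on if you periodically audit what is actually listening. The script below is an added example, not code from the original post or from the challenge: it takes BSD/macOS-style `netstat -an` output, extracts every TCP port in the LISTEN state, and reports the ones that are not on an allowlist you supply. The sample netstat lines are constructed for the example; on a real machine you would feed it `netstat -an` (or the output of `lsof -i -P`) instead.

```shell
#!/bin/sh
# Added example: flag listening TCP services that are not on an allowlist.
# Input is "netstat -an"-style text in the BSD/macOS format, where the local
# address is written as host.port (e.g. "*.22", "127.0.0.1.631").

# Constructed sample output; not captured from any real machine.
SAMPLE_NETSTAT='tcp4  0  0  *.22                *.*                 LISTEN
tcp4  0  0  *.80                *.*                 LISTEN
tcp4  0  0  127.0.0.1.631       *.*                 LISTEN
tcp4  0  0  *.5900              *.*                 LISTEN
tcp4  0  0  192.168.1.5.49152   93.184.216.34.443   ESTABLISHED
udp4  0  0  *.5353              *.*'

# listening_ports NETSTAT_TEXT
#   Print the port of every TCP socket in LISTEN state, one per line,
#   numerically sorted and de-duplicated. The port is the last
#   dot-separated field of the local-address column.
listening_ports() {
    printf '%s\n' "$1" |
        awk '$NF == "LISTEN" { n = split($4, a, "."); print a[n] }' |
        sort -n | uniq
}

# unexpected_listeners NETSTAT_TEXT "PORT PORT ..."
#   Print every listening port that is not in the space-separated allowlist.
#   An empty result means nothing is listening beyond what you expect.
unexpected_listeners() {
    allow=" $2 "
    listening_ports "$1" | while read -r port; do
        case "$allow" in
            *" $port "*) ;;                 # allowed, stay quiet
            *) printf '%s\n' "$port" ;;     # not on the allowlist: report it
        esac
    done
}

# Stand-alone run against the constructed sample, allowing only ssh and http.
# To audit a live box: unexpected_listeners "$(netstat -an)" "22 80"
unexpected_listeners "$SAMPLE_NETSTAT" "22 80"
```

With the sample input this reports 631 and 5900 (the CUPS and VNC ports in the constructed data), which is exactly the kind of listener the post says you should switch off when you are not using it. A port bound only to 127.0.0.1 is still reported, since a local-only service is precisely what a local privilege-escalation attempt would target.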
 
The (above) post, the article, the self-proclaimed hacker (gwerdna), and/or the alleged victim failed to produce the actual (step-by-step) process(es) of hacking into the Mac Mini. So, until then ...
 
barhar said:
The (above) post ... failed to produce the actual (step by step) process(es) of hacking into the Mac Mini...
:confused: Errr, thanks...

Anyway, do you really think that an article would ever publish step-by-step hacking instructions? Surely that would be irresponsible in the extreme...
 
ANY system that sits on the Internet unprotected by firewalls (either hardware or software) risks being vulnerable to attack and being compromised. I don't doubt for a second that this report has the potential to be correct, even if the guy is lying himself.
 
If it were legitimate, would the "testers" also provide their instructions and findings to Apple so that the alleged holes could be fixed?
 
I read into this extensively. Scott is right that having "remote services" running without some kind of firewall is very irresponsible! Mac OS X security does need attention, although press like this has already been pounced upon by the typical Apple haters. This will then be filtered down to biased IT managers. So Apple needs to nip this in the bud before OS X Server sales go into the tank.
 
Close but no cigar. The computer was set up as a test. It had all Unix services turned on. "Gwerdna" did not hack his way onto the computer. He was given a user account on it. From there, he supposedly escalated his privileges to root. Rest assured, he would have required much more than 30 minutes otherwise. He apparently used old unpatched Unix exploits to do the deed. He tried other things first.
 
Some of the comments at http://rm-my-mac.wideopenbsd.org/notes say that the weakness is in ping, traceroute and malloc. If true, it's certainly a problem. But not a problem any normal user needs to worry about, since it requires the hacker to have an account to exploit.

If I had my own account on a machine, I think I'd be able to do that in half an hour or so, too, and I wouldn't need to do anything all that fancy. There are several password crackers for OS X and other Unix variants. I've helped people use them a couple times (for perfectly legitimate reasons!). Once you get the admin password, you just call 'sudo rm...' and you're done. Of course, a solid admin password might make that impractical.

The lack of confirmed details makes it hard to say anything for certain. But I'm not worried.
 
barhar said:
The (above) post, the article, the self-proclaimed hacker (gwerdna), and/or the alleged victim failed to produce the actual (step-by-step) process(es) of hacking into the Mac Mini. So, until then ...
And if they had posted the instructions for all to read, how many people would be screaming about the irresponsibility of such an action? This is nothing new. Another Australian security expert, who works for my employer, brought to light several issues with Mac OS X, and with the fact that he has contacted Apple more than once and they have still not patched the issues. Things like this are going to start surfacing.
 
MisterMe said:
Close but no cigar. The computer was set up as a test. It had all Unix services turned on. "Gwerdna" did not hack his way onto the computer. He was given a user account on it. From there, he supposedly escalated his privileges to root. Rest assured, he would have required much more than 30 minutes otherwise. He apparently used old unpatched Unix exploits to do the deed. He tried other things first.
I may be reading your comment wrong, so please forgive me if I am...
In one breath you are stating that this is close, but not close enough. In another you are stating that he used unpatched Unix exploits to get things done. If the latter is true, and those exploits exist, this guy could still be lying about what he did and it wouldn't matter one bit. If the issues are there, and they are unpatched, that's all that matters.
 
ElDiabloConCaca said:
I vote we start calling him "AndrewG," just to make him feel silly and come up with a better hacker name... ;)
LOL. Good one. I didn't even notice that. How obvious!
 
dmetzcher said:
I may be reading your comment wrong, so please forgive me if I am...
In one breath you are stating that this is close, but not close enough. In another you are stating that he used unpatched Unix exploits to get things done. If the latter is true, and those exploits exist, this guy could still be lying about what he did and it wouldn't matter one bit. If the issues are there, and they are unpatched, that's all that matters.
Without getting too much into it, I think it safe to say that Satcomer and I were making essentially the same point: that Gwerdna was being given more credit than he was due and that Apple was being given more blame than it is due. It is pretty much universally understood now that Gwerdna did not hack into the Mac. He was given a personal account on a deliberately softened target machine. We have only Gwerdna's word for what he did, but he clearly indicates that he tried other exploits before using a familiar unpatched Unix exploit. Of course, it is significant that Apple has not patched the vulnerability. Our favorite fruit company should be called to account for leaving the hole open if it did. If Gwerdna is to be believed (and this is by no means certain), it begs the question of the entire Unix community, not just Apple, about this vulnerability and why it hasn't been completely eliminated.

Specifically, is it real? Is it an oversight? Is it patched on some systems and not on others? Is it so deeply embedded in the OS that it will require a major rewrite to fix? Is it so insignificant that it doesn't matter in the real world and the rest is just hype? Is it ...?
 
It's true that there seems to be more to this than first meets the eye. If the attack was created using a local account and escalation of local privileges, then that is very different from a machine simply being hacked when operating as a web server. Someone at the University of Wisconsin feels the article is misleading, and so has created his own challenge:

http://test.doit.wisc.edu/
 
I agree with bbloke. There is a world of difference between someone gaining root access when they already have an account on the machine, and someone doing so when they haven't.

I also would like to know a little more about what vulnerability has supposedly been exploited. Was the firewall on? Had any services been activated?

Whenever I make major changes to my machine or network configuration, I perform a few basic hacking tests such as port-scanning and packet sniffing to ensure it is secure. My machine does not even respond to ping with the firewall's "stealth mode" turned on, so I'm not too worried for myself.

As for the "in under 30 minutes" angle, I'd say this is true media hyperbole. A fresh-from-CD install of Windows XP, connected to the Internet, will be infected by a virus in under 30 minutes - before most users even get a chance to get all the patches loaded - and yet we rarely hear about this in the media. So a skilled hacker using unpublished vulnerabilities might be able to hack into a Mac, if said hacker had an account, in the same time an RPC overflow virus can get into a Windows XP machine. I'm not exactly shaking in my shoes here.
 
http://test.doit.wisc.edu/

This site is now down, earlier than scheduled. Was it hacked, or did Apple ask for it to be removed (I seem to remember they did that last time someone set a "hack OS X" task)?

Or is there an entirely other explanation?
 
I don't normally bother talking to myself, but I just found the answer!

They closed it early due to strong response and say they will publish results at a later date. Apparently they had quite a few DoS attacks.
 
Aha, interesting find, Quietly. I had a look on OSNews:

OSNews said:
Here are the results of the challenge launched by the University of Wisconsin to test OS X against hacking. "The response has been very strong; traffic to the host spiked at over 30 Mbps. Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus. The machine was under intermittent DoS attacks. During the two brief periods of denial of service, the host remained up. The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, had two local accounts, and had ssh and http open with their default configurations. There were no successful access attempts during the 38 hour duration of the test period."

The results page still seems to be down, though.
 