Re: Mac OS X hacked under 30 minutes



This story should be titled: "hackers given keys to house"; police
report: home entered 30 minutes later. So now that we all know it wasn't
an exploit, this is what "actually" happened:

Late last month, a Swedish Mac fan posted a web site that challenged all
comers to "rm my Mac," referring to the age-old Unix utility used to
delete files. The machine was a PowerPC-based Mac mini. According to the
site owner,

It runs a default install of Mac OS X Tiger, plus fink and some
decent versions of Apache, MySQL and PHP. Software Update recently
updated it to Mac OS X 10.4.5 and fixed some security issues. Yup, I
should be pretty secure, shouldn't I?

Six hours later, the machine was hacked and the web page defaced. While
the web site author said he was "quite confident this poor Mac will get
rm'd at some point in time" the six hour time to hacking was quite a
surprise to him. As there was no cash prize associated with the contest,
just a friendly challenge by an enthusiast to the web community, the
story gained very little traction. However, following a ZDNet interview
with the hacker, the Internet was suddenly abuzz with people talking
about the story. The hacker, known only as "gwerdna," explained what he
did to gain root on the machine:

"It probably took about 20 or 30 minutes to get root on the box.
Initially I tried looking around the box for certain mis-configurations
and other obvious things but then I decided to use some unpublished
exploits--of which there are a lot for Mac OS X," the hacker said.

So is this a major story of a Mac OS X vulnerability, or a non-issue?
The answer is that it's neither. To dig a little deeper, let's start by
looking at the technical details of the hack.

Firstly, the hack was that of privilege escalation, not a pure remote
exploit. The web site author had enabled SSH, the Unix "Secure Shell"
tool that has replaced telnet as a means for accessing networked
machines from the command line. He then configured an LDAP (Lightweight
Directory Access Protocol) database and added a web-based interface so
that visitors to the site could add their own shell accounts to the
system. These shell accounts were given limited user access, so in
theory they should not have been able to access or modify any files that
were owned by the system or by other accounts. The hacker used a
vulnerability in OS X to promote the privileges of this account, thus
"gaining root" and becoming able to modify any file on the computer at
will.

Needless to say, most web servers are not set up with the ability to
give out free shell accounts to anyone who wants one. SSH is not even
enabled by default on OS X, although server administrators can choose to
do so if they wish. So the "hacking" contest was not very indicative of
the security of an OS X computer, even a web server, that is set up open
to the Internet. However, this does not mean that the contest was of no
significance whatsoever.

The Macintosh community has had a long fascination with "hacking
contests." As early as 1997, Apple Europe endorsed a German-based
"Hack-A-Mac" contest, where the winner had to deface a web page hosted
on Mac OS 8 in order to win. That contest ended in controversy, with the
site owner claiming that the winner, who did indeed modify the site's
contents, exploited a vulnerability in a non-Apple third-party software
package and so was not entitled to his reward. Ever since then,
Macintosh owners have submitted dozens of hacking competitions, some of
which have been hacked, and some of which have not. In fact, a new
contest has just gone up in response to the one talked about in this
story.

The real significance to this particular contest is not that the site
was hacked (it was) or that the operator gave would-be hackers far more
initial access than was necessary or even sensible (he did). It was not
even that there are potential security holes in OS X, as this is
well-known to any Macintosh user who reads the notes accompanying
Apple's security patches in Software Update (the most recent of which
fixed 20 known issues in the OS). No, the real lesson from this contest
should be this: security is a non-trivial problem, and simply choosing
one operating system or platform over another does not automatically
solve the problem with no further thinking required.

Security has always been a balance between features and protection.
After all, one can take any machine, disconnect it from the Internet and
lock it in a steel safe, and have perfect security, but this would
render the machine useless. The server operating system widely regarded
as being the most secure, OpenBSD, gains much of its impressive record
by merely not installing any services unless the administrator takes
steps to deliberately enable them. Interestingly enough, the one remote
hole found in the default install of OpenBSD over the last eight years
was a flaw in OpenSSH. Yet despite the implications for security, SSH is
a useful tool that many people wish to use on their servers to make
their jobs easier.

And sometimes, security isn't even about the operating system at all. In
2004, a vulnerability in the popular PHPBB web-based bulletin board was
exploited by a Google-using attack bot. Over 70 thousand systems were
defaced by this worm, which slipped right through a hole in the PHP
server. Windows, Macintosh, and Linux systems were affected equally.
Security by obscurity did not help one bit, as Google leveled the
playing field for everyone on the Internet. As our computing systems
become more complex and we continue to layer more and more third party
software on top of our operating systems, everyone needs to be aware of
the issues and practice Skeptical Computing.

http://arstechnica.com/news.ars/post/20060306-6321.html