Re: Mac `owned' in hacking competition
- From: Tim Auton <tim.auton@xxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Apr 2007 13:36:34 +0100
PeterD <pd.news@xxxxxxxxxxxxxxxxx> wrote:
> [snip]
> The difference between LAN and WAN access is that if the target machine
> is inside a firewall, simply running a Java applet isn't going to give
> you the necessary access to the machine. That java applet won't change
> the router's port forwarding rules. That's why the guy that wrote the
> website code wasn't the guy who won the MacBook Pro, because he didn't
> have the physical proximity to get onto the machine's LAN.
The firewall or a NAT router only stops connections initiated from
outside. That doesn't matter, because you can just set up a connection
from inside. You can set up the connection from inside because you can
execute code on the target machine. Once the connection is up and
running, data can travel both ways. You just need to set up the right
sort of connection.
As an example, ssh will let you set up forwarded ports in both
directions. You start an ssh session from the target machine (this is
what the payload in your Safari exploit does), which connects to your
machine running an ssh server, anywhere on the internet. The firewall
allows this, because the connection comes /from/ the target machine.
From now on, everything runs through that one connection. Specifically,
the payload sets up an ssh port forwarding session (port X on server is
'tunnelled' to port Y on target); you now have a tunnel which allows you
to access any port you desire on the target machine by connecting to the
right ports on your ssh server. Your payload also installs an ssh key on
the target machine, which bypasses the need to enter a password when
you, the attacker, connect. Thus, there is no need to actually know the
user's password. You can now ssh to port X on your server, which will be
forwarded to port 22 (ssh) on the target machine down the tunnel you set
up earlier (the connection goes into port X on your ssh server, down the
tunnel, then out of an arbitrary port on the target machine and then back
in to port 22 on the target machine). You enter the passphrase you
configured when you installed the ssh key and there you have it, one
shell on the target machine, straight through the firewall, using only
the tools already installed on any OS X machine.
Requiring a password to turn on Remote Login (i.e. the ssh server) in
System Prefs won't help, the attacker can just install their own ssh
server. Or they could use a custom application which provides the
necessary remote access without all the faff with ssh. I could knock
something up in half an hour.
The firewall thing is really not a difficult problem to solve once you
can execute your code on the target machine.
Tim
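The post describes two artefacts a defender can look for: a long-lived outbound ssh connection from an end-user machine to an arbitrary internet host, and an ssh key dropped into the user's authorized_keys. The following Python is an added example, not code from the original post or any tool it mentions; it runs two such checks over constructed sample data. The flow-log line format, the workstation and internal address ranges, the bastion allowlist and the baseline key set are all assumptions made for the example.

```python
"""Two defender-side checks for the reverse-ssh-tunnel pattern described above.

Added example (not from the original post). Both inputs are constructed:
  * SAMPLE_FLOWS: simplified egress flow records, one per line, in the assumed
    format "<start_ts> <src_ip> <dst_ip> <dst_port> <duration_s>".
  * SAMPLE_AUTHORIZED_KEYS: the text of a user's ~/.ssh/authorized_keys.
"""
import ipaddress

# Assumed address plan: end-user workstations live in WORKSTATION_NET, and
# INTERNAL_NETS is everything the organisation owns. TEST-NET ranges are used
# for "internet" addresses, so we deliberately avoid ipaddress.is_private,
# which classifies those documentation ranges as non-global.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_SSH_DESTINATIONS = {ipaddress.ip_address("203.0.113.10")}  # assumed bastion
LONG_LIVED_SECONDS = 600  # a tunnel held open for control is typically long-lived


def parse_flow(line):
    """Parse one constructed flow record into a dict of typed fields."""
    ts, src, dst, port, dur = line.split()
    return {"start_ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dst_port": int(port),
            "duration_s": int(dur)}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_suspicious_flow(flow):
    """Workstation -> external host on 22/tcp, not an allowlisted bastion,
    and held open long enough to be a control channel rather than a quick
    interactive login. Short sessions are intentionally not flagged here."""
    return (flow["src"] in WORKSTATION_NET
            and flow["dst_port"] == 22
            and not is_internal(flow["dst"])
            and flow["dst"] not in ALLOWED_SSH_DESTINATIONS
            and flow["duration_s"] >= LONG_LIVED_SECONDS)


def find_suspicious_flows(lines):
    return [f for f in map(parse_flow, lines) if is_suspicious_flow(f)]


KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ssh-dss")


def key_identity(line):
    """Return '<type> <base64 blob>' for an authorized_keys line, skipping any
    leading option list (e.g. no-pty,command="...") and the trailing comment."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok + " " + tokens[i + 1]
    return None


def unexpected_keys(authorized_keys_text, baseline_identities):
    """Lines in authorized_keys whose key material is not in the baseline set."""
    unexpected = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        identity = key_identity(line)
        if identity is None or identity not in baseline_identities:
            unexpected.append(line)
    return unexpected


# Constructed sample data.
SAMPLE_FLOWS = [
    "2007-04-23T13:00:01 10.20.5.17 203.0.113.10 22 3600",   # allowlisted bastion
    "2007-04-23T13:02:11 10.20.5.17 198.51.100.44 22 5400",  # long-lived, external
    "2007-04-23T13:05:00 10.20.5.17 198.51.100.44 443 30",   # not ssh
    "2007-04-23T13:06:30 10.20.5.17 198.51.100.77 22 40",    # short session
    "2007-04-23T13:07:00 10.20.9.3 10.20.1.1 22 7200",       # internal destination
]
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample ~/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEowner00000000000000000000000000 alice@laptop
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEunknown00 unknown@unrecognised
"""
BASELINE_KEY_IDENTITIES = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEowner00000000000000000000000000",
}

if __name__ == "__main__":
    for f in find_suspicious_flows(SAMPLE_FLOWS):
        print("suspicious outbound ssh:", f["src"], "->", f["dst"], f["duration_s"], "s")
    for line in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_KEY_IDENTITIES):
        print("unexpected authorized key:", line)
```

Only the second flow is reported: it is the one combination of workstation source, external destination, port 22 and a long duration; the bastion session is allowlisted and the 40-second session is below the threshold. The key check compares type and key blob rather than whole lines, so an added option prefix or a changed comment cannot hide a key that matches the baseline, and any key whose material is not in the baseline is reported.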