OSX Hacked in Under 30 Mins


... Did they enable Apache and all that stuff? ...

an SSH server was set up, and configured to create an account for anybody who connected (via a web form)

Well, everything has holes.

However, if the guy installed Fink and began running strange software, then he just opened the door a bit wider.

OpenBSD is secure by default because the code is audited, and everything provided with it is bound to be "secure". The default install runs almost nothing, hence, why it is also secure.

Slap your non-OpenBSD-audited Apache in there with heaps of junk you compiled yourself and don't keep up with, and you just opened the door.

I kinda wish they gave more details, so far this is drivel.

I could set up a Linux box and add a bunch of services that should not necessarily be exposed to the internet (ldap is one), not filter/firewall, misconfigure it and then act all surprised when my box is rooted.

I know of one vulnerability in OS X that was there until 10.3 that was truly frightening. Applications installed via the GUI by drag and drop had their bundle folder (Application.app) set world-writable.

If that doesn't mean anything to you, let's see... I could, say, move the true executable in the Resource folder away, create a script with the same name as the original executable that will do three things:

1) Copy zsh to somewhere else that is writable (i.e., my account's dropbox)

2) run chmod u+s on the zsh I just copied so that it always runs as the user who ran our wrapper script (this is why we picked zsh here, since it honours the suid flag)

3) run the actual executable.

The result would be that whenever someone ran the now trojaned application, I would end up with a shell that runs with their privileges in my account's dropbox.

Nice way to elevate privileges, no?

That's just the tip of the iceberg. Don't be surprised stuff has holes in it. Only OpenBSD can be slightly trusted due to the massive code audits. But the second you install something they have not audited, all bets are off.

EDIT:

an SSH server was set up, and configured to create an account for anybody who connected (via a web form)

Well, there.

When untrusted people have local access, all bets are off.

This is not really significant, then. If you give local access to untrusted parties, you WILL get rooted. Faster than you could possibly imagine.
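The wrapper-script scenario described in the post above rests on two observable conditions: world-writable paths inside an application bundle (which let anyone swap the real executable for a wrapper), and set-user-ID executables turning up in user-writable locations (which is how the swap becomes a persistent shell). The POSIX shell script below is an added example written for this page, not code from the thread, from Apple or from any hardening guide; it audits a tree for both conditions so an administrator can spot them. The directories passed to it (`/Applications`, a user's `Public` folder) are assumptions about where such an audit would be pointed.

```shell
#!/bin/sh
# Added defensive check (not from the original thread). Audits a filesystem
# tree for the two conditions described in the post above:
#   1) world-writable paths inside .app bundles, which would allow the bundle's
#      executable to be replaced by a wrapper script;
#   2) set-user-ID regular files in a user-writable tree, which is the
#      persistence mechanism the post describes (a copied shell with u+s).
# Assumed usage: audit_report /Applications /Users/someone/Public

# Print every world-writable file or directory inside a .app bundle under $1.
# Symlinks are skipped because their mode bits are meaningless on most systems.
audit_bundles() {
    root=$1
    find "$root" -path '*.app/*' -perm -0002 ! -type l 2>/dev/null
}

# Print every regular file carrying the set-user-ID bit under $1.
audit_suid() {
    root=$1
    find "$root" -type f -perm -4000 2>/dev/null
}

# Run both checks, print any findings indented, and return 0 only when the
# tree is clean (so the function can drive a cron job or a CI gate).
audit_report() {
    apps=$1
    home=$2
    rc=0
    ww=$(audit_bundles "$apps")
    if [ -n "$ww" ]; then
        echo "world-writable paths inside application bundles under $apps:"
        echo "$ww" | sed 's/^/  /'
        rc=1
    fi
    su=$(audit_suid "$home")
    if [ -n "$su" ]; then
        echo "set-user-ID executables under user-writable tree $home:"
        echo "$su" | sed 's/^/  /'
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "no findings under $apps and $home"
    return "$rc"
}
```

On the 10.3-era systems the post describes, a clean result from `audit_bundles` on `/Applications` is the property that was missing: no path inside a bundle should be writable by anyone but the installing administrator. The setuid check is the companion test for the second half of the scenario, since a setuid binary inside a home directory, drop box or other user-writable tree has no legitimate reason to exist.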

I have to say, having just switched to a Mac and playing with things, I don't doubt a Mac can be hacked in 30 min or so. However...

If you do leave blatant doors open, I can't really be surprised. I'd like to see this test run in a more... home-user sort of way.

Dispense with Apache/PHP, don't bother with the LDAP authentication etc. Just use the recovery discs to install, update to 10.4.5, maybe put a copy of Office 04 and Pages in, and a nice trophy file somewhere outside the user's home directory...

I think testing it as a server is weak as he didn't use the SERVER version of OSX (unless I misread), which has numerous extra features, security patches, and a different way of running things IIRC.

And OK, if the guy takes an hour to break the box, and even then can only access certain areas, then fair enough. But I have to say, without SMB, FTP and SSH enabled (all disabled out of the box), I can't see this being a very fruitful hack without some sort of interaction (i.e. a trojan).

This is exactly what I have been saying since day one: there is no such thing as security by obscurity (or minority).

Discuss. Go.

Erm, doesn't your post actually prove security by obscurity? OSX users aren't overrun by hackers and virii not because the OS is more secure, but because it's more obscure...the definition of 'security by obscurity'.

"If you listen carefully you can hear fanboys' hearts breaking....." comes to mind :whistle:

Like I said, Macs are like any other OS and are bound to get hacked. No OS is 100% secure. Even with the amount of security stuff you bundle on, the ports you close and the apps you stop using, it will still get hacked. It's a matter of time; no amount of protection can protect anything. It's like a car: to keep it working you need to change a few things, mainly the tyres, so it can run smoothly. Well, the same thing will have to happen to a Mac as well. It adapts like any other OS that's getting targeted. It will adapt to fix the issues, as if you don't adapt you die out.

It's also a matter of time before Apple catch on to the holes in the OS. It would be nice for us Mac users if the guy running this sent the logs and such to Apple so they can patch it and release a fix.

Translation; Someone finally told me what I wanted to hear. :rolleyes:

Heh, yeah.

This is not going to end though. Each side is going to stick to their guns. People are going to say "This is a load of bull" because they don't believe there is enough evidence (although for some, there will never be enough evidence :rolleyes: ). Others are going to say "It was bound to happen" because nothing connected to the Internet is secure, no matter how much you want it to be.

I'm with the latter group. You cannot expect something to be safe if you put it onto the Internet.

Regardless of whether it is true or not, it was an interesting read. Thanks for sharing with us.

Translation; Someone finally told me what I wanted to hear. :rolleyes:

Translation: Someone actually agreed with the fact that not much is known about the experiment and you cannot make a valid statement based on assumptions.

Translation: Someone actually agreed with the fact that not much is known about the experiment and you cannot make a valid statement based on assumptions.

Does that mean you're done pouting now? :sleep:

Heh, yeah.

This is not going to end though. Each side is going to stick to their guns. People are going to say "This is a load of bull" because they don't believe there is enough evidence (although for some, there will never be enough evidence :rolleyes: ). Others are going to say "It was bound to happen" because nothing connected to the Internet is secure, no matter how much you want it to be.

I'm with the latter group. You cannot expect something to be safe if you put it onto the Internet.

Regardless of whether it is true or not, it was an interesting read. Thanks for sharing with us.

No one is saying that Mac OSX is perfectly safe; can you not flip a couple of pages back and read the comments? Of course nothing is safe, and only someone with a limited amount of experience can say that it is. But what is also not right is people automatically assuming something isn't safe because someone attempts a break-in and succeeds when the computer was specifically set up for that. When you create an experiment you do so in a way that won't render biased results. This guy set his computer up to be hacked, so of course it could happen (it could happen either way). But if you take the necessary precautions and use some common sense, you stand a better chance of being left alone by someone wanting access to your computer. Bottom line: as long as there is an internet, there will be a chance for security to be compromised, and no amount of security equipment will guarantee a safe computer experience, as has been previously stated multiple times. Now, people, stop calling me a fanboy because I am not "rooting" for anything. I am not the type of person that gets something and goes around telling people it is the best. I simply have a Mac because my university asked for one, simple as that!

Edited by obsolete_power
I agree. Nothing is safe unless it's unplugged from the internet.

I'd rather have a hacked OS than an OS controlled by a corporation, where they can do anything (steal all your data, and use it against you) with the computer you paid for...

I'd rather have a hacked OS than an OS controlled by a corporation, where they can do anything (steal all your data, and use it against you) with the computer you paid for...

Yes, but many don't have the alternative. To use Mac OS, you need to buy a Mac, and you can only buy it from the Apple Store or an authorized reseller. You cannot build your own to save money. You either buy the exact model that Apple released or you take your business elsewhere. PC is great since you can get one based on your budget and needs. But the bad thing is that almost everyone will get Windows because, frankly, Linux is not a great alternative for the average user unless he uses the installed software and does nothing else such as install drivers and system files etc. People are pretty boxed in when it comes to computers. Microsoft can pretty much do anything they want and they will come out on top either way, because they know that people have very limited alternatives. It is rather sad...

Whoever says that installing Apache, MySQL, PHP, etc. doesn't mean anything for the home users does not get the point of the test. I think everybody knows how well Macs compare to Windows in terms of safety for regular home users (for whatever reason); you don't need to make a hack-my-box competition to figure it out, statistics are enough. The competition showed the vulnerability of the Mac OS as a SERVER, and they did not even think about you home users.... Who would want to hack a particular Mac computer anyway??? I am sure they care for our emails and apps :? The server is what is important in terms of hacking (do not mix this up with virii), for only servers are generally the subjects of break-ins.

I'd rather have a hacked OS than an OS controlled by a corporation, where they can do anything (steal all your data, and use it against you) with the computer you paid for...

lol..Oh ok Mr. Orwell :rolleyes: You must be referring to Google who is stealing all your data and using it against you.

I never said I disliked OSX, but I despise Apple, and there is a very big difference there. I will never buy an Apple computer just to get OSX; I will simply... seek alternatives. I don't love Windows either, but it works for me. Sure, it has its problems, but it's hardly any worse than OSX.

Translation: Someone actually agreed with the fact that not much is known about the experiment and you cannot make a valid statement based on assumptions.

Oh, you mean nobody except you can make a valid comment on the experiment? Because you have made quite a few on the experiment. But of course you are right and everyone else is wrong. And people are calling you a fanboy based on your replies; you were making the typical short responses, with no explanation needed.

No one is calling anyone a fanboy, because we all know what that will lead to. So let's move along and get back to the topic at hand...

lol..Oh ok Mr. Orwell :rolleyes: You must be referring to Google who is stealing all your data and using it against you.

I never said I disliked OSX, but I despise Apple, and there is a very big difference there. I will never buy an Apple computer just to get OSX; I will simply... seek alternatives. I don't love Windows either, but it works for me. Sure, it has its problems, but it's hardly any worse than OSX.

I have to agree with you on the second statement. Unfortunate, but true.

Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

"The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users. There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.

Gwerdna concluded that OS X contains "easy pickings" when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added gwerdna.

Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.

In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms. If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.

An Apple Australia spokeswoman said today it was unable to comment at this stage.

http://www.zdnet.com.au/news/security/soa/...39241748,00.htm

Granted, it looks like he did give everybody SSH access. So it really shows that it is unsuitable as a server, as opposed to a desktop.

https://www.neowin.net/forum/index.php?show...#entry587277240

Sometimes I wonder why I bother...

I agree, you gave a very good explanation of the hows and whys, but people don't wanna read more than a few lines.

Fact is, Neowin is full of trolls.

And it took 5 minutes for an automated program to take over an XP machine without any conscious effort.

What does this prove again? :p

If I remember correctly, did Apple or some other organization offer some $$$ for whoever could hack OSX? If the hacker really did hack that Mac mini, shouldn't he be getting the $$$ by now?
