OSX Hacked in Under 30 Mins


Recommended Posts

Yvo

Exactly as already been said mac is the most secure o/s out PERIOD END OF DISCUSSION, is it hack prrof no but most secure yes, enough said.

It is the most secure OS for the common user. Yes. However server wise it still has quite aways to go. For one they need to stop bundling apps like the iPod updater, iCal, and client apps in their server distro. That really bugs the poop out of me.

hardly, but that's another story.

Any OS can be hardened to the point of being very secure, but any OS can also be pathetically vulnerable when used by a person who doesn't know any better.

You both are what markjensen described as disgruntled windows user and so is a guy from 2 pages back (rootweller). All you care about is seeing an alternative OS fail so you can stomp on it, shame on you both. This test that they performed isn't that great and it has been mentioned time and time again in this thread. Not to mention that if I install Windows on a box (whether XP, 2003 or 2003 R2) it catches something nasty on it by a default installation within 15 minutes of just sitting online.

At least on an unsecure Mac with users having SSH access and what not it took a full 30 minutes and the hacker had to know the IP for the machine. That brand new Windows box? It took 15 minutes without handing out the IP to anyone.

I'm no a full fledged fan boy, but you two obviously have some major bias. Shame on you once again for attempting to start an obvious discussion that would turn negative.

Edited by Yvo
Link to post
Share on other sites
xxdesmus

You both are what markjensen described as disgruntled windows user and so is a guy from 2 pages back (rootweller). All you care about is seeing an alternative OS fail so you can stomp on it, shame on you both.

I'm no a full fledged fan boy, but you two obviously have some major bias. Shame on you once again for attempting to start an obvious discussion that would turn negative.

Are you kidding me? As stated about 5-6 posts above, I don't love Windows, but I also don't like OSX. They both have a few strengths, but they also have a fair amount of flaws. It's just a matter of selecting which sucks less. I would be very interested in seeing the difference in your opinion between a disgruntled Windows user and someone who just doesn't like your precious OSX. lol... :rolleyes:

As for starting a discussion that would turn negative? What else should I do? Pat him on the head and say "Sure, you are absolutely correct, I don't disagree with you." Yeah, that's not going to happen. :whistle:

Link to post
Share on other sites
C-M

No need to turn this into a flame thread. But eh, of course OS X could be hacked, Windows and Linux can be hacked too, everything can be hacked, so I really don't see this as much as a surprise.

Link to post
Share on other sites
gryffin

lets say mac had windows shere of the market

mac would be ****ed in a few hours, i mean seriously ****ed

you fail to realize that theres massive amounts of money involved here. Cracking groups make millions of 0-day exploits etc, they work damn hard in exploiting windows, and look at the amount of patching microsoft does, mac would be damaged badly until patches caught up with the early damage (years imo)

Link to post
Share on other sites
C-M

Right, and Windows has had a perfect record with security.

They're both far from perfect. >:\

Link to post
Share on other sites
Miuku.

Aftering reading this several times - it boils down to this:

This is not a competition to see whether the OS was exploitable remotely but rather how to gain root access by local privilege escalation.

It's comparable to giving a user an account on an XP/2k3 machine with full remote desktop capabilities and asking them to gain Administrator privileges. Not asking them to break into the box from the outside without any real access to the box.

Link to post
Share on other sites
w1r3d

after readin a couple of posts about how all of u experts know about OS security and how it was the guy who configured the boxs fault and not the OS, or that because apache was installed or php and blah blah blah... i thought i should let u know a little about hacking

as you can see this machine was setup to be accesible on the internet and for that u need apache and it apears they also setup php like any other decent server out there....

ok so php is vuln and u gain acces, php doesnt give u root so somethin else had to be done, so maybe apache was vuln and he got more priviliges but hey.... not root... now... to prove osx is vuln just do a search on google for local root exploits for osx and you will see that once u gain some kind of acces in a osx box u can get root because the OS itself is VULN....

http://milw0rm.com/parse.php?platform=osX

see???

Link to post
Share on other sites
dyl4n

after readin a couple of posts about how all of u experts know about OS security and how it was the guy who configured the boxs fault and not the OS, or that because apache was installed or php and blah blah blah... i thought i should let u know a little about hacking

as you can see this machine was setup to be accesible on the internet and for that u need apache and it apears they also setup php like any other decent server out there....

ok so php is vuln and u gain acces, php doesnt give u root so somethin else had to be done, so maybe apache was vuln and he got more priviliges but hey.... not root... now... to prove osx is vuln just do a search on google for local root exploits for osx and you will see that once u gain some kind of acces in a osx box u can get root because the OS itself is VULN....

http://milw0rm.com/parse.php?platform=osX

see???

Maybe you should concentrate more on spelling than on "hacking".

Link to post
Share on other sites
mikeyj
after readin a couple of posts about how all of u experts know about OS security and how it was the guy who configured the boxs fault and not the OS, or that because apache was installed or php and blah blah blah... i thought i should let u know a little about hacking

as you can see this machine was setup to be accesible on the internet and for that u need apache and it apears they also setup php like any other decent server out there....

ok so php is vuln and u gain acces, php doesnt give u root so somethin else had to be done, so maybe apache was vuln and he got more priviliges but hey.... not root... now... to prove osx is vuln just do a search on google for local root exploits for osx and you will see that once u gain some kind of acces in a osx box u can get root because the OS itself is VULN....

http://milw0rm.com/parse.php?platform=osX

see???

Hey listen, that explanation is not good enough...but I'll give you the benefit of the doubt as you demonstrate to the rest of us how this hacker hack OSX..

Link to post
Share on other sites
fels

A little fact alot of you seem to be missing is that the page was defaced, but he wasn't rooted. Apache exploitation, deface the bage, bam. Easy.

Link to post
Share on other sites
w1r3d

Maybe you should concentrate more on spelling than on "hacking".

maybe not

and... defacing a site is alot diferent than gettin root acces, but once u have enough acces to deface a site u most likly have the oportunity to get root acces IF the OS is VULN which in this case it is... and let me tell you something, this is nothing new, it is to all of u who dont do this, hackers that r smart enough to be able to hack a linux box or a windows box can also hack a osx box, is the same thing, i know haha is just that if u go raging in google hacking every site u find u r pobably gonna en up hacking 100 linux servers 20 windows and 1 osx and u know why is that??? cuz theres alot more linux servers out there and more windows than osx, thats the same reason why theres less exploits for OSX but that doesnt make it safe.

Link to post
Share on other sites
Slimy

I've been saying this for quite a while and this proves my point. It's just not as popular, and hence there's not as many people that actually care to find security holes. It probably has more than windows, just because less have been found and patched. Same goes for firefox + opera, the more popular they get the more holes will be found. Either way, use what you want and don't be stupid. That works 99% no matter what os or browser you use.

Link to post
Share on other sites
lawtai

heh pretty funny.

Link to post
Share on other sites
Andrew Lyle

mac has more security holes then windows, they just haven't been discovered yet..

Link to post
Share on other sites
w1r3d

mac has more security holes then windows, they just haven't been discovered yet..

i wont be so sure, but yeah why not... we?ll never know, all i know is that both windows and osx can be hacked even by someone not so talented like..... me lol

Link to post
Share on other sites
hotwire

this is interesting

would be cool to see a video of that hacker in act.

Link to post
Share on other sites
User6060

Whenever Apple releases security updates does anyone ever wonder why you never hear about these vulerabilities until they've been fixed?

eg.

About Security Update 2006-001 Mac OS X 10.4.5 Client (Intel)

Security Update 2006-001 is recommended for all users and improves the security of the following components.

apache_mod_php

automount

Bom

Directory Services

iChat

IPSec

LaunchServices

LibSystem

loginwindow

OpenSSH

rsync

Safari

Syndication

could you find these issues and exploits on security websites and in the news that things needed patching before this was released?

Link to post
Share on other sites
Intersect

was this mac behind any sort of firewall software or hardware?

Link to post
Share on other sites
fr8t

WOW... never saw this coming from a mile away. ;)

Who in their right mind would ever try to delude themselves into believing that OSX was anymore secure than any other OS... Oh my bad, the zealots and narrow minded fanatics do. :p

Mark my words... This silly arse debate will be repeated once again when Vista is out. Hahahaha

Link to post
Share on other sites
mr_daemon

I'd like all of you to read this again, because obviously nobody grasped the point.

http://www.neowin.net/forum/index.php?show...#entry587277156

And also this:

after readin a couple of posts about how all of u experts know about OS security and how it was the guy who configured the boxs fault and not the OS, or that because apache was installed or php and blah blah blah... i thought i should let u know a little about hacking

as you can see this machine was setup to be accesible on the internet and for that u need apache and it apears they also setup php like any other decent server out there....

ok so php is vuln and u gain acces, php doesnt give u root so somethin else had to be done, so maybe apache was vuln and he got more priviliges but hey.... not root... now... to prove osx is vuln just do a search on google for local root exploits for osx and you will see that once u gain some kind of acces in a osx box u can get root because the OS itself is VULN....

Is laughable.

Come back in a few years when you are no longer a script kiddy/wanna be hacker with a wee bit more experience under your belt, and when you no longer randomly state things that have no relevance whatsoever to the subject at hand.

And also, do work on your spelling a bit, it would help us understand your statements better. I mean, it doesn't take much longer to write vulnerable than "VULN".

I'd like to point out that Apache and PHP had nothing to do. You were given a shell account. The guy then escalated privileges.

That could have been done in any way, I just described one earlier in the post I linked.

I really wonder why I bother.

this machine was setup to be accesible on the internet and for that u need apache and it apears they also setup php like any other decent server out there....

This made me shake my head in disaproval.

PHP is not vulnerable in itself. Crappy applications like phpBB and PHP Nuke are.

But yeah, I'll stop wasting my time explaining all this over again. You go back to running metasploit, kid.

Link to post
Share on other sites
freedom77

ok soo whats the deal with this.. is this real.

Of course the mac is just as vunerable to a virus as any computer, and the fact that mac used much much less than windows, perhaps apple saw they didn't need to have high security just yet.

or maybe iam wrong maybe they have a super secure system.

Link to post
Share on other sites
DAaaMan64

I've been saying this for quite a while and this proves my point. It's just not as popular, and hence there's not as many people that actually care to find security holes. It probably has more than windows, just because less have been found and patched. Same goes for firefox + opera, the more popular they get the more holes will be found. Either way, use what you want and don't be stupid. That works 99% no matter what os or browser you use.

agree

Link to post
Share on other sites
NienorGT

For me, Windows can be hacked in 5 minutes, OSX in 30 Minutes and Linux in 1 hour...

This mean: Nothing is secure and can be hacked at the end of the story... :rolleyes:

Link to post
Share on other sites
Denis W.

Please let me.

One fact that the ZDnet article failed to mention is that they were giving away local user account to everybody who wanted it, so anybody could access the machine through SSH. Therefore, this was not a remote exploit, it was a local exploit. If you really want to challenge yourself and "hack" a Mac go here.

Give me local access on Windows, Linux or any operating system and I'll find a way to gain administrator (root) access in 30 minutes. This proves nothing. It might prove that there are local "unpublished" exploits for the Mac, but you have to be inside the machine first to be able to use them.

Mac OS might not be the most secure OS out there - and it isn't, no system is - but by default it is secure enough. Besides the test was done on a desktop machine. Do the test on a server Mac and we'll see who can hack it. I might be wrong but the US Army won't go wrong. I'm sure of that one fact.

According to the article the hacker's name was "gwerdna." Now that sounds pretty random until you write it backwards: Andrew G. Matter fact here's his/her/its website. I am probably wrong but a "hacker" who might use that name is not really a hacker. At least not a good one.

:blink: That last paragraph's very interesting.

Link to post
Share on other sites
aristotle-dude

I don't know if it was mentioned in this thread yet but the hacker did not break in within 30 minutes but rather it took 30 minutes to finish the hack job after taking hours to hack and discover the "local" vulnerability.

This was not a remote vulnerability and the box was setup totally open rather than how the default configuration of the client version is setup.

I'm sure Apple will release a patch for the local vulnerability soon.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.