OSX Hacked in Under 30 Mins

[kin]

i had plans to buy a mac in a couple weeks :blink:

[highsea]

okay guys lets put this into perspective.

this is a b.s comp it's like giving hackers restricted limited user accounts on an XP RDC and ask them to compromise the admin profile... It's sorta rediculous if you ask me.

Okay first person to rape my wife in bed gets a cookie.... here are the keys to my house and this is where the room is... that puts it into perspective hey? :pinch:

[smooth_gt]

BS

plz read this

"CNet is reporting on a competition set up by a Sweden-based Mac site called "rm-my-mac".

The competition set up a Mac mini as a server and invited hackers to break in and gain root control. The winner, identified as "Gwerdna", claims that he exploited a "vulnerability that has not yet been made public or patched by Apple Computer."

Arstechnica explores the exploit a little further and reveals that the competition was a bit unusual in that it didn't represent an entirely remote exploit:

The web site author had enabled SSH [ ... ] and added a web-based interface so that visitors to the site could add their own shell accounts to the system. These shell accounts were given limited user access, so in theory they should not have been able to access or modify any files that were owned by the system or by other accounts. The hacker used a vulnerability in OS X to promote the privileges of this account, thus "gaining root" and becoming able to modify any file on the computer at will.

The University of Wisconsin has posted a rebuttal challenge due to the "woefully misleading" coverage.

...this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box.

While this means your Mac OS X machine is still generally safe when connected to the internet, it shows you do need to be careful in providing accounts to individuals you do not trust."

[+virtorio MVC]

There are so many problems with this "test" I could go on for some time, but I'm not and am simply going to save time and disregard it.

i had plans to buy a mac in a couple weeks

Don't let this piece of high-school quality journalism change your mind.

[Joni_78]

Wow, that was fast.

[Matt T]

IMO mac's and there OS is junk so... LA LA LA

Just like your spelling?

I don't see why this is so interesting to a lot of you. Of course OS X can be hacked. Any computer connected to the Internet can. However the fact remains that OS X is far more secure than Windows XP. Whether or not that is because of it's low market share is irrelevant - but Apple made some very wise engineering choices when they built OS X. It is far from perfect - of course it will have problems, holes, and eventually viruses and malware.

[bobbba]

mac has more security holes then windows, they just haven't been discovered yet..

If they haven't been discovered yet, how do you know they are there? Oh wait, you don't...

[Yvo]

Well thankfully it seems someone has the right senses to put up a properly configured machine and then call it a security challenge....

http://test.doit.wisc.edu/

I'm hoping that it will be still online by Friday. If it is, it truly is a huge blow to the Windows zealots hanging around in this thread. As it stands I can still plugin a Windows computer with its default configuration and it will have junk "inside its trunk" within hours.

[.Neo]

If they haven't been discovered yet, how do you know they are there? Oh wait, you don't...

:laugh:

[Wickedkitten Veteran]

an extrended link from macworld

http://www.macworld.co.uk/news/index.cfm?email&NewsID=14029

Mac OS X hacker tale rebuked

By Macworld staff

A new Mac OS X hacker competition has been launched at the University of Wisconsin.

The competition ends on Friday March 10. Hackers are being asked to change the front page of a website that's stored on a Mac mini: "Running Mac OS X 10.4.5 with Security Update 2006-001, two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open."

The competition is a response to a report on ZDNet news this week, which claimed a hacker had managed to break into Mac OS X in under half an hour.

What that report didn't explain was that anyone who wanted to try to hack that test Mac was given a local account on the machine which could be accessed using SSH. This effectively put the hacker in front of the machine and made the exercise much easier to accomplish.

The organisers of the new Mac hack competition said: "Yes, there are local privilege escalation vulnerabilities for OS X; likely some that are 'unpublished'. But this machine was not hacked from the outside just by being on the internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction."

Most consumer Macs won't hold user accounts for unknown people, won't have any ports open and will most likely be behind a firewall, making the earlier Mac OS X hacking exercise unrepeatable.

Macs cannot be hacked "just by being on the internet", the competition organisers stressed.

[bobbba]

This whole test has been discredited because of the way it was setup. Gag the trolls, put out the flames and end the debate :yes:

[Qumahlin]

i wont be so sure, but yeah why not... we?ll never know, all i know is that both windows and osx can be hacked even by someone not so talented like..... me lol

Want to bet? I have faith you couldn't hack a OSX box with a default setup.

Just like the supposed hacker in this contest...sure if you give every joe schmo a key to your house (which is that the contest holded did when he allowed ANYONE to actually create an account on the box) someone is going to break in

You seem to fail to understand the issues with how the contest was held and how it was held badly and how no security "test" would ever make the horrible mistakes and setup that this person did.

If you think your mediocre talent is enough to break into windows/osx then I can gladly setup a OSX box for you to attempt on that has nothing but OSX and the webserver running. You of course will NOT get an account on the machine because that is asinine and noone would do that ever (except for the idiot that held that first contest)

Sorry, but you seem to lack the grasp of basic security fundamentals and how they were not followed.

When you don't follow even the most basic of security of course any OS can be hacked, the difference is without someone CREATING AN ACCOUNT FOR HIM ON THE BOX he has no way of repeating what he did.

Do you understand yet?

if u go raging in google hacking every site u find u r pobably gonna en up hacking 100 linux servers 20 windows and 1 osx and u know why is that??? cuz theres alot more linux servers out there and more windows than osx, thats the same reason why theres less exploits for OSX but that doesnt make it safe.

This argument has been proven wrong repeatedly. I suggest you start googling as to why the whole "its not hacked because it has less market share" is BS to a large extent.

The reason there is not alot of hacks running wild is because currently its very hard for anyone to hack a OSX box without cooperation by the user. Any sort of install or change to key system featuresrequires the admin password be inputted MANUALLY. Now while there are privledge execution exploits on OSX the thing is to take advantage of them you must FIRST GET ON THE BOX. Now how do you plan on getting the box unless you have an account on it? Which exploit are you going to use to do that? Oh thats right, there currently isn't one.

This means spyware/adware/trojans and other typical infections vectors are rendered impossible because to infect the box they must first gain access to it which they can't do without SOMEONE typing in the admin password. This requires user intervention which means to get infected the user has to be an idiot, or has to do it knowingly. Unlike the various RPC overflows which allowed anyone to do anything they want and the person using the box wouldn't have a clue....whereas on OSX if this even began to occur the user would be prompted to enter the admin password

Unlike the various windows exploits which were self spreading without any human intervention whatsoever. Just machines running scripts effecting other machines. This is not possible on OSX.

If you fail to see why this is not currently possible on OSX, it means you have never used OSX and have no idea what your talking about.

have you begun to understand the difference yet? From your posts you make it out like you know what your talking about, but all you've accomplished is showing off your lack of knowledge into the subject and atrocious spelling

[mr_daemon]

Thank you good sir, for using your brains, there are too few of your kind. Too bad most will just skim over your highly relevant post.

[smooth_gt]

respect to Qumahlin for the great post

[Wickedkitten Veteran]

indeed

[boogerjones]

From the dude who hosted the original "contest":

To make things more exciting, I have decided to not backup anything on this box. Backups are for *******. Real men can live with the pain of an accidential and/or misdirected rm. And then construct everything from scratch again.

LOL, I'm sure this guy gets all the women. What a ****ing loser. Backups are for *******, LOL.

[Matt T]

Kudos to Qumahlin for the superb post. (Y)

[Spacedog]

The University of Wisconsin "hacking test" has been closed. Result: OS X 1, hackers 0.

Next! :D

[thetechroom]

Interesting thread, back to the drawing boards you "l33t" Mac OS hackers you :D

[slickice11]

Excellent use of my tuition :wacko:

[w1r3d]

so it seems people didnt really understood what i said, if i somehow gain acces to a server runing osx instead of the so popular linux it would be almost the same proces to get root, there are lots of exploits out there for macos to get root and to get acces to the box in the begining in a normal situation is either to buy hosting in a osx machine or simply hack a site hosted by a osx machine and try and get root with the exploits that you can find all over the internet, including does who havent been fixed that are harder to find but are out there.

some have called me a wannabe hacker and a script kiddy but i dont consider myself either one of them, i just have enough knowledge to go to google search for what i need and get it done, including hacking a osx server, although if the machine is fully updated and there hasnt been a exploit released for the latest updated i myself mostlikly wont be able to hack it unless what im looking for requires almost no coding since im not very good at it.

for does of you who somehow ge mad because of my statements: im not a hacker, im not a script kiddy, i dont go arround hacking everyhitng i find vulnerable in google so save your comments if you are just gonna bitch about it.

[am_fek]

simply hack a site hosted by a osx machine and try and get root with the exploits that you can find all over the internet, including does who havent been fixed that are harder to find but are out there.

So why didn't you, or any of the other thousands of people who were trying for 36 hours, hack the site being run in the last challenge? If it's that simple, I'm just saying...

[markwolfe Veteran]

so it seems people didnt really understood what i said, if i somehow gain acces to a server runing osx... <snip>

Let me explain it this way to you, kid, since you are seeming to also have problems really understanding...

You start off with a statement of "somehow" being able to gain access to a server. The OSX experiment here was a nearly wide open box. They granted server login rights to any Joe Malicious User. They were running unspecified versions of Apache, etc. It did not clarify the versions of these other apps and whether they were updated and properly secured - but, from the goal of this so-called 'project', it is quite clear that they intended on deliberately placing holes to be found. And, in that case, they were able to find an exploit in Apache that let them deface the web page. But they were not able to root the whole box (which they did specify they were running current, I believe).

I am sure you are quite the 1337 black hat, using Google and all, but I think that your inflated sense of self-importance needs to be taken down a notch before you enter the real world.

What was proven? Nothing really. Just another little piece of anecdotal evidence that shows

• an updated OS is pretty secure
  
• letting arbitrary people have login accounts to a server is a bad idea
  
• an admin needs to know what versions of 3rd party apps are on the server, and ensure they are properly updated and configured.
  
• a mis-configured box is more vulnerable than a properly configured one
  

Other than that, there is nothing particularly interesting about this original experiment.

[Wickedkitten Veteran]

how would you manage to gain root access on a machine that has root disabled?

[mr_daemon]

Wow, Markjensen with his claws out. A first in my existence so far :)

As for getting root on an operating system with the root account disabled, that is faisable.

The root account is disabled on os x in the sense that it has no password. Hence you cannot directly connect to it.

However, if you use, say, sudo to elevate your privileges to root and run a shell, I think you will find that you are indeed now root.

Try it for yourself:

$sudo su -

Password: <your password here>

#whoami

root

The same could apply to a daemon running in background as root. If you find a way to make the running program walk off the buffer and run a shell, you would gain the effective privileges of root.

I hope this answers your question, Wickedkitten :)

As for you, w1r3d, you just acknowledged that anyone can run metasploit and follow the instructions. However understanding how they work is another thing, and the fact that you just admitted to not having a clue about what the heck was going on behind the scenes makes you in a bad position for making such brash comments on how you "know this stuff".