
Mac OS X hacked in less than 30 minutes



A new hack challenge just launched by the University of Wisconsin:

 

http://test.doit.wisc.edu/

 

According to them, the MacOSX was hacked LOCALLY by someone who was allowed to have a local account on the box, not from the outside...

 

Here is the nmap output. The machine is (still) running OS X 10.3.x...

 

# nmap -sS -P0 -O test.doit.wisc.edu

 

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-06

Interesting ports on test.doit.wisc.edu (128.104.16.150):

(The 1659 ports scanned but not shown below are in state: filtered)

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

427/tcp closed svrloc

443/tcp closed https

Device type: general purpose

Running: Apple Mac OS X 10.3.X

OS details: Apple Mac OS X 10.3.0 - 10.3.3

 

Nmap finished: 1 IP address (1 host up) scanned in 61.196 seconds


Fingerprinting has been updated in nmap 4.00, and reports the box as running MacOS X 10.4-10.4.4 (the latest revision of MacOS X as of 4.00 release). I would bet that the box is running 10.4.5 as reported by the challenge site.

 

Thank you for the information!

However, I've just updated it to version 4.01 and it still reports OS X 10.3.x... That's weird! :D

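The nmap output in the opening post and the fingerprint disagreement in the two replies above, as an added example that is not from the thread: a small Python parser for nmap's "normal" output that lists the open services and checks whether the OS version you believe a host runs falls inside nmap's guessed range. The sample text is constructed to mirror the posted scan, and the function names are my own.

```python
import re

# Constructed sample in nmap's "normal" output format, mirroring the scan posted above.
SAMPLE = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-06
Interesting ports on test.doit.wisc.edu (128.104.16.150):
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
427/tcp closed svrloc
443/tcp closed https
Device type: general purpose
Running: Apple Mac OS X 10.3.X
OS details: Apple Mac OS X 10.3.0 - 10.3.3
Nmap finished: 1 IP address (1 host up) scanned in 61.196 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
RANGE_RE = re.compile(r"(\d+(?:\.\d+)+)(?:\s*-\s*(\d+(?:\.\d+)+))?")

def parse_nmap_normal(text):
    """Pull host, port table and OS guess out of nmap normal output."""
    rec = {"host": None, "ip": None, "ports": [], "os_details": None}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            rec["host"], rec["ip"] = m.group(1), m.group(2)
        elif m := PORT_RE.match(line):
            rec["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4)})
        elif line.startswith("OS details: "):
            rec["os_details"] = line[len("OS details: "):].strip()
    return rec

def open_services(rec):
    """Open (port, service) pairs: the reachable surface a defender should review."""
    return [(p["port"], p["service"]) for p in rec["ports"] if p["state"] == "open"]

def _vtuple(s):
    return tuple(int(x) for x in s.split("."))

def fingerprint_matches(rec, claimed_version):
    """True when the version you believe the host runs lies inside nmap's guessed
    range. A mismatch (e.g. 10.4.5 against a 10.3.0 - 10.3.3 guess) means either
    the fingerprint database or your inventory is stale: confirm on the box."""
    m = RANGE_RE.search(rec["os_details"] or "")
    if not m:
        return None  # no usable OS guess in the output
    low, high = _vtuple(m.group(1)), _vtuple(m.group(2) or m.group(1))
    return low <= _vtuple(claimed_version) <= high
```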

Local hacking is easier than an outside hack anyway.

 

People shouldn't be put off buying a Mac because of this. As long as they have tight security and a good firewall (e.g. something hardware-based and properly configured) they shouldn't have any problems, right?!? :weight_lift:


According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

This is what I am afraid of. There are so many flaws that aren't addressed by Apple that giving anyone simple local client access to a normal Mac with a personal server running isn't advisable anymore. I guess that's where .Mac gets its funding from.


Ars Technica has a great analysis of the issue, with less FUD than any other article I've seen on this subject. I'm also blogging about it. :weight_lift:

 

This is what I am afraid of. There are so many flaws that aren't addressed by Apple that giving anyone simple local client access to a normal Mac with a personal server running isn't advisable anymore. I guess that's where .Mac gets its funding from.

 

But .Mac (as well as Apple.com) runs on XServes that can be hacked. So here are your choices:

 

1. Either set it up yourself and practice safe computing

 

OR

 

2. Set it up using a web hosting service and hope and pray they're using safe computing on their central servers.


I didn't say Apple gave their production servers the same priority as the people that buy them out of the box. You have better control running a server OS than the normal OS build. The personal firewall that comes with Tiger is a joke.

 

This article, or any Mac security article, doesn't even cover MySQL, PHP, and Apache vulnerabilities that can cause problems with your home-built personal server. Then you also have the option to make /var, /tmp, /home separate partitions and restrict suexec on your partitions. All this falls under any Unix OS, so whether you are running a server or not, it is still applicable. Let's not even talk about the web scripts that aren't exactly safe to use.

 

Anyway, if you have nothing of interest, people shouldn't get discouraged about all these warning signs. Just be aware of them :angry:.


Hey,

 

imho, the whole challenge was a FAKE:

 

gwerdna? gwerdna is Andrew Griffiths, look him up at Phrack:

 

http://www.pulltheplug.org/news/index.html

http://www.phrack.org/show.php?p=63&a=14

 

His mate set up the machine with special versions of Fink, PHP, MySQL, Apache, LDAP. The domain wideopenbsd.org is known for BSD-bashing btw.

I cannot prove it, but it must have worked like this:

Andrew told him how to set up the machine, and what versions of the above-named software to use. He did so, and after that it was a walk in the park to apply the exploits on the software to gain higher rights. I think he made it via Fink, but it is always good to have some old PHP around.

Why "higher rights" and not root? Well, the competition wasn't even finished. I already posted this, but the mission was to do an rm -rf, to prove the root status. But Andrew just defaced the site, which makes a big difference, because you can deface a site easily with a local LAMP exploit. You don't need to be root for that.

So that's the whole story IMHO. (He is still a good hacker maybe, but that's another story.) Just guessing :guitar:

I don't want to say OSX is bulletproof. Also I know that it is a worse thing to enter the system even from within a guest account, because this is a bad thing for bigger intranets. BUT. I doubt the whole story. Seems like one BSD hater and a 1337 haxx0r just married.

jm2c


I don't want to say OSX is bulletproof.

 

Indeed. No OS is bulletproof. However, MacOSX successfully passed the Security Test launched by Dave Schroeder: :)

 

- There were no successful access attempts of any kind, including during the 38 hour duration of the test period, nor have there been any claims of success. The host is still the same host and configuration used for the test.

 

Check out the test results here:

 

Mac OS X Security Test


Indeed. No OS is bulletproof. However, MacOSX successfully passed the Security Test launched by Dave Schroeder: :D

Check out the test results here:

 

Mac OS X Security Test

 

Yes, it was a good action message to set up a second challenge with real conditions. Anyway, it will never really prove the target itself; it always proves vulnerabilities of the software used, mostly MySQL and PHP.

 

The first competition was simply not fair. I mean, if a mac got hacked, I am fine with it, {censored} happens. But that had nothing to do with it. This was big style Apple bashing, and I am simply upset about ZDNet and all the other Copy&Paste Media, that jumped on the bandwagon.

 

The good thing is, that most forums on slashdot etc. corrected this unfair behavior. Like I said, no prob with a real mac hack. Also no prob with fanboy bashing in forums :D But to hype a fake story that big wasn't fair.

 

No matter if it's Apple, Dell or Microsoft.

