whistler Posted March 6, 2006
Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.
skn Posted March 6, 2006
A new hack challenge just launched by the University of Wisconsin: http://test.doit.wisc.edu/
According to them, the MacOSX was hacked LOCALLY by someone who was allowed to have a local account on the box, not from the outside...
Here is the nmap output. The machine is (still) running OS X 10.3.x...

    # nmap -sS -P0 -O test.doit.wisc.edu

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-06
    Interesting ports on test.doit.wisc.edu (128.104.16.150):
    (The 1659 ports scanned but not shown below are in state: filtered)
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    80/tcp  open   http
    427/tcp closed svrloc
    443/tcp closed https
    Device type: general purpose
    Running: Apple Mac OS X 10.3.X
    OS details: Apple Mac OS X 10.3.0 - 10.3.3

    Nmap finished: 1 IP address (1 host up) scanned in 61.196 seconds
ElectricSheep Posted March 7, 2006
Fingerprinting has been updated in nmap 4.00, and reports the box as running MacOS X 10.4-10.4.4 (the latest revision of MacOS X as of 4.00 release). I would bet that the box is running 10.4.5 as reported by the challenge site.
skn Posted March 7, 2006
> Fingerprinting has been updated in nmap 4.00, and reports the box as running MacOS X 10.4-10.4.4 (the latest revision of MacOS X as of 4.00 release). I would bet that the box is running 10.4.5 as reported by the challenge site.
Thank you for the information! However I've just updated it to version 4.01 and it still reports OS X 10.3.x... That's weird!
xSuRgEx Posted March 7, 2006
Local hacking is easier than an outside hack anyway. People shouldn't be put off buying a Mac because of this. As long as they have tight security and a good firewall (e.g. something hardware-based and properly configured) they shouldn't have any problems, right?!?
domino Posted March 7, 2006
According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.
This is what I am afraid of. There are so many flaws that aren't addressed by Apple that giving anyone a simple local client access to a normal Mac with personal server running isn't advisable anymore. I guess that's where .MAC gets its funding from.
A Nonny Moose Posted March 7, 2006
Ars Technica has a great analysis of the issue, with less FUD than any other article I've seen on this subject. I'm also blogging about it.
> This is what I am afraid of. There are so many flaws that aren't addressed by Apple that giving anyone a simple local client access to a normal Mac with personal server running isn't advisable anymore. I guess that's where .MAC gets its funding from.
But .Mac (as well as Apple.com) runs on XServes that can be hacked. So here are your choices:
1. Either set it up yourself and practice safe computing, OR
2. Set it up using a web hosting service and hope and pray they're using safe computing on their central servers.
domino Posted March 7, 2006
I didn't say Apple gave their production servers the same priority as the people that buy them out of the box. You have better control running a server OS than the normal OS build. The personal Firewall that comes with Tiger is a joke. This article or any Mac security article doesn't even cover MySQL, PHP, and Apache vulnerabilities that can cause problems with your home-built personal server. Then you also have the option to make /var, /tmp, /home partitions and restrict suexec on your partitions. All this falls under any Unix OS, so whether you are running a server or not, it is still applicable. Let's not even talk about the webscripts that aren't exactly safe to use.
Anyway, if you have nothing of interest, people shouldn't get discouraged about all these warning signs. Just be aware of them.
xtraa Posted March 8, 2006
Hey, imho, the whole challenge was a FAKE: gwerdna? gwerdna is Andrew Griffiths, look him up at Phrack:
http://www.pulltheplug.org/news/index.html
http://www.phrack.org/show.php?p=63&a=14
His mate set up the machine with special versions of Fink, PHP, MySQL, Apache, LDAP. The domain wideopenbsd.org is known for BSD-bashing btw. I cannot prove it, but it must have worked like this: Andrew told him how to set up the machine, and what versions of the above-named soft to use. He did so, and after that it was a walk in the park to apply the exploits on the software to gain higher rights. I think he made it via Fink but it is always good to have some old PHP around.
Why "higher rights" and not root? Well, the competition wasn't even finished. I already posted this, but the mission was to do an rm -rf, to prove the root status. But Andrew just defaced the site, which makes a big difference, because you can deface a site easily with a local LAMP exploit. You don't need to be root for that. So that's the whole story IMHO. (He is still a good hacker maybe, but that's another story.) Just guessing.
I don't want to say OSX is bulletproof. Also I know that it is a worse thing to enter the system even from within a guest account, because this is a bad thing for bigger intranets. BUT. I doubt the whole story. Seems like one BSD hater and a 1337 haxx0r just married. jm2c
skn Posted March 8, 2006
> I don't want to say OSX is bulletproof.
Indeed. No OS is bulletproof. However, MacOSX successfully passed the Security Test launched by Dave Schroeder:
- There were no successful access attempts of any kind, including during the 38 hour duration of the test period, nor have there been any claims of success. The host is still the same host and configuration used for the test.
Check out the test results here: Mac OS X Security Test
xtraa Posted March 9, 2006
> Indeed. No OS is bulletproof. However, MacOSX successfully passed the Security Test launched by Dave Schroeder:
> Check out the test results here: Mac OS X Security Test
Yes, it was a good action message to set up a second challenge with real conditions. Anyway, it will never really prove the target itself, it always proves vulnerabilities of the software used, mostly MySQL and PHP.
The first competition was simply not fair. I mean, if a Mac got hacked, I am fine with it, {censored} happens. But that had nothing to do with it. This was big-style Apple bashing, and I am simply upset about ZDNet and all the other Copy&Paste Media that jumped on the bandwagon. The good thing is that most forums on Slashdot etc. corrected this unfair behavior.
Like I said, no prob with a real Mac hack. Also no prob with fanboy bashing in forums. But to hype a fake story that big wasn't fair. No matter if it's Apple, Dell or Microsoft.