• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Mac OS X hacked under 30 minutes

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
Originally posted by: loup garou
Originally posted by: stash
windows is worse...if you have physical access...you can gain admin access in a matter of minutes
Click to expand...
if he had true physical access, he could pull out the hard drive and work offline
Click to expand...
If it was an iMac, I'd say it was extremely secure if he had physical access. Have you ever tried to open one of those things??? :laugh:
Click to expand...


true 😀

but still....most OS's don't require pulling the HDD to gain access

/pets a G5 case 😎
 
Originally posted by: n0cmonkey
Originally posted by: kamper
Also: http://www.trustedbsd.org/ I believe it's meant to be merged back into FreeBSD when it's considered finished.
Click to expand...

I think they've been slowly merging things back over time. Not positive though.

Some people use systrace to lock down everything on OpenBSD. Don't know if that's the same idea or not...
Click to expand...

Not really.

The closest I've seen anyone come in OpenBSD (besides removing ACL type stuff that wasn't being used) is Trusted Path Execution, and I don't think that falls in the category of MAC. Interesting stuff though, worth looking into if you've got an older machine (the Stephanie patches weren't maintained).

Linux has SELinux, LIDS, and AppArmour (subdomain?) for MAC. There's also GRSecurity for RBAC. Interesting stuff.
Click to expand...

Yep. The difference between Linux's MAC and everybody else's, except Solaris's, is that it's in active use in the real world right now. Of course that can change.

Looked up that TrustedFreeBSD thing. Kinda interesting. They ported SELinux to FreeBSD, in turn they ported the FreeBSD version to OpenDarwin which in turn gets ported to OS X. So maybe OS X will get MAC after all. 🙂

Out of SELinux and AppArmor I think that AppArmor is more interesting. The rules are much simplier for AppArmor. Basic read/write/execute for file access, for instance and use of familar wildcards.

Also there are tools for automaticly monitoring the execution of a program and build a profile for that program based on that. It has the ability to learn and build profiles for your applications which later you can use to help lock down the program.
http://en.opensuse.org/AppArmor_Detail
http://developer.novell.com/wiki/index.php/Apparmor_FAQ

Basicly a apparmor is something that a average administrator can actually use were as SELinux is for the more hardcore security systems.

I read in a blog were a person used the tools to automaticly generate a profile for a version of Firefox with a known buffer overflow with publicly aviable exploits. Then he implimented it and tried to exploit it and basicly just couldn't. So it's actually something that may help protect your system from zero-day exploits... At least for the applications you have 'locked down'.

edit:
It's already being ported to other distros..
Here is a page for a version built for Slackware.
http://danieldk.org/apparmor/
Also includes a example of building a profile for traceroute
http://danieldk.org/apparmor/profile-example.html
 
Mac OS X hacked in 30 minutes?

Not quite.
Click to expand...

That story just points out what has already been mentioned here numerous times. And even though a local exploit was used, that's not too much better than a remote exploit. Sure it causes the plan of attack to be altered a bit, but usually you need at least 2 steps anyway. Even if there was some sort of daemon listening, you would still need to break that daemon to get a local shell and then most likely use the local exploit to get root. The fact that no daemons are listening is good, but it just makes you change your attack vector to use something else like web page or email exploit.
 
I keep reading about this thing going on at U of Wisconsin, but I'm not sure I see the point. The guy points out that it was a local exploit, not a remote exploit, which as we've discussed here, is a valid point.

But then he goes and sets up a box with SSH and local accounts? Am I missing something? This seems a lot like the first contest.
 

s0
I haxxored a m$ winbl0ze mach1ne in 2 m1inut3s w1th my l1v3 cD

(Please read the sarcasm in the above posting)
 
Originally posted by: stash
I keep reading about this thing going on at U of Wisconsin, but I'm not sure I see the point. The guy points out that it was a local exploit, not a remote exploit, which as we've discussed here, is a valid point.

But then he goes and sets up a box with SSH and local accounts? Am I missing something? This seems a lot like the first contest.
Click to expand...
Other than the huge difference that he didn't give out names/passwords for the enabled accounts? Probably not.
 
Other than the huge difference that he didn't give out names/passwords for the enabled accounts? Probably not
Click to expand...
Hmm...guess I missed that part. I don't see that in the article linked above.
 
Originally posted by: drag
Originally posted by: n0cmonkey
Originally posted by: kamper
Also: http://www.trustedbsd.org/ I believe it's meant to be merged back into FreeBSD when it's considered finished.
Click to expand...

I think they've been slowly merging things back over time. Not positive though.

Some people use systrace to lock down everything on OpenBSD. Don't know if that's the same idea or not...
Click to expand...

Not really.

The closest I've seen anyone come in OpenBSD (besides removing ACL type stuff that wasn't being used) is Trusted Path Execution, and I don't think that falls in the category of MAC. Interesting stuff though, worth looking into if you've got an older machine (the Stephanie patches weren't maintained).

Linux has SELinux, LIDS, and AppArmour (subdomain?) for MAC. There's also GRSecurity for RBAC. Interesting stuff.
Click to expand...

Yep. The difference between Linux's MAC and everybody else's, except Solaris's, is that it's in active use in the real world right now. Of course that can change.

Looked up that TrustedFreeBSD thing. Kinda interesting. They ported SELinux to FreeBSD, in turn they ported the FreeBSD version to OpenDarwin which in turn gets ported to OS X. So maybe OS X will get MAC after all. 🙂

Out of SELinux and AppArmor I think that AppArmor is more interesting. The rules are much simplier for AppArmor. Basic read/write/execute for file access, for instance and use of familar wildcards.

Also there are tools for automaticly monitoring the execution of a program and build a profile for that program based on that. It has the ability to learn and build profiles for your applications which later you can use to help lock down the program.
http://en.opensuse.org/AppArmor_Detail
http://developer.novell.com/wiki/index.php/Apparmor_FAQ

Basicly a apparmor is something that a average administrator can actually use were as SELinux is for the more hardcore security systems.

I read in a blog were a person used the tools to automaticly generate a profile for a version of Firefox with a known buffer overflow with publicly aviable exploits. Then he implimented it and tried to exploit it and basicly just couldn't. So it's actually something that may help protect your system from zero-day exploits... At least for the applications you have 'locked down'.

edit:
It's already being ported to other distros..
Here is a page for a version built for Slackware.
http://danieldk.org/apparmor/
Also includes a example of building a profile for traceroute
http://danieldk.org/apparmor/profile-example.html
Click to expand...

There was a recent article about LIDS in a Linux magazine (Linux journal, march 2006). IT seemed like the easiest one. I'm interested in tyring them all out, but I have to get a Xen machine working first. The machine I intended to use for it crapped out (first bad memory, then maybe bad video card (PCI of course)).

It's not a MAC or RBAC sorta thing, but systrace is nice. There are a couple of screenshots of it stopping a backdoor from working. Interesting stuff, but difficult if you don't know what you're doing.
 
Originally posted by: stash
Other than the huge difference that he didn't give out names/passwords for the enabled accounts? Probably not
Click to expand...
Hmm...guess I missed that part. I don't see that in the article linked above.
Click to expand...
The article linked in the op? No, it didn't mention it and that's what all the uproar is about.

But really, the one where they did give out the password was more relevant. It proved that not having the user run as root isn't really security, it just raises the bar for how competent the hacker needs to be. It also shows that using a mac for a large, multi-user system is not a good idea (unless you're really sure your users are either quite benevolent or not very technical).

The new challenge will only prove that it's difficult to break in via httpd or sshd the hard way, but that's probably not how most exploits are going to happen anyways.
 
Originally posted by: kamper
Originally posted by: stash
Other than the huge difference that he didn't give out names/passwords for the enabled accounts? Probably not
Click to expand...
Hmm...guess I missed that part. I don't see that in the article linked above.
Click to expand...
The article linked in the op? No, it didn't mention it and that's what all the uproar is about.

But really, the one where they did give out the password was more relevant. It proved that not having the user run as root isn't really security, it just raises the bar for how competent the hacker needs to be. It also shows that using a mac for a large, multi-user system is not a good idea (unless you're really sure your users are either quite benevolent or not very technical).

The new challenge will only prove that it's difficult to break in via httpd or sshd the hard way, but that's probably not how most exploits are going to happen anyways.
Click to expand...

pretty much every OS has some privilage escalation vulnerabilities active. You can minimize it, but bottom line is don't let untrusted users log into your machine.
 
Originally posted by: stash
The article linked in the op? No, it didn't mention it and that's what all the uproar is about
Click to expand...
No, the article linked on this page about the Wisconsin contest.
Click to expand...
Originally posted by: http://test.doit.wisc.edu/
The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
Click to expand...
The (lack of) local ssh access was the whole point of the second contest 😛
 
Yeah I guess that's somewhat clear. When I first read the article, I saw that there were two local accounts and ssh was enabled. I made an (incorrect) assumption that the passwords for those two accounts were made available.
 
ok, if I'm reading this correctly...

they did hack it remotely, but with prior knowledge of local account and password. that account does not have admin rights, but because the account was hacked, they were able to promote that acocunt to admin access and therefore were able to modify the web page?

If that's the case, it's still valid that remote hacks can occur with mac osx...why? it will be extremely easy to socially engineer the local accounts and password...after that with priv. escalation you in.

like other people said, that's probably not how vulnerabilities will be created anyways, because there are a million other ways to do it.

on that note, really how many organizations out there will just flat out put a box out there? I mean lets get real here...most organizations that know what they're doing will most likely put that box behind a firewall with intrusion prevention and a proxy gateway. All of those devices are smart enough to stop the more sophisticated attacks like buffer over flow, cross-site scripting and zero day attacks....

who in their right mind would use mac osx as a web server and put it out there without any protection?

Does anyone know if the x-server runs with the same engine as osx? it might become an issue if the x-server runs on the same os as regular macs...then you're talking about all the vulnerabilities for MACs are for their servers as well, which can't be a good thing.

with all that said, if they come out with a version of osx that we can install on regular intel white boxes...I would definitely dual boot with xp 😀
 
they did hack it remotely, but with prior knowledge of local account and password. that account does not have admin rights, but because the account was hacked, they were able to promote that acocunt to admin access and therefore were able to modify the web page?
Click to expand...
No, they didn't hack it remotely. They used SSH over a network and used local accounts that they already knew the password to, but that is not a remote elevation of privilege. It's essentially the same level of access you would have if you were standing in front of the box, except you can't remove the drive. There was still a local elevation of privilege vulnerability that was used to get root, though. But that doesn't really prove anything.
 
Originally posted by: stash
they did hack it remotely, but with prior knowledge of local account and password. that account does not have admin rights, but because the account was hacked, they were able to promote that acocunt to admin access and therefore were able to modify the web page?
Click to expand...
No, they didn't hack it remotely. They used SSH over a network and used local accounts that they already knew the password to, but that is not a remote elevation of privilege. It's essentially the same level of access you would have if you were standing in front of the box, except you can't remove the drive. There was still a local elevation of privilege vulnerability that was used to get root, though. But that doesn't really prove anything.
Click to expand...


What a local elevation of privilage exploit proves though is that OS X is not invunerable to viruses and worms even if your not running as a administrator.

But no general purpose OS yet created is invunerable to stuff like that.
 
But no general purpose OS yet created is invunerable to stuff like that.
Click to expand...
Right, that was my point. Anyone who is not a rabid fanboy (from any side) and that understands security knows this. Which is why it proves nothing.
 
The rest of the story at the UofW 'contest'. Inq story

Cliffs:
It was not boredom that shut it down, but the University.
The guys who would could have done it, did not hear about it until it was already down.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top