Practical Mac OS X Insecurity



Similar documents
Practical Mac OS X Insecurity. Security Concepts, Problems and Exploits on your Mac

Windows Operating Systems. Basic Security

Administering FileVault 2 on OS X Lion with the Casper Suite. Technical Paper July 2012

Discovering passwords in the memory

User's Manual. Intego VirusBarrier Server 2 / VirusBarrier Mail Gateway 2 User's Manual Page 1

10 steps to better secure your Mac laptop from physical data theft

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Mac OS X Security Checklist:

Take Your Mac OS X Security to NSA Standards June 19, 2014 by Larry Chafin

Deep Freeze Mac User Guide

Virtualization System Security

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

How To Set Up A Macintosh With A Cds And Cds On A Pc Or Macbook With A Domain Name On A Macbook (For A Pc) For A Domain Account (For An Ipad) For Free

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

DeployStudio Server Quick Install

Using Network Attached Storage with Linux. by Andy Pepperdine

AN OVERVIEW OF VULNERABILITY SCANNERS

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010

The safer, easier way to help you pass any IT exams. Exam : 9L OS X Server Essentials 10.8 Exam. Title : Version : Demo 1 / 6

Homeland Security Red Teaming

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

End User Devices Security Guidance: Apple OS X 10.10

UNCLASSIFIED Version 1.0 May 2012

1. Open the Account Settings window by clicking on Account Settings from the Entourage menu.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

Using Mac OS X 10.7 Filevault with Centrify DirectControl

Example of Standard API

Instructions for Adding a MacOS 10.4.x Client to ASURITE

Sophos SafeGuard Disk Encryption for Mac Startup guide

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

Guidance End User Devices Security Guidance: Apple OS X 10.9

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Firewalls and Software Updates

User's Manual. Intego Remote Management Console User's Manual Page 1

Cloud Server powered by Mac OS X. Getting Started Guide. Cloud Server. powered by Mac OS X. AKJZNAzsqknsxxkjnsjx Getting Started Guide Page 1

Hacking Database for Owning your Data

Review Quiz 1. What is the stateful firewall that is built into Mac OS X and Mac OS X Server?

Binding an OS X computer to Active Directory at NEIU (Existing User)

How To Harden Ancient Mac Xp On Mac Moonlight (Mac) On A Macbook V.Xo (Apple) With A Hardening Mode On A Windows Xp On A

Activation and Licensing Model Explained

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Worms, Trojan Horses and Root Kits

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

QuickStart Guide for Managing Computers. Version 9.2

System Image Backup and Recovery

FileMaker Server 7. Administrator s Guide. For Windows and Mac OS

Apple Security Checklist Companion A practical guide for automating security standards in the Apple Enterprise with the Casper Suite

Getting Started With. Mac OS X Server. Includes installation and setup information for Mac OS X Server version 10.2

Sophos Endpoint Security and Control Help. Product version: 11

White Paper BMC Remedy Action Request System Security

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

GFI White Paper PCI-DSS compliance and GFI Software products

Rootkit: Analysis, Detection and Protection

System Security Policy Management: Advanced Audit Tasks

(General purpose) Program security. What does it mean for a pgm to be secure? Depends whom you ask. Takes a long time to break its security controls.

Thick Client Application Security

Shellshock Security Patch for X86

OnCommand Performance Manager 1.1

Administering FileVault 2 on OS X Mavericks with the Casper Suite v9.2 or Later. Technical Paper October 2013

Wolfr am Lightweight Grid M TM anager USER GUIDE

Apple Server Diagnostics User Guide. For Version 3X106

Microsoft SQL Server Guide. Best Practices and Backup Procedures

Microsoft SQL Server Security Best Practices

QuickStart Guide for Client Management. Version 8.7

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Sophos SafeGuard File Encryption for Mac Quick startup guide. Product version: 6.1

Getting Started with Dynamic Web Sites

Contents III: Contents II: Contents: Rule Set Based Access Control (RSBAC) 4.2 Model Specifics 5.2 AUTH

2.6.1 Creating an Acronis account Subscription to Acronis Cloud Creating bootable rescue media... 12

Workflow Templates Library

/ Preparing to Manage a VMware Environment Page 1

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Section 12 MUST BE COMPLETED BY: 4/22

Sophos Anti-Virus for Mac OS X Help

Install Sophos SafeGuard Native Device Encryption on Mac OS X

SEAGATE BUSINESS NAS ACCESSING THE SHELL. February 1, 2014 by Jeroen Diel IT Nerdbox

Online Backup Client User Manual

Perl In Secure Web Development

Top 10 Database. Misconfigurations.

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Online Backup Client User Manual Mac OS

Online Backup Client User Manual Mac OS

Using a login script for deployment of Kaspersky Network Agent to Mac OS X clients

Witango Application Server 6. Installation Guide for OS X

Security Considerations White Paper for Cisco Smart Storage 1

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Linux FTP Server Setup

Transcription:

Practical Mac OS X Insecurity Security Concepts, Problems, and Exploits on Your Mac Angelo Laub al@rechenknecht.net December 11, 2004 1 Introduction While rumors have it that Mac OS X is extremely secure due to its open-source Darwin core and the elaborate Unix security model, little is known about practical problems that hide under its hood. The fact that so far no serious worms or viruses exist for the Mac might give users a false sense of security. The system has its vulnerabilities and it is only a matter of time until they will be exploited. The openness of the Objective-C language and the Mach kernel allows the user to perform modifications deep in the system even at runtime. This paper intends to give an overview of the worst current security holes and possible fixes. 2 Security Concepts in Mac OS X In Mac OS X, many of the more obvious security problems known from other operating systems such as MS Windows are not present. The most important among them is the fact, that the user is never logged in as root. Although the normal user is usually in the admin group, system critical access normally will not be granted without further authentication. Malware that wants to install itself system-wide therefore has to rely on some sort of privilege escalation exploit, or trick the user into entering his or her password. There is a danger though, that Mac users are too unsuspicious about entering their password. Most Mac users feel pretty safe due to their system having a reputation of being invulnerable. Otherwise damage is only inflicted on the current user without permanently damaging the system. In the Mac OS X default installation, no unnecessary services are listening, so none of them can be exploited from remote. The real danger consists in local vulnerabilities, of which, unfortunately, Mac OS X currently has quite a few, as this paper shows. Most of them stem from the fact that Apple tries to combine the Unix security model with easy and convenient usability and closed source. The private Admin Framework that Apple uses for carrying out administration tasks is the most prominent and interesting among the closed-source components. For user authentication and privilege delegation, Apple has integrated the closed-source programs Security Server and Security Agent which rely on both on the private Admin Framework and the Security Framework. Since they internally rely on SUID root programs to carry out administration tasks, it is possible that one discovers more security holes as one tries to reverseengineer them. 1

Currently there is no widely known way to create link viruses for Mach-O, Mac OS X s binary format. This, of course, can change as soon as the Macintosh platform gains more and more importance. 3 Vulnerabilities We will now have a closer look at some of the more serious local vulnerabilities in Mac OS X. None of these are currently fixed in the latest Security Update 2004-12-02 for Mac OS 10.3.6. Please understand that this list is by no means comprehensive. However, typical vulnerabilities illustrating fundamental security flaws in various domains were picked. 3.1 System Preferences The application System Preferences is one example of Apple s problematic closed-source security components. In a default OS X installation, any user in the admin group can do pretty much without further authentication. He or she can start and stop services, change user interface settings and create new user accounts. While this does not look like a major problem so far, this ability can also be used to create users and add them to the admin group without authentication. With this, an attacker can immediately get root within five seconds. This is something the author discovered together with Jan Manuel Tosses. The author reported this to Apple together with a simple exploit [4] written in AppleScript in October. As it is AppleScript wrapped in shell, the exploit even works from remote via ssh and as a normal user who is not even in the admin group as long as a user of the admin group is logged in. So far, Apple has not fixed the issue. A fix would be to enable the Require password to unlock each secure system preference radio button in the Security pane of the System Preferences. 3.2 Bad Installers and Wrong Permissions Apple has specified the directory /Library/StartupItems for application specific startup items. The executables in this directory will be executed with root permissions during startup. Unfortunately, the directory does not exist by default and must be created by the installer. Many installers will set the wrong permissions, so that this directory is user- or even world-writable. Now every user can execute arbitrary code by putting it in /Library/StartupItems and restarting the machine. In order to counter-balance permissions problems, Apple provides Disk Utility, which lets you repair disk permissions. Unfortunately, it will not repair the permissions of /Library/StartupItems, which is a serious bug. To fix this temporarily, I recommend putting a chown -R root:wheel /Library chmod -R og-w /Library into /etc/daily or /etc/rc. 3.3 Mach Injection The Mach kernel API allows to inject code into other running processes and remotely creating a new thread to execute it. Several libraries exist for this purpose ([5], [6] and [7]). 2

With them it is possible to extend Objective-C classes in running applications with categories or replace them by using the posing language feature. Together with the Objective-C Runtime Library it is also possible to selectively replace one method with another in arbitrary classes, which is called MethodSwizzling [2]. Again, this can all be done in runtime, even with closed source system applications like e.g. the Finder. While this gives programmers a very powerful tool to patch system and other closed source applications, an attacker could modify system applications at runtime in a malicious way. The whole range of security implications is yet to be explored. 3.4 Open Firmware An Open Firmware password can be set in order to protect your Mac from booting from a different than the default device. As a positive side-effect, it also disables Firewire DMA, so that the Firewire vulnerability described in the next section cannot be exploited anymore. Of course, there is a way around it. The Open Firmware password can be cleared by changing the amount of physical RAM and then resetting the Parameter RAM ( zapping the PRAM ) three times by pressing Option-Apple-P-R. There is also a comfortable way to read out the password from the shell: sudo nvram security-password Advice: There have been reports of corrupted passwords when installing firmware updates while the security-password is active. Make sure you disable it beforehand. 3.5 Firewire In Mac OS X, Firewire devices have access to the whole virtual memory, since Firewire DMA is activated by default. One could imagine a rogue ipod, that, once connected, reads out all passwords and steals data or crashes the ScreenSaver. As a fix, one can disable Firewire DMA by setting an Open Firmware password. 3.6 Single User Mode By pressing Command-S during startup, one is immediately presented a root shell. When having hardware access, this is a pretty sure and fast way to get root. One can force password authentication by changing the login style from secure to insecure in /etc/ttys. Since the DirectoryServices are not up yet when entering single-user mode, authentication will fail in any case, rendering the single-user mode unusable. In order to repair it one can generate a password with: openssl passwd -salt $salt $password and insert it in /etc/master.passwd next to root:. 3.7 Disguised Executables It is possible to disguise executables as any other file type wished. If one tries to rename a.app file to.mp3 in the Finder, it will still get the.mp3.app suffix. This security measure can be easily circumvented by renaming the file in the shell. One can now go ahead and 3

replace the application s symbol with the appropriate symbol for an mp3 file, and it will not be distinguishable from a real mp3 file by the average user. This fact can easily be used to create a trojan horse. Consider an AppleScript.app package containing the actual.mp3 file as a resource. When double clicked upon, the AppleScript will be started, opening the actual mp3 with itunes and then executing the malicious code. Any of the other described privilege escalation vulnerabilities described here can then be used by the script to install malware into the system. Imagine, then the malware would send the disguised installer via mail to all addresses in the user s Address Book. This would be a self-replicating trojan written in AppleScript. 3.8 Personal Filesharing Denial of Service Personal File Sharing is very useful to transfer files between Macs. Therefore, many people leave it enabled in the System Preferences. Unfortunately, a guest account is enabled with it, that lets anyone from the LAN and the internet connect without authentication. The guest user cannot do much, but he can write to the Drop Box. There is no limitation in the amount of data written to the guest Drop Box and there is no way to disable the guest user in the System Preferences. An attacker could write data to the Drop Box unnoticed until the victim s hard disk is full. In the worst case, this could crash the victim s Mac, since swapping fails when the Startup Disk is full. The guest account can be disabled by editing /Library/Preferences/com.apple.AppleFileServer.plist and changing <key>guestaccess</key> <true/> to <key>guestaccess</key> <false/> and then restarting the Apple File Server by typing: sudo killall -HUP AppleFileServer The guest account should be disabled by default and one should be able to activate it in System Preferences. 3.9 Clear Text Passwords in Swap File Apple s Security Framework does not use mlock() or equivalent to prevent passwords to be swapped to disk. Therefore it is likely, that user passwords and other passwords from the Keychain will be written to the swap file in clear text. You can verify this on your own Mac by typing: sudo strings /var/vm/swapfile0 grep -A 4 -i longname One may argue, that this is not such a big deal, because one needs root privileges to be able to read the passwords. Yet, there are two scenarios in which this can become a major problem. First, when an attacker has root or physical access as described in section 3.5. Second, it makes 4

OS X unusable for multiple users, because it is trivial for every admin user to read the other users passwords and therefore to decrypt the FileVault. In the future version Tiger, one will be able to activate swap encryption in the System Preferences. A way to enable encrypted swap in Panther is described in [8]. 4 What to do once you got root There exist at least two rootkits for Mac OS X, osxrk [3] and WeaponX [1]. The latter was written because the author of WeaponX felt that osxrk did not meet the standards of the Mac platform. WeaponX hides itself from kextstat, netstat, utmp and wtmp, and the source code is available as a nice Xcode project. I do not count Opener as a rootkit because it is merely a shell script without the possibility to hide itself. 5 Conclusion Mac OS X is not a Unix system where you want other people have shell accounts. All the described vulnerabilities can be fixed by the user if he wants to have a more secure system, but it is the default setting that counts. It is also very likely that more vulnerabilities will be discovered in the near future. In order to further evaluate the security situation in Mac OS X, it will be necessary to take a closer look at Apple s Admin Framework by taking advantage of the open nature of the Objective-C language and the Mach kernel. The security implications of Mach Injection also need to be explored further. One could imagine malware that works entirely with user privileges that patches the system in an evil way. Despite all these vulnerabilities, Mac OS X is still much more secure than Windows, because in Windows you are practically always root. We can only hope that Apple can manage this balancing act between ease-of-use, closed-source, and UNIX security in the long run and that OS X eventually deserves to be called secure again. References [1] Neil Archibald. WeaponX Rootkit for Mac OS X. http://neil.slampt.net/. [2] CocoaDev. MethodSwizzling. http://www.cocoadev.com/index.pl?methodswizzling. [3] g@pper. osxrk Rootkit for Mac OS X. http://packetstormsecurity.org.pk/unix/ penetration/rootkits/osxrk-0.2.1.tbz. [4] Angelo Laub. System Preferences Root Exploit. http://annulator.de/3sec2rewt.sh. [5] Unsanity LLC. Application Enhancer (APE). http://www.unsanity.com/haxies/ape/. [6] The Zaius Project. Zaius free MacOS X patching. http://zaius.sourceforge.net/. [7] Jonathan Rentzsch. mach inject. http://rentzsch.com/mach inject. [8] Andreas Schwarz. Encrypted Swap on Mac OS X 10.3 (Panther). http://andreas-s.net/osxencrypted-swap.html. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information