An unaddressed bug in Apple's Mac OS X discovered five months ago allows hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near-unlimited access to a computer's files. While the security flaw has been around for roughly half a year, a new module created by developers of testing software Metasploit makes it easier to exploit the vulnerability in Macs, renewing interest in the issue, according to Ars Technica.
The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top-tier privileges grant access to other users' files, though that level of control is password protected. Rather than supplying a password, an attacker works around authentication by setting the computer's clock to Jan. 1, 1970, which is referred to as the Unix epoch. Unix time starts at zero hours on this date and is the basis for time calculations. By resetting a Mac's clock, as well as the sudo user timestamp, to the epoch, time restrictions and privilege limitations can be bypassed.
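The timestamp logic described above, as a simplified model added here for illustration (it is not sudo's source code and not from the original article), next to a hardened check and an audit of a ticket directory. The 5-minute grace period, the function names and the one-file-per-user layout are assumptions; the sample directory is constructed.

```python
import os
import tempfile

TIMEOUT = 5 * 60  # assumed grace period in seconds; not stated in the article


def ticket_valid_naive(ticket_mtime, now, timeout=TIMEOUT):
    """Simplified model of the flawed check: only the ticket's age matters."""
    return 0 <= now - ticket_mtime <= timeout


def ticket_valid_hardened(ticket_mtime, now, timeout=TIMEOUT):
    """Same age check, but a ticket stamped at the epoch is never accepted."""
    if ticket_mtime <= 0:
        return False
    return 0 <= now - ticket_mtime <= timeout


def audit_tickets(ticket_dir, now, window=TIMEOUT):
    """Report a clock within `window` seconds of the epoch and any
    epoch-stamped entries below ticket_dir (path is supplied by the caller)."""
    findings = []
    if now <= window:
        findings.append(("clock-near-epoch", now))
    for root, dirs, files in os.walk(ticket_dir):
        for name in sorted(dirs + files):
            path = os.path.join(root, name)
            if os.lstat(path).st_mtime <= 0:
                rel = os.path.relpath(path, ticket_dir)
                findings.append(("epoch-ticket", rel))
    return findings


def demo():
    """Build a constructed ticket directory and run all three functions."""
    with tempfile.TemporaryDirectory() as d:
        for user, mtime in (("alice", 1_362_000_000), ("bob", 0)):
            p = os.path.join(d, user)
            open(p, "w").close()
            os.utime(p, (mtime, mtime))  # constructed sample timestamps
        return {
            "naive": ticket_valid_naive(0, 30),
            "hardened": ticket_valid_hardened(0, 30),
            "normal": ticket_valid_hardened(1_362_000_000, 1_362_000_120),
            "findings": audit_tickets(d, now=30),
        }


if __name__ == "__main__":
    print(demo())
```

The bypass in the article needs both conditions at once, so the two finding kinds appearing together are the signal worth acting on.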
According to H.D. Moore, the founder of the open-source Metasploit and Chief Research Officer at security firm Rapid7:
The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit.
Although powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged into a Mac with administrator privileges and have run sudo at least once before. As pointed out by the National Vulnerability Database, a user attempting to gain unauthorized privileges must also have physical or remote access to the target computer.
As of right now, Apple hasn't responded or issued a patch for the bug. Moore said the following regarding the issue:
I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package.