Thread: Unpatched OS X Security Flaw Allows Users to Gain Root Access to Macs

  1. #1
    Akshay Masand, MMi Staff Writer


    An unaddressed bug in Apple’s Mac OS X discovered five months ago allows hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near unlimited access to a computer’s files. While the security flaw has been around for roughly half a year, a new module created by developers of testing software Metasploit makes it easier to exploit the vulnerability in Macs, renewing interest in the issue, according to ArsTechnica.

    The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top-tier privileges grant access to other users’ files, though that level of control is password protected. Instead of putting in a password, the flaw works around authentication by setting a computer’s clock to Jan. 1, 1970, or what is referred to as the Unix epoch. Unix time starts at zero hours on this date and is the basis for calculations. By resetting a Mac’s clock, as well as the sudo user timestamp, to epoch, time restrictions and privilege limitations can be bypassed.

    According to H.D. Moore, the founder of the open-source Metasploit and Chief Research Officer at security firm Rapid7:

    "The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit."

    Apple’s Macs are specifically vulnerable to the bug as OS X doesn’t require a password to change the clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds but many of those iterations password protect clock changes.

    Although powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged into a Mac with administrator privileges and have run sudo at least once before. As pointed out by the National Vulnerability Database, the user attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

    As of right now, Apple hasn’t responded or issued a patch for the bug. Moore said the following regarding the issue:

    "I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package."

    Source: ArsTechnica, CVE, Metasploit

    Twitter: @AkshayMasand
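
The time-stamp behaviour described in the article above, as an added example that is not part of the original post and is not sudo's own code: a simplified model of a freshness test that trusts the clock, a hardened variant, and an audit that flags the condition on disk. The 5-minute window, `CLOCK_FLOOR`, the function names and the directory passed to `audit` are all assumptions made for illustration.

```python
import os
import time

TIMEOUT = 5 * 60             # assumed grace period in seconds (hypothetical value)
CLOCK_FLOOR = 1_000_000_000  # Sept 2001; a clock or stamp before this is implausible

def naive_is_fresh(stamp, now, timeout=TIMEOUT):
    """Trusts both values: a stamp of 0 looks fresh whenever the clock is near 0."""
    return 0 <= now - stamp < timeout

def hardened_is_fresh(stamp, now, timeout=TIMEOUT):
    """Same window test, but an epoch-era stamp never counts as authentication."""
    if stamp < CLOCK_FLOOR:
        return False
    return 0 <= now - stamp < timeout

def audit(ts_dir, now=None):
    """Return findings for a directory of per-user time stamps (path is an assumption)."""
    now = time.time() if now is None else now
    findings = []
    if now < CLOCK_FLOOR:
        findings.append(("clock", "system clock is set before CLOCK_FLOOR"))
    for root, dirs, files in os.walk(ts_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            stamp = os.lstat(path).st_mtime
            # Accepted by the clock-trusting test, rejected by the hardened one.
            if naive_is_fresh(stamp, now) and not hardened_is_fresh(stamp, now):
                findings.append(("stamp", path))
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample: one stamp reset to the epoch, audited under two clocks.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "alice")
        open(p, "w").close()
        os.utime(p, (0, 0))
        print(audit(d, now=60))             # clock wound back to 1970
        print(audit(d, now=1_377_734_400))  # clock in August 2013
```

An epoch-valued stamp on its own is not a finding; it only becomes one when the clock is also close enough to the epoch for the window test to pass.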

  2. #2
    If you have "Require an administrator password to access system-wide preferences" checked in Security & Privacy, it prevents you from changing the system clock (at least under 10.9). Not sure if this can be bypassed by a terminal command.

    *Edit:
    I just tested this using this post as the exploit command. You can't change time from Terminal if you do what I've mentioned and require a password to access system-wide prefs.
    Last edited by WaLLy3K; 08-29-2013 at 03:47 AM.

  4. #3
    You need physical or remote access... who would have guessed.

  6. #4
    slim.jim

    Originally posted by LaddersRCool:
    > You need physical or remote access... who would have guessed.

    And you need admin access, how is this a vulnerability?

  7. #5
    Originally posted by slim.jim:
    > And you need admin access, how is this a vulnerability?

    Because even the admin isn't supposed to be able to access the root.

  8. #6
    slim.jim

    Originally posted by Scotty Manley Silberhorn:
    > Because even the admin isn't supposed to be able to access the root.

    sudo -s gives root permissions without messing with the root user, so what is this going to change?

  9. #7
    Originally posted by slim.jim:
    > sudo -s gives root permissions without messing with the root user, so what is this going to change?

    Thank you for actually noticing that all of this is of no concern to Apple or users because it's not a flaw, it's there pretty much on purpose.

  10. #8
    slim.jim

    Having admin access isn't difficult if you have access to the machine unless single user mode is disabled. Boot into single user mode and just change the admin password and reboot and login as the admin or if you have an install disc handy change the admin password that way. Windows admin access can be had just as easily.

  11. #9
    Originally posted by LaddersRCool:
    > You need physical or remote access... who would have guessed.

    I love these 'vulnerabilities' that are about as vulnerable as someone stealing the box. If you have physical access, all bets are off. If you don't have remote access enabled, there's no problem. And in my case, only my 'admin user' is actually on the sudoers list. That's the easiest way to avoid that problem: don't make your accounts admins -- Apple should stress that. Similar problem in Windows land.

  12. #10
    Originally posted by WaLLy3K:
    > If you have "Require an administrator password to access system-wide preferences" checked in Security & Privacy, it prevents you from changing the system clock (at least under 10.9). Not sure if this can be bypassed by a terminal command.
    >
    > *Edit:
    > I just tested this using this post as the exploit command. You can't change time from Terminal if you do what I've mentioned and require a password to access system-wide prefs.

    System 10.8.4 does not have that option :-(

  13. #11
    Other flow - The FBI MoneyPak Virus Now Affects Mac OS X - here are recommendations on fixing the issue regarding the FBI Cyber Department MoneyPak virus for Mac OS X, as well as a description - source - How to remove FBI MoneyPak Virus on Mac OS X
