U of Wisconsin's Mac OS X Security Challenge 401
digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less than 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet
Generic smear campaign (Score:5, Interesting)
So far each article has been based on unique situations that lack credibility to begin with, give little detail, and take focus away from the fact that it's basically a machine running a collection of industry-proven software (such as Apache and OpenSSH).
Also of note is that Mac OSX currently has a user base of over 10 million machines. So the argument that it's too small a target is ridiculous. In fact it's a bigger target as it's untouched territory with a bonus of headline making news.
Re:Hackorama Windows (Score:1, Interesting)
Well, they *could*, but they probably know better.
Re:A Different Test (Score:3, Interesting)
But for a server, all the time. If you're considering a timesharing system, there may be thousands of users. The central ITS computers at every university I've been to (the ones you SSH to, and run Pine to check your email) have thousands of user accounts. Everyone at the school has one. (An older book, but still a good read about the importance of privilege escalation bugs - look for "The Cuckoo's Egg")
Now you can argue that you're only giving accounts to people at the university, and they're trustworthy (or at least you can punish them if they try to crack the server). But out of ten thousand accounts, someone's going to have a guessable password. Or they'll answer a phishing scheme. Or (if you let people put CGI/php scripts on their webpages) someone will write a buggy script. Or your SSH/web/ftp daemons will be found to have a bug (don't know what Apple's using, but OpenSSH/wsftpd/apache have all had bugs in the past and are likely to still have some bugs).
Now, I run linux at home because I need something which plays well with the network. I can log in remotely, run programs, upload and retrieve files, etc. I tend to find the distinction between "desktop" and "server" blurs, because I want to be able to access my computer from anywhere.
Contest closes March 10? (Score:3, Interesting)
If this was a legit challenge, then don't close the challenge. Leave it open, so that when you least suspect it, someone has hacked your site.
But is this challenge stating the security of OSX? Defacing a website is the same as having a Trojan virus installed that wipes out your applications or formats your system? Why not offer a challenge to find out if someone can write a virus that will adversely affect OSX. The delivery is unimportant, as long as there are people happily downloading apps from P2P, opening email attachments, and downloading security updates from email warnings. No OS is truly secure from human ignorance.
I guarantee that some hacker will deface the website, but I question the legitimacy of imposing a time limit on the challenge. Certainly hackers don't have a time limit when they corrupt Linux or Windows based website servers, so why impose one for Mac. I think someone is closely monitoring the challenge website, ready to counter any possibility of it being hacked in order to solidify the OSX security myth.
Re:A Different Test (Score:3, Interesting)
The other thought that passed my mind is that since it is a University, what is the likelihood that this Mac is really a Honeypot of some sort? Sure it may be hardened, but they may be trying to figure out how secure Mac OS X is and just trying to get at the ego of hackers.
Re:Logs (Score:3, Interesting)
Or perhaps just published after the challenge.
Re:A Different Test (Score:3, Interesting)
How can a vendor fix the claimed local privilege escalation vulnerabilities when they are not informed of the issue?
The answer to the first question is pretty easy. Local access can be gained by the cleaning crew in most buildings, by students in others, and don't forget your friendly neighborhood coworkers. The answer to the second question is just as easy. Spouse, kids, kids' friends.
I don't have an answer to the third one, but I know how similar questions get answered when Microsoft is the vendor. The answer is: they have the vulnerability. The vulnerability is bad. They should make a "more secure" operating system.
I think you're attacking the article justifiably, but I think you're also defending the vendor without justification. If they can really be owned by a local user exploit, then that is a serious problem.
TW
Re:Hackorama Windows (Score:3, Interesting)
win2k was a completely different story. i did this test with that and people were in by the end of the day.
Re:A Different Test (Score:3, Interesting)
Whilst I agree with you that the original article was a typical zdnet troll attempting to stir the angry mac masses into page views, your statement, 'left people with the impression that a Mac OS X machine could be owned in 30 minutes just by being connected to the internet, without the user "doing" anything', is not really true if you read the whole article.
For instance, the original article contained the line: You also say:- How might a Linux or BSD distribution, other commercial UNIXes, or Windows stand up to a similar challenge, where anyone who wishes is given local account access?
I don't know about Windows / Commercial Unix, but under linux you have the option of using grsecurity [grsecurity.net] to harden against unknown vulnerabilities. Nothing like this exists for the Mac that I'm aware of.
I understand the point of your test - that a mac can sit on a hostile network & not get hacked. But you seem to completely miss the conclusion I drew from the outcome of the original test - do not underestimate the seriousness of local privilege escalation.
For instance (as I've written before), an unpatched local privilege escalation, used in conjunction with the vulnerability discussed in this article [slashdot.org] could result in a rooted machine - simply from visiting a hostile website (or even a website you visit regularly, that runs IIS and has been hacked itself)
Re:A Different Test (Score:5, Interesting)
Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system. There have been serious vulnerabilities in Mac OS X that could be taken advantage of; however, most Mac OS X "vulnerabilities" to date have relied on typical trojan social engineering tactics, not genuine vulnerabilities. The recent Safari vulnerability was promptly addressed by Apple, as are any exploits reported to Apple. Apple does a fairly good job with regard to security, and has greatly improved its reporting processes after pressure from institutional Mac OS X users: Apple is responsive to security concerns with Mac OS X, which is one of the most important pieces of the security picture.
The "Mac OS X hacked under 30 minutes" story doesn't mention that local access was granted to the system. While local privilege escalation exploits can certainly be dangerous - and used in conjunction with things like the above Safari exploit - this isn't very informative with regard to the general security of a Mac OS X machine sitting on the Internet.
Of course, I'd have no problem with this if the original article had actually talked about it meaningfully in the context of a local privilege escalation and explored the implications; instead, they just made it sound like you could throw a patched OS X box onto the internet and it'd get owned. The average reader would leave with that *distinct* impression, and most of the subsequent coverage of it talked about it exactly in that fashion.
Mac OS X has had several local privilege escalation vulnerabilities, just as other OSes have had. Apple fixes them when they become known. (Also, and this is another discussion, but what can Apple do if the "hacker's" claims are correct, i.e., that the vulnerability is unknown to Apple? It doesn't prove that Mac OS X is "insecure"; all it "proves" is that open scrutiny is difficult with closed source pieces, and that some people intentionally and knowingly refuse to give vendors a chance to fix problems.)
Server Version - What would be my favorite vector (Score:4, Interesting)
*) SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value. [Paul Querna, Joe Orton]
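The CHANGES entry quoted above describes a request-smuggling mitigation. As an added example (not Apache's code), here is a minimal HTTP/1.1 request parser run twice over one constructed request that carries both headers: once trusting Content-Length when both are present (the behaviour the entry calls out as vulnerable) and once dropping Content-Length in favour of Transfer-Encoding: chunked, which is what the fix does and what RFC 2616 section 4.4 requires. Only the host name comes from the challenge page; the /admin path and the request bytes are constructed for illustration.

```python
"""Transfer-Encoding vs Content-Length desynchronisation, as an added example.

Not Apache's code. The request bytes below are constructed for illustration;
only the host name comes from the challenge page."""


def apply_apache_mitigation(headers):
    """Return a copy of the (lower-cased) header dict with Content-Length removed
    whenever Transfer-Encoding is present: the behaviour the CHANGES entry
    describes, matching RFC 2616 section 4.4."""
    fixed = dict(headers)
    if "transfer-encoding" in fixed:
        fixed.pop("content-length", None)
    return fixed


def _parse_head(buf):
    """Split a request head into (request line, {lower-cased name: value},
    offset of the first body byte). Raises ValueError on an incomplete head."""
    head, sep, _rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers, len(head) + len(sep)


def _read_chunked(buf, pos):
    """Decode a chunked body starting at buf[pos]; return (body, offset past it)."""
    body = b""
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # last-chunk: skip any trailer lines up to the terminating empty line
            while buf[pos:pos + 2] != b"\r\n":
                pos = buf.index(b"\r\n", pos) + 2
            return body, pos + 2
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def parse_requests(buf, mitigated):
    """Split `buf` into [(request line, body), ...].

    mitigated=False models a parser that honours Content-Length even when
    Transfer-Encoding: chunked is also present (the flaw the entry names);
    mitigated=True applies apply_apache_mitigation() first, so chunked
    framing wins whenever it is announced."""
    requests = []
    pos = 0
    while pos < len(buf):
        request_line, headers, body_start = _parse_head(buf[pos:])
        body_start += pos
        if mitigated:
            headers = apply_apache_mitigation(headers)
        if "content-length" in headers:
            length = int(headers["content-length"])
            body, end = buf[body_start:body_start + length], body_start + length
        elif "chunked" in headers.get("transfer-encoding", "").lower():
            body, end = _read_chunked(buf, body_start)
        else:
            body, end = b"", body_start
        requests.append((request_line, body))
        pos = end
    return requests


# Constructed attack request: the Content-Length covers the whole tail, so a
# Content-Length-trusting parser sees one POST, while a chunked parser stops
# at the 0-chunk terminator and treats the rest as a second, smuggled GET.
SMUGGLED_TAIL = (
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"      # /admin is a hypothetical path
    b"Host: test.doit.wisc.edu\r\n"
    b"\r\n"
)
AMBIGUOUS_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: test.doit.wisc.edu\r\n"
    b"Content-Length: " + str(len(SMUGGLED_TAIL)).encode("ascii") + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + SMUGGLED_TAIL
)


if __name__ == "__main__":
    print("trusting Content-Length:", parse_requests(AMBIGUOUS_REQUEST, mitigated=False))
    print("Content-Length dropped:  ", parse_requests(AMBIGUOUS_REQUEST, mitigated=True))
```

A front end that frames by Content-Length forwards AMBIGUOUS_REQUEST as a single POST; an origin that honours chunked framing, as HTTP/1.1 requires, sees the POST end at the 0-chunk and then processes the smuggled GET on the same connection, which is the splitting/spoofing the entry refers to. Dropping Content-Length whenever Transfer-Encoding is present makes every component frame the message the same way.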
Much better analogy! (Score:5, Interesting)
Okay- I like that analogy better. I've got deep deadbolts on my outside doors; the door between my basement and house has a cheap handle lock that can be popped with a long, thin screw driver.
Not to get lost in the analogy details, but I think you'll find most security skews the same way.
When I run a third party program I am essentially letting them inside, but as a non-privileged user I'm confining them to a specific area. But if this ability to elevate privileges turns out to be a fact, then any program I run can have full access.
I think this ability to elevate privs should be analyzed on a case by case basis for all programs; as such if you are concerned about what applications a user can and can't run, remove the ability to run those applications from the machine.
However with most desktop machines your biggest worry isn't normally* an attack from within; it's usually from without.
*) People on slashdot aren't normal and typically have needs that extend beyond normal users. Feel free to contribute some examples that counter this assertion.
Original Test Was More Interesting (Score:5, Interesting)
If the original hacker Gwerdna (Andrew G?) was right that there are many undisclosed privilege escalation bugs, that is a case for concern, not something to be dismissed as a mere "local" vulnerability. BSD, Linux and even Windows already have patches for NX [wikipedia.org] to contain buffer overflows, where is Apple on this?
I think that, especially if you're an Apple user, it is very important to test the claim that the OS is rife with local privilege escalation issues. And that's why I think the first test was much better than this one. I don't expect this U of W box to be hacked anytime soon. But this proves very little. You can even set up a Windows SP2 IIS+Remote Desktop box like this, and I don't think it will be hacked anytime soon either. But if you redo something like the original box (give normal user ssh accounts to anyone) and get hacked very quickly again, it proves a lot. Namely that the local security measures of OS X that many have come to trust amount to very little.
Re:Our tax dollars at work (Score:5, Interesting)
Also, I can't say I've *ever* gotten a "freebie" anything from Apple in 22 years other than a couple of T-shirts. Oh, and a nice pen once. I've also never heard of anyone in enterprise or education getting free flat panels and iPods from Apple (except for the free iPod promotions they've had when people buy certain laptops).
Also, since Mac OS X is used *heavily* in education, particularly at large research universities, and diversity of computing platforms is important to avail faculty, staff, and students of the best resources to do their jobs, I'm sure many are interested in the general security of a typical Mac OS X machine with a couple of typical services running on the internet, especially in the wake of such misleading press coverage of the same. The only interests I represent are those of the University of Wisconsin - Madison.
And yes, this challenge is sanctioned. I'm glad that the University of Wisconsin supports the genuine interests of its faculty, staff, and students, and encourages individual thought, research, discovery, and exploration. That's why it's a great place to be!
Don't play this down (Score:2, Interesting)
Just because a vulnerability is 'local' doesn't mean you have to be sitting at the computer. Take the U of Wisconsin's honey pot box running Apache and ssh. Both Apache and ssh run in a lower privileged user account whenever they can, so that if there's a flaw in code which runs in the lower user account it can only do damage within that lower user account.
Right now if you found a hole in low privilege context code you could use it to get admin access in OS X; this is a serious problem and it makes the UNIX security model, which Apple gives as the reason for OS X's great security, useless.
This doesn't mean OS X is insecure and everything else is, but it is a very serious flaw (especially being unreleased) and I don't understand why everyone is downplaying it.
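As an added example of the privilege separation this post describes (not OpenSSH's or Apache's own code), here is the sequence a daemon follows once it has bound its privileged port and no longer needs root: clear supplementary groups, set the gid, then the uid, using setuid() rather than seteuid() so the saved set-user-ID changes too, and then verify that the drop cannot be undone. The account name "nobody" used by the demo is an assumption.

```python
"""Dropping root privileges the way a network daemon does once it no longer
needs them. Added example, not OpenSSH's or Apache's code."""
import os
import pwd


def current_ids():
    """(real uid, real gid) of this process; used by the demo and the checks."""
    return os.getuid(), os.getgid()


def is_root():
    return os.geteuid() == 0


def drop_privileges(uid, gid):
    """Irreversibly switch the process to uid/gid and return the resulting ids.

    Order matters: supplementary groups and the primary gid are changed while
    the process is still root, because afterwards it may no longer change them.
    os.setuid() (not os.seteuid()) replaces the real, effective and saved uids,
    so no saved uid 0 is left behind to switch back to.
    """
    if is_root() and uid != 0:
        os.setgroups([])   # supplementary groups would otherwise survive the drop
    if os.getgid() != gid:
        os.setgid(gid)
    if os.getuid() != uid:
        os.setuid(uid)
    return current_ids()


def privileges_are_dropped():
    """True when the process can no longer become uid 0.

    Run this right after drop_privileges(): if setuid(0) succeeds, the drop
    was incomplete (typically only the effective uid was changed and the
    saved uid is still 0).
    """
    if is_root():
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False   # setuid(0) succeeded: a saved uid of 0 was left behind


if __name__ == "__main__":
    if is_root():
        nobody = pwd.getpwnam("nobody")   # assumed unprivileged account
        print("dropped to", drop_privileges(nobody.pw_uid, nobody.pw_gid))
    else:
        print("already unprivileged:", current_ids())
    print("cannot regain root:", privileges_are_dropped())
```

The check after the drop is the part most often skipped: a daemon that only changes its effective uid looks unprivileged in `ps` but can call setuid(0) again, and a bug in its request handling is then a root compromise rather than damage confined to the service account.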
A more "real-world" test? (Score:3, Interesting)
I would prefer to see test break-in attempts set up like this:
an unprivileged "test account" is created on OS X and set up with email, web browser, and other common desktop programs
the "test account" is set up with several common methods of communicating with the outside world: email, IM, commonly-browsed web sites, webmail, banking sites, etc
the test account's email address and IM account are made public to the would-be attackers
someone regularly checks the test account's email and acts like a "gullible user" would, eg click on spam and phishing links, go to hostile web sites, follow dubious instructions received via IM from supposed friends
the challenge: attacker must be able to do something "bad": control box resources (think spyware), steal critical system information (think remote root), get bank account information (think phishing), whatever
A few years ago, this was trivial on Windows. I hear they've cleaned up their act to some extent. How well would OS X hold up? How about a standard desktop version of Linux?
Data General used to Boast (Score:4, Interesting)
Then IBM bought Data General and that was the last we heard of DG/UX B2 Secure. Pity really. They should have ditched AIX instead. But I digress...
OSX is pretty damn secure right out of the box, but Apple could do more to make it tighter by default. They've already managed the security versus usability balance far better than Microsoft has managed so far. I think Apple could push a little more over to the security side of the thing without noticeably affecting usability. I also think that Apple users would accept slightly less user friendly systems in order to continue to walk around with that air of I-can't-get-spyware-or-viruses smugness that no Windows user will ever understand until they've seriously used an Apple machine for a few days. Apple's selling more than a machine. They're selling the ability to not have to live in fear every time you connect that machine to the Internet. They're selling the ability to not have to run so many third party security applications that the shiny new machine runs like a shiny new machine from 5 years ago. I think that is worth any perceived price premium.
Re:A Different Test (Score:3, Interesting)
Ok, let's look at the analogy given:
And as a reminder, the test allowed users into the box, and they then had to escalate their privileges in order to alter the contents of the web site.
Specific problems with the analogy?
Compare this to a computer, where an attacker may try to get access many *millions* of times (depends on how he's trying to get in) and unless there is some sort of intrusion detection system running, it's unlikely that anybody will notice, and even more unlikely that they'll notice quickly enough to do anything about it. He may also be able to attempt to break into thousands of computer systems simultaneously.
But yeah, other than that, the analogy holds VERY well. Uh-huh.
If you must make an analogy, don't even use a house. It's a public train station, with no police, and the attacker is challenged to write his name on a piece of paper. But the challenge is that the piece of paper is in a locked viewing cabinet behind bullet proof glass.
And yet companies do it (Score:3, Interesting)
Re:A Different Test (Score:5, Interesting)
The point is even with proper design of user separation, local security is hard to get right. Every OS has this problem, to various degrees. And if you want a sample of what this type of problems mean, here is one: malware will not be required to ask you for a password to elevate privileges - see? all those 'this is not a virus, it asks for your password and that should set your alarm bells going' argument goes puff! in smoke. This is the same type of issue that plagued non-administrator users in Windows for a long time now. So let me put it this way:
So, to come back - your test is utterly irrelevant for the type of people that would be interested in the original one. What you are trying to test is the security of the OpenSSH and Apache installs + your setup (yeah, and password strength - expect to be hit by automated dictionary attacks from scripts that couldn't care less about your test). If I had an XServe machine with several users having ssh access I would really want to know whether any of those users really can get root on the machine or not (if they can, XServe has no place in such an environment). And I would be really worried. As it stands, I still have worries, but at least I know that I have a certain amount of protections in place against such problems (this not being OSX though - no OS names since I'm not interested in 'my OS is more secure than your OS' flames). But this is a real security concern and yet you turn around and say 'but these other things are secure.' Yeah, the article could have sounded misleading for anyone not willing to check the site and see the conditions (but few people would do that anyway) but how are you any better? All this is countering journalistic sensationalism with more of the same, since your box is neither set up as a home user's nor is your setting pertinent to the original multiuser problem.
To toss in my 2c of an analogy - the original test was to check whether a bank's employees (with access to the bank building) can empty the main safe to which they do not have the combination[*] while yours is to check whether a customer can; all this on a Sunday when the bank is closed.
And now mods feel free to mod me down - although a more rational answer would be welcome.
[*] to all those saying 'by default root is not even enabled in OSX': bah! 'enabled' pertains to login, and privilege escalation couldn't care less about login restrictions; the account is still there. And in fact, what 'get root' means is 'get uid=0 access'
Re:A Different Test (Score:5, Interesting)
No, they weren't. If all the filesystems that customers have write access to are mounted "noexec", then self-compiled binaries don't present a lot of exposure.
I'm not saying that it's not a good idea to remove GCC, just that its presence isn't an automatic compromise.
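As an added example of the check the reply above is talking about (not code from the challenge page), this audits a mount table: for each path that users can write to, it finds the filesystem that actually governs it (a /var/tmp that is not its own mount inherits the options of /) and reports which of noexec, nosuid and nodev are missing. The mount table, the list of user-writable paths and the /home layout are constructed for the example. Scope note: noexec only prevents execve() of files stored on that filesystem; a script handed to an interpreter that lives on an exec-allowed filesystem still runs.

```python
"""Audit of mount options on user-writable filesystems. Added example; the
mount table and path list below are constructed, not taken from any real host."""

HARDENING_OPTIONS = frozenset({"noexec", "nosuid", "nodev"})

# Paths an unprivileged user can normally write to (assumption for the example).
USER_WRITABLE_PATHS = ("/home", "/tmp", "/var/tmp")

# Constructed /proc/mounts-style table: device mountpoint fstype options dump pass
SAMPLE_MOUNT_TABLE = """\
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""


def parse_mount_table(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue            # blank or malformed line
        mountpoint, options = fields[1], fields[3]
        table[mountpoint] = set(options.split(","))
    return table


def mount_for(path, table):
    """The mountpoint whose filesystem holds `path`: the longest mountpoint that
    is a path-component prefix of it. "/" matches everything, so a path that is
    not its own mount inherits the root filesystem's options."""
    best = None
    for mountpoint in table:
        prefix = mountpoint.rstrip("/") + "/"
        if (path + "/").startswith(prefix):
            if best is None or len(mountpoint) > len(best):
                best = mountpoint
    return best


def audit_mounts(text, user_writable=USER_WRITABLE_PATHS):
    """Return {path: (governing mountpoint, missing hardening options)} for
    every user-writable path whose filesystem lacks any of the options."""
    table = parse_mount_table(text)
    findings = {}
    for path in user_writable:
        mountpoint = mount_for(path, table)
        if mountpoint is None:
            continue            # no mount covers it (not an absolute path)
        missing = HARDENING_OPTIONS - table[mountpoint]
        if missing:
            findings[path] = (mountpoint, missing)
    return findings


if __name__ == "__main__":
    for path, (mountpoint, missing) in audit_mounts(SAMPLE_MOUNT_TABLE).items():
        print(f"{path}: governed by {mountpoint}, missing {', '.join(sorted(missing))}")
```

On a Linux host, feed it the contents of /proc/mounts; other systems' `mount` output has a different line format and needs its own parser. In the constructed table /tmp passes, /home lacks noexec, and /var/tmp is silently covered by the root filesystem, which has none of the three options: the case that is easy to miss when only the obvious mounts are checked.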
Re:A Different Test (Score:3, Interesting)
Not to be an ass, but there are hundreds of open accounts all over the internet with TS enabled and client and guest logins allowed for companies to showcase their software.
One of the things people actually do with TS is use it for software demonstration purposes, and people are 'encouraged' and 'allowed' to sign into Windows 2003 servers to test software or concepts the companies are selling or demonstrating.
If you think that there are no Windows Servers on the Internet that meet the exact same setup criteria as the MacOSX original test had, you really need to get your head out of Steve Jobs's butt and see what the real world is doing and not just what he wants you to see.
And BTW the same is true for many different OSes and *nix variations, there are 'guest' and local account access for public use, this has been around a LONG time, I don't understand how Mac Users think this is unfair or even unique? What do you freaking think XWindows was designed for? Do you realize that it is used for 'guest' accounts and distributed applications all the time?
As for SSH not 'usually' being open, you would be surprised at the number of people that DO run with either SSH, an XServer or even MS's RDP type of technologies on and enabled, like for example 99% of the Web with headless servers.
If it weren't common or safe, you wouldn't see different OSes have remote 'guest' accounts for customers all over the place.
Here, just to demonstrate I'm not making up the remote access account scenario and how predominant it is, do a search on Web Hosting, SSH, XServer, RDP(Remote Desktop/Terminal Services) access...
I know of several examples of companies that use Remote Desktop type of technologies (not just SSH) to allow ANY customer to have full login access via (TS/RDP) to Windows Servers to testdrive their software. Do a search on these for yourself to see they exist, I won't post links to watch these companies get
Re:No, you're still wrong about the REAL problem (Score:3, Interesting)
1) Confirm that your hack/exploit really works, but DON'T CHANGE ANYTHING
2) Wait until the contest ends and the system is declared "unhackable"
3) Wait a bit longer until the "unhackable" system is adopted by a bunch of big businesses
4) Make a lot more than the original prize fee by pillaging the "unhackable" systems.
oh.... I suppose it should have read
4) Profit!
Re:try it for Windows or Linux...Re:A Different Te (Score:2, Interesting)
How could you infer that from what I wrote? I never once mentioned any other OS. I have little doubt that XP is less secure, but that's not the issue. Up until a few days ago, no one was claiming to be able to escalate user privileges under OS X. Now someone is claiming that. And if it's true, it's a problem not to be taken lightly. And if it can be done programmatically, then it's a very serious issue.
For what it's worth, I don't run XP. I don't run Linux. I run OS X, and I've done so since it first came out. And I ran Mac OS 9, and 8, and 7, and 6, and even had an original Mac with only a floppy drive. So I'm not looking to bash Macs. In fact, my friends who I drive nuts with my "Mac talk" would laugh at the idea.
But that still doesn't mean this is a trivial issue. And it doesn't really matter that it's "less bad" than XP. I take that to be a given.
Re:try it for Windows or Linux...Re:A Different Te (Score:3, Interesting)
Paradise Pete: How could you infer that from what I wrote? I never once mentioned any other OS.
Precisely, you never mentioned any other OS with regards to privilege escalation attacks... and you'll notice I was really just _asking_ if you were trying to imply something about another OS, so actually, I didn't infer it as much as I wondered if you meant to infer it.
I have little doubt that XP is less secure, but that's not the issue. Up until a few days ago, no one was claiming to be able to escalate user privileges under OS X. Now someone is claiming that. And if it's true, it's a problem not to be taken lightly. And if it can be done programmatically, then it's a very serious issue.
Um. Ok. Here's the thing: just about every form of *nix under the sun has had a history of problems with privilege escalation. Go to this CERT document [us-cert.gov] and search for "elevated privileges"... as just one example of how widespread and ( fairly ) well-known this type of problem is. While you're there, note that OpenSSH is what OS X uses. I'm sorry that you ( and apparently a lot of other people ) weren't aware of this as a problem, and usually such attacks are fairly difficult and too obscure for most people to do, but... they are a real problem, and always have been.
For what it's worth, I don't run XP. I don't run Linux. I run OS X, and I've done so since it first came out. And I ran Mac OS 9, and 8, and 7, and 6, and even had an original Mac with only a floppy drive. So I'm not looking to bash Macs. In fact, my friends who I drive nuts with my "Mac talk" would laugh at the idea.
Well, consider for a minute then that OS 9 has pretty much *no* such concept as privileged and unprivileged users... it does have some user restrictions, but they never worked terribly well in part because they weren't implemented by much more than the Finder and system services. Would you have given someone an account on your OS 9 machine if you didn't know who they were? I doubt it.
But that still doesn't mean this is a trivial issue. And it doesn't really matter that it's "less bad" than XP. I take that to be a given.
Yup... definitely not a trivial issue. Definitely an issue that Apple ( and, clearly, developers and system designers in general ) would like to ignore... because it's complicated and restricts what you can do. Apple needs to step up and treat privilege escalation as a more serious threat than it seems they have in the past. Hackers need to step up and do the right thing by reporting these problems when they find them. But most importantly, users like you and I need to remember that there is no such thing as giving someone "safe" access to your machine... if you're going to open up SSH or any other avenue that could be used for attack, do it carefully, check out OpenSSH CERT reports, and remember that you're not invulnerable, no matter what operating system you're using. They have not built an unsinkable ship, nor have they built an operating system that you can give someone "some" ability to directly execute arbitrary code on. You might think OS 9 did that, but it didn't- it made it really, really hard to execute arbitrary code from anything but the console, but once you were a user, it was easy to do whatever you wanted. OS X is an improvement on that, really... even *if* you give anyone who wants one a login account and ask them to own your machine. And it's definitely an improvement on WindowsXP, though I do wonder if OpenBSD or something might be more safe.
It really is like locking someone in the garage or basement and daring them to get into the rest of the house. If you actually *want* to be safe, you'll lock them out at the gate outside your house, and not let them in where they can start to attack through the drywall.
MiniSlashdotting (Score:3, Interesting)
- Former Badger, glad I ordered one of those new MacBooks
Re:A Different Test (Score:3, Interesting)
This test was spun in such a way to make it appear that someone could merely put their machine on the Net and have it hacked. The truth was, there was a remote login opened for the hacker. Was there still an exploit? Absolutely! Should Apple address it? Definitely. But was it a fair and open test? Wait, was the COVERAGE fair and clear? No.
Ok, I actually apologize, as my initial response was to be directed at your comments, but went more into a general rant directed at all the people that don't realize this is more common than they realize and not a biased test of OSX.
So I do apologize for it seemingly being directed at you, when it wasn't after I was done writing.
As for the Unix/OSX debate, this is something you have to give and take on. Mac OSX is not Unix, but a Unix-type OS. However, it is common in the 'new' Mac world to see OSX in the same class as other standard classic and new Unix OSes. Mac users can't have it both ways, and use this as an excuse when OSX fails to live up to hype that Apple actually generated.
But with that said, WindowsXP (non-server) does not allow a non-administrative level user to use RDP(Remote Desktop), so there is no way to compare WindowsXP in the same scenario; the only commonality here is Windows 2003 server is the 'same code base' as WindowsXP, but does allow guest (TS/RDP) logins, and is something used quite a bit. In the Windows world SSH and Telnet type of technologies are not predominant, so there is not a good comparison here, even though a WindowsXP or Windows Server can be fully administrated using this type of technology.
Oddly, Windows has actually surpassed the 'non-command line' model, and 99% of all remote access and administration is done using a GUI and GUI based tools. (Which is strange as the ease of administration has passed XWindows technologies and even the inherent Mac world technologies for use and management.) - For example, in Windows you don't ever have to drop to a *nix type terminal (or Command Prompt) to change settings or do things locally or remotely, which we are now finding advanced Mac OSX users doing, and are still common in most of the other *nix OSes. XWindows was originally the poster child of a GUI protocol to leave command line usage and administration in the past, and 20 years later, it has been fragmented by its openness to still not deliver this. (Not that openness is a bad thing, but when some standards are left a bit loose, they don't ever get tightened by any leaders.)
You are right about the ZD article being jaded, and I do get it. However, what is being missed here is the article is basically demonstrating OSX is not any better than any other OS, which a lot of Mac and OSX users are finding a slap in the face. Even with OSX abstracting the root from the basic level of user operations, it is not 100%, even though it 'appears' to be, and Apple would love for people to believe it is. Other *nixes do a better job of abstracting User Login levels from root than OSX does.
OSX does well, but it is not perfect, not better than other OSes in this regard and certainly NOT 100% safe, even if permissions have been reduced to nothing. Policy management on Windows can do the same, but it still isn't 100% either.
(And no I am not arguing Windows is one of the OSes that does the root abstraction right, in fact they are the poster child of being the opposite, and this is also the evil double edge sword for MS. Their OS is built upon years of 3rd party application compatibility that allows programs to run unfettered on NT without regard to the NT security system. If Microsoft would have forgone t
Test Now Closed (Score:3, Interesting)