Hack Mac OS X With Installer Packages

nezmar writes, "MacGeekery has a short but insightful piece with examples on how to use a malformed Installer package (.pkg) on Mac OS X to 'insert user accounts with administrator rights and change root-owned system configuration or binary files without prompting the vast majority of Mac OS X users for a password of any kind.'" The article notes that this issue was brought up on the Apple Discussion Boards 6 weeks back and that it was noted there as a duplicate / known issue. It also gives as an example the installation of Parallels, the popular virtualization software, which uses the described technique, but not for nefarious purposes.

Well...

[Anonymous Coward]

At the very least, until this is fixed, this is yet another reminder not to install things without knowing what they are.

it still asked me for a password

[crashelite]

i run as a admin account and it still asks me to use my password to gain access even the program they listed it asked for my password to be entered to install. so it still is all good for me... i dont install things that i dont know what they are in the first place so those kiddies trying to hack on a mac will have problems downloading their haxzor programs cause it will crash their mac and allow some one to access it no big. just one less user in the world that cant learn how to get into ppls computers oh well

Hacking OS X? Hardly

[morgan_greywolf]

You still have to install the package as an admin user. Lots of tools on Linux create admin user accounts without prompting for a password when run as root. The Debian Advanced Package Tool (APT), in fact, is one of them. It's perfectly possible to create a .deb package that sets up admin user accounts without prompting, as long as you are running as root. Does that mean you can hack Debian or Ubuntu with .deb packages?
   

Let me get this straight ...

[khasim]

There exists a pretty significant interface problem with the Apple Installer program such that any package requesting admin access via the AdminAuthorization key, when run in an admin user account, is given full root-level access without providing the user with a password prompt during the install.

So, when you're logged in as admin, and you install a package, that package can add whatever is in that package. Isn't that how it is supposed to work?

I'm not seeing the problem here. Am I missing something?

So, in summation

[banky]

1. If you're sitting at the box, you might be able to 0wnz0r it. Same as for Linux, BSD, and Windows.
2. Regular folk should only install software from reasonably trusted sources.

I would assume that second point would be clear, given 10 years of watching Windows users open every last attachment that arrives in their inbox, while we sit at our Macs and laugh, but something tells me, probably not.

Re:Ouch

[Anonymous Coward]

No, Apple should fix the freaking thing, a "OS X security update", small sized, why should they hesitate?

Latest Quicktime and iTunes update was 60 MB, let me remind you.

I liked the guys attitude, it is not like "Installer is evil" things probably by some Unix geeks that hates everything easy and automatic. There is a easy solution. Ask the admin password, kernel extensions area is NOT a toy, no regular user would need to install such a deep system level, it is not like some shareware in Applications to try and trash.

Getting rid of Installer is not solution, it is Apple, OS vendor to fix it. Installer still needs some enhancements to feature "deploy" mechanisms over network etc. Ask Mozilla guys why they moved to MSI method on windows.

Re:Let me get this straight ...

[CaymanIslandCarpedie]

How the heck is this modded flamebait? Are most OS/X users as security-stupid as Windows users?

Maybe because you add nothing to the discussion. You simply agree and then toss in a cheap (flame) insult. And then in your whining about accurately being modded, you simply toss another flame (Are most OS/X users as security-stupid as Windows users?) on the fire.

If your goal is to add nothing and just toss bitchy insults out there, don't be suprised of you are modded as such.

Re:Well...

[LiquidCoooled]

People wouldn't install things if they don't know what they are, they obviously want to install [legitsoftware_name] on their system.
However its important to make sure they trust the source they recieve the software from.

As in the rest of life, use common sense and apply good judgement, stay away from the shady parts of the internet and you won't get stung. A reputable company would not risk the lawsuits with distributing known hacked packages.

Re:Let me get this straight ...

[yroJJory]

This is not about smugness; it's about a legitimate security issue.

Are you saying that the insane quantity of malware, virii, and other attacks on Windows is the fault of the users? Most don't even know that something was just install on their system or that it is running, and that includes experienced users.

This same type of issue is what is being discussed.

At least in this case, the issue requires a user to run an installer, but they should still be prompted for root-level access. In a case like this, it IS Apple's job to protect the user. Just because Microsoft doesn't give a shit about their users doesn't mean it's the correct way to behave.

Re:Hacking OS X? Hardly

[Wm_K]

That's what I just said. It asks me for my password and only then I get promoted to the admin user (by means of sudo I assume). The point of the article is that "without prompting the vast majority of Mac OS X users for a password of any kind". If someone then says "most OSX users run as admin by default" that makes it sound as if users are running a root account by default. Which is not simply true.

Re:Let me get this straight ...

[ahknight]

Many points, yes.

1. The default user Apple makes is an admin. Non-computer-literate folks don't know this.
2. Without providing a password, this gives an installer script root access.
3. People will double-click anything.

Re:Hacking OS X? Hardly

[Wm_K]

I believe you misunderstand. sudo is a command that takes a user listed in the sudoers file and gives them root priviledges.

Exactly! But when do you get root priviledges? Only after you give your password to sudo (either on the cli or in the installer). Before that point you have as much privileges as a ordinary user.

The little thread started because cgenman said "OSX users run as admin by default" with which he seemed to imply that Mac OS X users run with root priviledges by default and therefor don't get prompted for a password. But this is not the case.

I don't even think we're making a different point. My definition of admin is just more confusing I guess. You're indeed right that the default user is a user from the admin group, but my point is that even though the user might be an admin, he doesn't have root priviledges without giving a password first.

Re:So, in summation

[banky]

I have a number of games on my PS2. I fail to see what that has to do with Mac OS X privilege escalation via installer packages.
 

Once you're penetrated...

[argent]

There's a great security T-shirt out there that carries the slogan "Once you're penetrated, you're ****ed" (except with the canonical 4LW instead of ****).

Once an attacker has gained the ability to run unrestricted code on your computer, they can cause you grief even if they have no ability to install applications, install kernel components, run as root or Administrator, or even access the network. Being able to prevent applications from gaining extra privileges is good, at least it makes the cleanup easier, and possibly limits exposure to one account (though anyone who had an account on a shared timesharing system in college knows that's not guaranteed). But for most people, that account has everything they care about on the computer anyway, so once they're penetrated they're ****ed.

Apple needs to make the following changes to reduce the probability of penetration here.

1. Don't treat files (like, say, installers) as "safe". Treat applications that operate on files as "safe" or "unsafe", with "safe" limited to applications that are designed to deal with untrusted files.

2. INSTALLERS AREN'T DESIGNED TO DEAL WITH UNTRUSTED FILES. Don't run an installer automatically.

3. The user is allowed to shoot himself in the foot, but he has to actually pick up the gun and aim it aware that it might go off. It doesn't go in the bathroom cabinet with the hair dryer.

Don't mix untrusted and trusted files by default... downloads go in a "Downloads" folder, not on the desktop. Don't automatically install downloaded files, let the user request that. Don't run helper applications that are selected for the Finder or Windows Explorer, keep a separate list of helpers for web browsers and mail software...

PS: Mozilla folks: the same issue applies to XPI. You've got a big red tag on XPI installer saying 'THIS IS A GUN', but you're still leaving it in the bathroom cabinet next to the hair dryer. Cut that out.

Seems nobody really got it.

[l0ne]

Admin user in OS X are regular users on the admin group. The default setup creates an admin user. Installer.app allows PKGs run by admin TO RUN AS ROOT AND WRITE ON ROOT:WHEEL OWNED FILES WITHOUT A PASSWORD PROMPT. It's more-or-less OK for admins to write to /Applications. It's not to change /etc/sudoers or similar nefarious things without a prompt.