Mac OS X Security Competition Ends in 30 Minutes

ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest. According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.

Re:Why keep SSH on?

[Daedala]

It's a Mac. You don't _keep_ SSH on. It's disabled by default. You have to turn it on deliberately.

Re:Why keep SSH on?

[foniksonik]

in fact with OS X you have to turn it on... it's a Sharing preference called Remote Login... hello, yes I'd like people to remotely login to my machine.. I'll just start this right up. OTH there should be a little more help info on what SSH is for those who think being able to remotely login is a good idea even though they really don't know how to do it.

Re:Why keep SSH on?

[AKAImBatman]

The problem wasn't even that he had SSH running. It was that he was giving out accounts [nyud.net]! I don't know what this guy was trying to prove, but his blind faith in Apple got him burned.

Somewhere inside of Apple, engineers are shaking their heads at this guy and the damage he's done to the Mac's reputation.

Parent is a troll.

[Anonymous Coward]

SSH (secure shell) is one of the services that's relatively OK to keep on.

What's interesting in this case (and different from real world servers) is that they gave SSH login accounts to the people testing the system.

The idea was to test that even *if* someone had all the access that SSH allows, how easy it would be to get further.

(my guess is that the parent is a msft troll trying to suggest that windows terminal services is safer than ssh because ssh was enabled here)

Stock Mac OS has never once had remote exploit!

[Anonymous Coward]

This "30 min" contest was for people with an actual SSH account given to them for a LOCAL exploit, so its not a remote exploit, it also is not the most secure version of the Mac OS, but for SERVERS, nothing is as secure as MacOS.

Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote exploit for standard Mac OS in the history of the internet, even whith a common web server running on it.

Even the US Army used macs exclusively (mostly MacOS 9 until recently) after being rooted rouitinly using unix and MS Windows NT. For many many years www.army.mil has been run on macintoshes exclusively.

The same is true of many colleges that were rooted and defaced too often on Linux. They installed WebStar and OS 9 and never had to worry again.

http://uptime.netcraft.com/up/graph/?host=www.army .mil [netcraft.com]

http://www.google.com/search?q=army+webstar+ [google.com]"os-9"

Check it out yourself. This entire post is full of factual citations and 100% facts.

No mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.

Why?

Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currenlty sold g4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 8 years, even when paired up with its preferred web server app.

In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.

That is why the US Army gave up on MS IIS and got a Mac for a web serve. Currently it is a honeypot for OSX testing, and US Army use regular Mac OS on other internal servers

This post is not talking about FreeBSD derived MacOS X (which already had a more than a 50 exploits and potential exploits in BugTraq database, and in the news yesterday with Symantec claiming in March 2005 of OSX having remote exploits) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

Why is is hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator. Additionally certain types of compilers can check range on assignments to prevent out of bounds. Furthermore many good programmers ensure that the bounds are not overwritten.

4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward

Re:Why keep SSH on?

[Frangible]

Excellent point, I'd mod you up if I had the points. I suppose it wasn't much of a true competition, then.

RTFM guys...

[d3ac0n]

Before the Mac-o-philes here start getting all bent out of shape, perhaps reading the article in question would be a good start...

Here's a salient quote:

"The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users... There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.

Bad anagram for a name or not, the guy sounds like he knows what he is talking about. There is a link to another article as well that talks about Apple's lack of diligence on security issues. Here's a link:
http://zdnet.com.au/news/security/soa/Ancient_flaw s_leave_OS_X_vulnerable_/0,2000061744,39234678,00. htm [zdnet.com.au]

The point is that Security is everybody's business, and no company can afford to slack. Not even the lily-white Apple is immune.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Lord, save us from morons

[AKAImBatman]

BTW, in case I wasn't clear enough above, his automated webpage to create SSH accounts is here [nyud.net]. That will allow you to remotely login to his machine within minutes of entering your information. (Assuming he hasn't disabled it by now.)

The guy should feel thankful that the hacker (gwerdna) was nice enough to only deface his site rather than actually "rm -rf /" his box. (Which was what this guy was asking people to do, "if they can".) :-/

Re:Why keep SSH on?

[BrokenHalo]

I turn SSH on on machines I routinely have to maintain. It's very useful. But I make damn sure I don't use an idiotic password crackable by any snotty-nosed little 11-year-old script-kiddie...

andrewg = gwerdna

[numacra]

Andrewg does know what he talking about. andrewg has published papers (not on mac security) and is part of some wonderful communities pulltheplug.org [pulltheplug.org] and felinemenace.org [felinemenace.org] . I assure you that this machine would of been hacked... with SSH access or not. I think it shows the importance of having patches that minimize possible exposure (i.e grsec/pax etc) that would of decreased the chances of successful exploitation dramatically.... but then again nothing is bullet proof

Re:gwerdna?

[maccalvin5]

additionally

gwendra [felinemenace.org]

Re:Why keep SSH on?

[bombadillo]

True, a Mac Mini isn't typically going to be used as a server, but if Apple decides to make some kind of Intel based server, this kind of thing is a HUGE problem.

Not necessarily. The mac mini is a desktop and has a lot of software installed on it that would be deemed a security risk in production environment. Ever hear of using a complier to shell out? That is why compilers are usually left off of servers for security reasons. Your average linux/bsd desktop box with all the goodies installed probably would not have lasted much longer.

Perhaps with a desktop Mac

[Sycraft-fu]

We have a Mac server here at work for testing, we set it up 100% default mainly because none of us are Mac people. A quick nmap (using just well known ports) reveals not only is SSH open, but several others. Also, non-open ports report closed, not filtered indicating no firewall, at least none with respect to it's local subnet.

Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.

Re:Mac OS X Security Challenge

[NatasRevol]

New here, huh?

Dave works and is a rather high profile Mac admin at UWisc.

Re:Perhaps with a desktop Mac

[Johnny Mnemonic]

Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.

Of course SSH is on by default on a Mac Server--it is designed to run, and be configured from first boot, headless. That would be pretty difficult to do if you had no services. Other default services are Apple Remote Desktop, for GUI control, and the Server Admin Suite; even the Apple Server Admin Tools can be port forwarded through SSH if you prefer.

The assumption is that servers will be managed by those with a clue, whereas desktops will not usually be. Also, no Mac desktops are expected to be configured and maintained headless from first boot, whereas you have to specify a video card for an Xserver for it to be graphical at all. I don't think those are unreasonable assumptions to make.

Re:Perhaps with a desktop Mac

[frankie]

Yes, OSX Server ships with some remote admin ports open. Apple assumes that anyone who shells out the extra cash for Server should at least poke around Server Admin.app (or Terminal if you prefer) for a few minutes. sshd and ipfw are easily controlled by either method.

Re:Why keep SSH on?

[AKAImBatman]

Are you telling me that they're no better than Windows when it comes to privilege separation and preventing a low-privilege user account from taking control over the system?

Yes and no. If your admin locks the machines down tight, then it's quite possible that the Mac servers are more secure than the Windows servers. Left with default settings, they're both highly vulnerable to anyone who already has access to the machine and is determined to find a hole. (Whether it be a buffer overflow in a priviledged service, or a soft link that gave elevated permissions.)

Systems are extremely hard to secure once untrustworthy individuals have access to them. That's why there's a market for products like Trusted Solaris and Trusted Linux. If you need high security against local users, you can't trust anyone. Not even root.

Re:Lord, save us from morons

[AKAImBatman]

Funny. Sourceforge gives out SSH accounts to anyone and their dog.

Indeed. And every once in a while, Sourceforge gets hacked [sourceforge.net]. And they have a trained staff of admins who attempt to very carefully lock down the systems and separate the user logins from the systems that run web services and code repositories. (Which is why you can't blow away your own code tree. You have to ask SF to do it.)

The only thing that's funny here (which isn't even funny) is that an inexperienced admin made his box 100% public without taking the standard precautions that every admin worth his salt would take. He blindly trusted that his Mac would be configured to do something it wasn't designed for, and he got burned. Well, DUH. I had a friend who's RedHat Linux box was remotely rooted several times without the attacker being given a shell account. Does that mean that Linux sucks at security?

Re:Why keep SSH on?

[wbd]

Really? Took me all of 2 minutes to find a lot of examples, WITHOUT even using Google.

How about the U.S. Army building a supercomputer cluster from 'em?

http://news.com.com/Apple+sells+supercomputer+sequ el/2100-1010_3-5242487.html?tag=macintouch [com.com]

And several university's such as this one doing so too:

http://news.com.com/Apple+shooting+for+supercomput er+heights/2100-1008_3-5070403.html?tag=nl [com.com]

Many, many Hollywood studios and special effects houses are using them as well, such as these and many more:

The makers of Jarhead:
http://www.apple.com/pro/film/murch2/ [apple.com]

The maker of Underworld Evolution
http://www.apple.com/pro/film/lumapictures/ [apple.com]

And how about the Minneapolis Star/Tribune

http://www.apple.com/itpro/profiles/startribune/ [apple.com]

and the Atlanta Journal-Constitution:

http://www.apple.com/pro/design/atlantajournal/ [apple.com]

and Harvard Med School:

http://www.apple.com/science/profiles/harvardmed/ [apple.com]

and MANY other examples at :

http://www.apple.com/pro/archive/ [apple.com] (this pageis especially good)

http://www.apple.com/pro/ [apple.com]

http://www.apple.com/itpro/ [apple.com]

http://www.apple.com/server/ [apple.com]

Re:Why so many apologists?

[99BottlesOfBeerInMyF]

What good is a door if it's welded shut? Wouldn't a proper lock be more useful? Security should be about maximizing functionality securely, not limiting it.

Ideally, any user should be restricted to the behaviors intended by the administrator and there should be no local privilege escalations. Realistically, however, this does not really happen except in a few special cases of extremely security oriented OS's. The first line of defense is how many services you have, think of them as gates in a castle. The second is the firewall, how many gates are open for business. The third is the username/password, do the guards know you and will they let you in. These guard against most threats except for someone who can impersonate someone else or insider threats who have access but want more access. In this case the "hackers" was given legitimate access to come in through the open gate. (A gate the admin specifically had to open and using the username and password the admin gave them.)

Once inside there is still security, but it is much, much less. On the average Windows machine at this point there is no security at all and even on a well secured Windows machine there are thousands of unpatched privilege escalation exploits. At this point on either a Mac OS X desktop or the average Linux machine a knowledgeable security person will be able to gain admin access. That is a sad fact, but it is the case for the vast majority of systems. Exceptions might be a locked down OpenBSD box running jails, an SELinux box, or some other specialized ultra-secure OS running virtual machines. Very few people run those machines as desktops and those that due generally don't have the best experience because they sacrifice a lot of usability to gain that level of security.

This "test" was no surprise to anyone with a clue. That is exactly what would be expected to happen. Also, some of the better security guys out there can definitely gain remote access to machines using unpublished vulnerabilities. If they really want in they will get into the average OS X or Linux box. So what are we talking about here? Well obviously this is still much better than Windows, but not impregnable. What it does is make you pretty safe from automated worms and your average script kiddie, which far outnumber the knowledgeable crackers out there.

Ideally, all desktop OS's would be locked down more tightly. They would do more security auditing and they would implement ACLs, VMs, or jails for all remote access and all applications. Some day perhaps they will. But for right now it is not a big concern, simply because market does not call for it. Not many people really have data that needs to be kept secure against experts and those that do have specialized OS's to use. Of course they can't run photoshop or World of Warcraft and the users would not trust their internet connection to talk to WoW servers anyway using all closed source. That is a task better allocated to a regular desktop, not a locked down, ultra-secure server. And that is what this "test" has shown. OS X is a desktop and if you bypass all the primary security on it, it will not stand up to a cracker from the inside like OpenBSD might. Of course anyone who really cares already knew that.

Re:considering

[minus_273]

go look at the original page where the challenge is posted [wideopenbsd.org]. TFA is just that a FA. It was written by some idiot who didnt read the actual challenge and wrote an article trying to be as ambigious as possible. It was 6 hours and not 30 minutes as the article calims (though, with a shell i've gotten root in a couple of minutes on some macs)

  people set up ssh accounts on the machine and they were supposed to rm -rf the thing and no one has.

if you look on the page people can remotely add accounts to the server in order to get shell access VIA THE FUCKING WEB PAGE

Belt and suspenders.

[Kadin2048]

Why would he need to do that, since if you go to http://test.doit.wisc.edu/ [wisc.edu], the machine itself presents a page explaining the competition?

The only function that signing the invitation here on Slashdot would do, is positively link the owner of the Slashdot account daveschroeder to the machine...but really, what does that matter? The owner of the machine, even if it's not daveschroeder (and I'm not implying that this is the case, but speaking hypothetically -- especially since his name is at the bottom of the page) is inviting people to hack it. I think that pretty much makes it valid, signature or not.

Re:Why keep SSH on?

[AKAImBatman]

Um, you are talking about OSX vs OSX Server. Which *Does* ship with these services enabled by default.

Which was also not what was compromised. Kind of nice for the GP to switch topics like that. :-/

I want to know more details about this incident.

The machine was a Mac Mini "running a default install of OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues." It's colored orange for some odd reason, and sits on a bookshelf sideways. He, "set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine."

This is all available on his webpage [nyud.net].

Basically, the guy is a moron. He thinks he's proving something by making a Desktop configured machine do server-class work, and then expect it not to get rooted.

Was it a local privelage escalation flaw?

Yes. The exact hole has been withheld, but it probably doesn't matter anyway. In a contest of machine vs. hacker where the owner is doing nothing to stop the hacker (and in fact, inviting him by removing barriers!), my money is on the hacker.

Was it a remote flaw in SSH or Apache? Maybe an SSH password attack?

The guy gives out [nyud.net] SSH accounts. There was no need to penetrate this layer of security, because he left the door wide open.

How long would this contest lasted on Windows?

[argent]

I mean, really. You have local root exploits on OS X. I'm not surprised, when you have companies like Adobe shipping apps containing setuid root shell scripts. Suppose you set them up with an Interix or Cygwin ssh login on Windows, how long would it take to deface IIS? Or would you even bother calling that an "exploit"?

If you need to give potentially hostile users shell, you want them in a FreeBSD jail at a minimum.

Re:Why keep SSH on?

[Anonymous Coward]

Try this http://test.doit.wisc.edu/ [wisc.edu]

Re:Why keep SSH on?

[soft_guy]

MacOS X Server is in fact meant for remote multi-user usage. And it has been around since MacOS X started shipping (i.e. day one.) Where are you getting this stuff?

Is the standard desktop version of MacOS X configured for that purpose straight out of the box? No. That's why they sell MacOS X Server. OTOH, MacOS X (non-server) is properly configured for its intended purpose and does not ship with a bunch of things turned on that make the machine particularly vulnerable to outside attacks.