Mac OS X Security Competition Ends in 30 Minutes 388
ninja_assault_kitten writes "ZDnet is running an article on how a Swedish Mac OS X enthusiast held a competition to prove how good security was on his new fully patched Mac Mini was. Unfortunately, 30 minutes after the competition began, a hacker known as 'gwerdna' had broken in and defaced the website, thus winning the contest.
According to gwerdna, 'Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders.'." It's also worth noting a piece that says all the security news is much ado about nothing, in practical terms. The security contest also allowed people to have local access via SSH, so that had a lot to do with the crack.
Re:Why keep SSH on? (Score:5, Informative)
Re:Why keep SSH on? (Score:4, Informative)
Re:Why keep SSH on? (Score:5, Informative)
Somewhere inside of Apple, engineers are shaking their heads at this guy and the damage he's done to the Mac's reputation.
Parent is a troll. (Score:1, Informative)
What's interesting in this case (and different from real world servers) is that they gave SSH login accounts to the people testing the system.
The idea was to test that even *if* someone had all the access that SSH allows, how easy it would be to get further.
(my guess is that the parent is a msft troll trying to suggest that windows terminal services is safer than ssh because ssh was enabled here)
Stock Mac OS has never once had remote exploit! (Score:2, Informative)
Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote exploit for standard Mac OS in the history of the internet, even whith a common web server running on it.
Even the US Army used macs exclusively (mostly MacOS 9 until recently) after being rooted rouitinly using unix and MS Windows NT. For many many years www.army.mil has been run on macintoshes exclusively.
The same is true of many colleges that were rooted and defaced too often on Linux. They installed WebStar and OS 9 and never had to worry again.
http://uptime.netcraft.com/up/graph/?host=www.army
http://www.google.com/search?q=army+webstar+ [google.com]"os-9"
Check it out yourself. This entire post is full of factual citations and 100% facts.
No mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.
Why?
Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currenlty sold g4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 8 years, even when paired up with its preferred web server app.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.
That is why the US Army gave up on MS IIS and got a Mac for a web serve. Currently it is a honeypot for OSX testing, and US Army use regular Mac OS on other internal servers
This post is not talking about FreeBSD derived MacOS X (which already had a more than a 50 exploits and potential exploits in BugTraq database, and in the news yesterday with Symantec claiming in March 2005 of OSX having remote exploits) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.
Why is is hack proof? These reasons
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator. Additionally certain types of compilers can check range on assignments to prevent out of bounds. Furthermore many good programmers ensure that the bounds are not overwritten.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward
Re:Why keep SSH on? (Score:2, Informative)
RTFM guys... (Score:2, Informative)
Here's a salient quote:
"The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users... There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.
"There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches -- good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits," said gwerdna.
Bad anagram for a name or not, the guy sounds like he knows what he is talking about. There is a link to another article as well that talks about Apple's lack of diligence on security issues. Here's a link:
http://zdnet.com.au/news/security/soa/Ancient_fla
The point is that Security is everybody's business, and no company can afford to slack. Not even the lily-white Apple is immune.
Comment removed (Score:5, Informative)
Re:Lord, save us from morons (Score:3, Informative)
The guy should feel thankful that the hacker (gwerdna) was nice enough to only deface his site rather than actually "rm -rf
Re:Why keep SSH on? (Score:2, Informative)
andrewg = gwerdna (Score:3, Informative)
Re:gwerdna? (Score:2, Informative)
gwendra [felinemenace.org]
Re:Why keep SSH on? (Score:5, Informative)
Not necessarily. The mac mini is a desktop and has a lot of software installed on it that would be deemed a security risk in production environment. Ever hear of using a complier to shell out? That is why compilers are usually left off of servers for security reasons. Your average linux/bsd desktop box with all the goodies installed probably would not have lasted much longer.
Perhaps with a desktop Mac (Score:3, Informative)
Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.
Re:Mac OS X Security Challenge (Score:5, Informative)
Dave works and is a rather high profile Mac admin at UWisc.
Re:Perhaps with a desktop Mac (Score:5, Informative)
Not saying there's anything wrong with this, Solaris, FreeBSD, et al are the same, but while SSH may need enabling on a Mac desktop, it does not appear to on a Mac server.
Of course SSH is on by default on a Mac Server--it is designed to run, and be configured from first boot, headless. That would be pretty difficult to do if you had no services. Other default services are Apple Remote Desktop, for GUI control, and the Server Admin Suite; even the Apple Server Admin Tools can be port forwarded through SSH if you prefer.
The assumption is that servers will be managed by those with a clue, whereas desktops will not usually be. Also, no Mac desktops are expected to be configured and maintained headless from first boot, whereas you have to specify a video card for an Xserver for it to be graphical at all. I don't think those are unreasonable assumptions to make.
Re:Perhaps with a desktop Mac (Score:3, Informative)
Re:Why keep SSH on? (Score:5, Informative)
Yes and no. If your admin locks the machines down tight, then it's quite possible that the Mac servers are more secure than the Windows servers. Left with default settings, they're both highly vulnerable to anyone who already has access to the machine and is determined to find a hole. (Whether it be a buffer overflow in a priviledged service, or a soft link that gave elevated permissions.)
Systems are extremely hard to secure once untrustworthy individuals have access to them. That's why there's a market for products like Trusted Solaris and Trusted Linux. If you need high security against local users, you can't trust anyone. Not even root.
Re:Lord, save us from morons (Score:5, Informative)
Indeed. And every once in a while, Sourceforge gets hacked [sourceforge.net]. And they have a trained staff of admins who attempt to very carefully lock down the systems and separate the user logins from the systems that run web services and code repositories. (Which is why you can't blow away your own code tree. You have to ask SF to do it.)
The only thing that's funny here (which isn't even funny) is that an inexperienced admin made his box 100% public without taking the standard precautions that every admin worth his salt would take. He blindly trusted that his Mac would be configured to do something it wasn't designed for, and he got burned. Well, DUH. I had a friend who's RedHat Linux box was remotely rooted several times without the attacker being given a shell account. Does that mean that Linux sucks at security?
Re:Why keep SSH on? (Score:2, Informative)
How about the U.S. Army building a supercomputer cluster from 'em?
http://news.com.com/Apple+sells+supercomputer+seq
And several university's such as this one doing so too:
http://news.com.com/Apple+shooting+for+supercompu
Many, many Hollywood studios and special effects houses are using them as well, such as these and many more:
The makers of Jarhead:
http://www.apple.com/pro/film/murch2/ [apple.com]
The maker of Underworld Evolution
http://www.apple.com/pro/film/lumapictures/ [apple.com]
And how about the Minneapolis Star/Tribune
http://www.apple.com/itpro/profiles/startribune/ [apple.com]
and the Atlanta Journal-Constitution:
http://www.apple.com/pro/design/atlantajournal/ [apple.com]
and Harvard Med School:
http://www.apple.com/science/profiles/harvardmed/ [apple.com]
and MANY other examples at :
http://www.apple.com/pro/archive/ [apple.com] (this pageis especially good)
http://www.apple.com/pro/ [apple.com]
http://www.apple.com/itpro/ [apple.com]
http://www.apple.com/server/ [apple.com]
Re:Why so many apologists? (Score:4, Informative)
What good is a door if it's welded shut? Wouldn't a proper lock be more useful? Security should be about maximizing functionality securely, not limiting it.
Ideally, any user should be restricted to the behaviors intended by the administrator and there should be no local privilege escalations. Realistically, however, this does not really happen except in a few special cases of extremely security oriented OS's. The first line of defense is how many services you have, think of them as gates in a castle. The second is the firewall, how many gates are open for business. The third is the username/password, do the guards know you and will they let you in. These guard against most threats except for someone who can impersonate someone else or insider threats who have access but want more access. In this case the "hackers" was given legitimate access to come in through the open gate. (A gate the admin specifically had to open and using the username and password the admin gave them.)
Once inside there is still security, but it is much, much less. On the average Windows machine at this point there is no security at all and even on a well secured Windows machine there are thousands of unpatched privilege escalation exploits. At this point on either a Mac OS X desktop or the average Linux machine a knowledgeable security person will be able to gain admin access. That is a sad fact, but it is the case for the vast majority of systems. Exceptions might be a locked down OpenBSD box running jails, an SELinux box, or some other specialized ultra-secure OS running virtual machines. Very few people run those machines as desktops and those that due generally don't have the best experience because they sacrifice a lot of usability to gain that level of security.
This "test" was no surprise to anyone with a clue. That is exactly what would be expected to happen. Also, some of the better security guys out there can definitely gain remote access to machines using unpublished vulnerabilities. If they really want in they will get into the average OS X or Linux box. So what are we talking about here? Well obviously this is still much better than Windows, but not impregnable. What it does is make you pretty safe from automated worms and your average script kiddie, which far outnumber the knowledgeable crackers out there.
Ideally, all desktop OS's would be locked down more tightly. They would do more security auditing and they would implement ACLs, VMs, or jails for all remote access and all applications. Some day perhaps they will. But for right now it is not a big concern, simply because market does not call for it. Not many people really have data that needs to be kept secure against experts and those that do have specialized OS's to use. Of course they can't run photoshop or World of Warcraft and the users would not trust their internet connection to talk to WoW servers anyway using all closed source. That is a task better allocated to a regular desktop, not a locked down, ultra-secure server. And that is what this "test" has shown. OS X is a desktop and if you bypass all the primary security on it, it will not stand up to a cracker from the inside like OpenBSD might. Of course anyone who really cares already knew that.
Re:considering (Score:3, Informative)
people set up ssh accounts on the machine and they were supposed to rm -rf the thing and no one has.
if you look on the page people can remotely add accounts to the server in order to get shell access VIA THE FUCKING WEB PAGE
Belt and suspenders. (Score:2, Informative)
The only function that signing the invitation here on Slashdot would do, is positively link the owner of the Slashdot account daveschroeder to the machine...but really, what does that matter? The owner of the machine, even if it's not daveschroeder (and I'm not implying that this is the case, but speaking hypothetically -- especially since his name is at the bottom of the page) is inviting people to hack it. I think that pretty much makes it valid, signature or not.
Re:Why keep SSH on? (Score:5, Informative)
Which was also not what was compromised. Kind of nice for the GP to switch topics like that.
I want to know more details about this incident.
The machine was a Mac Mini "running a default install of OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues." It's colored orange for some odd reason, and sits on a bookshelf sideways. He, "set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine."
This is all available on his webpage [nyud.net].
Basically, the guy is a moron. He thinks he's proving something by making a Desktop configured machine do server-class work, and then expect it not to get rooted.
Was it a local privelage escalation flaw?
Yes. The exact hole has been withheld, but it probably doesn't matter anyway. In a contest of machine vs. hacker where the owner is doing nothing to stop the hacker (and in fact, inviting him by removing barriers!), my money is on the hacker.
Was it a remote flaw in SSH or Apache? Maybe an SSH password attack?
The guy gives out [nyud.net] SSH accounts. There was no need to penetrate this layer of security, because he left the door wide open.
How long would this contest lasted on Windows? (Score:3, Informative)
If you need to give potentially hostile users shell, you want them in a FreeBSD jail at a minimum.
Re:Why keep SSH on? (Score:1, Informative)
Re:Why keep SSH on? (Score:3, Informative)
Is the standard desktop version of MacOS X configured for that purpose straight out of the box? No. That's why they sell MacOS X Server. OTOH, MacOS X (non-server) is properly configured for its intended purpose and does not ship with a bunch of things turned on that make the machine particularly vulnerable to outside attacks.