U of Wisconsin's Mac OS X Security Challenge

digitalsurgeon writes "The University of Wisconsin [ed: Go Badgers] has launched a Mac OS X Security challenge, in response to a 'woefully misleading ZDnet article'. From the site: 'The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open.' Are you up to the task? Can you prove ZDNet wrong, or can you show that Mac OS X can really be hacked in less then 30 minutes? More information about the challenge is at http://test.doit.wisc.edu/ The challenge ends Fri 10 March 2006 10:00 AM CST." Update: 03/07 14:32 GMT by Z : Commentary on the contest and original claim is available at VNUNet

Hackorama Windows

[CDMA_Demo]

I wish someone running windows 2003 professional could start a competition like this.

Logs

[Bromskloss]

Mabye logs could be published (in real-time) so that we all can see some of what possible challengers are up to. That would be interesting.

Re:A Different Test

[Yahweh Doesn't Exist]

the point of the original test was supposedly to test OS X in 'server' mode rather than 'home desktop' mode, hence the ridiculous number of open doors. yet even that does not justify a local user account on ssh.

* yawn *

[Noryungi]

I am sorry, but what exactly does this prove? That ZDNet is wrong? That Mac OS X is secure?

It proves neither: every operating system on the face of this earth has been hacked, cracked, and 0wned. Numerous times. Get over it.

Instead of inane, immature competitions such as this one, I'd rather have a nice manual (RTNM -- Read The Nice Manual) on how to improve/lock down an OS X machine. Even better, make that two manuals: one for the average joe, with nice color screenshots for every step that has to be taken, and another for people like me, who manage systems for a living. THAT would be a valuable contribution to the field of computer security, instead of this stupid challenge.

Possible Danger

[zaguar]

Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).

With virus/spyware becoming a multimillion dollar business, do you really think that the real hackers (sorry for the use of the term) will stay away from this, due to the this very condition. Do you think that the dangerous exploits and cracks that are, for the moment, unknown by Apple, and are hence, very valuable. They will not be willingly sent to Apple for some minor publicity and no material, no, they will be auctioned off in some sleazy IRC channel in Russia.

the original post

[rayde]

here is the original comment [slashdot.org] posted by Dave Schroeder about this challenge pretty much posted right after the 30-minute hack article was posted here. I'm actually quite curious whether the University of Wisconsin has approved this whole thing, as I'm not so sure they really wish to have a machine on their networks in the crosshairs.

Re:A Different Test

[mekkab]

I think you can't "see the forest for the trees."

The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!" Most houses don't have everything bolted down to the floor.

But how often do you allow someone into your machine? For A desktop, not often, perhaps never.

The biggest risk to most computers is a network based attack; this is the real meat and potatoes and a better test of the security of a machine.

Re:A Different Test

[Fahrvergnuugen]

The problem is that the media presents the original test as though Mac OSX is insecure out of the box. It's very misleading.

An acquaintance of mine runs a small web hosting company. His original service plan offered SSH accounts to every hosting account. Despite his best efforts to secure the box, it was still rooted by a script kiddie.

His customer's PC was compromised and the ssh password for his account on the linux server was found by the script kiddie. The shell account had access to GCC. The script kiddie logged in as the non privileged user and used gcc to compile a rootkit. The rest was a walk in the park.

The OS was Slackware linux. All of the accounts were jailed, and all of the "best practice" measures were taken to harden the box (I can't comment on every detail as I am not a linux system admin).

My point is that when a malicious user gains shell access to any *nix system, you're in deep trouble.

My friend has since stopped offering SSH access to his customers.

Re:A Different Test

[Paradise Pete]

The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!"

I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.

When I run a third party program I am essentially letting them inside, but as a non-priviledged user I'm confining them to a specific area. But if this ability to elevate privileges turn out to be a fact, then any program I run can have full access.

Right now we have only this one supposed demonstration of it. What I'd really appreciate seeing is that *original* test repeated. If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.

Re:A Different Test

[jav1231]

Exactly. If you wanted to truly compare OS X to Windows in this scenerio, put a PC on the Net with TS opened and give out the user account information.

Re:Your wish has been granted:

[SolitaryMan]

• Keep your machine patched
• Don't randomly open ports for services you don't use
• Have a personal firewall/router
• Don't run software you don't trust

Excuse me, but an "average Joe" doesn't have to know what any of these words means. Until then, we're bad engeneers.

Re:I'm not sure what the value of this is.....

[emerrill]

The point of this is to see how secure the OS is w/o hardening, and in a more typical networked situation. For that matter they are softening it to attack compared to the stock configuration.

The ZDnet article simply was not reported correctly, and gave the wrong implications. Even with the added sentence, the article tries to make it sound like its vulnerable to remote exploits and you have to be worried about having your machine on the internet.

Re:A Different Test

[mekkab]

The two things are different. Very different. Quit trying to make analogies with them. Some attempts at home security/compute security analogies are better than others (and this one wasn't one of them), but they're almost always flawed in one way or another.

Thanks for making an assertion without even providing any evidence to support it! ;)

I this case, I think the analogy holds VERY well. Its much easier to defend a single point of entry (or a limited number of entry points) than it is to defend each and every thing that is precious and valuable. In this case, the TCP/IP stack and the the network services that ride on top of them are your "limited entry points"; vs. tying down absolutely every application.

Fink could have contributed to the original "hack"

[Been on TV]

One of the unusual things about the "hacked" machine was that Fink was installed. This most likely means that the Apple developer tools were installed (although Fink can install precompiled binaries), making it possible for the hacker to bring his own code and compile on the system. Although Apple ships the developer tools on the OS X client install DVD, it is not installed by default, nor is X11.

Fink lists a catalog of 6359 open source projects [finkproject.org]that can be installed, many of which are tools that could help a hacker exploit a machine or that are exploitable in themselves. Fink is a Debian style package manager for Mac OS X.

Re:A Different Test

[AKAImBatman]

This is how most Mac OS X machines will appear to outside entities on the internet.

Let me just say, thank you. All these trolls seem to think it's perfectly natural that you'd let hundreds of anonymous users into your system, who's only purpose in life is to compromise one of the hundreds of software packages installed in an attempt to gain higher priviledges. That's just ridiculous. Mac OS X is a desktop system. It is configured as such, and is bound to have problems that could be exploited by a sharp human. (Trojans, worms, and viruses tend to need an exploit that's guaranteed across a large number of systems. This may not be the case.)

If the guy had wanted to test Mac OS X server, he should have run Mac OS X server. Yet even then, there's absolutely no admin worth his salt that would allow shell access to a Unix machine before first performing a full lockdown of the machine. The defaults are never good enough, because the system is still evolving for its intended use. When you're configuring all the services you need, it's always important to set the security to match the level of trust you give the users. In some cases that may mean that you've exposed yourself to potential compromises, but you trust the user (or users) with that responsibility. In other cases, you don't trust the users at all, so you revoke just about every right you can think of.

Or in other words, security is based on trust. Thinking that a system that's intended to trust its users (a Desktop) is going to stand up against untrustworthy users is silly. So again, thank you for trying to set the record straight here. When you're done, we can get the Onion to sydicate the ZDNet article. ;-)

Re:A Different Test

[shippo]

The original machine had had various extra bits of software installed via the Fink project, such as MySQL. The Fink project is very lax at getting updates in place, and there appears to be no specific security policy, particularly if installed from the so-called 'stable' release.

It is entirely possible that one of the pieces of software installed by fink had a root exploit, perhaps using SETUID.

Fink should not be installed on production systems.

Re:Sad.

[99BottlesOfBeerInMyF]

Why is it that the world only considers remote vulnerabilities to be of consequence? Somehow local vuls are now irrelavent[sic].

You're missing the point. This test is not trying to imply that local vulnerabilities are inconsequential, it is trying to undo some of the misinformation that has been spread by the press. The previous test was fine, but the representation of it in the press was that a regular OS X machine put on the internet can be hacked in 30 minutes. This is wrong in many, many ways. Thus, someone made angry by these misleading articles set up a test that is closer to the condition those articles presented and hopefully the press will also report on how misleading their previous reports were. Most of them have retractions or updates up now, but since the damage is already done, this seems like a reasonable solution to me.

Please note, neither of these tests is gathering much in the way of useful information for security people, they are just providing yet more evidence of what most security people already know. A medium competent cracker can find a local exploit for OS X. A really good cracker can find a remote exploit for OS X. If you are going to be giving shell accounts to random people or are likely to be attacked by experts, you should be running one of the secure OS's that uses jails or virtual machines. None of this is news.

This is not about security people though, this is about giving the average person an accurate view of how secure OS X is, without the FUD.

Re:Much better analogy!

[Anonymous Coward]

However with most desktop machines your biggest worry isn't normally* an attack from within; its usually from without.

Well, I can think of a few scenarios where an attack from within might be a major issue for a desktop machine. For example, in a family situation, the parents might desire to restrict the children's access to a computer, say to prevent them installing P2P software or browsing porn sites. But of course a restricted account is no substitute for good parenting...

Still no comparison

[massysett]

Lots of hosting companies offer ssh access, not to mention that if an account exists on the machine with ssh access, it may be only a matter of time before someone manages to gain access to it.

True, but this test still does not compare to what hosting companies are doing. Web hosting companies are (hopefully) run by professionals who secure the boxes. Web hosting companies run operating systems like RHEL that were designed for server use--Mac OS X on a Mac Mini was designed for home use.

Most importantly though, hosting companies are not giving ssh to any anonymous joe off the street, which is exactly what happened in this contest. At a minimum, web hosting companies have your credit card number before they offer you ssh. Some will demand additional information, such as a faxed copy of a driver's license. Of course a crook can get a drivers' license and a stolen credit card, but these are additional hoops to jump through that make the process of cracking the machine that much more trouble. Plus, if someone does crack the machine despite his lack of anonymity, the hosting company might be able to track him down.

This contest as reported on ZDNet was a joke. The guy gave ssh accounts to anyone who asked for them, without demanding any proof of identification. He ran it on an OS that was not designed to be run with untrusted users logged in. Furthermore, the crack was done by an anonymous person using an "undocumented" security hole, which to me calls the credibility of the whole episode into question. In what real-world situtation does anyone allow ssh login to any random, anonymous Joe?

CNet

[aclarke]

I think much of the fault lies at the feet of ZDNet/CNet. They'll write anything to get page views. It doesn't matter if a piece on their site is entirely non- or anti-factual as long as it inflames enough people to read it out of pure disgust.

I'm still subscribed to some of their newsletters, where they email me about what this or that person has "blogged" on their site recently. I guess if you call it blogging then you don't have to do any journalism, but they'll have two people playing off both sides of an argument so so we'll keep clicking and ringing their page count up.

I think the best solution is to ignore them so they'll go away, or otherwise to make sure you make judicious use of Adblock.

Re:A Different Test

[mekkab]

I appreciate your analysis, thanks.

f you must make an analogy, don't even use a house. It's a public train station, with no police, and the attacker is challenged to write his name on a piece of paper. But the challenge is that the piece of paper is in a locked viewing cabinet behind bullet proof glass.

Analogies are indeed a MUST. and M-U-S-T must must must. Sorry, but sometimes you do need to reduce things down to a simplified set.

I liked the "there's a guy you let in your basement, and he's getting into the main part of your house" as an analogy for priv-elevation, but the train station is a nice one, too.

Re:Don't play this down

[mythz]

How can we take this seriously. No one know how the exploit was achieved, what services was left open and what was installed on the target machine.

The target machine as far as we know does not represent any typical OSX installation. So this exploit has not made a OSX user's typical desktop installation any less secure or a typical Internet any less secure webserver, as it would not have had the same settings.

The fact that the result of the exploit has been published without any information relating to how the exploit was done and what tools were used renders this article a bad PR Stunt.

Re:Generic smear campaign

[SoulRider]

Um, MS is releasing a new OS this year, arent they?

Re:A Different Test

[hvatum]

The point of the original test was not to hack the machine from outside, but from inside. All the noise about Windows getting hacked 4 minutes after it was connected to the net was due to lack of firewalling and vulnerable services - turn on firewalling and the vulnerable services are no longer accessible. What does that prove? nothing - they didn't magically become secure. OSX probably has fewer vulnerable services (active or not) but that was not the point.

No, the point of the orignal test was to provide fodder for a pointless, sensationalist and outright misleading article. Given the original wording of the article the argument that "your test is utterly irrelevant for the type of people that would be interested in the original one" is patently false. People who were interested in the "original test" would not have even known the original article concerned such a test. The original article never mentioned what was being tested.

This new test has in fact forced ZDnet to change the wording of the article to make clear what was even being tested in the first place. So instead of one useless ambigious article we have two informative tests. The desinger of the second test has done us all a large favor - unlike antagonistic pedants like you.

Yes, Sponsored by University of Wisconsin

[TubeSteak]

http://apple.slashdot.org/comments.pl?sid=179501&c id=14866581 [slashdot.org]

by daveschroeder (516195) on Tuesday March 07, @10:44AM (#14866581)

And yes, this challenge is sanctioned. I'm glad that the University of Wisconsin supports the genuine interests of its faculty, staff, and students, and encourages individual thought, research, discovery, and exploration. That's why it's a great place to be!

No +1 Informative for you.

try it for Windows or Linux...Re:A Different Test

[javaxman]

Right now we have only this one supposed demonstration of it. What I'd really appreciate seeing is that *original* test repeated. If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.

What I'd like to see is that same test repeated for Windows, and maybe even Linux and Solaris... and OpenBSD. Now *that* would be interesting.

Guess what? I'm going to wager that all of those systems are prone to some sort of privilege escalation attack. ( actually, I don't have to guess, just check out CERT on this one. )

Are you trying to say WindowsXP or Linux is more secure when it comes to privilege escalation attacks than OS X ? Somehow, I'm tempted to think all of these systems have issues in that area. I'm not saying it's good, and I definitely won't defend Apple's somewhat lax approach in this area ( especially regarding the holes they've put in their security via LaunchServices and SystemStartup ), but uh... you should be fair, I think. It's not like a WindowsXP box, or even a Linux box, would last much longer if you just *gave* everyone user accounts on them, or ran software of questionable origin. That's just not something safe to do, regardless of what system you're on.

Now, if your intention is simply to point out that Apple's systems aren't any more secure than anyone else's in terms of this kind of attack, then you have a good point, one that Apple and their users both need to listen to and act upon.

Re:A Different Test

[asdfghjklqwertyuiop]

The OS was Slackware linux. All of the accounts were jailed, and all of the "best practice" measures were taken to harden the box (I can't comment on every detail as I am not a linux system admin).

Well no, obviously he missed something. It was a walk in the park because he left some well-known vulnerability on his system, possibly in the kernel. I don't think Slackware blows off local vulnerabilities and doesn't bother releasing fixes.

My point is that when a malicious user gains shell access to any *nix system, you're in deep trouble.

No you aren't. There are plenty of companies out there that will grant shell accounts. I grant shells to friends and friends of friends on my own server. There are even places places out there that will give them to the public for free. The key is the system administrator has to know what they're doing and you have to be running an operating system whose designers and maintainers take local security seriously.

It IS doable.

Re:Why encourage hacking?

[Cid Highwind]

"This is almost like someone wants to destroy the smug "unhackable" world that Mac users live in."

Exactly. Antivirus and firewall vendors want Apple users to pay for their "solutions" to problems that don't yet exist, Windows and Linux fanboys want Mac zealots to feel the pain of spyware infestations, insecure default configurations and constant brute-force attacks on open ports, and the tech press likes negative reporting. We're seeing the collision of many interests creating a huge storm of hype around some minor flaws in OSX security.

Re:A Different Test

[Anonymous Coward]

*sigh* are you guys hopeless? The point of the original test was not to hack the machine from outside, but from inside.

This was the point of the original test, yes.

However the problem is that this was not the point of the original test as presented in the ZDNet article.

So, to summarize:

* Guy does OS X privilige escalation test.
* ZDNet writes story saying "GUY DOES OS X HACKING TEST!"
* Dave Schroeder fellow goes "Hey, that wasn't a hacking test, that was a privilige escalation test. This is a hacking test."

Why Dave Schroeder is wrong (and MSFT is right!)

[ichin4]

It's certainly true that the original ZDNet article was sensationalist and overly alarmist about the implications for Mac security. But by implying that the original contest is irrelevent for a typical Mac user and that his test will prove that Macs are secure, Dave Schroeder is being equally, if not more, misleading.

The original test showed that Macs are vulnernable to local privlege escalation. It is true that most Mac desktops users are not offering accounts to external users. But a great many of the attacks out in the real world today are luring attacks, where a local user is tricked into running an executable with his local user permissions. The original test shows that such a executable can successfully elevate its privliges and own the machine. This is very relevent to the typical Mac desktop user.

Dave's new test doesn't have a user on the machine randomly surfing the internet and clicking on any link that says "get yer naked pics here"! Instead, as he freely admits, he is really just testing apache and ssh security, which are rarely turned on a typical Mac desktop configuration. Of course, were a hacker to exploit a vulnerability in one of those services, he could presumably use the same privledge escalation attack that was used in the original test to own the machine.

One of the more interesting ideas about how to deal with luring attacks has actually come out of the Microsoft .NET Framework. In its security model, the permissons of on application don't depend just on the user that's running it, but also on the origin of the application, as defined by a signed certificate. This system has the potential to greatly improve security, but sadly most Windows applications are not yet managed, and most Windows machines are not yet configured to strictly limit which managed applications are allowed to do what.

Re:Still no comparison

[guet]

The fact is *all* security gaps are important. If there's a network hack that can only get you a non-priviledged account, but you can then jack that up to root access using this local hole, then that hole was mighty significant. This whole "Mac has no security faults" meme is dangerously delusional. It's significantly more secure than Win32, but at least own up to faults (small as they may be) and get them fixed, don't bury your heads in the sand.

Have you read the page at http://test.doit.wisc.edu/ [wisc.edu] ?

He doesn't say it's invulnerable, and he doesn't say the local hole is unimportant, just that it's unimportant to desktop users (which it is), and applicable only to servers giving out ssh accounts. At present there is no network hack that can get you a local account, and most desktops wouldn't even have the services he has turned on enabled. Once something has a local account, you can only try to contain it, and for most desktop users it's game over, as it has access to all their files, address book etc. The worst hole so far has been due to Apple's stupidity in adding a feature to open downloaded files automatically to Safari, allowing trojans an easier route to trick users.

I haven't heard anyone say 'The Mac has no security faults', almost everyone here will readily admit that it has faults, and the stream of security updates from Apple attest to that. What people do say is that it's fairly secure, and more secure than Windows, by design.

I find it interesting he took the test down so quickly though, it's almost as if he was worried : )