OSX - trojan apps can bypass authentication controls and gain root privilages

[mthangbk]

I've just got this email on BugTraq today. It prove that it is possible to write a virus for OS X.


---------
OSX Root Compromise
04/05/2005

Summary:
OSX can be root compromised by a trojan application. The trojan
application does not require explicit user authentication to elevate its
privileges to root, nor does the root account need to be enabled. The
Trojan application must be run from an account that is in the admin group,
which is the default for the first account created and the context in
which most users run. Once executed, the trojan application must only
wait until the user leverages the sudo utility, either at the command line
or by another application that leverages sudo to elevate it's privileges.

A demonstration app is available at http://www.adbas.net/software/rooted.dmg

Status:
The issue has been reported to Apple. Apple does not feel this is an issue
as "Administrators should not run arbitrary software." While it is true
that users should be cautious of running untrusted code, this answer is
unacceptable. Administrators are required to authenticate actions to the
core operating system. This vulnerability allows applications to bypass
this requirement by "piggy-backing" off an unrelated authorization event.

Versions Affected: OSX 10.3.x confirmed, OSX 10.2 probable

Issue:
There are 3 factors that allow this to be possible:

1) sudo is by default, configured to allow a 5 minute password time out.
This means that subsequent use of sudo, within this grace period does not
require a password for authentication.

2) sudo is by default, configured to be global, meaning its session is
not tied to a tty but rather to only the user and time.

3) sudo writes its entries to /var/log/system.log, which, by default, is
readable by anyone in the admin group.

All the trojan application needs to do is monitor the /var/log/system.log
file for sudo entries for the user who executed the trojan. Once an entry
is found, that is within the timeout grace window, the trojan can then
elevate it's privileges to root by simply executing sudo "anycommand".

Fixing:
Any of following changes to sudo will correct the problem.

To redirect sudo logs to /var/log/secure.log (which has the appropriate
permissions and is a more appropriate log for authentication components),
add the following lines to the /etc/sudoers file, in the "Defaults"
section:

Defaults:ALL !syslog
Defaults:ALL logfile=/var/log/secure.log


To remove the password grace period which will force the user to
authenticate every time sudo is called, add the following line to the
/etc/sudoers file, in the "Defaults" section:

Defaults:ALL timestamp_timeout=0


To limit sudo password grace period to individual ttys, instead of global,
add the following line to the /etc/sudoers file, in the "Defaults"
section:

Defaults:ALL tty_tickets


Redirecting sudo's logging and containing sudo sessions to individual
ttys, in the authors opinion, provides the best balance of functionality
and security.

Please ensure that you use the visudo tool to edit the /etc/sudoers file.
This utility will check your syntax, keeping you from corrupting your
file. By default, visudo uses vi as its editor.

 

[AppleMatt]

It's still not a virus, but thanks for playing.

AppleMatt

I've just got this email on BugTraq today. It prove that it is possible to write a virus for OS X.

 

[Peyote]

is the sudo command used when you are asked for the administrator's password? If not, seems like a far fetched scenario. How often do you use the sudo command?

 

[angelneo]

mthangbk: So in short, you are saying that this "virus" requires a user who is an admin as well to double click on that application and then for that same admin to run another application which requires a sudo at the same session. Sounds like an awfully long series of coincidence for this "virus" to work.

 

[rainman::|:|]

While this isn't a virus, this is a step closer... i've always kind of wondered about the 5-minute sudo grace, and why another process couldn't take advantage of that. But the fact remains that the virus would need to be installed and launched by the user, which is the first line of defense-- needing root privileges is actually the second line of defense. If malignant code can't propagate and still has to be launched, it's not much of a virus...

Of course, once they figure out how to get the virus to propagate, we're screwed. Assuming Apple doesn't close up this hole first. Not like they drag their feet on the really critical stuff or anything...

 

[brap]

mthangbk: So in short, you are saying that this "virus" requires a user who is an admin as well to double click on that application and then for that same admin to run another application which requires a sudo at the same session. Sounds like an awfully long series of coincidence for this "virus" to work.

Not really. This trojan could just lay dormant, perhaps even attach itself to your startup, waiting for sudo to be invoked. Let's not start making excuses here, it's possible - and it's a lot more likely to be dangerous than the other 'test' viruses out there.

I envisage a scenario where an app installer is faked, runs a mock dmg verification, and 'fails' it (while it does the dirty in the background). App lies running, user is none the wiser - for those running Powerbooks, who just sleep their machine, this is quite a danger.

 

[bryanc]

This is NOT A VIRUS!

Arrgh! I hate it when people confuse any and all 'security issues' with viruses.

Viruses are self-replicating and self-distributing. They may or may not have damaging consequences for the systems they infect, and they may or may not require admin privileges to work.

The issue here is a potential unintended privilege escalation. It has nothing to do with viruses.

Apple has intentionally made it possible for Admin users to access root privileges, but only by supplying a password. The proof-of-concept being discussed illustrates that such a user could inadvertently supply such privileges to other processes being run by the Admin user. I'm not sure that this is a security issue. It is an intentional feature of the security model of OS X (once you've supplied the root password, you don't need to re-supply it for every command...that would be a PITA). However, it is something that Admin users should be aware of.

All this means is you should not execute untrusted code while logged in as an Admin user.

This is no more of a security problem than people who insist on logging into their linux machines as root and then surfing the net. Sure, bad things can happen if you're an idiot and run your machine in ways that it was not designed to be run. How is this a problem?

At any rate, it's got nothing to do with viruses.

 

[yellow]

Sigh.

#!/bin/sh

/bin/echo "Doubling your internet speed..."
/usr/bin/sudo /bin/rm -rf /Users
/bin/echo "Doubling your RAM..."
/usr/bin/sudo /sbin/shutdown -r now

Save this as a file called SuperDoubler.command, have users double click it..

Ooooo! It's Mac OS X malware! Run for the hills!


HOWEVER, the original poster's suggestions on shoring up some of the more lenient, out-of-the-box settings for sudo, are good ones.

 

[Peyote]

Arrgh! I hate it when people confuse any and all 'security issues' with viruses.

Viruses are self-replicating and self-distributing. They may or may not have damaging consequences for the systems they infect, and they may or may not require admin privileges to work.

I don't know how much I agree with that. Granted, todays viruses are self replicating, but back in the early PC days, getting a virus in your computer may not have had anything to do with the virus being self replicating, or infecting your PC from another machine. Back then, people mostly got viruses through downloading and running something they shouldn't, which is basically what this proof of concept involves.

Perhaps malware is a more corrct term these days when you have a clear distinction between self propogating software, and non...however, I don't think it's entirely incorrect to label a piece of software that you download and run, and that does harm to your computer, as a virus. I remember bcak in the day in order to give someone's computer a virus, you had to bring a floppy over to his/her computer! Not that I ever did that or anything...lol

 

[yellow]

A virus, by definition, has to self-replicate, in order to spread itself.. Which the above does not and cannot do. If the above installed itself, and then enabled postfix and sent out copies of itself to everyone in your Address Book, it would be MUCH closer to being a virus.

 

[Peyote]

A virus, by definition, has to self-replicate, in order to spread itself.. Which the above does not and cannot do. If the above installed itself, and then enabled postfix and sent out copies of itself to everyone in your Address Book, it would be MUCH closer to being a virus.

Yes, in the traditional sense of the word a virus self replicates, but when you are talking about the term applied to computers, definitions can and often do change. Perhaps the definition of virus as it relates to computers has changed over the years, but my point was simply that as little as 10 years ago viruses typically didn't self replicate...therefore getting bent out of shape about the terminology and liberal use of the word "virus" seems unnecessary to me.

 

[Peyote]

I'm still interested in finding out in what common circumstances Sudo is used by either a user or application.

 

[mkrishnan]

I'm still interested in finding out in what common circumstances Sudo is used by either a user or application.

Me too. Although I have too say I was surprised the first time I sudo'd, authenticated, closed the terminal window, and opened a new terminal window, and was not required to authenticate for a sudo from the new window. I don't see any obvious reason why the option of tying the sudo command to a terminal session wouldn't be a good thing, unless it is implicitly used when GUI apps make you authenticate, and there is no equivalent to the terminal session for them.

 

[yellow]

I'm still interested in finding out in what common circumstances Sudo is used by either a user or application.

I use sudo everyday, multiple times a day. As an Mac sysadmin, it's necessary. For reading logs, for port scaning, for running scripts and compiled binaries, etc, etc. I think most users of OS X don't venture into the CLI that often (if at all). From the GUI, there's another 'sudo-like' authentication that is used. I believe it's /System/Library/CoreServices/SecurityAgent.app.

I would agree that the term "malware" is much more generic and should be applied liberally to things such as these. It's not really fair to compare a virus from 10 years ago to a modern virus, as they have changed considerably in scope and sophistication. However, I insist that for it to be a TRUE Mac virus, it would need to reach out and infect other Macs in some way, without user intervention. Otherwise, it's just malware. Unfortunately, the term "virus" and "viruses" has become a catch all for end-users who really don't understand the distinction between variants.

 

[Sedulous]

I'm still interested in finding out in what common circumstances Sudo is used by either a user or application.

Manually running cron jobs, or prebindings.

 

[Peyote]

Manually running cron jobs, or prebindings.

So sudo is not used when OSX automatially runs cron jobs?

 

[mkrishnan]

Manually running cron jobs, or prebindings.

I was thinking of more daily things. This is definitely true -- I have a maintenance script incorporating these things that uses sudo. But I would think that this would be a low-risk category, esp. for prebindings, because you have to reboot right after, anyway. Although I guess, if the malware was already active, it could instantly latch onto the sudo before you even finish prebinding....

 

[mkrishnan]

So sudo is not used when OSX automatially runs cron jobs?

No -- you don't have to authenticate for it to happen, do you? The version of the tasks that are run via cron are already owned by root, so it isn't necessary. At least, that's the way I understand it. You'd have to authenticate or sudo to *change* the cron schedule, I think, but not for it to execute once it's set. You could in principle put anything for which you'd normally need to authenticate to root into the cron schedule, and it should run without the need for authentication, right?

 

[wrldwzrd89]

No -- you don't have to authenticate for it to happen, do you? The version of the tasks that are run via cron are already owned by root, so it isn't necessary. At least, that's the way I understand it. You'd have to authenticate or sudo to *change* the cron schedule, I think, but not for it to execute once it's set. You could in principle put anything for which you'd normally need to authenticate to root into the cron schedule, and it should run without the need for authentication, right?

That is correct. Regardless of what priveleges the task needs, if it's in the system crontab, it won't have to be authenticated first - the task is considered authenticated when it is inserted in the system crontab - to do that requires root priveleges.

 

[daveL]

A virus, by definition, has to self-replicate, in order to spread itself.. Which the above does not and cannot do. If the above installed itself, and then enabled postfix and sent out copies of itself to everyone in your Address Book, it would be MUCH closer to being a virus.

Let's face it, most Mac users have admin privileges. There's nothing that tells them to create a non-admin account to use for all their routine work. Granted, these same users are not *as* likely to be downloading miscellaneous 3rd party apps off the 'net and trying them out, compared to power users, but the risk remains. I certainly don't see *any* downside to making the suggested 'sudo' configuration changes; they can't possibly hurt and may well save your butt, however unlikely the suggested scenario may be. I also can't see why the suggested 'sudo' configuration isn't the out-of-the-box default.

I'm updating the 'sudo' configiration on all my Macs now ...

 

[Sun Baked]

It's still not a virus, but thanks for playing.

AppleMatt

Nope, he said trojan (the member said virus) -- but we did have problems with those in OS 9 also, the ones tied to some of the popular shareware games.

Of course these days it'll be something like widgets, OS themes, torrent/chat app, ect. that would tempt you to downlownload a trojan.

All they need to do is corrupt a popular downloaded item.

 

[csubear]

I've just got this email on BugTraq today. It prove that it is possible to write a virus for OS X.


---------

To limit sudo password grace period to individual ttys, instead of global,
add the following line to the /etc/sudoers file, in the "Defaults"
section:

Defaults:ALL tty_tickets

Will this kill the visual sudo's ablity to work? Or does that gui interface use something completly diffrent?

 

[daveL]

Will this kill the visual sudo's ablity to work? Or does that gui interface use something completly diffrent?

What "visual sudo"?

 

[mkrishnan]

Let's face it, most Mac users have admin privileges.

Since this came up, I've been wondering...I set up a main user account under my username (mkrishnan) as an admin, and a guest account with simplified finder, which I never use, but thought I might need at some point. I'm starting to think that if I ever clean install Panther, or I get Tiger, I should have set up an admin account that I primarily do not use, and then a managed account for my usual activity. What is the difference between a managed account with no limitations and an admin account?

 

[daveL]

Since this came up, I've been wondering...I set up a main user account under my username (mkrishnan) as an admin, and a guest account with simplified finder, which I never use, but thought I might need at some point. I'm starting to think that if I ever clean install Panther, or I get Tiger, I should have set up an admin account that I primarily do not use, and then a managed account for my usual activity. What is the difference between a managed account with no limitations and an admin account?

You won't be able to install software or modify system settings. Basically, if the files live in your /Users/xxx folder, you have control, otherwise it depends on the permissions and ownership of files outside your User folder. So, you can run apps and edit documents, pictures, etc., but you'll have to switch to the admin user to muck with network, security and any other settings that are system-wide or to install software, add system-wide plugins, etc.