OS X Vulnerability Can Allow Superuser Access to Unauthorized Users

MacRumors · Aug 28, 2013

Users looking to exploit a vulnerability in the Sudo Unix command, originally reported back in March, have received some assistance, reports Ars Technica.

The developers of Metasploit, software that makes it easier to misuse vulnerabilities in operating systems and applications, have added the Sudo vulnerability to their software suite. All versions of OS X from OS X Lion 10.7 through the current Mountain Lion 10.8.4 remain vulnerable.

Mac users should realize that an attacker must satisfy a variety of conditions before being able to exploit this vulnerability. For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past. And of course, the attacker must already have either physical or remote shell access to the target machine. In other words: this exploit can't be used in the kind of drive-by webpage attacks that last year infected some 650,000 Macs with the Flashback malware. This doesn't mean it's a non-issue though, since the exploit can be used in concert with other attacks to magnify the damage they can do.

Most of the recent exploits in Mac OS X have been related to Java, which Apple completely blocked earlier this year over security vulnerabilities, though Apple did release a standalone malware removal tool to help clean machines that were affected by a number of Java vulnerabilities.

OS X has been targeted more in recent years as it has gained in popularity. The Janicab.A malware was discovered last month, while another program called macs.app was discovered in May. That app captured and stored screenshots.

Article Link: OS X Vulnerability Can Allow Superuser Access to Unauthorized Users

BuCkDoG · Aug 28, 2013

Interesting. Lets hope they patch this soon.

tsadi · Aug 28, 2013

"For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past."

I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.

Dalton63841 · Aug 28, 2013

tsadi said:
"For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past."

I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.

What it is saying is that if an attacker already has access to your machine, AND you are on an administrator account, AND you have opened Terminal and used sudo, THEN they could maybe gain root access to your account.

bondsbw · Aug 28, 2013

tsadi said:
I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.

I was confused about this too. The summary doesn't go into much detail, and the title can be misread/is confusing. Does it mean that unauthorized users can somehow gain root? Is it an exploit that is possible when one logged-in user has root access and another logged-in remote or physical user has some level of shell access (e.g. via guest account or via low-privileged user account)?

pdjudd · Aug 28, 2013

tsadi said:
I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.

Admin and root are two different levels of access. You can do some things with root that you cannot do with admin. Root is the deepest access one can have - but it's not really the goal of most hackers. An administrator account is probably the most that an attacker really needs since they can pretty much do anything they need with that account.

So an exploit that needs admin rights access and one that rehires you to have used sudo isn't one that is high priority. The number of users that run sudo at all is really small, and from a security standpoint, if you have admin rights, all security goes out the window. In other words, you don't have security.

sjinsjca · Aug 28, 2013

tsadi said:
"I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.

Admin != root

jameslmoser · Aug 28, 2013

I know a lot of mac users, and only one other person I know of has ever used sudo. We are both sysadmins/programmers. It also seems like if the attacker already has shell access to your machine, then either they already have an account on the machine (probably someone the machine owner knows) or they already used another exploit to get to this point. I don't see this as a major concern, but obviously it should be fixed.

----------

Dalton63841 said:
What it is saying is that if an attacker already has access to your machine, AND you are on an administrator account, AND you have opened Terminal and used sudo, THEN they could maybe gain root access to your account.

Thats a lot of if/ands... =)

goobot · Aug 28, 2013

jameslmoser said:
I know a lot of mac users, and only one other person I know of has ever used sudo. We are both sysadmins/programmers. It also seems like if the attacker already has shell access to your machine, then either they already have an account on the machine (probably someone the machine owner knows) or they already used another exploit to get to this point. I don't see this as a major concern, but obviously it should be fixed.

Lots of people have their mac set up to login to their account automatically on boot. Also if you steal someones computer when it is in sleep mode and still logged in there you go.

ururk · Aug 28, 2013

Hrm. So, I had a machine once where I was an administrator, but not in the sudoers file. Fine - so I unlocked it and added myself via BBEdit. However, permissions were incorrect after updating the file, so sudo was "broken" on the machine. As an experiment, I used Disk Utility's repair permissions tool - and sure enough it fixed the sudoers file permissions, and I then had sudo access.

I know what I describe above is probably expected behavior, it made me rethink how secure I thought OS X was.

Dalton63841 · Aug 28, 2013

jameslmoser said:
Thats a lot of if/ands... =)

Exactly. It's effectively a NON-issue, especially considering that the garden variety Mac user has never even opened Terminal. That having been said it still needs to be fixed. Who knows what fancy method they might find to exploit it if they don't fix it.

batchtaster · Aug 28, 2013

Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.

RabidMacFan · Aug 28, 2013

You don't need to run metasploit to exploit this bug.

The following command should give you root if you are logged in to OS X as an Administrator and have used the "sudo" command at least once in the past. It will also set your system clock to 01/01/1970.

Code:

sudo -k
systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00
sudo su

To set your system clock back to normal, go into the System Preferences and set the time and time zone back to the way it was.

To prevent somebody from abusing this attack, you will need to run the following command after every time you use the sudo command, until it gets patched.

Code:

sudo -K

Dalton63841 · Aug 28, 2013

batchtaster said:
Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.

From the original article:

The addition capitalizes on the fact that all versions of OS X from 10.7 through the current 10.8.4 remain vulnerable. While the bug also affected many Linux distributions, most of those require a root password to change the computer clock. Macs impose no such restrictions on clock changes thanks to the systemsetup binary.

manu chao · Aug 28, 2013

batchtaster said:
Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.

It's a OS X vulnerability if other Unix versions have long patched it in their current releases. The patch is there already, a Unix OS vendor just has to incorporate it.

RabidMacFan · Aug 28, 2013

batchtaster said:
Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.

It's an OS X vulnerability because sudo is built into OS X. The copy of sudo that is installed is outdated (1.7.4p6) and has known vulnerabilities. The latest version of the release branch is 1.7.10p7, released on February 27, 2013.

OS X inherits any vulnerabilities within the software that it ships with, just like Windows or Linux would inherit any vulnerabilities in software they they ship with. It may not be Mac-specific, but it definitely is an OS X vulnerability

brymck · Aug 28, 2013

Interesting.

Just so it's clear, sudo ("superuser do") creates a timestamp file so you can continue running commands with superuser privileges. With sudo -k, you can reset the timestamp file to point to the beginning of Unix time (1/1/1970). If you can reset the system clock as well, then you can therefore run commands with sudo as though you had just run it. In OSX you can reset the system clock with systemsetup, which apparently (I can't check right now) does not require administrator perms unlike most Linux distributions, hence it being an OSX vulnerability.

You need access to the computer in the first place, which probably limits the effectiveness of the exploit, but it's still a pretty ugly one with what I'd think is an obvious fix (test newer versions of sudo and update users or require higher permissions to change the system clock).

manu chao · Aug 28, 2013

Dalton63841 said:
Exactly. It's effectively a NON-issue, especially considering that the garden variety Mac user has never even opened Terminal. That having been said it still needs to be fixed. Who knows what fancy method they might find to exploit it if they don't fix it.

It's very simple, when somebody manages to run code in your account (eg, you clicked on a downloaded file which was actually an application and you ignored the warning or an application you downloaded had a payload) they don't have access yet to settings like the firewall or deleting accounts or install and run some very low level stuff. They still need an admin password, well thanks to this exploit they don't need it anymore.

But I wonder if the malicious code could not simply install a keylogger to eventually get your password? Or do you need an admin password to install a keylogger.

pdjudd · Aug 28, 2013

goobot said:
Lots of people have their mac set up to login to their account automatically on boot. Also if you steal someones computer when it is in sleep mode and still logged in there you go.

If someone can get physical access to your hardware you can kiss any security in mind unless your drive is encrypted (which will require a password anyhow).

I still fail to see how this is worse.

If someone has admin access, and you loose your laptop or it's stolen - your screwed even before this path could be exploited.

brymck · Aug 28, 2013

RabidMacFan said:
OS X inherits any vulnerabilities within the software that it ships with, just like Windows or Linux would inherit any vulnerabilities in software they they ship with. It may not be Mac-specific, but it definitely is an OS X vulnerability

I think you know this already, but just so it's clear, it's actually more Mac-specific than that, because many Linux distributions require sudo in the first place to change the system clock. OS X doesn't. So while Linux distros have updated sudo, they haven't needed to with the same urgency. OS X, meanwhile, needs an update but hasn't had one. The vulnerability is really a combination of sudo and OS X's permission structure for system clock changes.

As the Ars Technica article notes:

While the bug also affected many Linux distributions, most of those require a root password to change the computer clock. Macs impose no such restrictions on clock changes thanks to the systemsetup binary.

charlituna · Aug 28, 2013

Dalton63841 said:
What it is saying is that if an attacker already has access to your machine, AND you are on an administrator account, AND you have opened Terminal and used sudo, THEN they could maybe gain root access to your account.

So the 'patch' is to be mindful of who has access to your computer

mikethebigo · Aug 28, 2013

Sudo make me a sandwich.

Four oF NINE · Aug 28, 2013

I'm not sure I even understand this particular vulnerability. Is this something that can be executed remotely or does someone require physical access to the machine?

Are there any user steps that can preempt this particular vulnerability?

ScottishCaptain · Aug 28, 2013

mikethebigo said:
Sudo make me a sandwich.

make: *** No rule to make target `me'. Stop.

-SC

V.K. · Aug 28, 2013

EDIT: mea culpa, I was wrong. this is a real vulnerability that needs to be fixed.

OS X Vulnerability Can Allow Superuser Access to Unauthorized Users

macrumors bot

macrumors 6502a

macrumors member

macrumors 65816

macrumors member

macrumors 601

macrumors 68020

macrumors 6502a

macrumors 603

macrumors member

macrumors 65816

macrumors 65816

macrumors 6502

macrumors 65816

macrumors 604

macrumors 6502

macrumors newbie

macrumors 604

macrumors 601

macrumors newbie

macrumors G3

macrumors 68020

macrumors 68000

macrumors 6502a

macrumors 6502a

Our Staff