
manu chao

macrumors 604
Jul 30, 2003
7,219
3,031
man, they are really scraping at the bottom of the barrel if this counts as a vulnerability. anyone in a position to actually exploit this will have already gained access to an admin password. with that one can gain root access in any number of completely legitimate ways without any need for resetting the sudo timestamp.

I can't see any possible scenario where this so called vulnerability can actually be exploited without the attacker having full access to the system already.
You cannot see why changing settings like the firewall currently require you to enter an admin password since you are already logged into an admin account?
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
More accurate headline:

"OS X Vulnerability Can Allow Superuser Access to Authorized Users"

Yes, this is a bug that needs fixing, but if someone already has admin access to my machine (or physical--they have stolen it), there are so many things I have to worry about that this theoretical additional possibility hardly gets my notice!

And no, you can't have my admin password.

Lots of people have their Mac set up to log in to their account automatically on boot. Also, if you steal someone's computer when it is in sleep mode and still logged in, there you go.

Not mine. It asks for the password on wake. And offers them the standard Guest login, which potentially lets me track them using Find My Mac :) All built-in OS X features, no custom hacking or add-ons needed.
 

Casiotone

macrumors 6502a
Oct 12, 2008
825
111
If you have physical access to a Mac you can reset the password in 2 minutes by booting into recovery mode, so why is this more of a problem?
 

V.K.

macrumors 6502a
Dec 5, 2007
716
466
Toronto, Canada
You cannot see why changing settings like the firewall currently require you to enter an admin password since you are already logged into an admin account?

of course I do. but this is irrelevant. give me a plausible scenario of somebody actually exploiting this "vulnerability". they have to be able to run sudo at least once using a legit admin password in order to start resetting the sudo timestamp. And if an attacker can do that they can do whatever they want.
 

brymck

macrumors newbie
Jul 30, 2012
18
0
Tokyo, Japan
I'm not sure I even understand this particular vulnerability. Is this something that can be executed remotely or does someone require physical access to the machine?

Are there any user steps that can preempt this particular vulnerability?

You have to be logged in as an administrator. Administrators can authenticate with their own password to perform tasks that require higher permissions, like installing programs, deleting files in system directories, changing certain system settings, etc. This vulnerability would allow someone to run a command as root, bypassing the need for further authentication.

You need either physical or remote access to the machine. The more likely case for personal users is the first one, where a malicious user has access to your unlocked computer (quickfix: better friends).

This doesn't affect anyone who doesn't use sudo. If you do, you can always sudo -K until it gets patched, which means you get a lecture every time you try to use sudo because it thinks it's your first time. This doesn't actually worry me, so I'm planning to do nothing.
 

bradl

macrumors 603
Jun 16, 2008
5,917
17,396
It's an OS X vulnerability because sudo is built into OS X. The copy of sudo that is installed is outdated (1.7.4p6) and has known vulnerabilities. The latest version of the release branch is 1.7.4p7, released on February 27, 2013.

OS X inherits any vulnerabilities within the software that it ships with, just like Windows or Linux would inherit any vulnerabilities in software they ship with. It may not be Mac-specific, but it definitely is an OS X vulnerability.

Sudo isn't built into OS X, just as it isn't built into any distro of Linux, Solaris, HPUX, AIX, {Free,Net,386}BSD, or any other Unix variant.

Sudo is compiled for that particular Unix, and if that distribution of Unix packages it, then it is that package that is the problem, not a problem of the OS. The OS needs to update the package, but it isn't the OS that has the vulnerability.

If anything, the vulnerability exists in the systemsetup binary, as it is the one that does not force a user to supply a password for modifying the system clock. That is the proper place to change this, otherwise, a newer version of sudo needs to be pushed out.

BL.
 

manu chao

macrumors 604
Jul 30, 2003
7,219
3,031
If you have physical access to a Mac you can reset the password in 2 minutes by booting into recovery mode, so why is this more of a problem?

What if you want the target not to know that they have been compromised so you can keep harvesting valuable intel from them?

----------

of course I do. but this is irrelevant. give me a plausible scenario of somebody actually exploiting this "vulnerability". they have to be able to run sudo at least once using a legit admin password in order to start resetting the sudo timestamp. And if an attacker can do that they can do whatever they want.

Give me a plausible scenario where not having the admin-password lock on firewall settings is dangerous.

Because that is a scenario where this vulnerability is dangerous.
 

brymck

macrumors newbie
Jul 30, 2012
18
0
Tokyo, Japan
of course I do. but this is irrelevant. give me a plausible scenario of somebody actually exploiting this "vulnerability". they have to be able to run sudo at least once using a legit admin password in order to start resetting the sudo timestamp. And if an attacker can do that they can do whatever they want.

They only need you to have run sudo once. No scenarios are that plausible, but the main example would be letting someone use your computer using your main account, which often has administrator privileges. They can then do anything they want without ever entering your password.

Obviously, this is unlikely unless your friends are evil, but the point remains that such a person does not need to know your password and has permissions much beyond what a naive user would expect.
 

V.K.

macrumors 6502a
Dec 5, 2007
716
466
Toronto, Canada
They only need you to have run sudo once. No scenarios are that plausible, but the main example would be letting someone use your computer using your main account, which often has administrator privileges. They can then do anything they want without ever entering your password.

Obviously, this is unlikely unless your friends are evil, but the point remains that such a person does not need to know your password and has permissions much beyond what a naive user would expect.

ok, yes, if someone has physical access to your system then yes, this is exploitable. of course, having physical access lets them do all kinds of stuff like resetting the root password from single user mode but still, this counts. but it seems like a non-issue to me when speaking of remote vulnerabilities.

sorry, I take it back. if a remote attacker gains user level access somehow and that user happens to be an admin user then the attacker can use this vulnerability to get full root access without ever having an admin password. this does make it somewhat serious.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Given that no one has demonstrated a method to bypass the runtime security mitigations in Mac OS X Lion and Mountain Lion to be able to achieve remote access via exploitation ....

And, the inherent limitations of this vulnerability in Sudo ....

It's unlikely this is going to be used in malware in the wild.
 

techwhiz

macrumors 65816
Feb 22, 2010
1,297
1,804
Northern Ca.
Sudo make me a sandwich.

I saw that shirt :D

If I have physical access to your machine and you don't have a hardware password set to not boot from external devices; game over anyway.

My MacBook Air:
Encrypted so only I can log in.
HW Password set to only boot from other devices with a password.
Short timeout for screen with lock on screen saver.

Anyone want a brick???
 

grundoon

macrumors member
Feb 2, 2013
92
46
If an administrator account has been compromised and your incident response hinges on whether 'sudo' has previously been run… please, please, never submit your resumé.
 

bin00

macrumors newbie
Aug 28, 2013
6
0
Here's the point of the exploit:

1. Attacker gets a shell on your user account, perhaps by exploiting a browser vulnerability (CVE-2013-0983) or by emailing you a crafted image (CVE-2013-0975). Yes they are real, and those are only two that we know about. This is the hard part of exploitation.

2. Attacker can now read all your files, perform any actions that your user account can normally do. Usually attacker will stop here. Without knowing the system password, he can't perform system actions, primarily: can't read root-owned files, can't read files owned by other users, can't install kernel extensions, install hard-to-detect persistence, can't change passwords of other users, etc etc.

This is where the vulnerability comes in handy. if you just so happened to have ever run the "sudo" cmd successfully (as many devs do), and you are an administrative user (as the default user is in OS X), the attacker can easily upgrade to a "root" shell. That's a bummer, and Apple really should have patched this already; the sudo update has been around for 6 months or so now at least.
 

bradl

macrumors 603
Jun 16, 2008
5,917
17,396
Hey look, you can stop this "vulnerability" in its tracks by turning off your sudo timeout:

http://reviews.cnet.com/8301-13727_7-57562122-263/adjust-the-sudo-time-out-behavior-in-os-x/

This really doesn't count as a vulnerability. All UNIX systems which incorporate the use of sudo will grant the user the privilege without a password within a set amount of time. This is what we call a convenience. Conveniences tend to lessen our security.

It really isn't a vulnerability. And when I ran Linux on my machines at home (Slackware was my choice of distros, and had been for 20 years), I avoided every vulnerability sudo had by simply not installing it. If anything needed to be run as root, become root: su up to root, and supply the password. If you didn't know it, you weren't running it as root. Simple as that.

In a lot of cases, sudo has been more of a hassle than the convenience it supplies. Case in point: this issue.

BL.
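The two mitigations that come up in this post and in brymck's post above (clearing the cached timestamp with `sudo -K` after each use, and turning the timeout off in sudoers) can be checked for rather than remembered. The script below is an added example, not code from the thread, from the cnet article or from the sudo project: it parses the first line of `sudo -V` (sudo's real `Sudo version X.Y.ZpN` format) and a sudoers file, and reports whether the installed sudo is older than the fixed version quoted earlier in the thread and whether `timestamp_timeout` is set to 0. The `1.7.4p7` threshold is taken from the thread as a parameter, and the sudoers fragments and version line are constructed samples.

```python
import re

# Minimum fixed sudo version as stated in the thread (assumption: confirm the
# authoritative fixed versions for your release branch in the sudo advisory).
MIN_FIXED_VERSION = "1.7.4p7"

# Constructed sample of the first line printed by `sudo -V` on an affected Mac.
SAMPLE_VERSION_OUTPUT = "Sudo version 1.7.4p6\n"

# Constructed sudoers fragments: the stock convenience setting (credentials
# cached for the compiled-in default period), and the hardened form in which
# every sudo invocation asks for the password, so there is no cached
# timestamp for a clock reset to revive.
DEFAULT_SUDOERS = """# constructed sample
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""
HARDENED_SUDOERS = """# constructed sample
Defaults    env_reset
Defaults    timestamp_timeout=0   # equivalent to running `sudo -K` after every use
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""


def parse_sudo_version(text):
    """Turn 'Sudo version 1.7.4p6' (or a bare '1.7.4p6') into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("unrecognised sudo version string: %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_patched(version_output, min_fixed=MIN_FIXED_VERSION):
    """True if the reported sudo version is at or above the fixed version."""
    return parse_sudo_version(version_output) >= parse_sudo_version(min_fixed)


def timestamp_timeout(sudoers_text):
    """Effective timestamp_timeout from Defaults lines, or None when the
    compiled-in default applies. Later Defaults lines override earlier ones;
    trailing '#' comments are ignored."""
    value = None
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("Defaults"):
            continue
        m = re.search(r"timestamp_timeout\s*=\s*(-?\d+)", line)
        if m:
            value = int(m.group(1))
    return value


def audit(version_output, sudoers_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    installed = parse_sudo_version(version_output)
    if not is_patched(version_output):
        findings.append(
            "sudo %d.%d.%dp%d is older than %s; update sudo" % (installed + (MIN_FIXED_VERSION,))
        )
    timeout = timestamp_timeout(sudoers_text)
    if timeout is None:
        findings.append("timestamp_timeout not set; sudo caches credentials for the default period")
    elif timeout < 0:
        findings.append("timestamp_timeout is negative; cached credentials never expire")
    elif timeout != 0:
        findings.append("timestamp_timeout=%d; set it to 0 so no cached timestamp exists" % timeout)
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; on a real system feed it the output of
    # `sudo -V | head -1` and the contents of /etc/sudoers instead.
    for label, sudoers in (("default", DEFAULT_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print("%s sudoers:" % label)
        for finding in audit(SAMPLE_VERSION_OUTPUT, sudoers) or ["no findings"]:
            print("  - " + finding)
```

Setting `timestamp_timeout=0` is the sudoers counterpart of brymck's `sudo -K` habit: it removes the cached credential that the clock trick relies on, at the cost of typing the password every time. It does nothing about the other point made in the thread, that anyone who already holds the admin password does not need this bug at all.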
 

njytouch

macrumors newbie
Aug 22, 2013
16
0
I know what I describe above is probably expected behavior; it made me rethink how secure I thought OS X was.
 

bin00

macrumors newbie
Aug 28, 2013
6
0
man, they are really scraping at the bottom of the barrel if this counts as a vulnerability. anyone in a position to actually exploit this will have already gained access to an admin password. with that one can gain root access in any number of completely legitimate ways without any need for resetting the sudo timestamp.

I can't see any possible scenario where this so called vulnerability can actually be exploited without the attacker having full access to the system already.

Browser drive-by vulnerability, upgrading to root? Vuln in a random OS X userspace application, upgrading to root? To an attacker it is quite useful for post exploitation (installing persistence, seeing other users' files, etc). Is it as scary to the consumer as a browser drive-by exploit? No. But it does need to be fixed, yesterday.
 

bradl

macrumors 603
Jun 16, 2008
5,917
17,396
I know what I describe above is probably expected behavior; it made me rethink how secure I thought OS X was.

Again, this isn't just an OS X issue. This is a sudo issue, relative to sudo, and how sudo was patched, but OS X hasn't updated to the new patch. Every version of Unix had this vulnerability and security issue. Apple just hasn't addressed it.
 

V.K.

macrumors 6502a
Dec 5, 2007
716
466
Toronto, Canada
Here's the point of the exploit:

1. Attacker gets a shell on your user account, perhaps by exploiting a browser vulnerability (CVE-2013-0983) or by emailing you a crafted image (CVE-2013-0975). Yes they are real, and those are only two that we know about. This is the hard part of exploitation.

2. Attacker can now read all your files, perform any actions that your user account can normally do. Usually attacker will stop here. Without knowing the system password, he can't perform system actions, primarily: can't read root-owned files, can't read files owned by other users, can't install kernel extensions, install hard-to-detect persistence, can't change passwords of other users, etc etc.

This is where the vulnerability comes in handy. if you just so happened to have ever run the "sudo" cmd successfully (as many devs do), and you are an administrative user (as the default user is in OS X), the attacker can easily upgrade to a "root" shell. That's a bummer, and Apple really should have patched this already; the sudo update has been around for 6 months or so now at least.

yep, that's it exactly. this does make this vulnerability more serious than I thought and I was wrong to totally dismiss it.
 

Zellio

macrumors 65816
Feb 7, 2012
1,165
474
Admin and root are two different levels of access. You can do some things with root that you cannot do with admin. Root is the deepest access one can have - but it's not really the goal of most hackers. An administrator account is probably the most that an attacker really needs since they can pretty much do anything they need with that account.

So an exploit that needs admin rights access and one that requires you to have used sudo isn't one that is high priority. The number of users that run sudo at all is really small, and from a security standpoint, if you have admin rights, all security goes out the window. In other words, you don't have security.

Depends on how personal the attack is.
 

bin00

macrumors newbie
Aug 28, 2013
6
0
Again, this isn't just an OS X issue. This is a sudo issue, relative to sudo, and how sudo was patched, but OS X hasn't updated to the new patch. Every version of Unix had this vulnerability and security issue. Apple just hasn't addressed it.

You're correct, it is a sudo vuln. But on most Unix systems it was not an issue, as you needed root privs to change the date/time. On OS X you just have to be in the "admin" group, and are not required to enter a password to modify the clock.
 

Zellio

macrumors 65816
Feb 7, 2012
1,165
474
man, they are really scraping at the bottom of the barrel if this counts as a vulnerability. anyone in a position to actually exploit this will have already gained access to an admin password. with that one can gain root access in any number of completely legitimate ways without any need for resetting the sudo timestamp.

I can't see any possible scenario where this so called vulnerability can actually be exploited without the attacker having full access to the system already.

It said the attacker needed physical or remote shell access. It didn't say they need admin passwords. This looks like a way to easily gain entry.
 

bin00

macrumors newbie
Aug 28, 2013
6
0
I will also point out that this vulnerability is very useful to people who have run sudo but forgot their account password! :p
 