
$10k Prize Won for Macbook Hack


54 posts in this topic


Dino Dai Zovi and Shane Macauly succeeded in gaining OS X user-level shell access to a MacBook Pro over a wireless network, Macworld reports.

 

The hack was written and implemented on day two of the CanSecWest security conference held at the end of last week. It was accomplished in just nine hours, but only after contest hosts eased the rules and allowed security experts to attack through code sent via malicious websites instead of directly compromising the OS itself.

 

Apple has turned down an opportunity to comment on the Safari flaw, but the vulnerability will be disclosed to them by 3Com, who put up the cash prize.


That's pretty cool that it took a while for them to come up with a hack for a Mac.

Yeah I guess so, though you can't help thinking that if the incentive was there, there would be more OS X exploits. It took a $10k prize for someone to be interested, but people love to hack Windows for free :)


Well, I mentioned this in another thread here...that no operating system is 100% secure. However, OS X's security is very tight with high level permissions, and this is why it is more secure than Windows...and will always continue to be that way, unless Microsoft changes the core structure of the operating system. The good thing here is that the hackers were not able to get root level access. If root level was achieved...now that would be dangerous, but that never happened; instead the rules were lowered to a browser based attack, since they could not do a wireless based attack. Must have been pretty embarrassing for the contest holders to find out that OS X as an operating system could not be hacked in those two days...so they relaxed the rules to application level. Since when was Java safe anyways...on any platform?


A few weeks ago I bought Mac OS X Server 10.4 and put it on my iMac G5. I set up holes in my firewall to allow for ssh, VNC, ftp etc. A few days after I returned to school (which is about 350 miles from where my iMac is), I VNCed into my iMac to do some work with ftp and I noticed my hard drive's name had been changed.

 

Normally it's called "Ridley RAID" as I set up a RAID and I named my server Ridley as a tribute to Metroid :unsure:, anyway, the name was all these Windows commands, some of them looked like commands to open remote holes, as well as one that referred to an IP address I'd never heard of. I did an IP search and it was from somewhere across the country from me and my iMac o.o. I was confident that someone had tried to hack my iMac, but all they could do was change the hard drive name. Moral is, yes they can be hacked, but the UNIX structure is better for security, especially with permissions.


A few weeks ago I bought Mac OS X Server 10.4 and put it on my iMac G5. I set up holes in my firewall to allow for ssh, VNC, ftp etc. A few days after I returned to school (which is about 350 miles from where my iMac is), I VNCed into my iMac to do some work with ftp and I noticed my hard drive's name had been changed.

 

Normally it's called "Ridley RAID" as I set up a RAID and I named my server Ridley as a tribute to Metroid :euro:, anyway, the name was all these Windows commands, some of them looked like commands to open remote holes, as well as one that referred to an IP address I'd never heard of. I did an IP search and it was from somewhere across the country from me and my iMac o.o. I was confident that someone had tried to hack my iMac, but all they could do was change the hard drive name. Moral is, yes they can be hacked, but the UNIX structure is better for security, especially with permissions.

 

Damn, I'm closing my port-forwarding up as we speak (for VNC and ssh, never for BitTorrent :rolleyes: )


So what is a safe alternative (I recently set up ARD on my Mac Pro and use VNC/PuTTY for ssh from a Windows box at work to remote to the Mac Pro), since no commercial products with 256-bit encryption such as LogMeIn or anything like that work on a Mac??? I wish some programs "just worked" on a Mac (I love LogMeIn on my Windows boxes)......LOL


This article is misleading.

 

The contest rules were NOT relaxed after the contest began. To use the word relaxed is the misleading part.

 

The rules were set up so the contest was a three part effort.

 

First was the remote attack. The MacBook Pros were set up as stock 10.4.9 with all updates, including the latest released last Thursday, but with all settings at default. (That means no firewall, you'll notice.)

 

They were set up on a LAN, with connections available through wireless or ethernet. Contestants were then allowed to do their best to attack the Macs.

 

The 15 inch was "owned" if the contestant could access a file on the user desktop that gave instructions for authenticating the attack. This required only user level access, not admin.

 

The 17 inch was set up the same way, but in order to win, the attacker had to perform a successful privilege escalation to admin level privileges.

 

On the second day, the rules were CHANGED (not relaxed). The organizers set up a local wiki, and attackers could send, via email, a link to a website (on that local wiki) that the contest organizers would then click on (using Safari on the target machine). The rules for winning were the same.

 

On the third day, the venue for attack was through USB and Firewire.

 

So you see, the rules were set up so that the Macs were tested for resistance to attacks from different venues.

 

The settings on the targets were never changed, their security settings were always the default, out-of-the-box settings Apple gives you when you set up new.

 

So, the attack that won was a legitimate drive-by malicious web site attack. Nothing nefarious about it. Just good clean luck (admitted to by the author) that he found it so quickly.

 

The good thing here is that neither machine was successfully attacked during the first phase of the contest, even though the attackers were allowed on the same subnet with no router or firewall to contend with.

 

That said, this hole definitely needs to get fixed. Java is something that a lot of us use, like it or not, and I find it a pain to have to turn it on and off depending on whether I'm going to a site I use that requires it or whether I'm just generally surfing.

 

One last thing. Mac OS X has the root account disabled by default. So the contest wasn't looking for ROOT, but for admin access. In Unix, there is a HUGE difference!


One last thing. Mac OS X has the root account disabled by default. So the contest wasn't looking for ROOT, but for admin access. In Unix, there is a HUGE difference!

 

Umm...actually the contest was (for the second part) to gain ROOT access (which they failed to do), it even says so on the CanSecWest website. And secondly, the rules were in fact relaxed because the only reason why they did a browser based attack was because they couldn't successfully hack the MBP from the wireless LAN through the OS itself. I would call this in fact relaxing the rules.

 

Needless to say, this is nothing to be happy about, but some people talk about it by claiming that OS X is now on the same security level as Windows.....which cannot possibly be any farther from the truth. All this contest proved was that there is a minor flaw in Safari, and that too could be easily corrected on the part of the user.


Umm...actually the contest was (for the second part) to gain ROOT access (which they failed to do), it even says so on the CanSecWest website. And secondly, the rules were in fact relaxed because the only reason why they did a browser based attack was because they couldn't successfully hack the MBP from the wireless LAN through the OS itself. I would call this in fact relaxing the rules.

 

Wrong. The rules were NOT relaxed, they were planned that way from the first. Secondly, here is a quote from their web site:

 

"The Prizes are on the "pwn-2-own" SSID ... the 2.3Ghz 15" Macbook Pro is on 192.168.0.42 and can be yours if you follow the instructions in the home of the default user, and the 2.3Ghz 17" Macbook pro is on 192.168.0.43 and can be yours if you follow the instructions in the filesystem root (this one will need admin compromise)."

 

Note the parenthetical statement: "(this one will need admin compromise)" - 'root' refers to the 'root' of the drive, not priv levels. I repeat, Macs have the root account disabled by default, and these units were set up with all default settings. There IS NO root account to gain the privileges of!

 

Your position only serves to excite the anti-Mac crowd, as it denies the truth and makes it seem that you are in denial as to the true vulnerability of the platform. Please read up in sources that know the truth, such as John Gruber's Daring Fireball: http://daringfireball.net/

 

John has the story pretty much right.


So basically what was exploited was a cross site scripting issue with the default browser on the Mac. It required no user interaction, other than having to click on a link. Windows faces this same kind of exploit where all that is required is for the user to click on a link. It is an exploit and it needs to get fixed. If it wasn't an exploit, why even bother issuing updates for OS X? It's so perfect after all.

 

Now some say it's not as bad as Windows, but they gained remote access to the user level shell. Which means they can do anything with your files that you can do with them. How'd you like it if all your files were encrypted and you were told to pay up and we'll give you the password to decrypt them? Because that is exactly the kind of thing user level shell access allows. They can't damage the OS files, but they sure can do whatever they want with your user's files. How bad do you rate this now? I'd say pretty bad.

 

Oh and A Nonny Moose, a security vulnerability is a security vulnerability. It uses a vulnerability in the QuickTime component. And whether a security vulnerability is cross platform or not, it still affects the platform it's on. Is it any less important, or just a PR spin by you to make it not look as bad? Don't try to distract us from what happened. We will not ignore that this exists. Apple wrote QuickTime. QuickTime is on OS X. Therefore it's an OS X vulnerability. QuickTime comes with OS X by default. And this was with all security updates installed. The only question to ask is, should OS X users be worried about it? Do you, A Nonny Moose, need to worry about it? Because all it requires is that you click on a link on a website. Nothing more. I certainly would.

 

Correction to the above: noted that it is cross platform after details of it had been released.

 

A few weeks ago I bought Mac OS X Server 10.4 and put it on my iMac G5. I set up holes in my firewall to allow for ssh, VNC, ftp etc. A few days after I returned to school (which is about 350 miles from where my iMac is), I VNCed into my iMac to do some work with ftp and I noticed my hard drive's name had been changed.

 

Normally it's called "Ridley RAID" as I set up a RAID and I named my server Ridley as a tribute to Metroid :P, anyway, the name was all these Windows commands, some of them looked like commands to open remote holes, as well as one that referred to an IP address I'd never heard of. I did an IP search and it was from somewhere across the country from me and my iMac o.o. I was confident that someone had tried to hack my iMac, but all they could do was change the hard drive name. Moral is, yes they can be hacked, but the UNIX structure is better for security, especially with permissions.

 

If I were you I'd be worried. Your system got compromised. You can never be sure your system is clean now unless you back up your data and start over fresh. That is the only way you can be sure. And I'm pretty sure that now that they got remote access to your system, as indicated by your hard drive's name being changed, they gained root access. Because if you try to rename that hard drive, does it need admin privileges? I'd think so. But correct me if I'm wrong. I know that in Linux you'd need root access in order to rename a hard drive.


Because if you try to rename that hard drive, does it need admin privileges? I'd think so. But correct me if I'm wrong. I know...

 

You're wrong...you don't need root access to rename your HD.

 

So basically what was exploited was a cross site scripting issue with the default browser on the Mac. It required no user interaction, other than having to click on a link. Windows faces this same kind of exploit where all that is required is for the user to click on a link. It is an exploit and it needs to get fixed. If it wasn't an exploit, why even bother issuing updates for OS X? It's so perfect after all.

 

Are you implying that OS X's security is the same as Windows now?

 

This is what I dislike: when one flaw is found in an OS X application (not even the OS, just the app), and it compromises your security to some extent....then all of a sudden Windows users compare it to Windows and say that OS X is no more secure than Windows. Sheesh. When Internet Explorer came out with Windows XP in 2001, all you had to do to get your computer fully exploited was to launch the browser...and wait 20 mins..that's it, until you started seeing all sorts of ads, viruses, etc. infecting your system.

 

Windows is still severalfold worse in security than OS X. I'm not saying that OS X is perfect....heck no, but it's far, far more secure than Windows could ever get (unless they ditch legacy support, and run on a Unix-like core).


You're wrong...you don't need root access to rename your HD.

 

So just user level access, which means they can do anything to your user files. Feel safe still?

 

Are you implying that OS X's security is the same as Windows now?

 

This is what I dislike: when one flaw is found in an OS X application (not even the OS, just the app), and it compromises your security to some extent....then all of a sudden Windows users compare it to Windows and say that OS X is no more secure than Windows. Sheesh. When Internet Explorer came out with Windows XP in 2001, all you had to do to get your computer fully exploited was to launch the browser...and wait 20 mins..that's it, until you started seeing all sorts of ads, viruses, etc. infecting your system.

 

Windows is still severalfold worse in security than OS X. I'm not saying that OS X is perfect....heck no, but it's far, far more secure than Windows could ever get (unless they ditch legacy support, and run on a Unix-like core).

 

When there is a problem found in the IE7 browser, it is called a Windows flaw, because it comes with Windows. This affects the Safari browser, which comes with OS X. And all it requires is JavaScript plus QuickTime installed. QuickTime isn't installed by default in Windows but it is installed by default in OS X. So this is an OS X flaw whatever way you look at it. Any application that comes with OS X by default is part of the OS.

 

And yes, the previous versions of Windows were worse than OS X for security because you couldn't easily run as a regular user in Windows, yet you could in OS X. But now you can run as a regular user in Windows Vista. So Microsoft has caught up.


So just user level access, which means they can do anything to your user files. Feel safe still?

 

No, and this is a flaw I know...and it must be fixed ASAP. No one is denying that. Just don't blow it (not referring to you mate, just in general to the Windows crowd) way out of proportion, that's all. :P

 

Just so you know, this exploit also affects Windows Vista running Internet Explorer, so I guess this is a Vista flaw also then, isn't it?

So Microsoft has caught up.

 

:D
