Apple Mac flaw gives hackers 'super status,' root access

Apple Mac flaw gives hackers 'super status,' root access

Summary: A five-month old flaw allows hackers to bypass authentication protocols by altering clock and user timestamp settings.

SHARE:
TOPICS: Security, Apple, iOS
137
credit-splashdata-v1
Credit: Splashdata

An unaddressed five-month-old flaw in Apple's Mac OS X gives hackers near unlimited access to files by altering clock and user timestamp settings.

As reported by Ars Technica, a bug discovered five months ago has received renewed interest due to the creation of a new module in testing software Metasploit, which can life easier for hackers looking to exploit the Mac vulnerability.

The bug revolves around a Unix component called sudo. The program is designed to require a password before "super user" privileges are granted to an account -- giving access to other user files -- and the flaw works around this authentication process by setting a Mac's clock back to Jan 1, 1970, the Unix epoch, a way to describe instances in time. By setting the clock back to 1-1-1970, the beginning of time for the machine -- as well as altering the sudo user timestamp -- it is possible for hackers to gain root access without the need for a password.

Metasploit is an open-source framework that makes it easier for security researchers to penetrate and test networks. Although useful for researchers to pinpoint and correct security flaws, this can also be used to make exploiting the sudo vulnerability easier.

All versions of OS X from 10.7 through to the current 10.8.4 version remain vulnerable.

However, the vulnerability -- (CVE-2013-1775) -- does have limitations. In order for hackers to exploit this security flaw, they must already have administrator privileges, and the user must have ran sudo at least once previously. In addition, the hacker needs to have either physical or remote access to the machine in question.

"The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit," HD Moore, the founder of Metasploit, told the publication. "I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package."

Topics: Security, Apple, iOS

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

137 comments
Log in or register to join the discussion
  • Wow

    6 Months huh? I'm surprised people haven't exploited this. I guess people are ignoring the platform for the most part huh? Looks like other targets are more popular.
    slickjim
    • The reason no one has exploited this is because

      It's almost impossible to exploit. You either need to be physically present at the machine or somehow trick a user into turning in remote login and have them give you an admin name and password so you can ssh in. Of course if you already have an admin name and password, you don't need this exploit anymore.
      baggins_z
      • "almost impossible" is a strong choice of words

        But yes, it does require a lot of social engineering on the end user to get the prerequisites lined up (admin privileges, and an already run "sudo" command.)
        Mac_PC_FenceSitter
        • I think you just described why it's almost impossible

          in your description explaining why you think almost impossible is such a strong choice of words. Ironic.
          baggins_z
          • In security and IT, we really, really need to be careful with the words

            "almost impossible." I can imagine several scenarios where a carefully crafted social engineering attack combined with some ingenious technology could cross those hurdles. it definitely is not "almost impossible."
            Mac_PC_FenceSitter
          • By the way

            Those whose computers are worth penetrating are unlikely to fall for this kind of social engineering. The careless user, who would give their admin privileges to anyone is not an interesting target...

            It is pretty much irrelevant how "possible" the attack is. More relevant is how probable it is... and if in order to gain administrator privileges, one needs administrator privileges -- I would say, everything else is irrelevant.
            danbi
      • Also Because

        Macs don't have su and sudo enabled when you purchase them. You have to log in as an admin, then enable the root user before this bug even becomes possible.

        Here's what you have to do on a Mac to get su and sudo:
        http://support.apple.com/kb/ht1528

        So only Mac power users will be vulnerable. You would have to decide for yourself how many of those folks are then going to let you have admin access or remote access to an admin account so you can force the date change and then do the rest.
        m0o0o0o0o
        • That's not right.

          You can use sudo right out of the box with an admin account without having root enabled.
          baggins_z
          • But that being said, remote login is

            turned off by default as is automatic login. So to use this exploit, you will need things that make the exploit irrelevant (admin credentials).
            baggins_z
      • So...

        Similar to a lot of hacks... But I guess with Apple this is almost impossible, because well its Apple.
        schultzycom
        • Since I'm not talking about other hacks and holding

          them to a double standard, why would you act as if I were?
          baggins_z
        • That pretty much covers it...

          "Similar to a lot of hacks... But I guess with Apple this is almost impossible, because well its Apple."

          Yeah, I'd say that sums it up pretty well... Apple makes the best hardware and runs the best OS. You get what you pay for.
          MacUeber@...
      • Bzzt, wrong, again, as usual

        "You either need to be physically present at the machine"

        Nope, you just need code that is running locally. It helps if a user is physically at the computer. To suggest that the ATTACKER needs to be physically there is wrong, a lie, and an apology.

        "The bug is significant because it allows any user-level compromise to become root"

        So ANY user code can now be run with root privileges. User code can be code that a user runs willingly (a trojan) accidentally (a drive by) or through a remote code execution vulnerability.

        But baggins, please go on the record and state that vulnerabilities are NEVER combined to create exploits that work around the limitations of the individual vulnerabilities.
        toddbottom3
        • (sigh)

          I realize it's pointless to reply to you, but for the benefit of anyone else reading, the user still has to already have admin privileges and has to have run sudo at least once. "any user code can now be run with root privileges" is flat-out false.

          Of course, it's still irresponsible for this bug not to have been fixed.
          mikeschr
        • First, yes, you do need physical access to the machine.

          Second, your quotes are inaccurate.
          Third, shut up and go away.
          .DeusExMachina.
          • Well

            You do not need physical access, IF

            - you know the administrator credentials;
            - remote access to the computer is enabled;
            - you know how to trigger the bug.

            But, if you already knew the administrator credentials, then you don't need to go trough any of these efforts: you already can do anything on the computer.
            danbi
        • Re: is wrong, a lie, and an apology.

          All you say is just that.

          But, you are safe, because you simply do not understand what you are talking about.
          sudo is an UNIX thing. Like greek to you.
          danbi
        • I'll go on record...

          To say that Toddbottom3 doesn't know his @$$ from a hole in the ground.
          MacUeber@...
      • It's actually trivial to exploit locally.

        Developers often use sudo to install software or otherwise do work on their Macs (or Linux machines, many of which which had the same exploit that was patched sooner.)

        Macs fall into the category of machines that do not require a password when you change the date and time from within the GUI. Just click on the little date area on yours if you don't believe me. If a developer walks away (say, to grab a soda or something for 5 minutes) and forgets to lock their machine, a malicious person could walk up, change the time, run commands as sudo, and change the time back. This is exacerbated by OS X's lack of a "lock screen" hotkey. You have to set up hot corners.

        tl;dr: Always lock your machine when you walk away from it.
        Mark S. C. Smith
        • You're really streatching the BS here...

          Unless a person happens to be an idiot... (which many Microshafters happen to be I guess)

          A typical user will:

          1) NEVER run their system in admin mode unless installing software or doing maintenance.

          2) NEVER leave their system "open" in questionable surroundings.

          Really, it's THAT difficult to mouse over to "sleep" or "Login Window"???

          Just how stupid are those Redmondites anyway?
          MacUeber@...