Mac OS X flaw raises serious concerns

Summary:An unpublished security vulnerability in Apple's Mac OS X operating system that first came to light after a hacking competition has sparked concern in the user community. Mark Borrie, IT security manager at New Zealand's University of Otago, said the vulnerability could cause potential difficulties.

An unpublished security vulnerability in Apple's Mac OS X operating system that first came to light after a hacking competition has sparked concern in the user community.

Mark Borrie, IT security manager at New Zealand's University of Otago, said the vulnerability could cause potential difficulties. He manages a total of 12,000 desktops, including nearly 5,000 Macs.

As reported by ZDNet Australia on Monday, the flaw surfaced when a hacker, going by the name 'gwerdna', won a Mac OS X contest recently. The vulnerability allows users -- with local access -- to escalate their privileges to a point where they can perform various unauthorised acts such as delete files or directories, install applications and bypass restrictions imposed by the machine's administrator.

Borrie said he had previously come across vulnerabilities in OS X that lets an attacker create a local account, which if combined with the unknown vulnerability, could allow an unauthorised user to gain complete control of the computer.

"We have also seen in the past quite a few exploits where somebody breaks in through a standard service. People are thinking ... they can't do anything with that because it has no privileges. But once they have that access they can use the vulnerability to get root [access]," he told ZDNet Australia.

James Turner, security analyst at Frost & Sullivan Australia, agreed the issue was serious since unauthorised users could potentially bypass security controls.

"People should not be able to access data that they are not authorised to access. Being able to change account privileges by hacking a system's vulnerabilities is not a legitimate way of getting around the authentication issue," said Turner.

Gwerdna has so far declined to provide complete details of the flaw. Commenting on the contest, he said, "As far as I'm aware, Apple does not know about the exploit or bugclass used to own this box.... A so called zero-day exploit if you wish."

Such backdoors are not exclusive to Apple boxes. Neal Wise, a partner at Sydney-based security consultancy Assurance.com.au, said administrators have had to deal with privilege escalation problems on Unix- and Windows-based systems for a number of years.

-You want to give people the least privilege they need to do their job. Linux and Unix systems have always suffered from 'root or not root' issues.

-I remember around 15 years ago where you could access the help menu in (Silicon Graphics) SGI systems and get root from it. This is a real issue and applies to all systems -- not just Unix but Windows systems too," Wise said.

New Mac hack challenge
In response to the ealier contest, Dave Schroeder, a senior systems engineer at the University of Wisconsin, has given hackers until Friday to break into his Mac.

Schroeder is asking hackers to alter the home page hosted on a Mac mini that is running Mac OS X 10.4.5 with the latest security updates. The system has two local accounts, and has SSH and HTTP open. "A lot more than most Mac OS X machines will ever have open," Schroeder said on his Web site.

Secure Shell, or SSH, is used for logging into and executing commands on a networked computer, and HTTP, or HyperText Transfer Protocol, is the method used to transfer information on the Web.

Schroeder deemed the contest won by gwerdna as "too easy".

"The original challenge allowed any users to have local accounts to access the machine via SSH," Schroeder said in an interview via e-mail. "This is an important distinction, because if you have local -- or physical -- access to a computer, you have a very distinct leg-up in terms of the ability to escalate your privileges."

Early media reports on the first competition did not call out the fact that attackers were given local access to the system. This irked Schroeder, moving him to launch his own challenge. "The original article left readers with the impression that a Mac OS X machine could be easily hacked into just by being connected to the Internet," he said.

Still, the previous contest was a real challenge, Schroeder said. "Assuming it is genuine, it represents an as-yet-unknown local privilege escalation that would allow any local user to gain root-level access," he said. This could be a serious issue for any setting with shared machines, such as schools, he said.

The person who does successfully hack Schroeder's Mac mini is requested to send him an e-mail describing the attack. Schroeder plans to report that to the appropriate software vendors and will post results after the close of the challenge, he said.

When contacted, gwerdna said he was unlikely to take part in the challenge since he wasn't willing to reveal his techniques to Schroeder or Apple.

"I don't particularly care for reporting issues to Apple. Additionally, this box sounds like a honeypot ... not worth losing any exploit code to a bunch of .edu people," gwerdna told ZDNet Australia yesterday in an e-mail interview.

Despite several attempts, Apple Australia was unavailable for comment .

CNET News.com's Joris Evers contributed to this report.

Topics: Apple, Hardware, Operating Systems, Security

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.Munir was recognised as Austr... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.