Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Search | Test
Home » Industry Watch

The Rabbit Hole Goes Deeper

Apple's 'Unix' still runs arbitrary code. As root. Without submitting a password, without authentication or privilege escalation. Even on OS X 10.4.5 Tiger with both security updates 2006-001 and 2006-002.


The StartupItems hole was plugged with 10.4 Tiger after being 'out there' for years. It was never plugged for Panther and Jaguar users. Scripts available at this site and elsewhere have been able to compensate.

But the rabbit hole goes deeper: it is still possible to get arbitrary code to run as root without authentication.

This works on all versions of OS X except 10.4.0 and 10.4.1.
It works on OS X 10.4.5 with both security patches (001 and 002).

Proof of Concept

This exploit has been demonstrated to work on OS X 10.4.5 with both security updates 2006-001 and 2006-002. It will not work on OS X 10.4.0 and 10.4.1 but it will work on all other versions of OS X.

Download the following proof of concept, read the instructions, and test it on your machine. Please report the results back, either by using this link or by reporting it to the CLIX forum.

ftp://rixstep.com/LogHook.tar.bz2 (1929 bytes)

Why It Works

The directory /Library/Preferences is not adequately protected on at least some versions of OS X and reports are that this includes 10.4 Tiger as well. The system will automatically correct ownership of files in this directory but that seems to have no bearing on their use.

It is possible to modify the file com.apple.loginwindow.plist to accept 'hooks' to scripts run both at login and logout. These hooks will run as root.

No privilege escalation above 'admin' is necessary to set these hooks.

What You Can Do

You have 'read' rights on com.apple.loginwindow.plist. Check the file to make sure no scripts are running on login or logout. If you find any scripts in there - remove them.

You can harden these directories just as you hardened your StartupItems directories. See the link at the bottom of this page.

Beyond that, the deeper issue is why code in this situation needs to run as root at all - but that's not something you can do anything about: only Apple can.

Background

This issue, like the StartupItems issue before it, has long been known by Apple. As with the StartupItems issue, Apple's position is this 'feature' 'works as designed'. Based on strong evidence that OS X users are currently being exploited in this fashion without their knowledge, it is incumbent to 'get the word out' so people can harden their systems.

And While You're At It

And while you still have com.apple.loginwindow.plist up there, you might want to look for a field called 'MasterPasswordHint'. It can be there if you used FileVault/Security to set a master password and provided a hint. Your hint is there in plain text. Hackers need little more than a hint like that to 0WN your system - so remove that key/value pair for now.

Tiger Update: Sometimes Yes Sometimes No

Although this exploit has been shown to work on Tiger with both recent security updates, it has also proven difficult to make it work on other Tiger machines.

The permissions set on /Library should be enough to keep intruders out as long as the permissions on /Library/Preferences are 0755 and not 0775 as previously.

Still, some people with Tiger 10.4.5 and both security updates are getting 'rooted' by this proof of concept exploit; it remains to be seen what running on these systems can be corrupting permissions.

All users with 10.3.9 or earlier are encouraged to tighten all four directories as they are still at risk.

# Don't worry if any of these first three commands fail -
# the important thing is that the directories are created.

mkdir /Library/InputManagers
mkdir /Library/Preferences
mkdir /Library/StartupItems

sudo chmod 0755 /Library/InputManagers
sudo chmod 0755 /Library/Preferences
sudo chmod 0755 /Library/StartupItems

sudo chown root:admin /Library/InputManagers
sudo chown root:admin /Library/Preferences
sudo chown root:admin /Library/StartupItems

sudo chmod 01775 /Library
sudo chown root:admin /Library

The system starter code will attempt to fix ownership and permissions on some of these directories and some of their files; check to make sure your settings are correct and if necessary run the above commands again.

See Also
Perimeters
Seeing Double
The Other Shoe
Hyde Park Corner I
The Chocolate Tunnel
OS X: Still Not WYSIWYG
Peeking Inside the Chocolate Tunnel
Apple's 'Unix' Runs Arbitrary Code on Boot?
Input Managers — The Cure

OS X patch faces scrutiny
Trojan flaw persists in OS X
Experts Claim Security Flaw Remains
Apple criticised for persistent Trojan flaw

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.