ARDAgent on Snow Leopard
The best way to fix design flaws that result in really dumb root exploits is not to ignore them.
Thanks to an anonymous friend there's now proof the ARDAgent exploit works on Apple's coming Snow Leopard 10.6 as well. As if anyone's surprised.
The exploit worked only 'so so' on Tiger; Leopard regressed; the ARDAgent story started spreading perhaps too late for Apple to burn new media for their conference.
But it didn't start spreading too late for Apple to fix things in time for their 10.5.4 and latest security update releases. Those could have been ready in time. But of course they weren't.
Round the Corner, Round the Bend
There's an aphorism about Apple's OS X: namely that if something weird and nasty rears its ugly head there's some old 'beige box' artifact lurking around the corner. And 'beige box' is of course a corporate philosophy that's totally round the bend.
As the system was not only ready for market but already on the market in 1997, there seems little reason to stop marketing the product so you can ruin it with 'MacOS' trash over a five year period, kissing perhaps $1.5 billion in revenues goodbye, only to reintroduce it in 2002 - but this time vastly inferior.
Little reason unless of course you're a fanboy. Fanboys exist both inside and outside One Infinite Loop. They make a nice cozy community - so much so that the rest of the world not surprisingly want nothing to do with them.
They're babies: they stomp and scream until they get their way and then complain of the side effects of what they asked for.
They never grow up. Never. The Kool-Aid™ keeps them down.
And although it's a wonder that any purportedly serious corporation would even listen to such idiots it's also a fact Apple depend on these losers for their revenues: sell them an OS upgrade at full price every year or so. Announce iTurd and they'll blog about it and buy them by the millions and iTurd becomes the new lifestyle revolution.
Whilst the more awake of this curious species recognised that what Apple did to the incomparably impeccable NeXTSTEP was nothing short of outrageous, not one of them wanted things done any other way. 'Keep on doing it - keep up the good fight', blogged one of the most terminally ill of this crowd at the time.
'We don't care what type of rock solid foundation OUR computers have as long as they have the same great usability', wrote other such zombies at the time to this site - failing totally to admit their 'usability' had changed a lot.
What the World Needs Now
What the world needs now - what the world has needed for a long time - is a viable alternative to Windows. The Internet used by all is itself down for the count - you can thank the great philanthropist Mister Bill for that - and although there are sensible things people can do there's simply not enough movement to overcome the inertia.
Linus has made a great kernel - even if the classically unproductive RMS keeps trying to steal his glory - but the 'desktops' available for that OS simply aren't going to cut it. They copy Windows.
And it's difficult for an open source product to establish a beachhead in the world of commerce.
And that leaves only the Great Cupertino Hope. But unfortunately the people there don't see things that way.
'Make It Our Own'
Apple could have continued marketing OPENSTEP and WebObjects back in 1997 - if the big NeXT clients had stuck by the company. [They didn't, as corporations historically despise having to deal with Apple - especially companies as big as WorldCom and Dell.]
Gil Amelio tried to keep the clients on board - but the stench of Apple was too great. Could everyone have made a bigger renewed effort? Would it have mattered?
There was certainly no reason to rewrite perfection and there was no reason to keep an interim CEO on board who deliberately scraps $1.5 billion in revenues for a company threatened by chapter 11.
But that's what Apple did. For there are fanboys both inside and outside Cupertino. Apple decided to make the OS 'their own'.
Guess what? It's not a good fit - as has been pointed out ad infinitum at this site.
In fact the decision has to go to history as one of the most disrespectful things ever done to the history and legacy of Unix and NeXTSTEP. [And it's a short list.]
And it's no surprise even the most brainwashed of fanboys see this as something unequivocally outrageous. Because it is.
There's something rotten in Cupertino and the stench is spreading to the surrounding countryside.
The Bait and Switch
Back in 1997 Apple didn't have many people loving them. Hardware quality was out the door: Amelio had to halt production half a year until things got back on track again. Apple engineers were heard muttering things like 'if it doesn't work out of the box they can bloody well buy a new one'. The most loyal of clients had jumped ship.
Things were no better on the software side. Apple needed a new 32-bit protected-mode OS with memory protection like Microsoft's. They'd tried writing their own and failed in a classic way. Corporate magician Gil Amelio was asked to step down from the Apple board to take over and save the company. What he found was a frightful mess. Skunkworks of fanboys everywhere. And an abortive attempt to write an operating system. He scrapped the project and went searching for one he could buy.
He found one. Ironically at a company owned by Steve Jobs.
OPENSTEP was the ultimate platform. Played well with others, had clean interfaces - and a GUI born to be a Microsoft Windows killer. Punters won't understand security - some of them can't even type - but if you give them a good enough GUI they'll flock to you. For the wrong reasons to be sure - but they'll come all the same.
And a world without Windows is a Better World™. And Apple had NeXT's technology. Would they do it?
You. Gotta. Be. Kidding.
Not that they told anyone up front of course. Heaven forbid. The number of independent NeXT software developers was growing all the time - especially with the OpenStep successor finally running on Windows. That was the market share these software houses needed to make their corporate focus profitable.
For over three years Apple kept these developers looking in the wrong direction. Instead of coming out and disclosing their future policies they preempted questions by gratuitously insisting developers had to be prepared to deal with compatibility with Bill Gates' OS. Quite the tack.
And finally they let the other shoe drop - silently. They just didn't bring up the topic again. And developers got antsy. Started asking questions. Such as why Apple weren't delivering the cross platform support they'd promised. No answers given.
Some of the most brainwashed fanboys stuck to it - the rest started jumping ship. Sales were back up again - who needed them anyway? Apple have always been doomed to the margins - why change things now? There's a bit of a snob trip in being the minority, the underdog, the eternally downtrodden.
And with the voices of reason out the door and only the old fanboys still sticking to it there was no reason to hold back the forces of inevitability any longer. Let's make a new MacOS! Better than before! With all the old system foibles back again - but now in 32-bit! Go for it!
It. Doesn't. Work. It doesn't matter if you have sensible engineers on board or not. It doesn't matter if any of your underpaid engineers actually have better sense than this nonsense or not. They're governed, limited, and hampered by the direction the corporation takes as a whole. They can't change things themselves. Either they finally agree to drink the blood of Kali or they get another job.
Apple have had some good people on board. Alan Kay was there. The BeOS file system dude was there. One of the FreeBSD founders was there. And so forth. But that doesn't change anything. They're still bound by their job assignment to bend and twist the uniquely elegant technology they've been given and ultimately they make a hodgepodge out of it. That's what their boss wants.
Unix has been honed and tweaked over a great period of time. Eric Raymond cites Unix as one of the greatest open source projects ever. Flaws are found and fixed - immediately. Collaborations result in people sharing code between key skill groups. Enhancements propagate instantaneously. In the connected world this is crucial.
But it's not the way Apple work.
Round the Corner
And time and again it comes back to the same thing - and it's why the professionals Apple flirted with got sense back and abandoned Apple's OS. And it's not just about the hardware lock-in. And it's not just about the fanboys. It's about the most basic of system security requirements not being there.
Embarrassing cosmetic bugs that surface after years of code maintenance and are never corrected; root exploits that aren't a question of buffer overflows or underflows, heap overflows or underflows or any of that - but root exploits that exist only because the fanboys in Cupertino, with zip understanding of Unix and the open source collaborative process, decided they could really easily tack on a few 'Mac' features.
We've seen it before with the Opener hole; we've seen it with the Oompa Loompa worm; we've seen it with the 'protocol hole'; we've seen it with the 'Finder hole' that makes all web applications susceptible to a script kiddie hack even to this day; and so forth.
We've seen it in the Month of Apple Bugs - many hacks of which aren't fixed to this day over a year later.
And now we see it again in the ARDAgent hole and in the SLIHack hole. These are two extremely simple script kiddie root attacks. And they both work on Tiger, Leopard, and Snow Leopard.
And there's no guarantee they're alone. Charlie Miller hacked the system in no time flat. Charlie Miller's also pointed out the obvious way to fingerprint an Apple system if you need to find another way in. There could be dozens more root attacks that aren't being published. And well known security companies regularly write to this site bragging they have them.
And every last one of them points not to flaws in Unix but to flaws in what Apple have done with Unix. Flaws Apple typically absolutely refuse to recognise, admit to, and fix.
Of the above cited design flaws only the 'protocol hole' was fixed in more or less the accepted time frame: fifteen days. In fact this site lauded Apple at the time for sticking to their guns and waiting until they got it right before releasing a patch. If you've seen that alert come up from time to time then you know what they did.
And it's a clever fix to be sure - for a really bad design flaw that has zip to do with Unix and that unfortunately lingers on even today. But in all other cases it's taken years to get a fix. All the while Cupertino continue to churn out more Automator actions because that's what their customers want!
For those who want security but also want a system like Apple's OS to take to the market, dominate it, and destroy Windows: be grateful it's not your Apple OS after all. Were Apple's 'OS' to gain market dominance with the current corporate and system structure it'd be a slaughter of unparalleled proportions.
As many a security guru has suspected all along: when it comes to OS X hackers simply don't give a shit. And that's all that's protecting any fanboy right now. Taking the pieces of this site's Hackers Handbook and baking in either the ARDAgent attack or the SLIHack attack is a script kiddie exercise and no more.
Any OS X box running Tiger, Leopard, or Snow Leopard can be root-hacked at any time. Any. These systems are wide open.
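What makes the ARDAgent hole a design flaw rather than a memory corruption bug is the pattern itself: a setuid root executable sitting inside an ordinary scriptable application bundle. The check below is an added example written for this page - it is not code from this site's Hackers Handbook and not Apple's - and it does three things: walks a tree for setuid executables living in an .app bundle's Contents/MacOS directory, reports whether a given binary still carries the bit, and strips the bit as the band-aid workaround that was circulated at the time (a workaround, not a fix of the design: the binary stays scriptable). The ARDAgent path is assumed to be the one shipped on 10.5; the bundle tree the demo builds under a temp directory is constructed for demonstration and is not a real system.

```shell
#!/bin/sh
# Added example, not code from the original page, this site, or Apple.
# Flags the ARDAgent pattern: a setuid executable inside an .app bundle.
# Path below is assumed to be the 10.5 location of the ARDAgent binary.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Print every setuid executable found inside an .app bundle beneath $1.
# -perm -4000 matches files with the setuid bit set, whatever the owner;
# -path restricts the hits to bundle executables (the scriptable kind).
find_setuid_in_bundles() {
    find "$1" -type f -perm -4000 -path '*.app/Contents/MacOS/*' 2>/dev/null | sort
}

# Report "setuid", "clean" or "missing" for one path.
setuid_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo clean
    fi
}

# The workaround circulated in 2008 (assumed here, not Apple's patch):
# drop the setuid bit. The program is still scriptable, so this is a
# band-aid over the design, not a correction of it.
drop_setuid() {
    chmod u-s "$1"
}

# Demonstration on a constructed tree; nothing here touches the real system.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Demo.app/Contents/MacOS" "$tmp/Other.app/Contents/MacOS"
    printf '#!/bin/sh\nid\n' > "$tmp/Demo.app/Contents/MacOS/Demo"
    printf '#!/bin/sh\nid\n' > "$tmp/Other.app/Contents/MacOS/Other"
    chmod 4755 "$tmp/Demo.app/Contents/MacOS/Demo"   # the ARDAgent pattern
    chmod 0755 "$tmp/Other.app/Contents/MacOS/Other"  # an ordinary bundle
    echo "setuid bundle executables under $tmp:"
    find_setuid_in_bundles "$tmp"
    drop_setuid "$tmp/Demo.app/Contents/MacOS/Demo"
    echo "after workaround: $(setuid_status "$tmp/Demo.app/Contents/MacOS/Demo")"
    rm -rf "$tmp"
}

demo

# On a real Mac, the same two calls against the system bundles:
#   find_setuid_in_bundles /System/Library/CoreServices
#   setuid_status "$ARDAGENT"
```

Run the two commented-out calls on a Tiger, Leopard or Snow Leopard box to see whether ARDAgent still carries the bit; anything else the scan lists deserves the same question the page asks of ARDAgent, namely why a scriptable application needs to run as root at all.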
But don't expect Apple to patch these holes any time soon. They may - in which case great - but then again they might just apply more band-aid code. Rethinking what they got wrong in the first place is something they've up to now not been capable of.
And yet there's more to this than mere capabilities.
The best way to fix design flaws that result in really dumb root exploits is not to ignore them.
Somebody please tell Apple.
Learning Curve: Rooting 10.5.4
Industry Watch: Get Root on 10.5.4
Industry Watch: ARDAgent - Here to Stay?