March 07, 2006

ThreatWatch - the Mac gets hacked

ZDNet Australia reports that more substantial evidence that Mac OS X has a real problem with security has surfaced. In the interests of fairness and seeing my own predictions bite the dust, here's the news:

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Participants were given local client access to the target computer and invited to try their luck.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.

Yowsa! Some work to do, guys! Maybe we're all back to OpenBSD again... A little more digging, and Arstechnica and MacWorld both indicate the hack was less dramatic than it sounds:

Firstly, the hack was that of privilege escalation, not a pure remote exploit. The web site author had enabled SSH, the Unix "Secure Shell" tool that has replaced telnet as a means for accessing networked machines from the command line. He then configured an LDAP (Lightweight Directory Access Protocol) database and added a web-based interface so that visitors to the site could add their own shell accounts to the system. These shell accounts were given limited user access, so in theory they should not have been able to access or modify any files that were owned by the system or by other accounts. The hacker used a vulnerability in OS X to promote the privileges of this account, thus "gaining root" and becoming able to modify any file on the computer at will.

Ah. You have to have a shell account on there in the first place. That's different. To counterbalance that, CS news reports:

"In response to the woefully misleading ZDnet article, 'Mac OS X hacked under 30 minutes', the academic Mac OS X Security Challenge has been launched. The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open."

Cool. Stopwatches running...

Posted by iang at March 7, 2006 02:47 PM
Comments

At 19:49 +0000 7/3/06, iang@iang.org wrote:

>>More substantial evidence that Mac OS X has a real problem with
>>security has surfaced. In the interests of fairness and seeing my own
>>predictions bite the dust, here's the news:
>>
>>http://www.zdnet.com.au/news/security/soa/Mac_OS_X_hacked_under_30_minutes/0,2000061744,39241748,00.htm


This was not a remote hack - it was from a local account, set up by the
'cracker' on an open access machine using ldap for authentication at the
owner's behest. i.e. the owner lets anyone set up an account on the system
themselves so it is hardly yer regular Mac out of a box.

A couple of comments from another mailing list in UK Academia

--

A guy at the University of Wisconsin is describing that ZDnet article as
'woefully misleading' and has set up his own hack challenge at
http://test.doit.wisc.edu/

From the site:
The ZDnet article, and almost all of the coverage of it, failed to
mention a very critical point: anyone who wished it was given a local
account on the machine (which could be accessed via ssh). Yes, there are
local privilege escalation vulnerabilities; likely some that are
"unpublished". But this machine was not hacked from the outside just by
being on the Internet. It was hacked from within, by someone who was
allowed to have a local account on the box. That is a huge distinction.

--

MacFixit goes even further...

Mac OS X hacked in under 30 minutes? Think again.

A highly questionable article on ZDNet claims that "Mac OS X was
hacked in under 30 minutes," in a Swedish contest. The article fails
to mention, however, that the Mac OS X system that was "hacked" had
an LDAP server set up which was linked to the Mac's naming and
authentication services, to let people add their own account on the
machine. So the contest allowed the user to create their own account
and local SSH access -- a precarious set-up to say the least.

--

and a couple of articles elsewhere:

http://www.macfixit.com/article.php?story=20060307084711743
url will require registration when it moves to Archived status in a couple
of days

Mac security challenges SecurityFocus notes a flawed contest we reported on
yesterday (where a Mac OS X system was allegedly hacked in thirty minutes)
which became the focus of controversy because it originally neglected to
mention that every attacker had been given an account on the system, making
the contest much easier than originally portrayed, critics maintained, and
reports on a new contest: "Later Monday, David Schroeder, senior Apple
systems engineer for the University of Wisconsin's IT Department, set up
his own contest inviting security researchers and hackers to attempt to
breach a Mac with open SSH and HTML ports and two user accounts. A critic
of the original contest, Schroeder stressed that his challenge is more
fair, but that most users will not likely even have those ports open."

&

http://www.securityfocus.com/brief/158
Referenced in the Macfixit news item.

Contests challenge Mac OS X security
Published: 2006-03-07

The security of Apple Computer's operating system remained a topic of
controversy this week, as one Mac hacking challenge got the thumbs down for
being too easy, spurring an Apple expert to kick off a more balanced
contest.

In an article published on Monday, News.com reported that a contestant in a
Mac OS X hacking challenge had breached the test system in 30 minutes. The
article quickly became the focus of controversy because it originally
neglected to mention that every attacker had been given an account on the
system, making the contest much easier than originally portrayed, critics
maintained.

Later Monday, David Schroeder, senior Apple systems engineer for the
University of Wisconsin's IT Department, set up his own contest inviting
security researchers and hackers to attempt to breach a Mac with open SSH
and HTML ports and two user accounts. A critic of the original contest,
Schroeder stressed that his challenge is more fair, but that most users
will not likely even have those ports open.

"Mac OS X is not invulnerable--it, like any other operating system, has
security deficiencies in various aspects of the software," Schroeder wrote.
"However, the general architecture and design philosophy of Mac OS X, in
addition to usage of open source components for most network-accessible
services that receive intense peer scrutiny from the community, make Mac OS
X a very secure operating system."

Flaw finders have focused on Apple's Mac OS X operating system in recent
years, and while Mac users argue that the system is more secure than
Microsoft's Windows XP, the operating system's security is under scrutiny
because of recent attempts to create malicious code for the platform.

& finally a clarification in the original story

http://news.com.com/2100-1002_3-6046197.html#clarification

--

Of course this is not to say that Apple couldn't do a better job regarding
patching holes etc & interacting with the community, but they are better
than SUN, HP et al used to be when they released *nix clones 10+ years
ago full of holes....

Posted by: f at March 17, 2006 06:30 AM

FYI U of Wash is claiming the article is bogus... and have issued their own challenge... (see digg.com/slashdot.org etc)

Posted by: Duane at March 17, 2006 06:32 AM

http://news.com.com/University+nixes+Mac+hacker+contest/2100-7349_3-6047735.html

By Joris Evers
Staff Writer, CNET News.com
March 8, 2006

A Mac OS X hacker challenge apparently got a systems engineer at the
University of Wisconsin-Madison into trouble with university
administrators.

Dave Schroeder on Monday invited hackers to break into a Mac Mini he
attached to the university network. The challenge would last until
Friday, he announced. The contest was in response to an earlier
challenge, which Schroeder criticized as too easy.

But the event ended early--Tuesday night. On Wednesday, information
emerged that the contest had drawn the scrutiny of the university's
chief information officer, Annie Stunden.

"The Mac OS X 'challenge' was not an activity authorized by the
UW-Madison," Brian Rust, a university spokesman, said in an e-mailed
statement. "Once the test came to the attention of our CIO, she ended
it...Our primary concern is for security and network access for UW
services."

The same statement also appeared on Schroeder's challenge Web site
Wednesday afternoon. "Dave was well-meaning, but he did the test
pretty much on his own," Rust said in a phone interview.

Universities are often the target of cyberattacks. The academic
institutions face the challenge of balancing the need to share
information on large networks with the need to secure data.

The Mac OS X contest ended without a negative impact on the University
of Wisconsin-Madison's network, Rust said. "We were able to handle the
traffic, and there were no compromises to university systems," he
said. The university apologized for any inconvenience its action
caused to the Mac community.

The university is distancing itself from the challenge. "If Dave wants
to continue this test, he has to do that privately, not using
university systems," Rust said.

Schroeder had said he wants to publish some details on the attempts
that were made to hack his Mac. The computer was connected to the Net
for more than 30 hours, apparently without being compromised. In the
earlier challenge, an anonymous hacker claimed he was able to
compromise OS X within 30 minutes using an undisclosed vulnerability.
However, attackers in that case had been given user-level access to
the system rather than being shut out completely.

These hacker challenges came after weeks of scrutiny of the safety of
OS X, prompted by the discovery of two worms, and the disclosure of a
serious vulnerability. Security experts are also questioning the
effectiveness of Apple's latest patch.

Posted by: f at March 17, 2006 06:44 AM

>>Ah. You have to have a shell account on there in the first place. That's
>>different. To counterbalance that, CS news reports:
>>"In response to the woefully misleading ZDnet article, 'Mac OS X hacked
>>under 30 minutes', the academic Mac OS X Security Challenge has been
>>launched. The ZDnet article, and almost all of the coverage of it, failed
>>to mention a very critical point: anyone who wished it was given a local
>>account on the machine (which could be accessed via ssh). The challenge is
>>as follows: simply alter the web page on this machine, test.doit.wisc.edu.
>>The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security
>>Update 2006-001, has two local accounts, and has ssh and http open - a lot
>>more than most Mac OS X machines will ever have open."


Actually, although none of the services are running, the firewall is shipping as open.

Verified recently on

10.4.3 OSX retail
10.4.4 OSX on a MacTel iMac
10.4.x OSX on a PPC iMac
10.4.3 OSX on PPC G4 PB 15"
10.4.3 OSX Quad G5

All since 12/05

Now where is my OpenBSD paid for CD... which is actually the only OS cd I have bought - the rest have come from the Apple Dev Connection or new machines...

Posted by: f at March 18, 2006 05:36 AM