Security alert: Mac OS X authentication dialogs can lie

“Some time ago now, in fact in November of 2003, I reported to Apple that it was possible to make the authentication dialog lie about which program was asking for authorisation to do something. This is filed as rdar://3486235, for any Apple employees watching,” Alastair Houghton writes for Alastair’s Place.

Here’s an amusing demonstration:

(the program that did this was definitely not called “Steve Jobs”)

Alastair writes, “Very funny, but quite scary because it means it’s much too easy to trick an end-user into giving a potentially malicious program root privileges. Apple have been widely—and, to my mind, rather unfairly—lambasted for their attitude towards security holes, but in this case I’m sorry to report that the critics are quite correct. I’m sure they’ll fix this now I’ve published it on the Internet, but I really shouldn’t have had to do this; it should have been fixed back in 2003 when it was first reported.”

“Ordinarily I don’t approve of people publishing security holes, because it puts end-users at risk, but this one makes it too easy to trick a user into giving away privileged access to his or her machine, and Apple still haven’t fixed it, over two years after it was reported. It’s also a sufficiently common issue that the comp.unix.programmer frequently asked questions document actually mentions that “it is possible to invoke programs with arbitrary values of argv[0]”, so the fact that you can set argv[0] to whatever you like is hardly an unknown feature, nor is it likely that the black hats don’t already know about this,” Alastair writes.
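To make the argv[0] point concrete, here is an added example (not code from Alastair's article or from Apple) that re-runs itself under a constructed name and compares the name the process claims with the file the kernel actually loaded. It assumes Linux with /proc and a GCC- or Clang-style compiler; `inspect_child`, `helper_role` and `ARGV0_DEMO_HELPER` are names invented for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Helper role: a re-executed copy signals readiness and waits; main() never runs. */
__attribute__((constructor)) static void helper_role(void) {
    if (!getenv("ARGV0_DEMO_HELPER")) return;
    if (write(1, "r", 1) == 1) pause();
    _exit(0);
}

/* Re-run this executable under a caller-chosen argv[0]; record the name the
   child claims (/proc/PID/cmdline) and the file the kernel loaded (/proc/PID/exe). */
int inspect_child(const char *name, char *claimed, size_t clen, char *real, size_t rlen) {
    int ready[2], rc = -1;
    char path[64], c;
    if (pipe(ready) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        char *argv[] = { (char *)name, NULL };
        dup2(ready[1], 1);                  /* helper reports readiness here */
        setenv("ARGV0_DEMO_HELPER", "1", 1);
        execv("/proc/self/exe", argv);      /* argv[0] is the caller's choice */
        _exit(127);
    }
    close(ready[1]);
    if (pid > 0 && read(ready[0], &c, 1) == 1) {   /* child is past exec */
        snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
        FILE *f = fopen(path, "r");
        if (f && fgets(claimed, (int)clen, f)) {   /* argv[0] ends at first NUL */
            snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
            ssize_t n = readlink(path, real, rlen - 1);
            if (n >= 0) { real[n] = '\0'; rc = 0; }
        }
        if (f) fclose(f);
    }
    close(ready[0]);
    if (pid > 0) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    return rc;
}

int main(void) {
    char claimed[256], real[4096];   /* "Steve Jobs" below is a constructed name */
    if (inspect_child("Steve Jobs", claimed, sizeof claimed, real, sizeof real)) return 1;
    return printf("claimed name: %s\nactual file:  %s\n", claimed, real) < 0;
}
```

A privilege prompt that labels the requester from the first value shows whatever the launcher chose; the second value comes from the kernel and is the one worth displaying or checking.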

Full article with more here.

[Thanks to MacDailyNews Reader “MacDoc” for the heads up.]

MacDailyNews Take: Apple needs to get on the ball and fix this yesterday. It’s totally irresponsible to allow such an issue to exist for so long. Trojans are the one real issue that could actually seriously affect Mac OS X security. This should concern all users. If you can trick someone into authorizing an application, there is no protection. This is potentially a huge security problem and Apple should be very ashamed to have let it go uncorrected for so long.

As usual, do not download and/or install files from untrusted sources.


49 Comments

  1. Unless you activate root: Nobody is getting root access. What you are doing is in the dialog activating the sudoers rights to that app..what ever it may be. What sudoers can do is defined in the /etc/sudoers file (at least in Linux).

    Now that said, yes this type of software would allow malware to cause problems but only to the extents that the sudo privileges allow. And that is still a lot. It needs to be fixed.

  2. I found sometime ago that occasionally you can just press the RETURN key several times, without entering a password after each request, and the authentication dialog will eventually accept that! That doesn’t seem right to me that that should happen…

  3. Well, don’t log in as a root user! duh.

    Who the heck needs to enable the root user when you got ‘sudo’?

    Create a separate user account without root privileges or even admin privileges if you can help it.

    That won’t make any difference. It’s a fake app asking for admin password. Once it gets it then it can run sudo regardless of the user.

    Don’t download mystery stuff from the net either!

    Well duh, but stuff can be attached to and run using the MetaData exploit.

    Secure your computer like you would secure your home. Don’t give keys to strangers, don’t leave spare keys under your door mat, don’t leave your windows open all the time, see who it is before you open the door when someone knocks, etc.

    Yea, when the cop comes to your door you just invite him in right?

    Everything is fine until he sticks a gun in your face.

    YOU’RE STUPID, get outta my face. You don’t even have a Mac. I can tell.

  4. What exactly are you trying to prove Static Mesh?
    All I get is:

    Determining correct file permissions.

    Stopped by user

    The privileges have been partially verified or repaired on the selected volume.
    Permissions repair complete

  5. the key here is tricking a user into typing in their password.

    there are few reasons for that dialog box to appear and ask for a password. i hope people are so out-of-tune with what they are doing on their computers that they just robotically type in their password every time they might be asked for it.

    only download stuff from trusted sources and only type in your password if you have caused something to happen that you know should require a password.

    pay attention to the details of what you are doing.

    problem solved.

  6. >> am not defending this shortcoming (if it is real), but I would be pretty damn suspicious if any app inadvertently asked for authentication out of nowhere without me authorizing an update or other comparable action. <<

    I dunno … sometimes, the Keychain asks me for authentication for no apparent reason ….

    … Mmm … now I’m worried …

  7. @Static Mesh
    “A two way authentication, like Mac OS X providing us with a password so that we know it’s truly Mac OS X asking for the admin password and not a fake.”

    This would be easy for Apple to resolve by having a key word or image set in the accounts preferences — this would be encrypted so that only the OS can access it. And it would be displayed on authentication dialogs — that way an app can’t spoof the authentication dialog so that it grabs the admin password and does what it wants with it.

  8. @ Ray
    “Unless you activate root: Nobody is getting root access. What you are doing is in the dialog activating the sudoers rights to that app..what ever it may be. What sudoers can do is defined in the /etc/sudoers file (at least in Linux).”

    Uh — the way admin users are configured by default is that an admin with sudoer access is as good as root. It would be easy for a script running under admin sudoer access to install rootkits, reassign the root password, enable the root account, etc etc etc.

  9. What if Apple allowed root access to only a few of THEIR apps (and hardened those apps to deny root requests from scripts)?

    What besides an installer really needs root anyway?

    Then again you can only do so much to protect users from themselves.
    The strongest lock is only as secure as its keyholder.

  10. If you hold your mouse cursor over the blue box indicating the tool being used, it displays a downward arrow. If you click said arrow then it will show you the directory of the tool. And besides, the “tool” is chosen from programs that are already installed on your computer. You need to install a bogus program before this even becomes confusing. Mac OSX does need a fix for the metadata exploit, but it cannot protect its users against their own ignorance. If you are concerned about the security enough to go nuts about this, then you should be concerned enough to simply read the pathway of the program being used to see if it is what you expected.

  11. Call me naive, but I don’t see the big deal here. When that dialogue box pops up, something is asking for your password. Does it really matter what that something is named? If that box popped up, and I wasn’t expecting to have to enter a password, I wouldn’t enter it no matter what the program called itself.

    I mean come on: Anyone sufficiently naive to mindlessly type in a password because “Mail” asks for it out of nowhere would probably enter it if “ParisHiltonScreensaver” asked for it. So what would be the point of this “exploit”?

  12. DISCLAIMER: Ampar is not responsible for damage to keyboards, monitors, computers, peripherals, cords, small furry animals, Lisa Kudrow, the moon Ganymede, tetrahydrochlorides, shag carpeting, ominous presences, venison, Nehru jackets, Pop-Tarts, crop circles, warts, new age bands, Parliament, latex paint, or any residents of San Bruno, California resulting from spit takes on any said objects, mammals, manifestations, products, body parts or thought processes herein. Reading this thread constitutes implicit compliance. Proceed with caution.

    Always read the fine print.

  13. Static Mesh:
    Are you trying to get a job at Apple?

    Static Mesh said: They ask for your personal identifying information and then use it everywhere in the machine.

    He could get a job at Apple as a false authority writing spam-phrase-nonsense security alerts.

  14. This is the point behind being able to click on the name of the “tool” or application in this dialog box, and see the full path where it’s located. If I see “Disk Utility requires that you type your password” and I don’t recall initiating a disk utility action, and I click that name and see that “Disk Utility” is in “~/Downloads/” then I will probably not give it my password.

    Granted though, most users do not have this much awareness as to what is going on with their computer. For most, it is “I click this pretty picture, do what it tells me, and it works”

    (Of course, if untrusted malicious code is running on my machine, I already have larger problems than misleading password boxes.)

    The only real way to prevent “fake” authentication boxes is to require a “security attention” key sequence before entering passwords, and then train users never to enter a password without first typing that sequence. This is the idea behind Windows control-alt-del (but in Windows this is only implemented in a few cases such as system login, so it’s basically useless)
