Five-month-old unpatched OS X bug lets hackers gain ‘super user’ status by rolling back time

“Researchers have made it easier to exploit a five-month-old security flaw that allows penetration testers and less-ethical hackers to gain nearly unfettered ‘root’ access to Macs over which they already have limited control,” Dan Goodin reports for Ars Technica.

“The authentication bypass vulnerability was reported in March and resides in a Unix component known as sudo. While the program is designed to require a password before granting ‘super user’ privileges such as access to other users’ files, the bug makes it possible to obtain that sensitive access by resetting the computer clock to January 1, 1970,” Goodin reports. “That date is known in computing circles as the Unix epoch, and it represents the beginning of time as measured by the operating system and most of the applications that run on it. By invoking the sudo command and then resetting the date, computers can be tricked into turning over root privileges without a password.”

Goodin reports, “Mac users should realize that an attacker must satisfy a variety of conditions before being able to exploit this vulnerability. For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past. And of course, the attacker must already have either physical or remote shell access to the target machine.”

Read more in the full article here.

MacDailyNews Take: We hope to see this fixed in the imminent OS X 10.8.5.

31 Comments

  1. Damn. Now this obscure bug will be told everywhere. Here in Silicon Valley it will be big news in SJ Mercury, on all the SF tv news shows, etc. Never fails. And sadly Google and others’ troubles are never mentioned. Apple is our biggest taxpayer in the Bay Area but gets terrible press. Just watch.

    1. Not exactly. The mainstream news outlets seldom pick up “proof of concept” stories from the tech press. Their bread and butter is sensational reporting of real-life massive outages that affect millions of people, not obscure researchers’ claims about theoretical and technical vulnerabilities.

      News = drivers die for want of a stop sign.

      1. In addition to that (according to the story on apple insider):
        “In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before.”

        1. I think that I like that all the haters are marking Ken1w’s and my posts down because we pointed out what you really need to make this “exploit” work. Just like antenna gate or battery gate it is an apple hater created, non issue bounced around in the tech press echo chamber.

          You need the administrator’s password to make it work…
          Yeah, OS X users will lose sleep over this one.

    1. I would agree with you. I would guess most users have never run sudo in Terminal and very few have even enabled the root user on their Mac. This is coupled with the fact that the person must have physical access to the computer and be logged in as an administrator.

  2. There are a lot of IFs and ANDs involved in the whole thing… making it very trivial.

    “Mac users should realize that an attacker must satisfy a variety of conditions before being able to exploit this vulnerability. For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past. And of course, the attacker must already have either physical or remote shell access to the target machine”.

    The “attacker must already have either physical or remote shell access”?
    The “end-user who is logged in must already have administrator privileges”?

    Huh? Seems quite benign to me.

  3. Wait, wait a minute.

    First the attacker must satisfy a variety of conditions before being able to exploit this vulnerability:

    1- The end-user who is logged in must have admin rights.

    2- The end-user must have run SUDO in the past.

    3- The attacker must already have either physical or remote shell access to the target machine.

    Really??

    Then they wrote the headline:
    “Unpatched Mac bug gives attackers “super user” status by going back in time”

    None of my clients run as admin.
    None of my clients even know what SUDO is.
    Some stranger sitting at a client Mac would be noticed.
    My clients have remote shell set to off. Which happens to be the default.

    Wow. This is nothing but stupidity written as if the keys to the Mac were just laying out there for anyone to grab.
    Sad, very sad reporting. No wait, very sad blogging.

      1. No, it doesn’t. As a Unix admin, I can tell you it is ridiculous to say that a computer is vulnerable if the attacker can run sudo on it. Sudo is a basic administrative function on any Unix box. Unless a user has specific permission to run sudo AND the administrative Unix sudo password (usually held only by sysadmins), they are dead in the water. It’s like saying I can open any bank vault, all I need is physical access and the combination to the safe. Utter nonsense.

        1. And if, bound and gagged by intruders who have extracted the password from me by threat of torture, they are able to download and make away with my entire Hello Kitty screensaver collection, I shall have no one to blame but myself. Oh! Had I only continued my career with steadfast, reliable Windows Server; had I not been cruelly seduced by a purportedly inviolable OS X!

  4. If you read the article, it’s about the “sudo” utility, which means it’s not specific to Mac OS X, although we all know that won’t deter headlines from proclaiming it a Mac problem.

    sudo allows you, out of convenience, to not have to reenter your admin password within 5 minutes of having used it previously. Therefore, that timestamp is stored, and can therefore be affected by a person setting your clock back in time to within 5 minutes of the last time you used sudo. The simple fix is to alias sudo to sudo -K, killing off the stored time, and therefore preventing anyone from doing this little bit of trickery, but also requiring you to reenter your password for every privileged operation you want to use.
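To make the mechanism in the comment above concrete, here is an added example (not from the article, the commenters, or sudo itself): a simplified in-memory model of sudo’s credential-cache check. It shows why a timestamp that was “invalidated” by stamping it with the Unix epoch comes back to life once the clock is rolled back, and why the two mitigations the comment names (disabling the cache with a zero timeout, or discarding the stored time as `sudo -K` does) are not affected. Real sudo keeps per-tty timestamp files; the single in-memory timestamp, the constructed clock value and the comparison itself are assumptions of this model.

```python
# Added example: a toy model of sudo's credential cache, not sudo's own code.
from typing import Optional

EPOCH = 0                 # 1970-01-01T00:00:00Z as a Unix time
DEFAULT_TIMEOUT = 5 * 60  # sudo's default cache lifetime (5 minutes), in seconds


def cache_is_valid(ts: Optional[int], now: int, timeout: int = DEFAULT_TIMEOUT) -> bool:
    """Return True if a cached authentication is still honoured.
    ts is the stored timestamp (None when no stored time exists at all).
    A timeout of 0 corresponds to 'Defaults timestamp_timeout=0' in sudoers."""
    if ts is None or timeout <= 0:
        return False                  # nothing cached, or caching disabled
    return 0 <= now - ts < timeout    # 'now' lies inside the window after ts


def invalidate_by_epoch(ts: Optional[int]) -> Optional[int]:
    """Weak invalidation: keep the stored time but overwrite it with the epoch.
    The entry only *looks* expired as long as the clock is sane."""
    return EPOCH


def invalidate_by_removal(ts: Optional[int]) -> Optional[int]:
    """Strong invalidation (what the comment's 'sudo -K' alias relies on):
    the stored time is discarded entirely, so no clock value can revive it."""
    return None


def demo() -> dict:
    """Walk through the scenario with a constructed clock (Aug 2013 Unix time)."""
    now = 1_377_000_000          # constructed value, not from the article
    ts = now                     # the user has just authenticated with sudo
    weak = invalidate_by_epoch(ts)
    strong = invalidate_by_removal(ts)
    rolled_back = EPOCH + 1      # the clock set to 1 January 1970
    return {
        "weak_sane_clock": cache_is_valid(weak, now),                   # False
        "weak_rolled_back_clock": cache_is_valid(weak, rolled_back),    # True
        "removed_rolled_back_clock": cache_is_valid(strong, rolled_back),  # False
        "timeout_zero_rolled_back_clock": cache_is_valid(weak, rolled_back, timeout=0),  # False
    }


if __name__ == "__main__":
    for name, honoured in demo().items():
        print(f"{name}: {honoured}")
```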

  5. I’m so unimpressed with this new “security threat”. A hacker has to already have Administrator access to your Mac before they can change the date. That’s like a burglar turning off the alarm system after they walked in through an open front door. If a hacker is already in, you’re p0wned. But no doubt the Apple haters will be crowing to high heaven about Macs being just as vulnerable to viruses as Windows is. Wait for it…

    1. From my perspective, the only reason this hack has come into the spotlight is because it has been integrated into the Metasploit hacking toolkit. That makes it easy to use, IF you can get into an admin account. With the Java Internet plug-in being such a dire POS under the ownership of Oracle, the worry is that another privilege escalation security hole will show up for Mac. But so far, this sudo attack indeed isn’t worth the worry.

    2. Let’s not be too hasty. Remember that when you first fire up that brand new Mac & answer the setup questions, the system will create an account for you, and it WILL have administrator privileges. Certainly most enlightened readers here know to create a second account for everyday activities, leaving the admin account for system software updates & installs only. But not every Mac user is conversant in Unix security. We would probably be shocked to find out how many people have one and only one account on their Mac, the admin account, that they use daily. Those are the ones we should be concerned about.

  6. I don’t get it… Yeah, looks like there is a bug in sudo, but if I already have administrator access on the box, I don’t need the sudo bug to become root.
    I guess the only situation where this can be of use is when I’m already logged in, I’m an admin and I forgot my password? Really?

  7. …gain nearly unfettered ‘root’ access to Macs over which they already have limited control

    This affects OS X 10.7 through 10.8.4.

    It’s not of immediate danger because the hacker must already be logged into an administrator account in order to do the dirty work. It’s more of a danger when an admin password has been cracked or leaked, OR you’ve got a rogue admin user who’s out to wreck your Mac, aka a Mac-o-path. 😉

    What’s of concern is that this hack is currently being tossed into exploit kits. Therefore, if some other hack (such as yet-another idiotic Java security hole) lets a hacker into an administrator account, they can pull off this sudo attack as well. (Therefore, uninstall or turn off the Java Internet plug-in!)

  8. It’s not going to lead to widespread malware outbreaks, but it’s still serious and should be patched pronto. It could be used in concert with other exploits to reach super user access. It could also be used in targeted acts of hacking, corporate espionage, data theft, or other kinds of cyber crime. System administrators do often use remote shells and sudo, unlike typical users – so there’s a variety of professionally managed computers that could be targeted using this type of exploit – many containing databases of sensitive information.
