2003
11.27

Remote Root Vulnerability in MacOS X

Category: Security / Tags: no tag / Add Comment

It seems like all version of OSX are affected by a major security issue related to malicious DHCP response. It’s highly recommanded that all OSX user on workstation or server read the temporary workaround.

[b]Vulnerability:[/b]
Malicious DHCP response can grant root access

[b]Affected Software[/b]
Mac OS X 10.3 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.3 (all versions through at least 26-Nov-2003)
Mac OS X 10.2 (all versions through at least 26-Nov-2003)
Mac OS X Server 10.2 (all versions through at least 26-Nov-2003)
Probably earlier versions of Mac OS X and Mac OS X Server
Possibly developer seeded copies of future versions of Mac OS X

[b]Abstract[/b]
A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.

[b]What does this mean to the average user[/b]
Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section “Workarounds” for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.
(…/…)

[b]Workarounds[/b]
There are a variety of avenues to avoiding this vulnerability…
Disable any network authorization services from obtaining settings from DHCP:
in Directory Access, select LDAPv3 in the Services tab, click “Configure…”, uncheck “Use DHCP-supplied LDAP Server”
in Directory Access, select NetInfo in the Services tab, click “Configure…”, uncheck “Attempt to connect using broadcast protocol” and “Attempt to connect using DHCP protocol”
in Directory Access, uncheck LDAPv3 and NetInfo in the Services tab, if you don’t intend to use them

Turning off DHCP on all interfaces on your affected Mac OS X machine can also keep you from being affected.
For added security, be sure to disable any unused network ports:
turn the AirPort card off or remove it, if it is not being used.

[b]Technical Details[/b]
By default, the affected versions of Mac OS X attempt to negotiate DHCP on all available interfaces. In the event that an Airport card is installed but there is no network nearby, they also default to associate with any network that might appear and then use DHCP to obtain an address. The system will also use DHCP provided fields, if available, to connect to an LDAP or NetInfo server on the network.

The default settings in “Directory Access” on affected systems will cause the system to place the network LDAP or NetInfo server ahead of the local user info for any given account, and will implicitly trust the LDAP or NetInfo server to provide correct information. Furthermore, nothing in the system prevents a login as a user with uid 0 (zero) with any login name. For example, an LDAP or NetInfo source with an account username “bluemeanie”, uid 0, would be perfectly valid and usable for login at the login window and on any network provided service, including ssh (which is turned on by default in certain versions of the affected software).

In most cases, the Mac will need to be booted into the malicious environment to be exploitable by this flaw. (The netinfod process must be restarted to cause the malicious server to be inserted into the authentication source list.)

By taking advantage of these default settings, a malicious individual could potentially take full control of a Mac OS X workstation or server without even having to make a physical connection to the machine. With a good antenna the malicious individual wouldn’t even have to be in the same building.

While the further examples in this advisory deal exclusively with LDAP, this vulnerability is equally exploitable using a malicious NetInfo server.

[b]History of this Advisory & Vendor Contact Log[/b]
2003-10-09 Initial version of this advisory
2003-10-09 Apple Computer notified
2003-10-09 Apple Computer confirmed receipt and forwarded to eng. team
2003-10-11 Minor edits, also added “Philosophical Issues” and “Path to Root”
2003-10-14 Apple Computer assigns specific point of contact
2003-10-14 Requested confirmation of issue with Apple Computer
2003-10-15 Apple Computer confirms issue
(2003-10-24 Original deadline given to Apple for acknowledging issue)
(2003-10-24 Mac OS X 10.3 is released with this known issue)
(2003-10-28 Mac OS X 10.3 Security Update released, does not address issue)
2003-10-28 Requested update of fix status from Apple Computer
2003-10-28 Apple Computer proposes Nov. 3 fix date
2003-10-29 Apple Computer reneges on Nov. 3 date
2003-10-29 Requested fix in “2 or 3 weeks” from Apple Computer
(2003-11-04 Mac OS X 10.3 Security Update released, does not address issue)
(2003-11-15 Mac OS X 10.3.1 is released with this known issue)
2003-11-17 Requested update of fix status from Apple Computer
2003-11-18 Requested update of fix status from Apple Computer
(2003-11-19 Mac OS X 10.3.1 Security Update released, does not address issue)
2003-11-19 Apple Computer replies “scheduled to go out in December’s update”
2003-11-19 Deadline of Nov. 26 given to Apple Computer
2003-11-25 Minor edits, made “Path to Root” a little more work for the script kiddies
2003-11-26 Advisory issued (48 days after initial vendor notification)
2003-11-26 Added FAQ section at 2:10pm to address questions that have come up
2003-11-26 Fixed an error in the FAQ at 9 pm regarding the mount behavior

Credits: [url=http://www.carrel.org/dhcp-vuln.html]William Carrel [/url]

No Comment.

Add Your Comment

Your Comment

You must be logged in to post a comment.