Focus on Apple
PWN to OWN at CanSecWest Mar 29 2007 12:45AM
mfossi securityfocus com (1 replies)
RE: PWN to OWN at CanSecWest Mar 29 2007 12:02PM
Don Rhodes (drhodes mail colgate edu) (1 replies)
Re: PWN to OWN at CanSecWest Mar 29 2007 04:31PM
Dave Schroeder (das doit wisc edu) (2 replies)
Hi. "That guy" was me, and it was one year ago...for posterity, below
is the original text of the site (for people who think the test was
garbage because of X, Y, or Z, please actually READ the description
first - chances are, your concern is addressed).

Since this was very high profile and open to anyone on the internet
as opposed to just one conference (and raised the ire of a lot of the
people who think that any positive statement about Mac OS X makes you
a "fanboy"), I doubt there are any *remote* exploits for stock Mac OS
X systems. I'll acknowledge that there could be still-unknown,
unpublished remote exploits for various services, but the real danger
would come from a remote attack against a stock configuration, as-is,
since that is how the vast majority of Mac OS X systems are configured.

In this case, the machine was in its default configuration with the
firewall *off*, and with ssh and apache running, and with any other
local Mac OS X services listening. So unless new remote
vulnerabilities against common services have been discovered (which
seems unlikely since MoAB would have loved to have used one as an
example), or there are still unpublished-but-known-to-some
vulnerabilities in Bonjour or the wireless layer (that can actually
be practically exploited for the purposes of this test and and not
just crash the machine), or vulns that can ONLY be exploited on a
local network, I actually wouldn't be surprised if these machines
make it through unscathed.

I'll qualify that with this: they did say the rules would be
"progressive", and I take that to mean that they'll perhaps be doing
something like enabling more services or removing barriers as time
goes on. Certainly there could be a vulnerability in a service that
ships with Mac OS X. Personally, I have my eye on Bonjour, especially
since mDNSResponder runs as root...

Still, the outcome of the test will be interesting.

- Dave

> Mac OS X Security Test
> Tue 7 March 2006 11:59 PM CST (8 March 2006 0559 GMT)
> The testing period is now closed.
> - The response has been very strong, and the test has illustrated
> its point.
> - Traffic to the host spiked at over 30 Mbps.
> - Most of the traffic, aside from casual web visitors, was web
> exploit scripts, ssh dictionary attacks, and scanning tools such as
> Nessus.
> - The machine was under intermittent DoS attack. During the two
> brief periods of denial of service, the host remained up.
> - The test machine was a Mac mini (PowerPC) running Mac OS X 10.4.5
> with Security Update 2006-001, had two local accounts, and had ssh
> and http open with their default configurations.
> - There were no successful access attempts of any kind, including
> during the 38 hour duration of the test period, nor have their been
> any claims of success. The host is still the same host and
> configuration used for the test.
> Some snippets from 7 March 2006:
> - The site received almost a half a million requests via the web.
> - There were over 4000 login attempts via ssh.
> - The ipfw log grew at 40MB/hour and contains 6 million events logged.
> - Several social engineering attempts were received, including one
> purporting to be from the government of Sweden, which apparently
> uses GMail. ;-)
> - More test results and information will be published here at a
> future date.
> Mon 6 March 2006 10:00 AM CST
> In response to the woefully misleading ZDnet article, Mac OS X
> hacked under 30 minutes [], a Mac OS X Security Test
> has been launched. (Test is now concluded.)
> The ZDnet article, and almost all of the coverage of it, failed to
> mention a very critical point: anyone who wished it was given a
> local account on the machine (which could be accessed via ssh).
> Yes, there are local privilege escalation vulnerabilities; likely
> some that are "unpublished". But this machine was not hacked from
> the outside just by being on the Internet. It was hacked from
> within, by someone who was allowed to have a local account on the
> box. That is a huge distinction.
> Almost all consumer Mac OS X machines will:
> - Not give any external entities local account access
> - Not even have any ports open
> - In addition to the above, most consumer machines will also be
> behind personal router/firewall devices, further reducing exposure
> Mac OS X is not invulnerable. It, like any other operating system,
> has security deficiencies in various aspects of the software. Some
> are technical in nature, and others lend themselves to social
> engineering trickery. However, the general architecture and design
> philosophy of Mac OS X, in addition to usage of open source
> components for most network-accessible services that receive
> intense peer scrutiny from the community, make Mac OS X a very
> secure operating system. There have been serious vulnerabilities
> [] in Mac OS X that could be taken advantage of;
> however, most Mac OS X "vulnerabilities" to date have relied on
> typical trojan social engineering tactics, not genuine
> vulnerabilities. The recent Safari vulnerability [] was
> promptly addressed by Apple, as are any exploits reported to Apple
> []. Apple does a fairly good job with regard to security,
> and has greatly improved its reporting processes after pressure
> from institutional Mac OS X users: Apple is responsive to security
> concerns with Mac OS X, which is one of the most important pieces
> of the security picture.
> The "Mac OS X hacked under 30 minutes" story doesn't mention that
> local access was granted to the system. While local privilege
> escalation exploits can certainly be dangerous - and used in
> conjunction with things like the above Safari exploit - this isn't
> very informative with regard to the general security of a Mac OS X
> machine sitting on the Internet.
> I have commented a bit [] on Mac OS X security in general.
> Objections to this test
> Some have objected to this test as doing nothing more than testing
> the security of apache or ssh on a PowerPC architecture. That is
> correct. And that is how most of the world will see Mac OS X
> externally. The original article was not fair, because it did not
> note, or even imply, or hint in any way, that local account access
> was granted. The whole point of Apple using proven open source
> services like OpenSSH and apache on Mac OS X is exactly because of
> their secure nature as a result of years of scrutiny by the
> community. Most users of Mac OS X in a consumer or desktop setting
> will never even enable any of these services at all. It's
> unfortunate that the initial coverage was so journalistically poor
> and sensationalistic on what might otherwise have been an article
> about an interesting local vulnerability. Instead, it chose to
> leave people with the impression that a Mac OS X machine can be
> "hacked" just by doing nothing more that being on the Internet.
> That is patently false.
> Update
> The ZDnet article has been updated to include the sentence,
> "Participants were given local client access to the target computer
> and invited to try their luck." But might it not have been
> interesting to explore:
> - What are the implications of local account access, and under what
> conditions might a computer be used in that way? How can such
> access normally be obtained? Do home users behind firewalls and
> with no ports open need to worry?
> - How can a vendor fix the claimed local privilege escalation
> vulnerabilities when they are not informed of the issue? What are
> the moral and ethical implications of knowing about allegedly
> severe vulnerabilities in products, like the "hacker" they
> interviewed, and actively choosing to NOT give the vendor an
> opportunity to fix the problem(s)?
> - How might a Linux or BSD distribution, other commercial UNIXes,
> or Windows stand up to a similar test, where anyone who wishes is
> given local account access?
> - A discussion about how since much of OS X is closed, this might
> make it more difficult for the community to discover - and report
> and fix - potential vulnerabilities in the closed pieces
> ...and things of that nature, instead of leaving people with the
> impression that any Mac OS X machine connected to the Internet can
> be taken over in 30 minutes?
> Important note
> This page may be updated by me. Any changes will be announced via
> this site. Last update: Wed Mar 8 09:12:56 CST 2006
> Contact information:
> Dave Schroeder
> University of Wisconsin
> das (at) doit.wisc (dot) edu [email concealed]
> +1 608 265-4737

On Mar 29, 2007, at 7:02 AM, Don Rhodes wrote:

> Sounds like that guy who did it a few years ago, but did it over the
> net. Will be interesting to see how fast they are broken.
> --
> Don Rhodes
> Network & System Administrator - Network, Systems and Operations
> Colgate University
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of mfossi (at) securityfocus (dot) com [email concealed]
> Sent: Wednesday, March 28, 2007 8:46 PM
> To: focus-apple (at) securityfocus (dot) com [email concealed]
> Subject: PWN to OWN at CanSecWest
> So anyone who has some OS X 0-day and a ticket to CanSecWest this year
> has a chance at a free MacBook Pro...
> Marc Fossi
> Symantec Corp.

0? *?H?÷
 ?0?1 0 +0? *?H?÷
 ?,0?ô0?] DM0
0S1 0 UUS10U
Equifax Secure Inc.1&0$UEquifax Secure eBusiness CA-10
150829160720Z0?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison0?0
0?èHQÜ%wË ktëùNßM}V?ïȶÂ#¹.³S*?¥I|R±%ö3?~?cëG:!+·Ä? ÇL$ò­©«
8)?¿.Æ01qL|?I?¿Öm²\×[¼'¯íG̪»´V ?ëùçe><|¯÷?°
#0?Jx2RÛY6^ßÁ6@jG|L¡0Uÿ0ÿ09U2000. , *?(http://cr
%ñDX3wç֍ת· ?7kæÞßµ±z°c_?+åLÓPpGOsÉ>ف¬ÐDÓ±Ü-++?ü}£Z?? d£Áù'öTï¡*)ÿw~G²?¨ø
0?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison0
070921213052Z0¾1 0 UUS10U Wisconsin10UMadison1(0&U
University of Wisconsin-Madison1#0!U Faculty - Staff - Students10UDavid Schroeder1 0 *?H?÷
 das (at) doit.wisc (dot) edu0 [email concealed]?0
0????èöÆ?³G¡J[ ¨×
ÂC«ÓmÂ?5(¢?äðÛ¢1?Hµ8iä¬C°«é£ Ê¢4ÝsR|F?Sû?©¶2±ï?Æ?´zó?¬ÿPïí?ð?ÖÜ5àò?ݐ?ÕÍnæ?y
>ªÛ% ?ä¹£p0n0Uÿà0;U40200 . ,?*
:Ñat¡q"ٝöï­ÍA???±},ߪ&KÐ]9ev¬ëgxDEåð·Ë1?â0?Þ00?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison
0 + ?§0 *?H?÷
 1  *?H?÷
0 *?H?÷
070329163144Z0# *?H?÷
 1OS·¥?÷Ü?0)4åcÚ類0¡ +?71?00?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison
0£ *?H?÷
  1? 0?1 0 UUS1+0)U
"Division of Information Technology1#0!U Faculty - Staff - Students1(0&UUniversity of Wisconsin-Madison
#"¶Ù:j?Ê?f\X?+Ì%?eb?b¡ÓiȧÃÄ»a?KtáYAj g:SÚÃô}ãæûöÍö?{?å\l­¡ô]¼

[ reply ]
Re: PWN to OWN at CanSecWest Mar 29 2007 09:53PM
Dragos Ruiu (dr kyx net) (1 replies)
Re: PWN to OWN at CanSecWest Mar 29 2007 10:10PM
Dave Schroeder (das doit wisc edu)
Re: PWN to OWN at CanSecWest Mar 29 2007 09:40PM
matthew patton (pattonme yahoo com) (2 replies)
Re: PWN to OWN at CanSecWest Mar 30 2007 12:33PM
Jeramey Valley (ValleyJR mps k12 mi us)
Re: PWN to OWN at CanSecWest Mar 29 2007 10:49PM
Eric Hall (securityfocus darkart com) (1 replies)
Re: PWN to OWN at CanSecWest Mar 29 2007 10:00PM
John Smith (genericjohnsmith gmail com)


Privacy Statement
Copyright 2010, SecurityFocus