[Full-disclosure] Security Alert - The OS X Zombies
hardmac at gmail.com
Wed Mar 30 00:39:11 BST 2005
From CLIXchange, the newsletter of the developers of CLIX
(http://www.rixstep.com/4/0/clix/). (3/24/05) Also publishers of the
The OS X Zombies
This is important enough to publish here for those who do not receive Mac-X.
A number of OS X boxes have in fact been compromised. Please read on.
A certain institution of higher learning has discovered that fleets of
their OS X boxes have been compromised. They do not yet know the
vector of attack, meaning it is officially a 'zero day exploit'. They
do however have several theories - all of which have to do with file
sharing, anonymous FTP, and root logins over SSH.
The OS X boxes, when compromised, end up running rogue IRC bot
controllers and FTP servers. Naturally these rogue processes are
capable of accessing sensitive data - which can be destroyed,
modified, or stolen.
Some of the victimised boxes were exploited through weak passwords for
SSH-enabled accounts; still others through their Apache servers.
Apache needs to be patched too and Apple have the patches out there
for their contribution to the Apache community and they should be
downloaded. Worse: if the holes in Apache are publicised and the
sysadmins do not download them, the script kiddies will know how to
[Which all is hardly news for beleaguered Windows system administrators. DUH.]
Most if not all the holes - aside from those revealed through a laxity
in patching Apache (no pun intended) - are most likely due to user
ignorance or nonchalance.
Apple boxes can be opened wide: it's possible to enable ordinary file
sharing and even Windows file sharing (!) and it's generally not a
good idea unless you really know what you're doing and only leave it
enabled for as long as you need it.
Whenever you open a box connected to the Internet - especially from a
static IP - you're also opening it for the rest of the world. Add a
trivial password to the mix and you have burnt toast.
It's not possible to compromise an OS X or Unix system in the
traditional way the Windows boxes get hit: none of them have the leaky
sieve of the Internet Explorer rendering engine. But anyone, repeat
'anyone', stupid enough to let the intruders gain access will end up
with - the intruders gaining access!
Use of remote root login, especially to boxes connected to the
Internet, has to be one of the absolute dumbest ideas of all time.
Normally an attacker has to guess a username and a password; if the
root account is enabled, half the battle is over.
Now hit the server with brute force and you will 0WN it...
Remote users can always escalate to root once they're in; enabling
root - default disabled by Apple out of the box and for obvious
reasons - is just folly. Downright stupid.
OS X comes with the BSD firewall. Turn this sucker on and nothing is
visible. It's relatively easy to set the firewall up to only show
one's presence on the ports to be used for communications. Even this
should be turned off when not in use.
And kitchen table users out there: are your root accounts enabled?
They should not be. Root came from the factory disabled and you should
have left it as such.
And how about all the software you download? How many applications ask
for your administrator password to install? And if they did, did you
throw them in the Trash where they belong? Are you going to finally
understand that no one but no one is to get this password except Apple
On a final note: the Unicode exploit is platform-independent. This
exploit relies on the fact that certain Unicode characters look
EXACTLY like ordinary 7-bit ASCII - you access a site and it really
looks like you're at the right site, but a single character is
actually QUITE ANOTHER VALUE...
Most browser manufacturers are writing (or have already completed)
code to combat this exploit: it matters not what platform you are
running on - get the patch now.
Rounding up, let us quote from the gurus who found the OS X zombies:
'OS X systems are secure, but their security issues cannot be ignored.
Even though they've been good compared to their rowdy Windows cousins,
they live in a dangerous world. Don't let hubris bite you!'
Merci bien - until NeXT time...
All the best,
Full-Disclosure is hosted and sponsored by Secunia.
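The "Unicode exploit" the newsletter describes is the IDN homograph problem: a hostname label that mixes a Latin-looking Cyrillic (or Greek) letter into an otherwise ASCII name. The check below is an added example and is not code from the original post or from CLIX; it implements the mixed-script heuristic that browser vendors shipped as their fix, and shows the punycode ("xn--") form a patched browser would display instead of the lookalike. Function names and the sample hostnames are constructed for this illustration.

```python
import unicodedata


def char_script(ch):
    """Coarse script of one character ('LATIN', 'CYRILLIC', 'GREEK', ...).

    Digits, hyphens and dots are script-neutral and reported as 'COMMON';
    the script is taken from the first word of the Unicode character name.
    """
    if ch in "-." or ch.isdigit():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_scripts(label):
    """Set of non-neutral scripts used in a single DNS label."""
    return {char_script(c) for c in label} - {"COMMON"}


def analyse_hostname(hostname):
    """Report whether a hostname mixes scripts inside any label.

    Caveat: a label written entirely in one non-Latin script whose letters
    all happen to look like Latin ones passes this test; catching that needs
    a confusables table, not just a script check.
    """
    labels = hostname.lower().rstrip(".").split(".")
    mixed = [lbl for lbl in labels if len(label_scripts(lbl)) > 1]
    try:
        # Same transformation a patched browser applies before displaying
        # the address bar: non-ASCII labels become xn-- punycode labels.
        ascii_form = hostname.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # malformed label (empty, too long, ...)
    return {
        "hostname": hostname,
        "ascii_form": ascii_form,
        "non_ascii": not hostname.isascii(),
        "mixed_script_labels": mixed,
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    # Constructed samples: a plain name and one with a Cyrillic 'а' (U+0430).
    for name in ("paypal.com", "p\u0430ypal.com"):
        print(analyse_hostname(name))
```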