
Printed from http://www.macnn.com

Flaw in Unix sudo command threatens OS X, Linux

updated 10:10 pm EDT, Wed August 28, 2013

Could give admin-level users unauthorized root access

A flaw in the Unix "sudo" program that has remained unaddressed in recent implementations of OS X and some distributions of Linux could allow a current or former user who still has admin-level access to the computer to gain root access, presenting a security risk. The flaw, discovered by security testing software maker Metasploit, requires would-be attackers to jump through a number of hoops, however.

The possibility of an attacker successfully exploiting the vulnerability is pretty remote under most circumstances, but there are situations where the various requirements could be met and the attack could succeed. The flaw, which involves resetting the target computer's clock, requires that the attacker already have admin-level privileges on the machine, have physical or remote access to it, and the attacker must have used the sudo command on the machine successfully once before. All three of the conditions must be satisfied in order for the intruder to reset the computer's clock in the manner necessary to gain root privileges.

By default under OS X, only the owner of the machine has administrator privileges, and remote sharing is off -- completely preventing non-users or remote attackers from being able to even begin utilizing the exploit. The fact that the attacker must be a person who still has admin-level access to the machine narrows the risk quite considerably. Further, it is thought that only a single-digit percentage of Mac users ever engage the sudo command at all, which requires the use of the Terminal program.

However, a scenario such as a recently-fired employee of a company, a jilted lover or an abusive mate that still has an admin-level account on the target machine could conceivably have both the access and the technical know-how to exploit the flaw and gain full access to all files on the target computer. On the Mac, the bug exists in all recent versions of OS X from 10.7 onwards. Under Linux, the flaw either exists or has been worked around depending on the particular distribution.

Apple may be waiting for its upcoming release of the next major version of OS X, called Mavericks, to address the vulnerability -- reasoning that the chances of an attack are sufficiently low that it is not a high-priority item. To date, there have been no known successful attacks exploiting the flaw. However, Metasploit went public in order to urge Apple to address the problem promptly.

The company's motives in revealing the problem may be suspect, however, as Metasploit sells "penetration-testing software" for security and IT professionals, and thus has a vested interest in making its audience aware of potential security risks for the Mac and other platforms. Apple was notified of the problem five months ago, but has not issued a formal public or private response. The iPhone maker has been known to be sometimes slow to respond to bugs found in open-source software, preferring to wait until a scheduled update or new release rather than patch problems as they come along for flaws the company doesn't see as likely.




by MacNN Staff


Comments

  1. burger

    Forum Regular

    Joined: 09-13-00

    "The flaw, which involves resetting the target computer's clock, requires that the attacker already have admin-level privileges on the machine, have physical or remote access to it, and the attacker must have used the sudo command on the machine successfully once before."

    Facepalm

  1. coffeetime

    Mac Enthusiast

    Joined: 11-15-06

    In other words, if a robber stands inside your house, he can rob your house easily. Well, that makes sense. Why hadn't I thought about that?

  1. JBracy

    Fresh-Faced Recruit

    Joined: 08-08-00

    I'm confused. If an attacker has Admin privileges why would he need to reset the clock to get root privileges? All admin users already have sudo access.

    To expand on coffeetime's comment - it's actually saying "If your roommate is in your house and has the keys, then he can take whatever he wants. If you kick him out, but don't change the locks or take away his keys then he can still come in and take whatever he wants."

    I'd like to know how other OS's have "mitigated" this "exploit" without completely disabling the sudo command.

  1. gprovida

    Fresh-Faced Recruit

    Joined: 02-14-06

    Concur with facepalm. Not sure I understand. The only explanation I can get is that there is some sloppy code software that allows an admin to bypass the normal means to get root access but using this flaw. Presumably the threat is not an admin user exploiting this, but rather some other kind of exploit might be doable given the software weakness. But this is pure speculation.

  1. DiabloConQueso

    Fresh-Faced Recruit

    Joined: 06-11-08

    "All admin users already have sudo access."

    On Mac OS X's implementation of FreeBSD, yes.

    On other *NIX systems, not always. Debian 7 is an example of administrators not having sudo privileges until explicitly given them by the superuser by addition of their account to the sudoers file. Hell, sudo isn't even installed by default on Debian 7 systems -- you must either install it, or use su, which requires knowledge of the root/superuser password.

    It's definitely a security hole, albeit one that more than most users will never have to worry about (but for sysadmins who manage enterprise-level *NIX systems with multiple administrator users, it's a relatively big concern). Still, this is what makes UNIX one of the most powerful and secure systems on the earth -- it's been under constant development and hardening for over 40 years.

  1. The Vicar

    Junior Member

    Joined: 07-01-09

    The point is that if the attacker can exploit this flaw, then they never have to enter a password again. (They could even create a user which the OS would think was a non-admin user -- IIRC the "admin" thing is determined by membership in a particular group -- grant it permanent root privileges, and then log out.) Situations where this is important are rare, but technically possible. Bottom line: it's good for everyone if Apple fixes security holes, even minor ones. Especially if the fix already exists and can be patched in, which appears to be the case here.
