Thursday, August 29, 2013

Security notes: sudo and OS X, more reasons you should not use Java

Busy week for security. There is growing consternation over a blended exploit in the OS X sudo utility (1.6 and later, which applies to all Macs from at least 10.4 up, including Intel Macs through 10.8.4) that can be abused to give a logged-in attacker root privileges. sudo is a tool that lets permitted users (on OS X, that's anyone who is an administrative user) achieve root privileges without knowing what the root password is, and from there do any task, nefarious or necessary. This exploit takes advantage of a well-intentioned sudo convenience: if you've already authenticated within a certain period, usually a few minutes, it won't ask you for the password again. Let's also combine this with the knowledge that OS X does not require root privileges to set the date and time of the machine, either from System Preferences or using the systemsetup CLI tool. Did you figure out the flaw yet? If you set the clock sufficiently far back in the past, and the user you are attacking, impersonating or whose machine you are sitting down at has ever successfully run sudo from the Terminal before, you can become root as often as you like because their credentials will not have "expired." This means you can merrily install malware, snoop on their files, force them to use the metric system, copy their Michael Bolton album boxed sets, etc. Just because you don't use the Terminal doesn't mean you're not vulnerable; if an attacker can get on your system and run applications, even remotely, they can exploit this hole.

How to fix it? Well, you could build and install a new sudo, but here's a better idea: force sudo to always make you enter your password, which is just more secure in the first place. In the Terminal, type sudo visudo, enter your password, and in the configuration file add this line:

    Defaults timestamp_timeout=0

Save the file and exit the editor. Test it with back-to-back sudo bash commands. You should always be asked for a password. Now it doesn't matter what the clock is set to; you won't give away the store. I've tested this on 10.4 and 10.6; I see no reason why it won't work on 10.5, 10.7 or 10.8. 10.3 and earlier users, if sudo -V says a version that is 1.6 or later, you are also vulnerable. This may be fixed in a future 10.6 update, but really, this is just a safer way to use a tool that can be very dangerous if misconfigured.
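A read-only check for the fix above, added here as an example and not part of the original post: it reports the global timestamp_timeout a sudoers file sets, treating the last unscoped Defaults line as the effective one. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sudoers file (or a copy of it) for the
# "Defaults timestamp_timeout=0" setting. It only reads the file.

effective_timestamp_timeout() {
    # $1: path to the sudoers file. Prints the value, or "unset".
    awk '
        /^[ \t]*#/ { next }                       # comments and #include lines
        $1 == "Defaults" {                        # skips Defaults:user, Defaults@host
            line = $0
            sub(/[ \t]*#.*$/, "", line)           # drop a trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/) # one line may carry several options
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^timestamp_timeout[ \t]*=/) {
                    val = opts[i]
                    sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", val)
                    sub(/[ \t]+$/, "", val)
                    found = val                   # a later line overrides an earlier one
                }
            }
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

always_prompts() {
    # Succeeds only when the timeout is pinned to 0 (password every time).
    [ "$(effective_timestamp_timeout "$1")" = "0" ]
}

# Constructed sample: a minimal sudoers file before and after the fix.
sample=$(mktemp)
printf 'Defaults env_reset\n%%admin ALL=(ALL) ALL\n' > "$sample"
echo "before: $(effective_timestamp_timeout "$sample")"
printf 'Defaults timestamp_timeout=0\n' >> "$sample"
echo "after:  $(effective_timestamp_timeout "$sample")"
rm -f "$sample"
```

An "unset" result means sudo falls back to its built-in timeout, which is the clock-dependent behavior this post is about.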

Also, if it's [a day in the week ending in -day], it's time for another Java exploit. In the MITRE security note, they say "Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox," which, because Larry Ellison is a turdbucket, almost certainly means that this vulnerability can escape the Java sandbox. That also means that this is a cross-platform privilege escalation, because the sandbox runs platform-independent code, and Java 1.5 is already known to be vulnerable and will never be updated for Power Macs. If you are running Java applets on any version of PowerPC OS X, you need to surrender your power cord, now.

On BaselineCompiler progress, we are now passing 87 tests so far and slowly getting to phase 4. Also, our friend at Tenfourbird found a methodjit bug and created a fix that we will take for 17.0.9 and 22.0.2 (if there is one) (issue 239). Thanks, t_mrc!

7 comments:

  1. Thanks for the sudo tip!
    (also gave me another chance to practice using vim :) )

  2. Sudo, I thought you were a friend!

    If you have no idea how to use vi, you can edit (at least in Tiger) /private/etc/sudoers with nano.

    Larry Ellison's too busy playing with boats in his kiddie pool to have time for his sandbox.

  3. I wonder if people who have never done this before know how to insert lines with the vi editor (or any Terminal based editor) and successfully save the sudoers file without messing it up. I'm not exactly sure, so I refrained from changing the file for now. The man and :help pages aren't too helpful.

    1. In that case, I'd go with Dan's recommendation. I love vi, but it's not very friendly to the uninitiated; nano is pretty easy to work with. You probably need to do "sudo nano /private/etc/sudoers" and then insert the line at the end.

    2. (But, if you want the vi keystrokes, it should be:

      0G (that's zero followed by capital G)
      o (that's lower case "O")
      Defaults timestamp_timeout=0

      Then press ESC, and

      :wq! (that's a colon followed by w q and exclamation point)

    3. Thanks, it worked. I am now asked for my password every single time I use sudo, which probably helps against a lot of other potential exploits as well. Sudo version on 10.5 is 1.6.8p12, btw, the same as on 10.4.

    4. At least you are going through visudo which checks the file to make sure it is valid before saving it.

