Vulnerabilities in Mac OS X
The vulnerabilities made public in the Month of Apple Bugs showed that Mac OS X was not seriously designed as a multi-user system and that clear separation of user accounts was not an important design goal. Two vulnerabilities recently made public underscore this shortcoming. German software developer Oliver König has discovered a hole that attackers can use to compromise a system without even logging in. For instance, if an administrator connects to a Mac OS X system via SSH to perform maintenance and enters sudo osascript -e 'tell Application "Finder" to beep' in the shell, Finder opens up behind the login window with root privileges. Anyone who has physical access to the computer can then compromise it as root. The login window should block access to Finder, which does not belong on the GUI at that point to begin with. While this scenario is unlikely to be used in genuine attacks (applications will rarely be launched in the GUI via SSH), it at least demonstrates the poor design of the security concept used in Apple's operating system. In addition, there may be other applications that display dialogs in the GUI in the same way.
To make matters worse, HackMac.org has published instructions showing how easy it is to set up an additional admin account without even knowing the administrator password. Apparently, this uses the same recovery route that users commonly turn to through technical support when their system no longer runs smoothly or they have forgotten their password. Nor is an installation disk required to change passwords, as is normally the case. According to HackMac.org, you only need to hold down the Apple key and S during booting to enter single-user mode and obtain root privileges. Unlike Linux, for instance, Mac OS X does not require a password at that point. The attacker could then mount the drive, delete the file /var/db/.applesetupdone and restart the computer. When the computer reboots, a setup dialog appears, and an additional account with administration rights can then be created.
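Both scenarios leave traces an administrator can check for: a GUI application such as Finder running as root while the login window is up, and the /var/db/.applesetupdone marker file having gone missing before a reboot. The following audit script is an added example written for this article; it is not code from the article, from Oliver König or from HackMac.org. It assumes a process listing in "user pid command" form (as produced by ps -axo user,pid,comm), a hypothetical list of GUI application names, and that the marker directory is passed as an argument (/var/db on a real system) so the check can be exercised against a temporary directory. The sample process listing is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added audit example (not from the article or from HackMac.org).
# Assumptions: process listing in "user pid command" form, as from
# `ps -axo user,pid,comm`; marker directory passed as an argument.

# GUI applications that should never be owned by root while the login
# window is displayed (the list itself is an assumption; extend as needed).
ROOT_GUI_PATTERN='(^|/)(Finder|Safari|TextEdit|Terminal)$'

# find_root_gui_procs LISTING
# Prints each root-owned GUI process line from LISTING; exit status 0 if
# at least one was found, 1 otherwise. Lines whose second field is not a
# numeric PID (the header line) are skipped.
find_root_gui_procs() {
    printf '%s\n' "$1" | awk -v pat="$ROOT_GUI_PATTERN" '
        $2 ~ /^[0-9]+$/ && $1 == "root" && $3 ~ pat { print; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# setup_marker_present DIR
# Exit status 0 if DIR/.applesetupdone exists. If the file is missing at
# boot, the Setup Assistant runs and offers to create a new administrator
# account, which is what the attack described in the article relies on.
setup_marker_present() {
    [ -f "$1/.applesetupdone" ]
}

# audit LISTING DIR
# Runs both checks, prints one block per finding, and returns 0 when the
# system looks clean or 1 when anything was flagged.
audit() {
    listing=$1
    dbdir=$2
    status=0
    procs=$(find_root_gui_procs "$listing") && {
        printf 'FINDING: root-owned GUI process(es):\n%s\n' "$procs"
        status=1
    }
    if ! setup_marker_present "$dbdir"; then
        printf 'FINDING: %s/.applesetupdone is missing; Setup Assistant will run on next boot\n' "$dbdir"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no findings"
    return "$status"
}

# Constructed sample listing (not captured from a real machine): Finder is
# running for a logged-in user and, as in the SSH scenario, also for root.
SAMPLE_PS='USER PID COMMAND
root 1 /sbin/launchd
_windowserver 120 /System/Library/PrivateFrameworks/WindowServer
alice 412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
root 977 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
root 990 /usr/sbin/sshd'

# Stand-alone run: check the sample listing and the real marker directory.
# On a live Mac, replace "$SAMPLE_PS" with "$(ps -axo user,pid,comm)".
audit "$SAMPLE_PS" /var/db || true
```

On a production machine the process check is only meaningful while the login window is showing, since a legitimately logged-in administrator will of course own a Finder process; the marker check, by contrast, is worth running at every login or from a periodic job, because the file is only consulted at boot.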
Attackers generally stand a better chance of manipulating a system if they have physical access. On Windows and Linux, passwords can be overwritten or deleted if the attacker has access to the hard drive and additional programs, but it is not possible to read passwords in plain text.
- Admin Hack, security advisory at HackMac.org