Radsoft

Apple's OS: Getting Root

What corrupts good systems?



If you're looking for cool (embarrassing) exploits for Windows you never have to look far. The system's fundamentally standalone and try as they will Microsoft can never change that. They try to hide things in their Registry or even on disk at times and things hold until everyone finds out where they've put them.

Once they're found out Microsoft have no further defences. Break through the outer perimeter - the browser, the mail client running HTML rendering code - and there's no more resistance.

People are used to this by now. It's par for the course.

What is not par for the course - what people will never get used to - is letting a system renowned for its security suddenly start bursting at the seams with hole after hole.

The Legacy

Apple's current operating system is not their original operating system. That system was scrapped over ten years ago. What Apple are running today is the NeXT operating system, known as NeXTSTEP or alternatively OPENSTEP.

Apple acquired this system eleven years ago when they acquired NeXT Software.

The NeXT system was an exercise in common sense. NeXT had no aspirations to write the actual system themselves - they simply adopted FreeBSD's system. Linus Torvalds has said he didn't even know this system existed; had he known he would never have started his Linux project.

FreeBSD is the 'free' variant of BSD ('Berkeley Software Distribution' - from the University of California at Berkeley) Unix. Despite the buzz about Linux FreeBSD is still the most widely used Unix in the industry.

The NeXT people made it easy on themselves: they took the FreeBSD system 'as is' and weaved their incredible GUI atop.

NeXT had no legacy customers; they had no issues of backward compatibility; and as newcomers they needed to 'play well with the competition'. As NeXTSTEP morphed into OPENSTEP (based on the OpenStep standard) the NeXT system was ported to most of the mainstream computer systems - including Sun's SunOS, Hewlett-Packard's HP-UX - and even the Windows NT family.

The one system NeXT's software didn't run on was Apple's old 'MacOS'.

1997

Apple and NeXT 'merged' in 1997. Apple had attempted to write their own new operating system but ultimately were forced to admit defeat - thus the $429 million deal to acquire NeXT's system instead.

2002

For five years Apple wandered in a no man's land. They released two updates to their old system but for five years had no final release of the NeXT system.

What's of course interesting about this is that the NeXT system was turnkey already in 1997: NeXT had struggled for years to get a foothold and a market share, had been forced to abandon their original plan of also selling computer hardware - but by 1993 were on their way to finding a niche in the software market. Their system was not only ready for market - it was already on the market.

So why didn't Apple continue to market NeXT's system already in 1997?

Change

NeXT and later Apple chief of software Avadis 'Avie' Tevanian is rumoured to have (sarcastically) suggested Apple write a new system. This after acquiring NeXT. Why? Because Apple didn't want to run the NeXT system 'out of the box'.

This might seem strange to outsiders: NeXT represented annual revenues of perhaps $300 million; why not keep on marketing the products?

NeXT were big in the enterprise; the enterprise have never liked Apple. As soon as word reached NeXT customers about the Apple 'merger' most of them jumped ship. Amongst the better known clients were WorldCom and Dell who used NeXT code to build their online presence.

Although Steve Jobs wasn't Apple's CEO at the time of the merger, he was by 4 July 1997, six months later - and working with the enterprise had never been Steve's or Apple's 'cuppa', and Steve Jobs knew it.

Porting OpenStep to SunOS, HP-UX, or even Windows NT had been relatively painless. Porting OpenStep to MacOS was going to be theoretically impossible.

At the end of the day Apple deserve kudos for getting as close as they have. Unix and MacOS make strange bedfellows. But close only counts in horseshoes. And it's not just the uneven edges: it's the continual obsession with adding features that don't really belong.

The Latest

Over the six years Mac OS X has been mainstream there have been a number of security scandals.

The Opener hole. 'Opener' is a script developed at the 'Mac Underground' March through October 2003. [It's since gone underground for real.] What the script does isn't important; how it does it is.

Opener was a data mining script that ran as 'root' on Apple's 'Unix' system. Normally to 'get root' a hacker has to try a bit of social engineering to get someone's password or find a buggy program that can be exploited.

But not in this case. All the hacker had to do was copy the script into a wide open directory - /Library/StartupItems. When the system rebooted it ran the script in /Library/StartupItems and the script pwned the machine.

All the Opener people had to do to establish root privilege escalation was copy a few files into an unprotected directory.

The principal author of Opener contacted Apple long before March 2003. Repeatedly. Each time the answer was 'this works as designed' or 'this is not a security hole' or the infamous 'this behaves correctly'. Some people claim to have contacted Apple in the matter before 2002. It's likely the hole was there throughout the initial five year development of the system.

News of the Opener exploit spread outside the 'Mac Underground' website and to the mainstream media in October 2003 - in time for the release of Mac OS X version 10.3 ('Panther'). Opener caused quite the stir - the first real scare Mac users had since the new system's release.

Still and all it would take Apple over one and a half years to get around to patching this hole. From October 2003 to 29 April 2005 Apple did nothing.

The Oompa hole. The 'Oompa Loompa' exploit hit Apple's system in February 2006. It too capitalised on design flaws.

Apple namely had another wide open directory that could inflict harm: /Library/InputManagers. Anything at that path was automatically (and without discretion) injected into the process address space of every running 'Cocoa' application.

Kevin Finisterre of Digital Munition tried for years to get Apple to understand the gravity of the situation and produced several POC exploits for this purpose. Nothing happened. Rixstep tried to highlight the issue and still nothing happened.

Apple finally addressed the issue with the next version of their system in October 2007. A year and a half later.

The SLIHack hole. This is the POC released today by Rixstep. The issue's been known for some time and is currently being researched at MacShadows.

Apple namely have yet another wide open directory that can inflict harm: /Library/Preferences. Any process running on an admin account can put files in there - or remove them or replace them without authorisation. One of the files regulates special processes run before login. Processes run before login are run as root.

/System

Unix has its sensitive files in four standard locations: /bin, /sbin, /usr/bin, and /usr/sbin. The GUI in Apple's system resides in /System. All these paths are totally locked down - owned by root and modifiable by root alone.

Unix has further configuration files at /etc. These files too are locked down. Some are not even readable by accounts other than root. There can't be a way to tamper with files influencing or used by root. That's how you prevent an attack.

For reasons unknown Apple have consistently tried to mix ordinary files with sensitive system files at /Library. This makes no sense and has proven dangerous in at least the three above cases in the short history of this system.
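The lock-down rule described above can be checked mechanically. The following is an added example, not code from the original article or from Apple: it audits the three /Library paths named in the article, plus every parent directory, for anything not owned by root or writable by group or others. The function names and the `trusted_uid` parameter are assumptions made for illustration.

```python
import os
import stat

# Paths named in the article whose contents end up run or honoured as root.
ARTICLE_PATHS = ["/Library/StartupItems", "/Library/InputManagers", "/Library/Preferences"]


def check_entry(path, trusted_uid=0):
    """Return the reasons one path can be modified by someone other than trusted_uid."""
    st = os.lstat(path)
    problems = []
    if st.st_uid != trusted_uid:
        problems.append(f"owner uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_chain(path, trusted_uid=0):
    """Check path and every parent up to /; a writable parent lets the child be swapped out."""
    findings = {}
    current = os.path.realpath(path)
    while True:
        problems = check_entry(current, trusted_uid)
        if problems:
            findings[current] = problems
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent


if __name__ == "__main__":
    for target in ARTICLE_PATHS:
        if not os.path.lexists(target):
            print(f"{target}: not present on this system")
            continue
        findings = audit_chain(target)
        if not findings:
            print(f"{target}: root-owned, not group/world-writable along the whole chain")
        for component, problems in findings.items():
            print(f"{target}: {component} -> {', '.join(problems)}")
```

Only classic owner and mode bits are inspected; ACLs that grant write access are not covered by this check.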

Note that these weaknesses have nothing to do with Unix: Unix has no /System or /Library - that's Apple.

This is what happens when someone takes a good idea - a good system - and tries to 'improve' it. Ultimately the system ends up being no more secure than Windows.

See Also
Rixstep Learning Curve: Rooting 10.5.4
Rixstep Industry Watch: Get Root on 10.5.4

Copyright © Radsoft. All rights reserved.