TMO Reports - Wisconsin Security Test Ends Successfully, But Hackers Dispute its Validity

by , 3:40 PM EST, March 9th, 2006

The Mac OS X Security Test initiated by Dave Schroeder at the University of Wisconsin successfully ended Tuesday evening, with many failed attempts to compromise the Mac mini he set up for that purpose. The challenge was supposed to end on Friday, but it came to an early conclusion because it was unauthorized, according to a university spokesman contacted by The Mac Observer.

Mr. Schroeder's Web page explaining the test has been removed, but when it was last checked by The Mac Observer Wednesday afternoon, it said that "response has been very strong, and the test has illustrated its point." He noted "intermittent DoS [denial of service] attacks" that failed, along with many attempts at Web exploit scripts, ssh dictionary attacks and scanning tools. He was running Mac OS X v10.4.5 with Security Update 2006-001, with two local accounts and ssh and http open to their default configurations.
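The ssh dictionary attacks Mr. Schroeder saw are what any host with sshd exposed to the Internet records: a burst of "Failed password" lines from one source, cycling through common usernames. The following script is an added example, not code from the article or from the University of Wisconsin test; it parses the syslog-style "Failed password" lines that OpenSSH writes, counts failures per source address over a sliding time window, and flags sources that cross a threshold. The log lines are constructed for the example (the hostname "macmini", the addresses 198.51.100.7 and 192.0.2.44, and the usernames are invented), and the threshold of five failures in sixty seconds is an assumed tuning value, not one the article gives.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd log lines in syslog format (not taken from the
# test machine). The first source cycles through usernames in seconds; the
# second is a single mistyped password followed by a successful login.
SAMPLE_LOG = """\
Mar  9 15:40:01 macmini sshd[801]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  9 15:40:02 macmini sshd[803]: Failed password for invalid user test from 198.51.100.7 port 51235 ssh2
Mar  9 15:40:03 macmini sshd[805]: Failed password for root from 198.51.100.7 port 51236 ssh2
Mar  9 15:40:04 macmini sshd[807]: Failed password for invalid user oracle from 198.51.100.7 port 51237 ssh2
Mar  9 15:40:05 macmini sshd[809]: Failed password for invalid user guest from 198.51.100.7 port 51238 ssh2
Mar  9 15:40:06 macmini sshd[811]: Failed password for invalid user mysql from 198.51.100.7 port 51239 ssh2
Mar  9 15:45:10 macmini sshd[850]: Failed password for dave from 192.0.2.44 port 49152 ssh2
Mar  9 15:45:30 macmini sshd[852]: Accepted password for dave from 192.0.2.44 port 49153 ssh2
"""

# Matches OpenSSH's "Failed password" message; "invalid user" appears when the
# account does not exist on the host, which is typical of dictionary attacks.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2006):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2006
    here to match the sample)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  9"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_dictionary_attacks(events, threshold=5, window_seconds=60):
    """Flag any source IP that produced `threshold` or more failures within
    any `window_seconds` span (assumed tuning values).

    Returns {ip: {"failures": total_failures, "usernames": [...]}} so the
    analyst can see both the volume and the spread of accounts tried."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        window = deque()  # timestamps of failures inside the current window
        for ts, _user in attempts:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                flagged[ip] = {
                    "failures": len(attempts),
                    "usernames": sorted({u for _, u in attempts}),
                }
                break  # one hit is enough to flag this source
    return flagged


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for ip, info in detect_dictionary_attacks(failures).items():
        print(f"{ip}: {info['failures']} failures, usernames tried: {info['usernames']}")
```

Run against the sample, the script flags only 198.51.100.7, which tried six different accounts in six seconds, and leaves the single failure from 192.0.2.44 alone. The distinct-username list is the useful signal: a legitimate user mistypes one password for one account, while a dictionary attack walks a list of names, most of which sshd marks "invalid user".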

Mr. Schroeder started the test in response to a ZDNet article covering the results of a Swedish hacking challenge in which other users were given local accounts on a Mac mini. The winner, who prefers the name "gwerdna," was able to hack into the computer's root account in 30 minutes, leading the mainstream media to run articles with such headlines as "Mac OS X Hacked in 30 Minutes." The ZDNet article at first failed to mention the fact that contestants were given accounts on the computer; that omission was later corrected.

While Mr. Schroeder acknowledged on his Web page that "[Mac OS X], like any other operating system, has security deficiencies in various aspects of the software," he said that there is "a huge distinction" between a computer compromised from within, as the Swedish machine was, and one hacked remotely, which his Mac mini was not. He added: "Most Mac OS X 'vulnerabilities' to date have relied on typical Trojan social engineering tactics, not genuine vulnerabilities."

Counter-Point

The user who initiated the Swedish contest, who prefers the pseudonym "rmm," told The Mac Observer that Mr. Schroeder's test succeeded only because "no one would waste a good bug just to show off that they could in fact hack this Mac too." He said that he wouldn't divulge the details of the unpublished OS X kernel security exploit successfully used in the challenge. He revealed that Apple tracked him down at his work e-mail address and that he "talked to them about stuff," but he declined to say more than that.

Regarding the contention that his challenge didn't reflect Mac OS X as used by typical consumers, "rmm" forwarded an e-mail he sent to someone else, in which he wrote: "People who complain about the fact that you can add account to the server think they have a point. Sure, not many people would do this. But on the other hand, doing this let me simulate a Mac OS X server that would've been used as a server that would have arbitrary users on it. Servers used for hosting services (web), for example."

The Mac Observer also contacted "gwerdna," who pointed to Apple's most recent security update as an example of flaws that have been found in the company's software. "They fixed a bunch of bugs that allowed trivial privilege escalation," he wrote in an e-mail. "So, based on what Apple have recently provided, it would be foolish to assume you can't compromise an Apple desktop, then use a privilege escalation to take full control of the machine. Fully automatic, no questions prompting the user."

He agreed with "rmm" that there was no sense in using his exploit to take over Mr. Schroeder's computer. "What would be the point of losing an extremely valuable remote exploit on a bunch of .edu people to prove something to them?" he asked. He dismissed the DoS attacks as "not a valid security attempt" and said that the other attacks are what happens "when you plug a machine into the Internet. There is nothing new here, or even to indicate that it was in response to this guy's challenge." He said it "hasn't proven anything, nor disproven anything."

Regarding the exploit he used to compromise the Swedish computer, he said: "I took advantage of a bug that I believe is unknown to Apple in the [Mac OS X] kernel to get root access to the machine. Despite the claims to Apple/Mac OS X fanboys, 'root access is disabled' doesn't hold water -- you can still access it via exploiting the box, either remotely (think AFP or mDNSresponder), or as a privilege escalation locally. (And the users are not prompted for their passwords, etc.)"

"Gwerdna" learned about the bug through "a community I'm involved with" and said that it works on both the new Intel processors as well as the older PowerPC ones. When asked why he wouldn't share what he knew with Apple, he replied: "That would obviously get the bug fixed. Anyway, to paraphrase what I remember Microsoft saying at some stage: 'If they didn't release patches, there would be no exploits.'"