I've been following one of the security exploits in OS X over the last month or so, and found it rather fascinating. Not from a technical viewpoint mind you, but seeing the reactions and misconceptions about just what it means, and how it makes OS X vulnerable.

The exploit I'm referring to is this one ( http://www.k-otik.com/exploits/20050123.fm-iSink.c.php ), which feeds bogus data to a small component of iSync to cause it to execute arbitrary code. In this case the code creats a shell. That in itself may have been harmless but the component it exploits, a file named 'mrouter' has permissions set to suid root. This is a special form of permissions which effectively makes mrouter run as the root user, no matter who started it.

So the shell this exploit creates is a root shell. If an app has root access it can do anything, from brute force wiping drives & deleting files, to more insidious things like installing unwanted apps (spyware, adware anyone?) that run invisibly in the background, while modifying your system to not reveal their presence or allow their deletion.

Anyway, on with the bit I'm fascinated about. In quite a few online forums & newsgroups I've seen this exploit mentioned, plenty of mac users are going into a defensive denial - I'm sure most of the mac world that's heard of this exploit are under the impression it can't affect them because 'it needs a root account with no password', or 'it needs an attacker to be physically at the computer', or 'it won't affect anyone if iSync has been deleted'. Every excuse under the sun is made as to why it's an exploit with no meaning.

That's scary. One point often raised as a criticism of Windows is that IE always runs as a shell, meaning it has full access to the OS, and no amount of privilege enforcement (as both Windows and Mac OS have, usually) will prevent a bug in IE from allowing full access to Windows. That's just what's happened in the past when flaws in IE allow code execution - because of IE's status as a shell that code can do whatever the hell it likes.

Welcome to the last six weeks of OS X. Since January and the publication of the mrouter exploit, OS X has effectively had all the protection of privileges & permissions made worthless. They may as well not exist because any code you run on a default OS X install can get root access without you knowing, whenever it pleases. That includes *any* application you run. A small piece of shareware, an app sent from a friend, commercial software you buy, or something you're tricked into runnning or run accidentally. No password popups to alert you that something may be trying to do things it shouldn't.

Thankfully at the moment there seem to be no REMOTE holes in OS X. There have been in the past - errors in services that run commonly on OSX boxes. (For example if you have a 10.3.3 or earlier OSX with Personal File Sharing on, best upgrade it. It's vulnerable to anyone who can reach it over a network). That's a situation that just by the nature of the complexity of an operating system won't stay true forever. The only way to keep secure is to have a vendor fix security bugs soon after they're found, so that a situation doesn't arise where you get multiple exploits piling up & allowing complete access to your Mac.

Unfortunately the mrouter exploit has been public more than six weeks and Apple have released two security updates - 001 and 002 for 2005 - that haven't addressed it. I'm sure they have their reasons (good or bad ones). I'd rather they were quicker, but they aren't, so we're vulnerable.

So what's the point of this rant? An expression of worry at how a whole community can shrug off a serious problem that weakens defenses in the OS we use. True, it's not going to allow just anyone out there who wants to attack in immediately, but out of the two biggest parts of online security (preventing remote code execution, and the concept of code execution privileges) we now only have one working. What happens if there's another little bug in mail.app where the process of filtering an email message allows code execution? suddenly any mac user with an email address can be owned. Perhaps a similar bug in an image file or other parser in safari? suddenly browsing to the wrong webpage and you've lost control of your machine.

- the mrouter exploit does NOT require an attacker to physically be at your keyboard
- the mrouter exploit does NOT need a compiler on your system
- the mrouter exploit does NOT need you to have no password, a weak password, or a strong root password. OS X is vulnerable each way.
- the mrouter exploit does NOT go away by deleting the iSync application.
- the mrouter exploit can be temporarily disabled by changing the permissions on the file:

/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter

away from suid root. Or fixed permanently by deleting the same file - but if you have a Symbian OS device you need to sync with, you're messing with that functionality. Permissions will be reset back to unsafe the next time you Repair Permissions.

In the absence of a fix from Apple we can protect ourselves by knowing what's vulnerable, how it's vulnerable, and how we want to personally deal with the problems for each of our OSX Macs. Living in denial isn't a fix - please don't presume it's just a nothing issue.

dana

Wow, this is the first time I've heard of this exploit. Thanks dana.

Ummm, one question. How do I change permissions in SymbianConduit.bundle/Contents/Resources/mRouter? I tried "get info" with Command-I but it doesn't show any further options. Is there a utility application I need to open that file with? Or do I use terminal window to change settings? If so, how?

use chmod from the terminal.
"man chmod" should so the manual for chmod

The terminal is indeed the way to go. Open up a terminal window as an administrator and use the command:

(that should all be on one line btw, in case it wraps). After hitting enter it'll ask you for your password - enter the one you usually use to login/do software updates/etc and you'll have changed mRouter from an suid root executable to a plain executable.

(as above - that might/probably will change the way iSync works with symbain OS devices, and will become re-vulnerable after running Repair Permissions, if you do that)

dana

Thanks islayer and dana.

Not that I'm paranoid or anything, h34r: but when I used 'ls -l' in symbianconduit.bundle/contents/resources, I did notice that "mrouter" was the only file modified recently... Feb 19. Now, I did install 10.3.8 but can't recall exactly when, and security update 002 wasn't posted til Feb 22. How do I find out when I installed 10.3.8? I've checked log files but can't seem to locate the info...

Update - I've finally found my install.log in console, and apparently I did install 10.3.8 that Saturday morning. And I remember why I'd forgotten, I was installing whilst getting ready to go to the Yarra Valley Grape Grazing Festival... aaah good day.

OK, now I'm confused, after using 'chmod' my mRouter settings have changed from

-rwsr-xr-x 1 root arbitrary 58108 19 Feb 09:18 mRouter
to
-rwxrwxr-x 1 root arbitrary 58108 19 Feb 09:18 mRouter

The extra "w" appears to me that I've allowed a permission to write or edit.
So I've used 'chmod' again to re-set permissions to

-rwxr-xr-x 1 root arbitrary 58108 19 Feb 09:18 mRouter

Is this the desired settting?
:blink:

Update - I think I've worked this one out. If I run Disk Utility's 'Repair Permissions', it will re-set the mRouter file to being vulnerable. Then I'll use 'chmod' again.

Aye, -rwxr-xr-x is how it should come out with a chmod to 755. -rwxrwxr-x would be 775, which might indicate a typo in the terminal command. Either way, it'll fix the suid exploit problem until repairing permissions, as you said.

It's curious you have the Feb 19th date on the mRouter binary, as I checked mine within the last week and noticed it too had been changed - to Feb 11th in my case. I was hoping it had been a security fix I might have not noticed, but after trying the exploit again it was still vulnerable. I don't know what's happened there.

Hi dana,

Yeah it's all cool now. The 19 Feb thing was due to alcohol - my previous previous post was edited to highlight this fact! No idea about your mRouter date situation. Alcohol?

And after rooting around in Terminal and googling about Unix lore, I was able to sort myself out. In the end it was all a piece of ...er ...um strüdel!

Thanks again for the heads up.

Cheers

The "set uid root" bit that the exploit attacks is where you have in the permissions "rws" where the "s" is set uid. Because I run "repair permissions" regularly that would fix this, I renamed that file to something else after changing the permissions so the permissions wouldn't end up reset.

your should post to apple. they will proably release a security patch.

they do listen tn suggestions. I messaged them last time about supporting HDTV on the idvd program. a few montsh later ilife 5 came out with HDTV support.