OS X Security Flaw Can Allow an Attacker Root Access to Your Mac

A bug discovered in Mac OS X five months ago, and still unaddressed, lets an attacker bypass sudo's usual password check by tweaking the system clock and the sudo user timestamp, giving the intruder root and with it effectively unlimited access to the Mac's files.

AppleInsider:

The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top tier privileges grant access to files belonging to other users, though that level of control is password protected.

While the flaw has been around for a while, renewed interest in the bug was kindled by developers of the testing software Metasploit, which makes it easier to exploit the vulnerability in OS X.

The attacker can work around authentication requirements by setting the Mac's clock to January 1, 1970, which is known as the Unix epoch. Unix time starts at zero hours on this date, and uses it as the basis for calculations. By resetting the clock, as well as the sudo user timestamp, to the epoch, both time restrictions and privilege limitations can be worked around.

Macs are considered especially vulnerable to this bug, as OS X does not require a password to change clock settings. Versions of OS X from 10.7 up to the current 10.8.4 are vulnerable. While Linux builds can also be affected by this flaw, many of them require entering a password before clock changes are applied.

“The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit,” said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.

This method of bypassing security does have its limitations. An attacker must already be logged into a Mac with admin privileges, and have run sudo at least once before. And of course, the person attempting this must have physical or remote access to the machine.
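To make the mechanism in the two preceding paragraphs concrete, the following is an added illustration (not code from this page, from AppleInsider, or from the sudo project itself): a deliberately simplified model of sudo's credential-cache ("timestamp") check. Real sudo stores a per-user timestamp file whose modification time is compared against the wall clock; everything else here (the function names, the `TS_ABSENT` marker, the constructed clock values) is an assumption made for the demonstration. The "vulnerable" variant captures the two properties the attack relies on: `sudo -k` leaving behind a timestamp dated at the epoch rather than deleting it, and the validity test trusting a wall clock that an admin user can wind back to 1970. The "fixed" variant rejects an epoch-dated timestamp outright and has `sudo -k` remove the file.

```c
/* Simplified model of sudo's timestamp (cached credential) check.
 * Added example for illustration; NOT sudo's source code. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define TS_TIMEOUT (5 * 60)         /* sudo's default timeout: 5 minutes  */
#define TS_ABSENT  ((time_t)-1)     /* assumed marker: no timestamp file  */

/* Pre-fix behaviour: "sudo -k" does not delete the timestamp file; it
 * stamps it with the epoch (0) on the assumption that 0 is never recent. */
static time_t sudo_k_vulnerable(void) { return (time_t)0; }

/* Hardened behaviour: "sudo -k" removes the timestamp entirely. */
static time_t sudo_k_fixed(void) { return TS_ABSENT; }

/* Pre-fix check: honour the timestamp if its mtime is within TS_TIMEOUT of
 * the wall clock and not absurdly far in the future. The skew guard only
 * looks forward, so a clock wound *back* to 1970 sails straight through. */
static bool ts_valid_vulnerable(time_t now, time_t mtime)
{
    if (mtime == TS_ABSENT)
        return false;
    if (mtime > now + TS_TIMEOUT * 2)    /* timestamp "from the future" */
        return false;
    return (now - mtime) < TS_TIMEOUT;
}

/* Hardened check: an epoch-dated timestamp is never valid, whatever the
 * wall clock says. A stronger design, not modelled here, keys the
 * timestamp to a monotonic clock that user-level clock changes cannot rewind. */
static bool ts_valid_fixed(time_t now, time_t mtime)
{
    if (mtime == TS_ABSENT || mtime == 0)
        return false;
    return ts_valid_vulnerable(now, mtime);
}

/* Replay the attack described in the article: the user has authenticated to
 * sudo before, runs "sudo -k", then sets the system clock to the epoch.
 * Returns true if sudo would now grant root without asking for a password. */
static bool bypass_succeeds(bool patched)
{
    time_t mtime = patched ? sudo_k_fixed() : sudo_k_vulnerable();
    time_t now = 0;                     /* clock set to 1970-01-01 00:00:00 UTC */
    return patched ? ts_valid_fixed(now, mtime)
                   : ts_valid_vulnerable(now, mtime);
}

/* Regression check: a timestamp refreshed 60 s ago must still be accepted by
 * both variants, one from 10 minutes ago rejected by both. */
static bool normal_behaviour_ok(void)
{
    time_t now = (time_t)1375000000;    /* constructed mid-2013 wall-clock value */
    return ts_valid_fixed(now, now - 60)      && !ts_valid_fixed(now, now - 600)
        && ts_valid_vulnerable(now, now - 60) && !ts_valid_vulnerable(now, now - 600);
}

int main(void)
{
    printf("unpatched sudo, clock at epoch after sudo -k: %s\n",
           bypass_succeeds(false) ? "ROOT WITHOUT PASSWORD" : "password required");
    printf("hardened check, same steps:                   %s\n",
           bypass_succeeds(true) ? "ROOT WITHOUT PASSWORD" : "password required");
    printf("normal 5-minute cache still works:            %s\n",
           normal_behaviour_ok() ? "yes" : "NO");
    return 0;
}
```

The model makes the preconditions in the paragraph above visible: `bypass_succeeds()` only reaches the clock trick because a timestamp exists from an earlier successful sudo, and the clock change itself is assumed to be possible without a password, which is what makes OS X a softer target than most Linux builds. On a real system, a timestamp file dated 1970 in sudo's timestamp directory, or a system clock suddenly reading 1970, is worth alerting on.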

Apple has yet to comment on the bug, or issue a fix for it.