http://members.lycos.co.uk/hardapple/ http://members.lycos.co.uk/hardapple/txt/OSX_Zombies.txt
------------------

From CLIXchange, the newsletter of the developers of CLIX (http://www.rixstep.com/4/0/clix/). (3/24/05) Also publishers of the Mac-X newsletter.

Quote:

----------------------------------------
SECURITY ALERT
----------------------------------------

[01] The OS X Zombies

This is important enough to publish here for those who do not receive Mac-X. A number of OS X boxes have in fact been compromised. Please read on.

* A certain institution of higher learning has discovered that fleets of their OS X boxes have been compromised. They do not yet know the vector of attack, meaning it is officially a 'zero day exploit'. They do however have several theories - all of which have to do with file sharing, anonymous FTP, and root logins over SSH.

The OS X boxes, when compromised, end up running rogue IRC bot controllers and FTP servers. Naturally these rogue processes are capable of accessing sensitive data - which can be destroyed, modified, or stolen.

Some of the victimised boxes were exploited through weak passwords for SSH-enabled accounts; still others through their Apache servers. Apache needs to be patched too, and Apple have the patches out there for their contribution to the Apache community, and they should be downloaded. Worse: if the holes in Apache are publicised and the sysadmins do not download them, the script kiddies will know how to attack.

[Which all is hardly news for beleaguered Windows system administrators. DUH.]

* Most if not all the holes - aside from those revealed through a laxity in patching Apache (no pun intended) - are most likely due to user ignorance or nonchalance. Apple boxes can be opened wide: it's possible to enable ordinary file sharing and even Windows file sharing (!) and it's generally not a good idea unless you really know what you're doing, and then only leave it enabled for as long as you need it.
Whenever you open a box connected to the Internet - especially from a static IP - you're also opening it for the rest of the world. Add a trivial password to the mix and you have burnt toast.

It's not possible to compromise an OS X or Unix system in the traditional way the Windows boxes get hit: none of them have the leaky sieve of the Internet Explorer rendering engine. But anyone, repeat 'anyone', stupid enough to let the intruders gain access will end up with - the intruders gaining access!

Use of remote root login, especially to boxes connected to the Internet, has to be one of the absolute dumbest ideas of all time. Normally an attacker has to guess a username and a password; if the root account is enabled, half the battle is over. Now hit the server with brute force and you will 0WN it... Remote users can always escalate to root once they're in; enabling root - default disabled by Apple out of the box and for obvious reasons - is just folly. Downright stupid.

OS X comes with the BSD firewall. Turn this sucker on and nothing is visible. It's relatively easy to set the firewall up to only show one's presence on the ports to be used for communications. Even this should be turned off when not in use.

And kitchen table users out there: are your root accounts enabled? They should not be. Root came from the factory disabled and you should have left it as such.

And how about all the software you download? How many applications ask for your administrator password to install? And if they did, did you throw them in the Trash where they belong? Are you going to finally understand that no one but no one is to get this password except Apple themselves?

On a final note: the Unicode exploit is platform-independent. This exploit relies on the fact that certain Unicode characters look EXACTLY like ordinary 7-bit ASCII - you access a site and it really looks like you're at the right site, but a single character is actually QUITE ANOTHER VALUE...
Most browser manufacturers are writing (or have already completed) code to combat this exploit: it matters not what platform you are running on - get the patch now.

Rounding up, let us quote from the gurus who found the OS X zombies:

'OS X systems are secure, but their security issues cannot be ignored. Even though they've been good compared to their rowdy Windows cousins, they live in a dangerous world. Don't let hubris bite you!'

Merci bien - until NeXT time...

* All the best, J/R/S

--------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
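The "Unicode exploit" the newsletter closes with is the homograph problem: a hostname label containing a non-ASCII character that renders like its ASCII look-alike. The check below is an added example, not code from the newsletter or from CLIX; it shows what a defender can do with a hostname before trusting it: list any non-ASCII characters by Unicode name, flag labels that mix scripts (Latin and Cyrillic in one label is the classic case), and show the punycode form a browser would otherwise hide. The sample hostname with a Cyrillic "а" (U+0430) is constructed for the demonstration.

```python
import unicodedata


def script_of(ch):
    """Rough script tag taken from the character's Unicode name,
    e.g. 'LATIN' for 'a' and 'CYRILLIC' for U+0430."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def check_hostname(hostname):
    """Inspect each DNS label of a hostname for homograph warning signs.

    Returns a dict with the IDNA (punycode) form of the name, a
    'suspicious' flag, and per-label findings: the non-ASCII characters
    present and whether the label mixes more than one script."""
    findings = []
    for label in hostname.split("."):
        non_ascii = [c for c in label if ord(c) > 127]
        if not non_ascii:
            continue  # plain 7-bit ASCII label, nothing to report
        scripts = {script_of(c) for c in label if c.isalpha()}
        findings.append({
            "label": label,
            "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                          for c in non_ascii],
            "mixed_scripts": sorted(scripts) if len(scripts) > 1 else [],
        })
    try:
        # The ASCII-compatible form is what actually goes on the wire;
        # showing it to the user is the mitigation browsers adopted.
        punycode = hostname.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # not a valid IDN label set at all
    return {
        "hostname": hostname,
        "punycode": punycode,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: 'p' + CYRILLIC SMALL LETTER A + 'ypal.com'
    for host in ("paypal.com", "p\u0430ypal.com"):
        print(check_hostname(host))
```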