Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)

From: mns (mns_at_mnslab.com)
Date: 07/31/03

    Date: Thu, 31 Jul 2003 13:04:10 -0400
    To: bugtraq@securityfocus.com
    
    

    On Wednesday, July 30, 2003, at 04:56 PM, Patrick Haruksteiner wrote:

    >
    > On Wednesday, July 30, 2003, at 10:07 h, Doug White wrote:
    >> On Tue, 29 Jul 2003, Patrick Haruksteiner wrote:
    >>
    >>> I discovered another security issue with the Mac OS X screensaver.
    >>> If you have installed escapepod from Ambrosia Software and hit
    >>> ctrl-alt-delete(==backspace) when the screensaver with password
    >>> protection is running, it kills the screensaver and the desktop is
    >>> open to anybody - so it has the same effect as the recently
    >>> emerged password-exploit.
    >>
    >> This is not a bug in Apple software. This is a third party extension.
    >>
    >> Ambrosia's Escape Pod is a utility that kills the frontmost app when
    >> the shortcut keystroke is typed. Naturally it does not ship with
    >> MacOS X.
    >>
    >> Since the screen saver is just another application (called
    >> ScreenSaverEngine), if you hit the kill key when it's running, it gets
    >> killed. Fancy that!
    >
    > I know that! But it should be the concern of the OS that you cannot
    > circumvent its security system with the help of other applications!
    >
    >

    I agree with Doug White in the assessment that this is, in fact, an issue
    that is the responsibility of Ambrosia, if it is to be considered a security
    issue at all. Apple cannot be held responsible for the code of third party
    developers.

    I downplay the definition of this as a security issue at all because there
    are so many immediate workarounds. One is not running or installing Escape
    Pod in the first place. Another is simply logging out when you leave your
    workstation, rather than relying on ScreenSaverEngine for your security.
    Bottom line, there are more direct and more threatening exploits that are
    available to people who happen upon an OS X machine unattended. Allow me to
    describe a couple of them:

            1) If a user finds a machine unattended, whether running
            ScreenSaverEngine or not, and regardless of the presence of Escape
            Pod on said machine, the machine can be booted from an OS X
            installation CDROM, at which point the "Reset Password" option can
            be used to change root access to the machine, which allows the user
            to log in as root, then change the password for any account,
            including whatever account was initially running ScreenSaverEngine.
            Data can then be removed or overwritten at said user's discretion.

            2) If an unattended machine is discovered, it can also be powered
            down, and carried off, physically, without regard to the presence
            of ScreenSaverEngine or Escape Pod.

    Do these constitute security threats or exploits that are Apple's
    responsibility to protect against? Of course not. Both are common sense
    examples of how many security measures can be circumvented using simple,
    direct techniques. Neither implies that anyone at Apple should be recoding
    the operating system, or any of its underlying core technologies in order
    to prevent them from being used.

    Beispiel: If the rightful user/administrator of any given OS X machine were
    to install the following shell script, how would it be Apple's
    responsibility to prevent this?

    #!/bin/sh
    while true
    do
             killall ScreenSaverEngine
             sleep 60
    done

    -
    m a t t h e w n . s h a r p
    mns(at)mnslab.com

