Date: Thu, 31 Jul 2003 13:04:10 -0400
From: mns <mns@...lab.com>
To: bugtraq@...urityfocus.com
Subject: Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)



On Wednesday, July 30, 2003, at 04:56  PM, Patrick Haruksteiner wrote:

>
> On Wednesday, July 30, 2003, at 10:07 h, Doug White wrote:
>> On Tue, 29 Jul 2003, Patrick Haruksteiner wrote:
>>
>>> I discovered another security issue with the Mac OS X screensaver.
>>> If you have installed escapepod from Ambrosia Software and hit
>>> ctrl-alt-delete(==backspace) when the screensaver with password
>>> protection is running, it kills the screensaver and the desktop is
>>> open to anybody - so it has the same effect as the recently
>>> emerged password-exploit.
>>
>> This is not a bug in Apple software. This is a third party extension.
>>
>> Ambrosia's Escape Pod is a utility that kills the frontmost app when the
>> shortcut keystroke is typed. Naturally it does not ship with MacOS X.
>>
>> Since the screen saver is just another application (called
>> ScreenSaverEngine), if you hit the kill key when it's running, it gets
>> killed.  Fancy that!
>
> I know that! But it should be the concern of the OS that you cannot 
> circumvent its security system with the help of other applications!
>
>

I agree with Doug White in the assessment that this is, in fact, an issue
that is the responsibility of Ambrosia, if it is to be considered a security
issue at all. Apple cannot be held responsible for the code of third party
developers.

I downplay the definition of this as a security issue at all because there are
so many immediate workarounds. One is not running or installing Escape Pod
in the first place. Another is simply logging out when you leave your workstation,
rather than relying on ScreenSaverEngine for your security. Bottom line,
there are more direct and more threatening exploits that are available to
people who happen upon an OS X machine unattended. Allow me to describe
a couple of them:

	1) If a user finds a machine unattended, whether running ScreenSaverEngine
	or not, and regardless of the presence of Escape Pod on said machine, the
	machine can be booted from an OS X installation CDROM, at which point the
	"Reset Password" option can be used to change root access to the machine,
	which allows the user to log in as root, then change the password for any account,
	including whatever account was initially running ScreenSaverEngine. Data can
	then be removed or overwritten at said user's discretion.

	2) If an unattended machine is discovered, it can also be powered down, and
	carried off, physically, without regard to the presence of ScreenSaverEngine
	or Escape Pod.

Do these constitute security threats or exploits that are Apple's responsibility
to protect against? Of course not. Both are common sense examples of how many
security measures can be circumvented using simple, direct techniques. Neither
implies that anyone at Apple should be recoding the operating system, or any of
its underlying core technologies in order to prevent them from being used.

Example: If the rightful user/administrator of any given OS X machine were to install
the following shell script, how would it be Apple's responsibility to prevent this?

#!/bin/sh
while true
do
         killall ScreenSaverEngine
         sleep 60
done


-
m a t t h e w  n .  s h a r p
mns(at)mnslab.com


