The real story behind “rm my mac”

There have been tonnes and tonnes of words written about the RM My Mac competition, which saw a Mac mini compromised within hours of being placed online. Most of it has been unremitting garbage: either news stories that miss out essential facts, or puff-pieces that try to claim that it’s not actually an issue (Leander, what has the fact that it was on a wireless network got to do with it? Stop drinking the Kool-Aid, man!)
The best summary is, perhaps unsurprisingly, at Ars Technica.
However, one thing that everyone seems to have missed troubles me. The hacker used a local privilege escalation technique to gain root access from a normal account. This means that the same technique is open to any malware writer – which means that there’s a method by which you could write a serious Mac OS virus that not only self-propagates, but which can compromise your entire machine, and all accounts on it. Any software technique that can be used by a local user can also be used by a locally-running application, because that application runs with the user’s own rights.
How serious this is depends on the method that the hacker used, and on the exact setup of the Mac mini. The author of the rm my mac page notes only that:

It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues.

This could mean that the issue is with the particular versions of Apache, MySQL and PHP installed, or with Fink. But it could also be with OS X itself, in which case this is a much more serious issue than many are making out. Until we know more about the methods used, we can’t say for sure – but either way, it’s a worry.

  • James Bailey

    “The hacker used a local privilege escalation technique to gain root access from a normal account. This means that the same technique is open to any malware writer”

    Prove it.

    I’m serious. There is no evidence at all that any of this is real. None. Unless the mysterious hacker decides to step forward with his exploit, I’m unwilling to believe it. I just can’t believe that there is an obvious root exploit that no one in the white hat security community knows about. It seems far-fetched to me. On the other hand, if the hacker steps forward I will retract that.

    Right now all we have is a dubious contest and even more dubious reporting.

  • ConradGempf

    I’m with James Bailey. I have yet to hear of a single person who heard of this alleged Swedish challenge until after it was allegedly over. There were similar challenges before UWisconsin, and they were reported around the web beforehand and during.

    How did the hacker hear of the challenge, such that they were able to respond so quickly, when none of the rest of us heard a thing?

    Yeah, no system is perfect and all that, but I think you have to practice not only “Skeptical Computing” but skeptical reading.

  • Steve Kayner

    AFAIK, the “rm my mac” contest is still on, and no one has rm’ed the Mac. One guy was able to deface the website, but he didn’t succeed in the challenge, which was to wipe the drive.

    Google on “rm my mac” – it’s still there as of this afternoon.

    Steve.

  • nikolaus heger

    While a privilege escalation hack is bad in the Unix world, it’s not going to affect any normal mac users. Hackers need to ask me for an account before they hack my machine? Uh, scary!

    The other thing is that any unix system can be configured to be easily hacked. That’s not news.

  • http://technovia.typepad.com Ian Betteridge

    James, Conrad: You’re right to be sceptical. However, if this was a hoax with the intention of defaming OS X, it seems like a poor attempt. Had I wanted to do the same, I’d have actually had the box RM’d, and I wouldn’t have let people have shell accounts – that way, it would have appeared to be a more interesting hack. I would also not have announced that Fink and other bits of software were installed. So, on balance, the idea that it’s a hoax seems unlikely to me.

    Steve: You’re right, and this alone leads me to think that it’s an Apache security hole rather than an OS X one.

    Nikolaus: You’re missing the point. The point is that any application you run has the same rights as you, an ordinary user. If there’s a way of escalating the privs of an ordinary user to root, it means that any application you run could do the same – which in turn makes it easier to write a malicious piece of software.

  • mark james

    A long-term problem I see in OS X is the fact that Apple still releases applications which run as root, Disk Utility being the worst offender. What good really is OS X’s impressive security, when the OS comes with the ability to wipe all data on a disk without any need for passwords?

  • http://rm-my-Mac.WideOpenBSD.ORG/ rmm (a) WIDEOPENBSD.ORG

    James, Conrad,

    A mail about the challenge was sent to a private mailing list that day and it spread from there. It’s a small world.

    It wasn’t a configuration issue that let the visitors gain more interesting privileges. Neither was it a bug in Apache, MySQL, LDAP or PHP. It was in something in the default install of Mac OS X and that bug (and others :-) is still there today, both in the PPC and the x86 releases.

    It’s true it was just a local privilege escalation, but combined with one of the Mail.App bugs we could face more interesting scenarios, well-known from the Windows world.