Mac Attack Part 1: The Mac Hack
Mar 07 2002, 21:07 (UTC+0) | kdm writes:

Part one of our Mac series: earlier this week, n2k and myself visited a "Mac Store" and had a little fun yanking their administrator access on the new Mac OSX. Continued will be a tale of adventure and intrigue, as well as an informational document regarding the necessity of securing a machine beyond just the user login. Also included is a little preview of Friday's article on jacking into that Mac Store 2mbit/s internet connection without wires.

We arrived at the Mac Store on a fateful, chilly winter's eve around 6pm to be greeted by our loveable apple user. We spent a bit of time scanning for possible weak passwords (as we had found that the apple user's password wasn't really a password at all) to no avail, though I personally still assume that root is given a weak pass. From there, we were given the suggestion to mount the drive outside of normal OS booting and seize our prize; unfortunately that didn't work as hoped.

The apple-s (special thanks to mac dork, iggy_ for that command) we held down on boot got us to an interesting screen with instructions on how to mount our Mac's hdd. After doing that, it was a simple su command. Prompted for a root pass? I think not :) Their failsafe was to not allow root's passwd to be reset. Through n2k's mad conjuring skillz, he the possibility of taking advantage of a pseudo root, adding the basic apple user to the ADMIN group. This particular version of Darwin (which is just a hax0red bsd) required us to use the visudo command to edit the sudo file, while in most Linux and Unix distributions, just editing the sudo file with any old text editor will do.

Most people will say, "But onni, why didn't you guys just add a new user in the admin group, wouldn't that have been easier?" And then I'd respond, "Well Jimmy, the fact that Mac decided to remove any command prompt variant of 'adduser' or 'useradd' so we had to work with the only user we were given, and then add additional users through the graphical user administration program within Mac OSX."

In my opinion, the major accomplishment was not actually getting administrator privs, it was actually the fact that we did all of this while the Mac sales agents were standing right behind us - although n2k was politely asked not to delete "the password file." We proceeded to giggle like little schoolgirls at the thought that we expected to do something malicious. In fact, we went as far as to document how we did what we did before we left; hopefully they'll take heed and try and work something into the next Mac OSX patch.

As for the fact that the Mac Store staff didn't do anything, we can't stress enough that it's your responsibility to stop anyone that looks questionable from touching your machines - I don't care if you only get paid minimum wage, it's a moral responsibility to your employer (not to say you can't let us roam free though ;).

Anyways, for shitz and giggles, here's the actual note:

so is it still being rooted even if it's mac osx?
thanks for the fun, make sure to remove all of the additional users we added, and remove apple from the admin family!
hugz and kisses
n2k & onni
neworder.box.sk
ps if Barbie is so popular, how come you have to buy all of her friends? seriously, that's such a rip off...

and now for the pics!

photos
 first shot is the ibook i was using. second shot is of one of the store attendants reading our note :)
desktop shots
 first grab is of me adding my first administrative user. second shot is after i've added all the users. third shot is n2k sporting the nice homepage (ya, he got the cool g4 laptop with wide screen)
preview
 first is of yours truly surfing with some 2mbit/s action. second is a traceroute proving our network location.