[HN Gopher] Get root on macOS 13.0.1: the macOS Dirty Cow bug
___________________________________________________________________
Get root on macOS 13.0.1: the macOS Dirty Cow bug
Author : todsacerdoti
Score  : 84 points
Date   : 2022-12-17 21:25 UTC (1 hour ago)
web link: worthdoingbadly.com

| jeffbee wrote:
| Why can't C programmers stop themselves from writing something
| like:
|
|     size = (unsigned)(expression);
|
| ? The contradiction is stark. If a variable deserves the name
| `size` it deserves the type `size_t` as well.
  | andix wrote:
  | Every time I use C it feels like working on wiring without
  | popping the breaker.
  |
  | A LOT of code just shouldn't be C or C++.
  | TheRealPomax wrote:
  | I think the real question is "if this is so bad, why does the
  | language allow it". Because asking why people use the language
  | in a way it was designed for has the obvious "because they can,
  | and the language allows them to" as answer.
    | duped wrote:
    | There's nothing fundamentally bad about the code above. It's
    | a smell but could make sense.
    |
    | Like for example if I'm writing an interpreter that runs on
    | devices with limited memory, size_t might be bigger than I
    | need for the length of a buffer in user code, and using a
    | shorter integer might be a useful optimization.
    |
    | This is really an example where you have a sharp tool and
    | need training/oversight/experience to use it safely. And even
    | with those things, mistakes happen. The same is true of power
    | tools as of memory-unsafe systems code.
  | TapamN wrote:
  | That really seems like something that should generate a warning,
  | when a value assigned to a size_t was cast to a type smaller
  | than size_t from a value that was >= size_t.
  |
  |     #include <stdio.h>
  |     int main(void) {
  |         size_t v = (unsigned)0xff00000001;  // 64-bit size_t, value truncated to 32 bits
  |         printf("%zu\n", v);                 // Prints 1
  |     }
  |
  | I don't get any warnings for this on GCC 9.4 or Clang 15.0.4
  | with -Wall and -Wextra.
  |
  | If you wanted to deliberately do that kind of cast, for some
  | reason, you could prevent the warning like this:
  |
  |     v = (size_t)(unsigned)0xff00000001;
| MaxLeiter wrote:
| The Project Zero bug linked in the post (which I recommend
| reading first) has more details on the exploit
|
| https://bugs.chromium.org/p/project-zero/issues/detail?id=23...
| MichaelZuo wrote:
| "Will this be useful for jailbreak? Probably not.
|
| This - as far as I can tell - affects userspace processes only.
| Jailbreaks require a kernel exploit. (The Apple security release
| notes say that this bug may allow "arbitrary code with kernel
| privileges", but I can't see how.)
|
| You might still do something cool on iOS with this, but I'm not
| sure what you'd overwrite: codesigning should protect all
| executables and libraries. (I have not tested this: let me know
| if you find anything!)"
|
| Looks like System Integrity Protection? or some other mechanism
| preventing this?
  | waynecochran wrote:
  | As root the machine is yours to do what you will -- as I have
  | unfortunately learned the hard way many many moons ago.
    | anyfoo wrote:
    | Not on iOS or macOS (unless SIP is disabled), no.
      | waynecochran wrote:
      | Can't you disable SIP as root? What can't you do as root?
      | You could replace the kernel. I guess I am used to the Linux
      | world where I build kernels and install as root.
        | LoganDark wrote:
        | With SIP you can only reboot the machine into recovery
        | mode, but the user would then have to go into the
        | recovery mode terminal and run `csrutil disable` to
        | disable SIP.
        |
        | You can't disable SIP on a live system and you can't
        | automate actions in recovery mode.
| forgotmypw17 wrote:
| How crazy is it that getting root on your own device is an
| accomplishment?
  | count wrote:
  | Many, many macOS devices are not 'your own' devices, and have
  | access to many development backends and infrastructures.
    | TheRealPomax wrote:
    | That has nothing to do with this. Everyone can become root on
    | their Mac by typing their password. This exploit shows that
    | you can compile a bit of code that can then bypass that
    | and run anything it wants with full root permissions.
      | andix wrote:
      | Only if you have admin permissions. If you don't have them,
      | you need to type in the password of an admin to become
      | root.
        | dvzk wrote:
        | In most cases, yes, but that's not what the parent meant.
        | In managed environments, it's common to not have root login
        | access, and local privilege escalation is sometimes more
        | critical than normal.
  | fathyb wrote:
  | This is a privilege escalation exploit, it gets a root shell
  | from a non-root process. You can get root privileges on macOS
  | using su/sudo.
    | andix wrote:
    | It depends. Privilege escalation can allow rootkits to install
    | themselves. To get a really severe exploit you usually need to
    | combine a remote code execution with a privilege escalation. So
    | this would only be one part.
    |
    | But you never know if somebody already has another zero-day
    | exploit in their pocket and waits for such an opportunity. Some
    | bugs are there for years before they are found. This doesn't
    | mean that nobody found them before. It only means that nobody
    | used them in a way that got detected.
      | e40 wrote:
      | Is a rootkit possible with SIP turned on? Seems like that's
      | what it is designed to prevent.
        | anyfoo wrote:
        | Every time there is something about "root" and macOS or
        | iOS, there is a flurry of people who extrapolate their
        | Linux (or BSD or whatnot) experience, without considering
        | that the security model on iOS and macOS by far does not
        | consist only of POSIX.
  | jackson1442 wrote:
  | It's privilege escalation, the script is not being run as sudo.
  |
  | Also you can enable root by going to Directory Utility ->
  | (unlock) -> Edit -> Enable Root User. Haven't found a need for
  | this though.
  | mritun wrote:
  | Flamebait?
  |
  | If you know the password you can enter it when 'su' asks. This
  | vulnerability allows all processes, even untrusted ones, to gain
  | root privileges, which is a problem _if_ that is not what you
  | intend.
  |
  | macOS is actually less locked down than a Linux server built by
  | even a half-competent sysadmin.
    | gjsman-1000 wrote:
    | > macOS is actually less locked down than a Linux server
    | > built by even a half-competent sysadmin.
    |
    | In no way is this true. Linux servers built by half-competent
    | sysadmins don't have System Integrity Protection, read-only
    | boot images with digital signatures, or even proper secure
    | boot.
  | akerl_ wrote:
  | The vulnerability isn't that the person who owns the machine
  | can get root. Your user on a personal Mac is, by default, an
  | Administrator, and can just sudo to root.
  |
  | The "accomplishment" is that somebody who can execute code on
  | your laptop (say, somebody who notices you forgot to lock your
  | laptop at Starbucks, or a malicious app developer, or somebody
  | who compromises the update server for an app you use) can
  | escalate to root.
  | reaperducer wrote:
  | _How crazy is it that getting root on your own device is an
  | accomplishment?_
  |
  | We're not living in Commodore 64 days anymore.
  |
  | The vast majority of people have to be protected from
  | themselves, or they'd all be following online instructions to
  | delete files in Win32 to free up space.
  |
  | On HN, people know what they're doing, but for some reason
  | complain as if every person on the planet has the same level of
  | technical knowledge they do. They don't. People on HN like to
  | moan about not being able to hack stuff because they think it
  | gives them street cred. It doesn't.
  |
  | HN: "This product is awful! It has no security!"
  |
  | Also HN: "This product is awful! It has security!"
  | TheRealPomax wrote:
  | For a random bit of code that's running on your machine? _Zero
  | day levels of crazy_: that should never be possible, and you
  | should update your macOS if you haven't yet.
  |
  | This is not about "you being able to become root", of course
  | you can do that whenever you want, with authentication. This is
  | a random bit of code that compiles to something that goes
  | "cute, let me just get root access without any passwords or
  | user notifications. Tadah, I can do whatever _I_ want on this
  | system now".
    | lucb1e wrote:
    | > This is not about "you being able to become root", of
    | > course you can do that whenever you want
    |
    | "of course", yeah...
    |
    | Tell that to iOS and most Android users (even among techies,
    | 95% are afraid of the steps you have to take for getting root
    | on your own damn phone). This used to be normal but for our
    | own good it has been decided that this is not normal anymore.
    | That kids are growing up with this worries me. When is the
    | market ready for Microsoft and Apple to decide the same for
    | desktops? Not running the DRM and trying to WINE some
    | application is going to be similarly thwarted as doing
    | banking on a phone that the user fully owns is today.
  | waynecochran wrote:
  | It doesn't have to be your machine -- imagine this is a Mac in
  | a lab or a cloud machine.
___________________________________________________________________
(page generated 2022-12-17 23:00 UTC)
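Editor's added example for the `size = (unsigned)expr` discussion between jeffbee, duped and TapamN above. This is not code from the thread or from the linked write-up, and the bounds-check scenario in it (BUF_LEN, check_narrowed, check_full) is constructed for illustration; it is not a description of the macOS bug. The program shows why the cast is silent (an explicit cast is precisely what -Wconversion and clang's -Wshorten-64-to-32 take as intent, so neither warns) and what a practitioner does instead: a checked narrowing that refuses an out-of-range value rather than wrapping it, plus a side-by-side of a length check performed on the narrowed value versus on the full size_t.

```c
/*
 * Added example (not from the thread or the linked post): the truncating
 * `(unsigned)` cast on an LP64 target, next to a checked narrowing.
 * BUF_LEN and the check_* functions are a constructed scenario.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { BUF_LEN = 16 };  /* hypothetical fixed buffer size */

/* The cast keeps only the low 32 bits: 0xff00000001 becomes 1. */
size_t truncating_cast(size_t in)
{
    size_t out = (unsigned)in;  /* the pattern criticised in the thread */
    return out;
}

/* Checked narrowing: fails instead of wrapping when `in` does not fit. */
bool narrow_to_unsigned(size_t in, unsigned *out)
{
    if (in > UINT_MAX)
        return false;
    *out = (unsigned)in;
    return true;
}

/* Length check done on the narrowed value. A 64-bit request for
 * 0xff00000001 bytes passes as "1 byte"; anything that later copies with
 * the original size_t would run far past BUF_LEN. */
bool check_narrowed(size_t n)
{
    unsigned len = (unsigned)n;
    return len <= BUF_LEN;
}

/* The same check on the full-width value refuses the oversized request. */
bool check_full(size_t n)
{
    return n <= BUF_LEN;
}

int main(void)
{
    size_t big = (size_t)0xff00000001ULL;  /* constructed oversized length */
    unsigned narrowed = 0;

    printf("sizeof(size_t) = %zu\n", sizeof(size_t));
    printf("(unsigned)0x%zx -> %zu\n", big, truncating_cast(big));
    printf("narrow_to_unsigned: %s\n",
           narrow_to_unsigned(big, &narrowed) ? "ok" : "refused");
    printf("check_narrowed: %s, check_full: %s\n",
           check_narrowed(big) ? "admits" : "refuses",
           check_full(big) ? "admits" : "refuses");
    return 0;
}
```

Build with `cc -std=c11 -Wall -Wextra -Wconversion` and neither cast produces a diagnostic, which is the point TapamN makes; only narrow_to_unsigned reports the problem, at the cost of the extra branch that duped's "useful optimization" argument trades away.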