[HN Gopher] Get root on macOS 13.0.1 the macOS Dirty Cow bug
___________________________________________________________________
Get root on macOS 13.0.1 the macOS Dirty Cow bug
Author : todsacerdoti
Score : 84 points
Date : 2022-12-17 21:25 UTC (1 hour ago)
(HTM) web link (worthdoingbadly.com)
(TXT) w3m dump (worthdoingbadly.com)
| jeffbee wrote:
| Why can't C programmers stop themselves from writing something
| like: size = (unsigned)(expression);
|
| ? The contradiction is stark. If a variable deserves the name
| `size` it deserves the type `size_t` as well.
| andix wrote:
| Every time I use C it feels like working on wiring without
| popping the breaker.
|
| A LOT of code just shouldn't be C or C++.
| TheRealPomax wrote:
| I think the real question is "if this is so bad, why does the
| language allow it". Because asking why people use the language
| in a way it was designed for has the obvious "because they can,
| and the language allows them to" as answer.
| duped wrote:
| There's nothing fundamentally bad about the code above. It's
| a smell but could make sense.
|
| Like for example if I'm writing an interpreter that runs on
| devices with limited memory size_t might be bigger than I
| need for the length of a buffer in user code, and using a
| shorter integer might be a useful optimization.
|
| This is really an example where you have a sharp tool and
| need training/oversight/experience to use it safely. And even
| with those things, mistakes happen. The same is true of power
| tools as memory unsafe systems code.
| TapamN wrote:
| That really seems like something that should generate a warning,
| when a value assigned to a size_t was cast to a type smaller
| than size_t from a value that was >= size_t.
| size_t v; //64-bit size_t
| v = (unsigned)0xff00000001;
| printf("%zu\n", v); //Prints 1
|
| I don't get any warnings for this on GCC 9.4 or Clang 15.0.4
| with Wall+Wextra.
|
| If you wanted to deliberately do that kind of cast, for some
| reason, you could prevent the warning like this:
| v = (size_t)(unsigned)0xff00000001;
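The truncation the comment above describes, written out as an added example (not code from the thread or from the linked post): `truncating_assign` reproduces the `(unsigned)` narrowing pattern, `narrow_checked` is a hypothetical checked alternative that refuses values that do not fit, and `fits_in_buffer` shows why a capacity test must run on the value's real width. The sample length `0xff00000001` is constructed; the function names are assumptions for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The pattern under discussion: the (unsigned) cast keeps only the low
 * 32 bits, and the result is silently widened back into size_t. With a
 * 64-bit size_t, 0xff00000001 becomes 1 and no -Wall/-Wextra diagnostic fires. */
size_t truncating_assign(uint64_t len)
{
    size_t v = (unsigned)len;   /* hypothetical: narrowing cast as in the comment */
    return v;
}

/* Checked narrowing (hypothetical helper): succeed only when the value
 * really fits in unsigned; otherwise report failure and leave *out alone. */
bool narrow_checked(uint64_t len, unsigned *out)
{
    if (len > UINT_MAX)
        return false;
    *out = (unsigned)len;
    return true;
}

/* Capacity check performed on the full-width length. A caller that keeps
 * len as size_t cannot have it shrink into a value that wrongly passes. */
bool fits_in_buffer(size_t len, size_t buf_cap)
{
    return len <= buf_cap;
}

int main(void)
{
    uint64_t len = 0xff00000001ULL;   /* constructed sample length */
    unsigned narrowed = 0;

    printf("truncating_assign(0xff00000001) = %zu\n", truncating_assign(len));
    printf("narrow_checked(0xff00000001)   = %s\n",
           narrow_checked(len, &narrowed) ? "accepted" : "rejected");
    /* The truncated length "fits" a 4 KiB buffer; the real length does not. */
    printf("fits after truncation: %d\n", (int)fits_in_buffer(truncating_assign(len), 4096));
    printf("fits at full width:    %d\n", (int)fits_in_buffer((size_t)len, 4096));
    return 0;
}
```

Compile with `-Wall -Wextra` to confirm that `truncating_assign` produces no warning; `-Wconversion` is the flag family that reports implicit narrowing on GCC and Clang, though the explicit cast in this pattern still silences it, which is why a checked helper such as `narrow_checked` is the reliable defence.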
| MaxLeiter wrote:
| The project zero bug linked in the post (which I recommend
| reading first) has more details on the exploit
|
| https://bugs.chromium.org/p/project-zero/issues/detail?id=23...
| MichaelZuo wrote:
| "Will this be useful for jailbreak? Probably not.
|
| This - as far as I can tell - affects userspace processes only.
| Jailbreaks require a kernel exploit. (The Apple Security release
| notes says that this bug may allow "arbitrary code with kernel
| privileges", but I can't see how.)
|
| You might still do something cool on iOS with this, but I'm not
| sure what you'd overwrite: codesigning should protect all
| executables and libraries. (I have not tested this: let me know
| if you find anything!)"
|
| Looks like System Integrity Protection, or some other mechanism,
| preventing this?
| waynecochran wrote:
| As root the machine is yours to do what you will -- as I have
| unfortunately learned the hard way many many moons ago.
| anyfoo wrote:
| Not on iOS or macOS (unless SIP is disabled), no.
| waynecochran wrote:
| Can't you disable SIP as root? What can't you do as root?
| You could replace the kernel. I guess I am used to the Linux
| world where I build kernels and install as root.
| LoganDark wrote:
| With SIP you can only reboot the machine into recovery
| mode, but the user would then have to go into the
| recovery mode terminal and run `csrutil disable` to
| disable SIP.
|
| You can't disable SIP on a live system and you can't
| automate actions in recovery mode.
| forgotmypw17 wrote:
| How crazy is it that getting root on your own device is an
| accomplishment?
| count wrote:
| Many, many macOS devices are not 'your own' devices, and have
| access to many development backends and infrastructures.
| TheRealPomax wrote:
| That has nothing to do with this. Everyone can become root on
| their Mac by typing their password. This exploit shows that
| you can compile a bit of code that can then bypass that
| and run anything it wants with full root permissions.
| andix wrote:
| Only if you have admin permissions. If you don't have them,
| you need to type in the password of an admin to become
| root.
| dvzk wrote:
| In most cases, yes, but that's not what the parent meant.
| In managed environments, it's common to not have root login
| access, and local privilege escalation is sometimes more
| critical than normal.
| fathyb wrote:
| This is a privilege escalation exploit, it gets a root shell
| from a non-root process. You can get root privileges on macOS
| using su/sudo.
| andix wrote:
| It depends. Privilege escalation can allow rootkits to install
| themselves. To get a really severe exploit you usually need to
| combine a remote code execution with a privilege escalation. So
| this would only be one part.
|
| But you never know if somebody already has another zero day
| exploit in their pocket and waits for such an opportunity. Some
| bugs are there for years before they are found. This doesn't
| mean that nobody found them before. It only means that nobody
| used them in a way that it got detected.
| e40 wrote:
| Is a rootkit possible with SIP turned on? Seems like that's
| what it is designed to prevent.
| anyfoo wrote:
| Every time there is something about "root" and macOS or
| iOS, there is a flurry of people who extrapolate their
| Linux (or BSD or what not) experience, without considering
| that the security model on iOS and macOS does by far not
| only consist of POSIX.
| jackson1442 wrote:
| it's privilege escalation, the script is not being run as sudo
|
| also you can enable root by going to Directory Utility ->
| (unlock) -> Edit -> Enable Root User. Haven't found a need for
| this though.
| mritun wrote:
| Flamebait?
|
| If you know the password you can enter it when 'su' asks. This
| vulnerability allows all processes, even untrusted ones, to gain
| root privileges, which is a problem _if_ that is not what you
| intend.
|
| macOS is actually less locked down than a Linux server built by
| even a half competent sysadmin.
| gjsman-1000 wrote:
| > macOS is actually less locked down than a Linux server
| built by even a half competent sysadmin.
|
| In no way is this true. Linux servers built by half-competent
| sysadmins don't have System Integrity Protection, read-only
| boot images with digital signatures, or even proper secure
| boot.
| akerl_ wrote:
| The vulnerability isn't that the person who owns the machine
| can get root. Your user on a personal Mac is, by default, an
| Administrator, and can just sudo to root.
|
| The "accomplishment" is that somebody who can execute code on
| your laptop (say, somebody who notices you forgot to lock your
| laptop at Starbucks, or a malicious app developer, or somebody
| who compromises the update server for an app you use) can
| escalate to root.
| reaperducer wrote:
| _How crazy is it that getting root on your own device is an
| accomplishment?_
|
| We're not living in Commodore 64 days anymore.
|
| The vast majority of people have to be protected from
| themselves, or they'd all be following online instructions to
| delete files in Win32 to free up space.
|
| On HN, people know what they're doing, but for some reason
| complain as if every person on the planet has the same level of
| technical knowledge they do. They don't. People on HN like to
| moan about not being able to hack stuff because they think it
| gives them street cred. It doesn't.
|
| HN: "This product is awful! It has no security!"
|
| Also HN: "This product is awful! It has security!"
| TheRealPomax wrote:
| For a random bit of code that's running on your machine? _zero
| day levels of crazy_ : that should never be possible, and you
| should update your macOS if you haven't yet.
|
| This is not about "you being able to become root", of course
| you can do that whenever you want, with authentication. This is
| a random bit of code that compiles to something that goes
| "cute, let me just get root access without any passwords or
| user notifications. Tadah, I can do whatever _I_ want on this
| system now"
| lucb1e wrote:
| > This is not about "you being able to become root", of
| course you can do that whenever you want
|
| "of course", yeah...
|
| Tell that to iOS and most Android users (even among techies,
| 95% are afraid of the steps you have to take for getting root
| on your own damn phone). This used to be normal but for our
| own good it has been decided that this is not normal now
| anymore. That kids are growing up with this worries me. When
| is the market ready for Microsoft and Apple to decide the
| same for desktops? Not running the DRM and trying to WINE
| some application is going to be similarly thwarted as doing
| banking on a phone that the user fully owns is today.
| waynecochran wrote:
| It doesn't have to be your machine -- imagine this is a Mac in
| a lab or a cloud machine.
___________________________________________________________________
(page generated 2022-12-17 23:00 UTC)