Bug allows use of ‘sudo’ without a password in OS X
A bug in Apple’s OS X operating system can give a user nearly full access to the system without supplying a password.
Ars Technica is reporting a 5-month-old flaw in OS X that revolves around the use of the “sudo” Unix command. This command is placed before other commands to run them as another user, primarily the root or system account, in order to gain full access for administrative purposes.
The sudo command is therefore quite powerful: it can be used to bypass access permissions, giving full access to the information in a user’s account or allowing modification of system files.
Normally the sudo command is off-limits to everyone except administrators, and even with administrative access it requires you to supply your password to run. Ars Technica has found that a flaw in OS X allows the use of the sudo command without the need for a password: if you set the Mac’s clock back to January 1, 1970 (the epoch, or logical “beginning of time” for Unix systems), apparently you can use the sudo command to gain root access without authenticating.
This problem appears to revolve around the way the system stores prior credentials for the sudo command. While at first glance it appears this issue allows anyone access to the system, it only affects systems under specific conditions: it only works if the current user is an administrator, is currently logged in, and has already authenticated to the sudo command in the current log-in session.
Running “sudo su” to switch users and operate as the root user (shown here) requires you to authenticate (see the “password” prompt). After 10 minutes this should expire and require you to enter your password again. By changing the date you can bypass this requirement. (Credit: Screenshot by Topher Kessler/CNET)
Generally, when you use sudo, the system remembers your password for subsequent uses of the command, and this expires after 10 minutes of no sudo use. However, this bug allows someone with access to the system to set the system date and bypass the need for a password. One scenario exploiting this would be if you log into your system, use sudo for some purpose, and then leave your computer while still logged in. At this point, a hacker sits down at your system and tries a “sudo” command, only to find that more than 10 minutes have passed and a password is now required. However, the hacker simply resets the system date using Apple’s “systemsetup” command, and now has access to the “sudo” command.
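As an added defensive example (not part of this article, and not Apple's or sudo's own code): a small Python script that scans log lines for exactly the pattern described above, a system clock that jumps backwards followed by sudo use, or any sudo use stamped near the Unix epoch. The ISO-timestamped log format and the sample lines are constructed for this example; real OS X syslog lines omit the year, so a production version would need a timestamp source that records it.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed log layout for this example: "<ISO-8601 UTC time> <host> <process>[pid]: <message>".
# This is NOT the real OS X syslog layout (which has no year); only the sudo message
# body ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...") mirrors sudo's real format.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_WINDOW = timedelta(days=1)        # timestamps this close to 1970-01-01 mean a reset clock
ROLLBACK_TOLERANCE = timedelta(seconds=60)  # larger backwards jumps between lines are suspicious

# Constructed sample: a legitimate sudo, a date change, then sudo running on a 1970 clock.
SAMPLE_LOG = """\
2013-08-28T10:02:11Z mac sudo[412]: alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/su
2013-08-28T10:20:45Z mac systemsetup[520]: system date changed (constructed message)
1970-01-01T00:00:03Z mac sudo[533]: alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/sh
""".splitlines()


def parse_line(line):
    """Return (timestamp, process, message) or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts, m.group("proc"), m.group("msg")


def find_sudo_clock_anomalies(lines):
    """Return (line_no, reason, line) triples for clock rollbacks and sudo use on a reset clock."""
    findings, last_ts, rollback_seen = [], None, False
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, proc, _msg = parsed
        if last_ts is not None and last_ts - ts > ROLLBACK_TOLERANCE:
            rollback_seen = True
            findings.append((n, "clock moved backwards by %s" % (last_ts - ts), line))
        if proc == "sudo":
            if abs(ts - UNIX_EPOCH) <= EPOCH_WINDOW:
                findings.append((n, "sudo used with epoch-era timestamp", line))
            elif rollback_seen:
                findings.append((n, "sudo used after clock rollback", line))
        last_ts = ts
    return findings


if __name__ == "__main__":
    for line_no, reason, line in find_sudo_clock_anomalies(SAMPLE_LOG):
        print("line %d: %s\n    %s" % (line_no, reason, line))
```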
This problem apparently affects the sudo command in numerous Unix and Linux distributions as well. The difference, though, is that those systems require authentication to change the system date, whereas OS X does not.
While not necessarily a significant bug, it is one that could potentially be exploited. The bug affects OS X versions 10.7 through 10.8.4, and has been assigned a Common Vulnerabilities and Exposures (CVE) ID in the hope that it will be addressed as quickly as possible.