« I/O errors and bad blocks | Main | OS X 10.4.7 »

OS X authentication dialogs can lie(!)

Some time ago now, in fact in November of 2003, I reported to Apple that it was possible to make the authentication dialog lie about which program was asking for authorisation to do something. This is filed as rdar://3486235, for any Apple employees watching.

Here's an amusing demonstration:

SteveJobs.png

(the program that did this was definitely not called “Steve Jobs”)

Very funny, but quite scary because it means it's much too easy to trick an end-user into giving a potentially malicious program root privileges. Apple have been widely—and, to my mind, rather unfairly—lambasted for their attitude towards security holes, but in this case I'm sorry to report that the critics are quite correct. I'm sure they'll fix this now I've published it on the Internet, but I really shouldn't have had to do this; it should have been fixed back in 2003 when it was first reported.

Update: Allan Odgaard has quite rightly pointed out that even with this fixed, it is currently possible for a third-party program to replicate the look and UI of the system authentication dialog. This is true and is another problem that should really be addressed; reserving a particular key combination and making it always go to the system rather than user apps is one way around that issue (that's what Windows does, for instance).

Another, perhaps better approach might be to have the Security Server share some secret with the user, and present that in the authentication dialog to prove that it really is the Security Server and not some bogus process.

The problem is that the dialog that appears gets the name of the calling program from argv[0], which as everyone knows is under the control of the calling program's parent process. So, for instance, if you write something like this:

#include <unistd.h>


int main (void)

{

  execl ("/usr/libexec/authopen",

         "/Applications/Utilities/Disk Utility.app",

         "-stdoutpipe",

         "/dev/rdisk0",

         NULL);

  return 0;

}

which asks the special authopen program to give the calling process a file handle for /dev/rdisk0, what you'll find is that it displays a dialog box like this

Authentication dialog

and in case you think that opening up the detail area will save you from getting caught out by a potentially malicious use of this bug, take a look at this:

Authentication dialog with expanded detail

Now, that definitely wasn't Disk Utility asking for authorisation. It was the program whose source code is shown above. And if you authenticate, that program gets a file handle for /dev/rdisk0, which is clearly a huge security problem as it effectively gives it access to all of your data. Equally, it could use its own helper tool (rather than authopen) and simply ask for root privileges for whatever malicious purpose it had in mind. But this demonstrates the problem quite ably.

Ordinarily I don't approve of people publishing security holes, because it puts end-users at risk, but this one makes it too easy to trick a user into giving away privileged access to his or her machine, and Apple still haven't fixed it, over two years after it was reported. It's also a sufficiently common issue that the comp.unix.programmer frequently asked questions document actually mentions that “it is possible to invoke programs with arbitrary values of argv[0]”, so the fact that you can set argv[0] to whatever you like is hardly an unknown feature, nor is it likely that the black hats don't already know about this.

Posted by Alastair on June 28, 2006 12:34 PM |

TrackBack

TrackBack URL for this entry:
http://www.alastairs-place.net/movabletype/mt-tb.cgi/71.

Comments

Perhaps part of the security team's problem with this bug is that there is no way for the end user to verify that any authentication dialog is real.

From a security perspective there's not necessarily a lot of difference between this bug and a bug that says "Hey look, I can write an app to pop up a dialog that looks like the auth dialog, and fool you into entering your password." In both cases you are being tricked into giving your password to an unauthorized source.

So they could fix this bug, but the larger bug would remain: end users are still literally unable to verify the authenticity of any authorization dialog. That's not really an excuse for not fixing it, and certainly not an excuse for not documenting it. But I'm just guessing at their reasoning.

Windows NT's solution to that was the ctrl-alt-delete logon -- the login dialog only appears when you hit an untrappable key combination. I don't know what Apple's got up their sleeve for this, but they've certainly known about it for a while. I hope they've got something planned for Leopard.

Posted by: Drew Thaler [TypeKey Profile Page] | June 28, 2006 11:16 PM

Indeed, you're right, there isn't a way for end users to verify that an authentication dialog is real. There certainly should be, though.

The Windows NT approach works reasonably well, though it can be a bit wearing pressing “secure attention sequence” keypresses at times. Another approach I quite like is having the Security Server share some secret with the user that it can then display in the dialog box to verify its identity.

FWIW, I think that the fact that you can currently subvert the system's own dialog is still a somewhat bigger hole; it's much easier to use the ready implemented version that will run something for you as root than it is to roll your own.

Posted by: alastair [TypeKey Profile Page] | June 28, 2006 11:25 PM

That's true. Subverting the system dialog is much worse, since a sufficiently savvy user with reason to be suspicious could detect a Trojan putting up a fake dialog (eg, using /bin/ps) but would still get fooled by the fake "real" dialog.

I thought there was an audit process inside Apple these days for processes that run as setuid root. I'm surprised the argv[0] trust problem - which is pretty obvious to anyone who's ever written setuid code - made it through. I'm even more surprised that they still haven't fixed it after two and a half years.

Posted by: Drew Thaler [TypeKey Profile Page] | June 28, 2006 11:39 PM

Drew, I'm currenly using OS X 10.4. I certainly hope that they don't hide their wonderful fix for this up their sleeves to only release it in Leopard.

Posted by: chrisbassett [TypeKey Profile Page] | June 29, 2006 09:02 AM

As a possible compliment to fixing the security hole in the system dialog, is there some Apple-Human-Inteface-Guidelines-Compatible way of making the genuine dialog universally identifiable in such a way that a trojan could not reliably replicate it? What I'm thinking of is something along the lines of "skinning", where the user-selected "skin" would only be revealed by the system to its own security server... provide enough variations to make a chance match by a trojan that picks just one unlikely, and it becomes not very worthwhile to try to exploit that hole, while not interfering with the "flow" of user interaction any further than the existing dialog.

This is, of course, just an example of the "secret" alastair's suggested, but hopefully one that could still fit fairly seamlessly into the rest of the system. Even something as simple as an initial user setup option the very first time you sign in: "please pick your security color"... then all authentication dialog boxes use that as the background color in the password field. If you don't see the color you picked, don't enter your password: since it's user-specific and only accessible to the security server, even shared-access machines give a modest level of protection against inside-job fakers.

Posted by: Robin [TypeKey Profile Page] | June 29, 2006 06:10 PM

Yes, this is precisely the kind of thing I had in mind. I like the idea of a colour as it's particularly easy to understand, though you'd have to be careful to take account of colour-blindness when implementing such a thing.

I also think you'd have to have the dialog wait until you'd entered your user ID before showing the colour, as the dialog can also be used to allow a systems administrator to temporarily grant rights to a user for a particular purpose (i.e. it might be the sysadmin entering his or her credentials).

Posted by: alastair [TypeKey Profile Page] | June 29, 2006 11:22 PM

To the best of my knowledge, the authentication dialogs from the system are the only ones that float over top of every other application, even when various applications are switched in and out of the foreground.

I do like the idea of some shared secret, though, as an additional security measure. The color idea -- or perhaps an image -- is similar to some things I've been seeing on secure Web sites recently.

Posted by: Nameless [TypeKey Profile Page] | July 1, 2006 11:37 PM

It's certainly true that they float over most other things, but I don't think that it's impossible for other applications to do the same thing. AFAIK it's controlled by the “window level”, which you can set in Cocoa using -setLevel:.

Posted by: alastair [TypeKey Profile Page] | July 2, 2006 12:50 PM

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)