ID: IRCNE2013081943
Date: 2013-08-31
According to "cnet", a bug in Apple's OS X operating system can give a user nearly full access to the system without supplying a password.
Ars Technica is reporting a 5-month-old flaw in OS X, which revolves around the use of the "sudo" Unix command. This command is used in place before other commands, to run commands as another user, and primarily the root or system account to allow full access for administrative purposes.
The sudo command is therefore quite powerful, as it can be used to bypass access permissions and give full access to information in one's account, or allow for modification of system files.
Normally the sudo command is off-limits to everyone except administrators, and even with administrative access it requires you supply your password to run. Ars Technica has found that a flaw in OS X allows the use of the sudo command without the need for a password. If you set the Mac's clock back to January 1, 1970, (the epoch, or logical "beginning of time" for Unix systems), apparently you can use the sudo command to gain root access and use it without authenticating.
One scenario exploiting this would be if you log into your system and use sudo for some purpose, and then leave your computer while you are still logged in. At this point, a hacker sits down at your system and tries a "sudo" command, only to find it has been over 10 minutes and a password is now required. However, the hacker simply resets the system date using Apple's "systemsetup" command, and now has access to the "sudo" command.
While not necessarily a significant bug, it is one that could potentially be exploited. The bug affects OS X versions 10.7 through 10.8.4.
- 2