Mac OS 9 Lives

Classic Mac OS Software => Hacking the System, Mac OS 9.3, and Beyond ! => Topic started by: rwbaskette on October 19, 2016, 06:13:57 PM

Title: Vulnerabilities in Mac OS 9
Post by: rwbaskette on October 19, 2016, 06:13:57 PM
Hello all, new guy here.

I was wondering if anyone had an idea on where you could find a list of known vulnerabilities for Mac OS 9.

The CVE database only goes back as far as 1999, and it doesn't appear there were many to begin with.

http://www.cvedetails.com/product/155/Apple-Mac-Os.html?vendor_id=49

I thought it might be fun to see if they were patchable.
Title: Re: Vulnerabilities in Mac OS 9
Post by: Protools5LEGuy on October 21, 2016, 06:37:07 PM
No idea, but here are some links

http://www.securityfocus.com/bid/2715  MacOS 9 Personal Web Sharing Remote DoS Vulnerability

http://www.securiteam.com/exploits/5RP0W0A35G.html  Mac OS 9 Multiple Users Control Panel password vulnerability

http://seclists.org/bugtraq/2001/Jan/21  Re: Mac OS 9 Multiple Users Control Panel Password Vulnerability

https://books.google.es/books?id=tC_ZpAyGwiMC&pg=PA103&lpg=PA103&dq=known+vulnerabilities+for+Mac+OS+9&source=bl&ots=oU3OMIxG2R&sig=axkM-GSTiVF54Z_EzbXUdcL0W5I&hl=es&sa=X&ved=0ahUKEwj8g9bMoO3PAhUHPRoKHXF0DJ44KBDoAQgbMAA#v=onepage&q=known%20vulnerabilities%20for%20Mac%20OS%209&f=false

https://books.google.es/books?id=3jqBnS4b3EgC&pg=PR19&lpg=PR19&dq=known+vulnerabilities+for+Mac+OS+9&source=bl&ots=_Uiw8-087O&sig=8HUr4L0Z5Zf2QlMU7AHJtEv6twY&hl=es&sa=X&ved=0ahUKEwj8g9bMoO3PAhUHPRoKHXF0DJ44KBDoAQhgMAk#v=onepage&q=known%20vulnerabilities%20for%20Mac%20OS%209&f=false
Title: Re: Vulnerabilities in Mac OS 9
Post by: rwbaskette on October 25, 2016, 01:00:16 PM
Thanks for posting those resources.

The "Maximum Security" book looked interesting, but Google has decided it would rather not show me the actual pages.

It is somewhat comforting to know that there aren't many at the operating system level floating out there.

The applications are a whole other matter. I'm not sure where to start with that list other than "Classilla is probably as patched as it gets"
Title: Re: Vulnerabilities in Mac OS 9
Post by: Custos on October 19, 2019, 09:08:23 PM
Has anyone actually been able to perform any legit exploits? Would seem that most hackers would have long forgotten about os9 and any of its vulnerabilities.
Title: Re: Vulnerabilities in Mac OS 9
Post by: IIO on October 19, 2019, 11:10:55 PM
there are about 36 malsoftware for MacOS, of which 6 or 7 can cause actual harm. the newest one is from 2001. :)

all trojans i know are systemextensions, which can be removed by removing the systemextension. all file infectors i know can be "repaired" using norton so you dont lose any files. good old times....
Title: Re: Vulnerabilities in Mac OS 9
Post by: Custos on October 20, 2019, 04:30:08 AM
There was a certain disk iso floating around, "DAW stuff"; when installing a few things I had to remove some system extensions. I've suspected someone purposely snuck something in there considering every time I've messed with it problems would arise. I don't trust anything that's free to be brutally honest.
Title: Re: Vulnerabilities in Mac OS 9
Post by: IIO on October 20, 2019, 09:34:19 AM
yes - but run norton with final 2006 update while unstuffing & booting and all is good.
Title: Re: Vulnerabilities in Mac OS 9
Post by: Daniel on October 20, 2019, 12:45:59 PM
There's likely all sorts of possible exploits. I have no idea about network based ones (except for really weak encryption), but it is hard to see how the Driver Descriptor Map and Resource Compression could possibly be made secure.

One runs code from a newly inserted disk and the other runs code in the resource file itself to decompress other resources (this can be used to run code the moment a resource fork is opened with the Resource Manager).

Those are less vulnerabilities and more features working as intended without any attention paid to security at all.

Even with antivirus there are so many ways to get full access. Does norton scan the 'krnl' resource in the System File which is used to update the NanoKernel on Old World Macs? Does it scan Apple CPU Plugins? Both are very obscure pieces of code that get run in PowerPC supervisor mode, where they can do anything.
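An added example, not part of the post above and not Apple's code: a small auditor that reads the Driver Descriptor Map from block 0 of a raw disk image and hashes each driver it points at, so an image can be checked against a set of drivers you have already reviewed before it is mounted. The field offsets follow Apple's published `Block0` structure; the function names, the allowlist idea and the sample image are constructed for illustration, and the 512-byte unit for `ddSize` is treated as an assumption.

```python
import hashlib
import struct

BLOCK0_SIG = 0x4552   # 'ER', sbSig of a block 0 that carries a Driver Descriptor Map
DDM_OFFSET = 18       # first ddBlock/ddSize/ddType entry follows sbDrvrCount
MAX_ENTRIES = (512 - DDM_OFFSET) // 8

def list_ddm_drivers(image: bytes) -> list:
    """Describe every driver that block 0 of a raw disk image points at."""
    if len(image) < 512:
        raise ValueError("image is shorter than one 512-byte block")
    sig, blk_size = struct.unpack_from(">HH", image, 0)
    if sig != BLOCK0_SIG:
        return []                      # no DDM, so no driver is loaded from it
    (count,) = struct.unpack_from(">H", image, 16)
    records = []
    for i in range(min(count, MAX_ENTRIES)):
        dd_block, dd_size, dd_type = struct.unpack_from(">IHH", image, DDM_OFFSET + 8 * i)
        start = dd_block * (blk_size or 512)
        length = dd_size * 512         # assumption: ddSize counts 512-byte blocks
        in_bounds = length > 0 and start + length <= len(image)
        digest = hashlib.sha256(image[start:start + length]).hexdigest() if in_bounds else None
        records.append({"index": i, "type": dd_type, "offset": start,
                        "length": length, "in_bounds": in_bounds, "sha256": digest})
    return records

def unknown_drivers(image: bytes, allowlist: set) -> list:
    """Drivers that are out of bounds or whose hash is not in the reviewed set."""
    return [r for r in list_ddm_drivers(image)
            if not r["in_bounds"] or r["sha256"] not in allowlist]

def build_sample_image() -> bytes:
    """Constructed 3-block image: one DDM entry pointing at a driver in block 1."""
    block0 = struct.pack(">HHIHHIH", BLOCK0_SIG, 512, 3, 1, 1, 0, 1)
    block0 += struct.pack(">IHH", 1, 1, 1)       # ddBlock=1, ddSize=1, ddType=1
    driver = b"constructed driver bytes".ljust(512, b"\x00")
    return block0.ljust(512, b"\x00") + driver + bytes(512)

if __name__ == "__main__":
    for rec in list_ddm_drivers(build_sample_image()):
        print(rec)
```

An entry reported with `in_bounds` false or an unrecognised hash is a reason to inspect the image by hand before inserting or mounting it.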
Title: Re: Vulnerabilities in Mac OS 9
Post by: Custos on October 20, 2019, 01:22:17 PM
Someone gaining root access is the least of my worries. I don't allow any of my os9 machines to have internet access. 110 that really cleared a lot up for me. I've had suspicions about this for a few years now with little time to address it.
Title: Re: Vulnerabilities in Mac OS 9
Post by: IIO on October 20, 2019, 03:09:58 PM
i think one could say that something like "root" doesnt exist in MacOS9.

MacOS9 is always in "admin" - not higher or lower.  (that includes the socalled "user" system, which is a joke.)

trojans like backorifice are system extensions and you can only install it willingly. it would let me shut down your machine if i know your IP, but not touch any files, because OS9 doesnt really have an interface or shell for controlling the system.

perl or flash might have additional backdoors, but nobody uses this. :)
Title: Re: Vulnerabilities in Mac OS 9
Post by: IIO on October 20, 2019, 03:21:36 PM
Quote
Even with antivirus there are so many ways to get full access. Does norton scan the 'krnl' resource in the System File which is used to update the NanoKernel on Old World Macs? Does it scan Apple CPU Plugins?

i didnt mean to hijack the original thread topic, but a potential vulnerability is not equal to the existence of real danger in the form of a malware.

20 years ago about 100 times more people than today were using this OS - including the military, airports, the police ... and there was no such thing as you describe.

or at least we dont know. :)

beside 666 and a few nasty worms, which some idiots spread across public sites back in the days, every other potential risk is in my opinion "too theoretical to bother about."

when i say this, i presuppose that everyone who does serious work on OS9 - and also downloads files from untrusted sources on the same machine - that he uses norton to scan new files.

i also presuppose that people always make backups of important files.

a harddisk failure or a burglary is far, far more likely than the appearance of a new malware for OS9.
Title: Re: Vulnerabilities in Mac OS 9
Post by: Custos on October 20, 2019, 04:21:45 PM
Theft? I feel bad for anyone attempting that one 😆. Been considering updating everything to SSD. There are some projects I would prefer to keep around for as long as possible.
Title: Re: Vulnerabilities in Mac OS 9
Post by: adespoton on August 24, 2020, 01:18:09 PM
Quote
yes - but run norton with final 2006 update while unstuffing & booting and all is good.

Necro-ing this topic to add a bit more detail for people looking at it later....

Norton with the 2006 update will provide you with Norton virus definitions.  These are essentially checksums across parts of the data or resource forks that try to match known viruses and trojans.  As such, there's nothing scanning here for unknown behavior, kernel access, dodgy calls to the toolbox, etc. like, for example, GateKeeper does (the system extension, not the OS X security overlay).

So yeah, in reality, you're likely fine scanning with that version of Norton, unless you're opening MS Office documents -- personally, I just stick to keeping autorun disabled and using the last version of Disinfectant, with GateKeeper as well when I suspect something dodgy and unknown might be going on.

As for vulnerabilities (the original topic), there's plenty of those; some were on bugtraq back in the day, but many many are there that are documented for other platforms -- use after free for example has absolutely no mitigations on Mac OS 9, so all you need to do is scan any piece of software (including System software, Extensions, CPs, etc) for somewhere that fails to properly dispose of memory after executing, and you've got a vulnerability.

In reality, these days the only software that would pose a real risk is something that sits on the Internet or connects to it.  But I'm sure that after scanning the CVE database, someone would be able to find a usable overload in Open Transport that would enable a remote attacker to inject shellcode and do whatever they want.

The strong part of the OS 9 security model is that by default, it doesn't run any network-connected services, and any that do run are either extensions or applications.

That being said, one vulnerability that I recall having fun with back in the day was that Open Transport (or possibly MacTCP and MacPPP, I can't recall how far back this was) had absolutely no channel protection for dialup modems; so if you knew someone was connecting to the internet via a standard modem, you could send them TCP echo packets containing AT instructions, and the OS would dutifully send the modem whatever AT commands you desired... this was usually ATH0, but could be anything else.

So, are we looking for specific vulnerabilities here, or just anything targeting a vanilla OS 9 install with networking enabled?  I'm sure a minimal amount of poking could find something in either space.
Title: Re: Vulnerabilities in Mac OS 9
Post by: IIO on August 24, 2020, 05:09:38 PM
Quote
Norton with the 2006 update will provide you with Norton virus definitions.  These are essentially checksums across parts of the data or resource forks that try to match known viruses and trojans.  As such, there's nothing scanning here for unknown behavior, kernel access, dodgy calls to the toolbox, etc. like, for example, GateKeeper does (the system extension, not the OS X security overlay).

i cant remember - doesnt norton autoprotect obey the system folder and warn you when you move 666 into extensions?

i usually turn autoprotect on when unstuffing files from outside my LAN.

Quote
and you've got a vulnerability.

you are probably right that there are types of vulnerabilities which were completely uncovered.

but there are a few others which dont exist. for example you cant root a server when the OS doesnt have user and groups and filerights anyway. 
and you cant catch a drop install from a website which you cant access because of https.^^

Quote
But I'm sure that after scanning the CVE database, someone would be able to find a usable overload in Open Transport that would enable a remote attacker to inject shellcode and do whatever they want.

yep.

or macPPP/freePPP. but which is more a system 7 thing.

DoS? in real life... your DSL router should handle that. in theory... OS9 itself is probably literally waiting for attacks to come into every of its holes.