Mac OS X Security Issue – USB Keyboard Root Access – Mac OS X 10.2.7 and Prior

Advisory Title: USB Keyboard Init Crash -> Root Access
Release Date: 2003 October 31
Affected Products: Mac OS X 10.2.7 and prior (possibly 10.2.8)
Severity: Moderate
Impact: Root Access
Where: Local System
Author: Jason Storm (jms@lasergun.org)

VULNERABILITY

With access to a USB Keyboard connected to the computer running Mac OS X 10.2.7 and prior (and possibly 10.2.8) the user can hold down control-c during startup to be dropped to the administrative full controlling root shell prompt due to init crashing.

init will crash within three minutes into the booting process and will drop you into a root shell. With access to the root shell there is full control over the system including deleting and modifying files that are critical to the system.

Jason notes that this security bug in the system is dependant on the USB keyboard being used and it will work with G3 powerbook with a external USB keyboard attached to it.

Internal Development Feature

The bug was originally presented to Apple in 1998 but was told it was a ‘internal development feature’ that would be removed and was reported later on it was still present but wasn’t removed. This bug or ‘feature’ is not present in Mac OS X Panther with the documented control-c bootup process.

Included is a copy of the e-mail submited to us and bugtraq.