Monday, 9 January 2012

OS X's Parental Control Loophole

In recent releases of Mac OS X (as of this date, Lion is the most recent), Apple has bundled a parental control feature that allows a guest user environment separated from everybody else to log in with limited abilities. The control panel that configures it allows you to limit Internet access, what applications can and cannot be launched, and how much time the guest user may have on the machine per day. It's pretty handy if you have children, if you wish to create a kiosk of sorts, or if you would like to share a machine with guests visiting your home.

The way the parental controls appear to function is that it limits you within the Finder for application control. This means that the Finder dictates what you can and cannot launch and what you can do within the computer. For those who are unfamiliar with OS X, the Finder is akin to Explorer in Windows.

However, since it's the Finder that controls everything, it is possible to break out of the sandboxed environment and do more than what you are permitted to. Here are some things I figured out that you can do:

  • Even if you're limited to what you can do within the Finder with regards to file access, allowing an application that opens text files permits you to browse the files on the machine. This means that you can in theory pull up configuration files and so forth within TextEdit and then edit them without having to find them within the Finder.

  • Help files can be launched without any limitation.

I had hoped to add more into the points, but during the experimentation process I didn't do any sort of note-taking.

Keeping in mind that since you can freely browse files and the Finder is in control of what you can launch, it is possible to create a hole for launching any application freely if you do not limit certain applications. For example, if you were to go and allow one to run Quicksilver or Steam, it is possible to launch the Terminal.

During my tests, I used Steam as an example and went about doing the following:

  1. Had Steam allowed within the guest environment to be executed.

  2. Logged into the environment and then logged into Steam after entering a one-time code.

  3. Added Terminal as a non-Steam game (or application in this case).

  4. Able to launch Terminal.

What this means is that to rely on OS X's parental controls, you'll have to take into account any applications that can launch other applications are a potential loophole. It appears that after logging out that OS X will wipe any data that is created during the login session, but it still doesn't mean that privilege escalation is impossible using this technique.

Side note: My girlfriend had decided to let me play with her Macbook Pro by putting me in a guest environment. I am not sure how it got to this point, but we started to limit the applications I could use after I said I probably could break out of the sandbox she created. This is how I came to determine the above.