Aug 03 2014

Last week I observed a strange quirk of OS X Mavericks and AVFoundation: when writing a video using AVFoundation, data caching is always enabled. Caching by itself provides a huge performance boost at the cost of reliability. Generally this wouldn’t be a problem, because you can easily disable caching by using fcntl and F_NOCACHE. However, as AVFoundation does not expose the corresponding file descriptor, this is not possible. Now think about the result of the following scenarios:

  1. You write a video file to external storage and the volume gets disconnected
  2. You write a video to a network volume and someone reboots a switch
  3. You write to a local disk and a power outage occurs

Yes, all these issues result in data loss as the cache has to be purged! This is especially problematic as the Unified Buffer Cache can grow up to hundreds of MB. This can result in the loss of several seconds or even minutes of video data.

I had to use all my Google-fu to find the blog post “Hacking the Mac OSX Unified Buffer Cache” that provides a possible solution. The (undocumented?) fcntl flag F_GLOBAL_NOCACHE allows you to disable the Unified Buffer Cache globally for a specific file. This even works for all already opened file handles, which makes it possible to mitigate all the problems outlined above. Stefan Bechtold wrote the command line wrapper UBCUtil that allows you to test the flag without modifying your code.
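As an added example (not code from the post and not part of UBCUtil), here is a Python sketch of the two-handle pattern described above: a writer whose descriptor you do not control, and a second, short-lived descriptor on the same path that is used only to set F_GLOBAL_NOCACHE. Python’s fcntl module exports F_NOCACHE only on Darwin and does not export F_GLOBAL_NOCACHE at all, so its value (55, from macOS’s sys/fcntl.h) is an assumption to verify against the SDK you use; on other platforms the flag function returns False and only the portable fsync() fallback (my addition, not something the post discusses) bounds the loss window. The frame data is constructed.

```python
import fcntl
import os
import sys
import tempfile

# Python's fcntl module exports F_NOCACHE only on Darwin; elsewhere both
# flags stay None and the functions below degrade to fsync() only.
F_NOCACHE = getattr(fcntl, "F_NOCACHE", None)
# F_GLOBAL_NOCACHE is not exported by the module. 55 is its value in macOS's
# <sys/fcntl.h> (assumption: check the header of the SDK you build against).
F_GLOBAL_NOCACHE = 55 if sys.platform == "darwin" else None


def disable_cache_for_path(path):
    """Apply F_GLOBAL_NOCACHE through a fresh descriptor on `path`.

    The flag belongs to the file, not to this descriptor, so it also covers
    descriptors that another library already holds open on the same file.
    Returns True when applied, False on platforms without the flag.
    """
    if F_GLOBAL_NOCACHE is None:
        return False
    fd = os.open(path, os.O_RDONLY)
    try:
        fcntl.fcntl(fd, F_GLOBAL_NOCACHE, 1)
    finally:
        os.close(fd)
    return True


def write_frames(path, frames, sync_each=True):
    """Stand-in for a video writer whose descriptor we never get to see.

    Writes each frame completely; with sync_each, fsync() pushes the data to
    the device after every frame, which bounds the loss window on any OS.
    Returns the number of bytes written.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    total = 0
    try:
        for frame in frames:
            view = memoryview(frame)
            while view:  # os.write() may write less than requested
                n = os.write(fd, view)
                view = view[n:]
                total += n
            if sync_each:
                os.fsync(fd)
    finally:
        os.close(fd)
    return total


def run_demo(frame_count=5):
    """Create a file, switch off caching for it from the outside (the way
    UBCUtil does, without touching the writer's descriptor), then record."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "clip.bin")
    frames = [b"frame-%03d" % i for i in range(frame_count)]  # constructed data
    with open(path, "wb"):
        pass  # the file has to exist before a descriptor can be opened on it
    applied = disable_cache_for_path(path)
    total = write_frames(path, frames)
    with open(path, "rb") as f:
        intact = f.read() == b"".join(frames)
    return {"bytes": total, "cache_disabled": applied, "intact": intact}


if __name__ == "__main__":
    print(run_demo())
```

On macOS run_demo() reports cache_disabled True; on other systems it reports False but still shows the fsync-per-frame path keeping the file intact. Because the flag is attached to the file rather than to a descriptor, setting it through a throwaway descriptor is enough, which is also why UBCUtil can do it from a separate process.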

What a day…

Apr 22 2014

Have you ever wondered why Apple is moving from AFP to SMB2?

Well, here’s one example:
If you are connected to an AFP server (either OS X or netatalk) and you duplicate a really large file, the complete AFP connection on the client stalls. In the background the client instructs the server to duplicate the file. However, the client blocks until the copy process is finished. This is a good idea implemented poorly. It causes all applications doing I/O operations on the share point to either freeze until the operation is finished or even crash.

The best part: if you are using SMB you can duplicate files without hanging your applications. I was able to verify this behavior back to OS X Lion. Maybe it’s even true for Snow Leopard…

Mar 11 2014

Last year there was a bug in OS X that allowed a local attacker to gain root privileges by abusing sudo’s cache. A few months earlier (January 2013) I informed Apple about a similar problem caused by OS X’s default tty_tickets = off setting. This insecure configuration allows all applications to misuse a cached sudo authentication within the cache timeout. The same issue was discussed in this thread on the Debian mailing list in 2010!

The sudo man page reads:

[…] Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time […]

As Mac OS X uses the default value, a 5-minute timeout is used. That means if an admin user runs sudo, a malicious script can run privileged commands without any further user interaction for 5 minutes. My PoC installs a launchd configuration file (sh.bogner.sudo_escalation.plist) that loads at startup. This script tries to launch as root as soon as the user has used sudo.

How to Reproduce

  1. The PoC has to be installed (with the installer command)
  2. The currently logged in user has to be member of the admin group
  3. The user or any application (like an installer) has to use the sudo command
    Like: sudo echo "Show me what the PoC does"
  4. The PoC script should now have been launched as root

My bug report was acknowledged and ignored. This problem exists on all fully patched versions of OS X including Snow Leopard (10.6), Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). That’s a really long time for a fix!

The Fix

The reaction time is especially disappointing as the fix is very easy and without any side effects (at least for me):

  1. Open a terminal window and type (or better copy and paste):
    export EDITOR=nano #you can skip this step if you know how to use vi
    sudo visudo #enter your password afterwards
  2. Add the following line after Defaults env_keep += "HOME MAIL" (it should look like this):

    Defaults        tty_tickets
  3. Press [CTRL]+[o] followed by [ENTER] to save your changes
  4. Press [CTRL]+[x] to exit the editor
  5. Now you can verify your steps by retesting the PoC
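
To make the weak and the fixed configuration checkable, here is an added Python audit (not from the post) that parses sudoers text for unscoped Defaults lines and reports whether tty_tickets is on and which timestamp_timeout applies. The two sudoers excerpts are constructed to mirror the lines the post mentions; the 5-minute default comes from the post. It assumes, as the post does for the OS X builds of that time, that an absent tty_tickets means off; newer sudo releases compile it in as on, so on other systems confirm the build default with sudo -V as root.

```python
import re

# Constructed sudoers excerpts. The first mirrors the OS X default the post
# describes (env_keep line present, no tty_tickets); the second is the same
# file after the post's fix.
WEAK_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "HOME MAIL"
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""

FIXED_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "HOME MAIL"
Defaults        tty_tickets
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""

# Defaults:user, Defaults@host, Defaults>runas and Defaults!cmd are scoped
# forms; the audit evaluates only unscoped lines and flags scoped ones.
_DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<opts>.+)$")


def _logical_lines(text):
    """Join backslash-continued lines and drop '#' comments and directives."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def _split_options(opts):
    """Split a Defaults option list on commas that sit outside double quotes."""
    out, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        out.append(cur.strip())
    return out


def audit_sudoers(text, default_timeout_min=5):
    """Return the effective tty_tickets / timestamp_timeout settings and findings.

    Later lines override earlier ones, as in sudo. default_timeout_min is the
    5 minutes the post names as the OS X default; an absent tty_tickets is
    treated as off (assumption: matches the OS X builds the post covers).
    """
    tty_tickets = None  # None: not mentioned anywhere in the file
    timeout = float(default_timeout_min)
    scoped = []
    for line in _logical_lines(text):
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        if m.group("scope"):
            scoped.append(line)
            continue
        for opt in _split_options(m.group("opts")):
            if opt == "tty_tickets":
                tty_tickets = True
            elif opt == "!tty_tickets":
                tty_tickets = False
            elif re.match(r"timestamp_timeout\s*=", opt):
                timeout = float(opt.split("=", 1)[1].strip())

    findings = []
    if tty_tickets is None:
        findings.append("tty_tickets not set: treated as off (OS X build default)")
    elif tty_tickets is False:
        findings.append("tty_tickets explicitly disabled")
    if timeout < 0:
        findings.append("timestamp_timeout negative: cached authentication never expires")
    elif timeout > 0 and not tty_tickets:
        findings.append("any process of the user can reuse a sudo authentication "
                        "for %g minutes, regardless of tty" % timeout)
    for line in scoped:
        findings.append("scoped Defaults line needs manual review: " + line)
    return {"tty_tickets": bool(tty_tickets), "timeout_min": timeout,
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("fixed", FIXED_SUDOERS)):
        print(name, audit_sudoers(text))
```

Feed it the output of visudo -c -f or the file itself; the weak excerpt yields two findings, the fixed one none. A timestamp_timeout of 0 (always prompt) silences the reuse finding even without tty_tickets, which is the other common hardening choice.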

Jul 30 2013

It sounds like a simple task to configure a Windows client to connect to an L2TP/IPsec server hosted by Mac OS Server. However, it’s not.

To set up the connection you need the following information:

  • Username and password of a VPN enabled account
  • the L2TP/IPsec shared secret
  • official IP or hostname of the VPN server
  • Administrator account on the Windows machine

The first step is the most important one. Open the registry editor (regedit) on the Windows PC as administrator and add the DWORD AssumeUDPEncapsulationContextOnSendRule with a hex value of 00000002 within HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent. To apply the changes you have to reboot.

Then add a new VPN connection using the “Set up new connection or network” assistant in the Network and Sharing Center. Be sure to enable the checkbox “Don’t connect now, just set it up so I can connect later”.

To finish the last step, open the Properties dialog of your newly created VPN connection. Within the Security tab change the type to L2TP/IPsec and set the shared secret within the Advanced settings. Furthermore, change the dropdown menu “Data encryption” to “Optional encryption”.

Now you are able to connect to the VPN service!