Matasano Chargen: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

  • stephen · 1 year ago
    That's pretty funny. The bug itself isn't too worrisome, but it is indicative of some serious oversights in design that I am sure will get released and discovered in the very near future....very near....like around February '09 ;-)
  • john · 1 year ago
    On Leopard, in which directory is the plist for ARDAgent?
  • Mo · 1 year ago
    You can work around this issue (should you want to), by enabling ARD. Perversely.

    I guess when ARD is turned on, ARDAgent acts as smartly as it should be all of the time. Quite why you're able to script it at *all* when ARD's switched off is beyond me.
  • André Medeiros · 1 year ago
    Yeah, nice going.

    I used another workaround for the matter though.
  • Kirk · 1 year ago
    Nothing personal, but you haven't understood it. ARDAgent doesn't have an AppleScript dictionary. But it does have the ability to pass AppleScripts on to the OS as Root. So you can look for dictionaries all you like, and that won't change anything.
  • Bill · 1 year ago
    First, Having ARD on is NOT an effective workaround for this issue.

    Second, I think there's a difference between "having an AppleScript dictionary" (which means handling some custom AppleScript commands) and just handling system AppleScript commands (like "do shell script"). ARDAgent falls into the latter, as do any "normal" applications without having to do anything special related to AppleScript.
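An audit script for the class of problem Bill describes above, added here as an illustration (it is not code from the post, from any commenter, or from Apple): it lists setuid executables that live inside .app bundles under a given directory, because any such application answers the system AppleScript verbs like "do shell script" the same way ARDAgent does, and the setuid bit is what turns that into a privilege problem. The scan root is a parameter so the script runs on any Unix; on a Mac you would point it at /System/Library/CoreServices and /Applications. The drop_setuid helper is one reversible hardening step for a hit you decide you do not need, not a description of Apple's fix.

```shell
#!/bin/sh
# Added example: find setuid executables inside application bundles.
# Usage (after sourcing this file): find_suid_in_bundles /Applications

# Print "<owner> <path>" for every setuid regular file below ROOT whose
# path passes through a *.app directory. find -perm -4000 matches any file
# with the setuid bit set regardless of the other mode bits.
find_suid_in_bundles() {
    root="$1"
    find "$root" -type f -perm -4000 -path '*.app/*' 2>/dev/null |
    while IFS= read -r f; do
        # GNU stat takes -c, BSD/macOS stat takes -f; try GNU first because
        # GNU "stat -f" would succeed with a meaningless filesystem answer.
        owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f" 2>/dev/null)
        printf '%s %s\n' "$owner" "$f"
    done
}

# Number of hits under ROOT, as a bare integer (macOS wc pads with spaces).
count_suid_in_bundles() {
    find_suid_in_bundles "$1" | wc -l | tr -d ' '
}

# Clear the setuid bit on one file. Reversible with: chmod u+s FILE
drop_setuid() {
    chmod u-s "$1"
}
```

The test tree used below is constructed: one setuid binary inside a bundle, one non-setuid helper beside it, and one setuid binary outside any bundle; only the first should be reported.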
  • brunerd · 1 year ago
    Well if you turn ARD on and have any local users that are standard, then those standard users can run root commands with ARD if Allow All Users (the default) radio button is selected... I noticed that a while back, didn't seem quite right: http://www.brunerd.com/blog/2008/03/08/ard-secu...
  • Eric Monti · 1 year ago
    @tom:

    > Who cares if someone busts root on your Mac?

    > It’s a single-user system. I let you in on a
    > Matasano state secret: if you break the “tqbf”
    > account on my laptop, I’m in trouble. If you’re
    > malware and just trying to spread, or redirect my
    > browser to phishing pages, you’re wasting your
    > time with this “root” silliness.

    That raises this point then eh?

    sh-3.2$ id
    uid=4294967294(nobody) gid=4294967294(nobody) groups=4294967294(nobody)
    sh-3.2$ osascript -e 'tell app "Finder" to do shell script "whoami"'
    emonti
  • js · 1 year ago
    $ id
    uid=501(jsiren) gid=501(jsiren) groups=501(jsiren), 81(appserveradm), 79(appserverusr), 80(admin)
    $ uname -a
    Darwin (redacted) 8.11.1 Darwin Kernel Version 8.11.1: Wed Oct 10 18:23:28 PDT 2007; root:xnu-792.25.20~1/RELEASE_I386 i386 i386
    $ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
    23:47: execution error: ARDAgent got an error: Connection is invalid. (-609)

    What am I doing wrong, or does this not work in Tiger? (10.4.11)
  • Max Howell · 1 year ago
    It's so easy to target. You just need to figure out how to make some internet enabled software execute Applescript, and almost all of them do. If Safari has an exploit where it executes Applescript without asking the user first... well, that would suck.

    This single-user system argument is weird. We all use single-user systems, and none of us want keyloggers installed behind our backs.
  • Ken · 1 year ago
    When I run osascript -e 'tell app "ARDAgent" to do shell script "whoami"' all I get is "Damn, that was fun"

    I put my own bin directory before /usr/bin in my PATH

    $ cat ~/bin/osascript
    #!/bin/sh
    echo "Damn, that was fun"

    Now if I wanted I could create an application that asked me if I wanted to run the osascript first, if I click Yes it would then forward that request to the real osascript, wherever that now is.

    Or did I miss something entirely?
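The PATH shim Ken describes, written out as an added example (this is not Ken's actual script): install_shim writes a wrapper that prompts on the terminal before exec'ing the real osascript, resolve_with_path shows which binary a PATH lookup reaches, and call_via_path runs osascript the way a PATH-respecting caller would. The location of the real binary is a parameter so the example runs without macOS; on a Mac it is /usr/bin/osascript. The caveat a reader should keep in mind, and the reason the last assertion in the usage is there: the shim only catches callers that find osascript through PATH. A process that runs /usr/bin/osascript by absolute path, or that sends Apple events through the OSA frameworks without ever spawning the osascript binary, never sees it.

```shell
#!/bin/sh
# Added example: a prompting osascript shim and a demonstration of its limit.

# Write SHIM_DIR/osascript, which asks on the controlling terminal before
# forwarding to REAL (the genuine osascript). A caller with no terminal on
# stdin, i.e. anything scripted or launched in the background, is refused.
install_shim() {
    shim_dir="$1"; real="$2"
    mkdir -p "$shim_dir"
    cat > "$shim_dir/osascript" <<EOF
#!/bin/sh
if [ -t 0 ]; then
    printf 'Run osascript with arguments [%s]? [y/N] ' "\$*" > /dev/tty
    read -r answer < /dev/tty
else
    answer=n
fi
case "\$answer" in
    y|Y) exec "$real" "\$@" ;;
    *)   echo "osascript call denied" >&2; exit 1 ;;
esac
EOF
    chmod 755 "$shim_dir/osascript"
}

# Which osascript does a lookup through the given PATH reach?
resolve_with_path() {
    ( PATH="$1"; command -v osascript )
}

# Run osascript through the given PATH with the remaining arguments; the
# exit status is whatever the binary that was reached returned.
call_via_path() {
    path="$1"; shift
    ( PATH="$path"; osascript "$@" )
}
```

The fake "real" osascript in the usage below is constructed for the example; it just prints a marker so the bypass by absolute path is visible.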
  • peter · 1 year ago
    >This single-user system argument is weird. We all use single-user systems,
    > and none of us want keyloggers installed behind our backs.

    In the simplest case, in order for this vulnerability to work, the malicious program needs to be already running on your machine, which will most likely be under your user account. Which means that it will already have access to ALL your data and can do ALL the damage to your system that it wants, including installing backdoors/keyloggers etc. Having root will not make the situation that much worse.

    That is, unless you have many users on your machine, in which case having root access will allow the trojan to affect other users.
  • Matt Schinckel · 1 year ago
    Seems like a non-issue on my (Leopard) machine:

    user@host:/tmp$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
    23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)