Matasano Chargen - Latest Comments in Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Matt Schinckel — Mon, 30 Jun 2008 06:43:30 -0000

Seems like a non-issue on my (Leopard) machine:

user@host:/tmp$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

peter — Wed, 25 Jun 2008 07:36:47 -0000

>This single-user system argument is weird. We all use single-user systems,
> and none of us want keyloggers installed behind our backs.

In the simplest case, in order for this vulnerability to work, the malicious program needs to be already running on your machine, which will most likely be under your user account. Which means that it will already have access to ALL your data and can do ALL the damage to your system that it wants, including installing backdoors/keyloggers etc. Having root will not make the situation that much worse.

That is, unless you have many users on your machine, in which case having root access will allow the the trojan to affect other users.

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Ken — Wed, 25 Jun 2008 03:39:45 -0000

When I run osascript -e 'tell app "ARDAgent" to do shell script "whoami" all I get is "Damn, that was fun"

I put my own bin directory before /usr/bin in my PATH

cat ~/bin/osascript
$ echo "Damn, that was fun"

Now if I wanted I could create an application that asked me if I wanted to run the osascript first, if I click Yes it would then forward that request to the real osascript, wherever that now is.

Or did I miss something entirely?

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Max Howell — Sat, 21 Jun 2008 08:24:05 -0000

It's so easy to target. You just need to figure out how to make some internet enabled software execute Applescript, and almost all of them do. If Safari has an exploit where it executes Applescript without asking the user first.. well, that would suck.

This single-user system argument is weird. We all use single-user systems, and none of us want keyloggers installed behind our backs.

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

js — Sat, 21 Jun 2008 04:05:47 -0000

$ id
uid=501(jsiren) gid=501(jsiren) groups=501(jsiren), 81(appserveradm), 79(appserverusr), 80(admin)
$ uname -a
Darwin (redacted) 8.11.1 Darwin Kernel Version 8.11.1: Wed Oct 10 18:23:28 PDT 2007; root:xnu-792.25.20~1/RELEASE_I386 i386 i386
$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
23:47: execution error: ARDAgent got an error: Connection is invalid. (-609)

What am I doing wrong, or does this not work in Tiger? (10.4.11)

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Eric Monti — Fri, 20 Jun 2008 18:42:48 -0000

@tom:

> Who cares if someone busts root on your Mac?

> It’s a single-user system. I let you in on a
> Matasano state secret: if you break the “tqbf”
> account on my laptop, I’m in trouble. If you’re
> malware and just trying to spread, or redirect my
> browser to phishing pages, you’re wasting your
> time with this “root” silliness.

That raises this point then eh?

sh-3.2$ id
uid=4294967294(nobody) gid=4294967294(nobody) groups=4294967294(nobody)
sh-3.2$ osascript -e 'tell app "Finder" to do shell script "whoami"'
emonti

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

brunerd — Fri, 20 Jun 2008 13:30:01 -0000

Well if you turn ARD on and have any local users that are standard, then those standard users can run root commands with ARD if Allow All Users (the default) radio button is selected... I noticed that a while back, didn't seem quite right: http://www.brunerd.com/blog/2008/03/08/ard-secu...

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Bill — Fri, 20 Jun 2008 10:28:39 -0000

First, Having ARD on is NOT an effective workaround for this issue.

Second, I think there's a difference between "having an AppleScript dictionary" (which means handling some custom AppleScript commands) and just handling system AppleScript commands (like "do shell script"). ARDAgent falls into the latter, as do any "normal" applications without having to do anything special related to AppleScript.

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Kirk — Fri, 20 Jun 2008 09:35:17 -0000

Nothing personal, but you haven't understood it. ARDAgent doesn't have an AppleScript dictionary. But it does have the ability to pass AppleScripts on to the OS as Root. So you can look for dictionaries all you like, and that won't change anything.

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

André Medeiros — Fri, 20 Jun 2008 04:03:46 -0000

Yeah, nice going.

I used another workaround for the matter tho.

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Mo — Fri, 20 Jun 2008 02:47:43 -0000

You can work around this issue (should you want to), by enabling ARD. Perversely.

I guess when ARD is turned on, ARDAgent acts as smartly as it should be all of the time. Quite why you're able to script it at *all* when ARD's switched off is beyond me.

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

john — Thu, 19 Jun 2008 19:55:37 -0000

On Leopard, in which directory is the plist for ARDAgent?

Re: Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

stephen — Thu, 19 Jun 2008 15:25:31 -0000

thats pretty funny. The bug itself isn't too worrisome, but it is indicative of some serious oversights in design that I am sure will get released and discovered in the very near future....very near....like around February '09 ;-)