Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch

It's Not New It Starts with 10.2

It goes back to the beginning and it's a part of most everything you do.


Get It

Try It

Charles Srstka was right: the ARDAgent security hole goes back further than he'd been able to test - further back than OS X version 10.3 Panther.

The ARDAgent security hole goes all the way back to version 10.2 Jaguar. It's been there from the get-go - when NSAppleScript was incorporated into Cocoa in August 2002.

Rixstep pulled out a dusty old iBook running 10.2 and tested the capability of 'osascript' to push Unix commands through arbitrary Cocoa apps.

And it works. Unfortunately.

NSAppleScript

NSAppleScript is part of the Foundation framework. It's been there since 10.2 - August 2002. Six years.

As it's part of the Foundation framework it's linked by all Cocoa apps. Tests show interactivity is necessary above and beyond Foundation linkage to make the osascript exploit work.

35:36: syntax error: No user interaction allowed. (-1713)

But tests also show osascript can 'push' Unix commands through most any Cocoa app on your hard drive. And as Charles Srstka pointed out: the commands are run in the context of the target process - if that process is running as root your Unix commands will run as root as well.

[Note this takes no special code to work - merely linking with the Foundation framework is all that's needed. Ed.]

Bad day in Cupertino.

Where the Fault Lies

The fault - the potential vulnerability - is in AppleScript itself as it's manifested in the Cocoa frameworks. AppleScript is a 'technology' that predates OS X. It's part of the old 'MacOS'. Putting something like AppleScript in Cocoa is a strange marriage to say the least: the idea that processes in a protected environment can influence and control each other isn't the best ever.

The danger: Charles Srstka said it best.

Fringe case, you say? If a GUI app runs as root, you've already got a problem, you say? Well, I said yeah, Cocoa and Carbon apps shouldn't be running as root, but this stuff does happen - badly written installers sometimes launch themselves as root, as do some utility programs, along with the popular lab management program 'iHook' - and it only takes one such screwup to allow hackers to root your computer.

Known Issue

Several people have resubmitted the 'bug' to Apple. They've been told Apple are now working on the issue. Which is good news - up to now Srstka's been repeatedly told everything 'behaves correctly'.

Note that Srstka warned Apple of this vulnerability four years ago - before the discovery of the SUID bit on ARDAgent.

Well, two days ago I made the mistake of mentioning this bug to someone in #macdev and then yesterday it comes out that...

IT TURNS OUT THAT OS X CONTAINS AN APPLESCRIPT-AWARE APPLICATION WITH ITS SETUID BIT SET, OUT OF THE BOX.

What You Can (and Should) Do

A list of measures you can take to protect your computer is found here. The following can be added to the list.

1. OOTB the Tiger and Leopard /Applications hives have 4 SUID root binaries.

/Applications/System Preferences.app/Contents/Resources/installAssistant
/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool

Note these are 'command line' binaries embedded in  Resources subdirectories - they're not vulnerable.

$ osascript -e 'tell application "/Applications/System Preferences.app/Contents/Resources/installAssistant" to do shell script "whoami"'
90:91: syntax error: No user interaction allowed. (-1713)
$ osascript -e 'tell application "/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool" to do shell script "whoami"'
88:89: syntax error: No user interaction allowed. (-1713)
$ osascript -e 'tell application "/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy" to do shell script "whoami"'
88:89: syntax error: No user interaction allowed. (-1713)
$ osascript -e 'tell application "/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool" to do shell script "whoami"'
98:99: syntax error: No user interaction allowed. (-1713)

2. Leopard's /System hive has 18 binaries with the SUID bit set. These need to be tested.

/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool
/System/Library/CoreServices/Finder.app/Contents/Resources/OwnerGroupTool
/System/Library/CoreServices/SecurityFixer.app/Contents/Resources/securityFixerTool
/System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav
/System/Library/Filesystems/AppleShare/afpLoad
/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/PrinterSharingTool
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/SCHelper
/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/TimeZoneSettingTool
/System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper
/System/Library/Printers/Libraries/aehelper
/System/Library/Printers/Libraries/csregprinter
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/Locum
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/Resources/DiskManagementTool
/System/Library/PrivateFrameworks/Install.framework/Versions/A/Resources/runner
/System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/NetCfgTool

3. Tiger's /System hive has 22 binaries with the SUID bit set. These need to be tested.

/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool
/System/Library/CoreServices/Finder.app/Contents/Resources/OwnerGroupTool
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
/System/Library/CoreServices/SecurityFixer.app/Contents/Resources/securityFixerTool
/System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav
/System/Library/Filesystems/AppleShare/afpLoad
/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/PrinterSharingTool
/System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Commands/update_sharing
/System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Commands/update_sharing
/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Commands/update_sharing
/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/TimeZoneSettingTool
/System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper
/System/Library/Printers/Libraries/aehelper
/System/Library/Printers/Libraries/csregprinter
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/AirPortNetworkPrefs.bundle/Contents/Resources/AirPortCfgTool
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/Locum
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/Resources/DiskManagementTool
/System/Library/PrivateFrameworks/Install.framework/Versions/A/Resources/runner
/System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/NetCfgTool

4. You've undoubtedly added software to your computer since you got it - you have to check that software too.

Game Over Anyway?

There's a recurring and incessantly annoying idea being passed around.

* Oh well if you have local access it's game over anyway. *

Should you really believe the above is true: Rixstep heartily recommend a new exciting program for OS X called PokerGame.

For if you really believe it's that simple it's truly game over - for you at any rate.

Those without clues - lose.
 - Axioms of Ancient Appalachia, Pierson Education Inc

If you find something wrong with Apple's OS you can be certain it's a beige artifact screwing things up again.
 - Operating Systems: Principles and Implementation, Bloomsbury Publishing Plc

See Also
Learning Curve: A Suggestion
Industry Watch: You're Root, Dude!
Industry Watch: You're Toast, Dude?
Learning Curve: The First Real Malware?
Learning Curve: Apple Redefine 'Epic FAIL'?
Industry Watch: It's Not New It Starts with 10.2
Apple Developer Connection: AppleScript Overview
Industry Watch: Huge, Crazy, Ridiculous OS X Security Hole
Apple Developer Connection: Apple Events Programming Guide

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.