| About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack | |
Home » Industry Watch
Cocktail ShakerThat 'perfect mixture' for OS X got a bit mixed up.
That wondrous apps such as Term's Little Helper, OnyX, and Cocktail - the Wizards of OS X - are only pushing sudo command lines with AppleScript has been known for some time; that they're not doing anything for you that you couldn't do better yourself has been the obvious disappointing conclusion. But that any of them would be so unconscionable as to broadcast your password in the clear was unthinkable - or perhaps simply not thought of. Scenario: malfeasant code somehow makes it to your disk. It can't escalate as it doesn't have your admin password - yet. So it runs a background (invisible) shell process with the ps command piped through to grep and looking for anything with sudo. As soon as that wizardry known as Cocktail runs, with your password submitted in the clear, the bad code picks it up and phones it home. Or for that matter, anyone could wander over to your box and execute ps while you're trustfully waiting for Cocktail to finish fixing your 'prebindings' or something equally unimportant... In any case: You're toast. From the SecurityFocus advisory. Since Cocktail needs administrative privileges the user is prompted for the admin password upon startup. The actual maintenance is done by command line utilities that are executed in an insecure manner: Cocktail creates a new process and lets /bin/sh pipe the admin password using echo into sudo, which then will execute the utility, like this: sh -c echo 'PASSWORD' | sudo -p '' -S sudo update_prebinding -root / Exploitation: Knowing Cocktail is waiting for some Unix utility to have finished its work, just execute 'ps ax' on the terminal and search for the password. Comments.
See Also |
| About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack |
| Copyright © Rixstep. All rights reserved. |