|Home » Industry Watch (» The Technological » Hall of Monkeys » Heroes Banquet)
That 'perfect mixture' for OS X got a bit mixed up.
That wondrous apps such as Term's Little Helper, OnyX, and Cocktail - the Wizards of OS X - are only pushing sudo command lines with AppleScript has been known for some time; that they're not doing anything for you that you couldn't do better yourself has been the obvious disappointing conclusion.
But that any of them would be so unconscionable as to broadcast your password in the clear was unthinkable - or perhaps simply not thought of.
Scenario: malfeasant code somehow makes it to your disk. It can't escalate as it doesn't have your admin password - yet. So it runs a background (invisible) shell process with the ps command piped through to grep and looking for anything with sudo.
As soon as that wizardry known as Cocktail runs, with your password submitted in the clear, the bad code picks it up and phones it home.
Or for that matter, anyone could wander over to your box and execute ps while you're trustfully waiting for Cocktail to finish fixing your 'prebindings' or something equally unimportant... In any case:
From the SecurityFocus advisory.
Since Cocktail needs administrative privileges the user is prompted for the admin password upon startup. The actual maintenance is done by command line utilities that are executed in an insecure manner: Cocktail creates a new process and lets /bin/sh pipe the admin password using echo into sudo, which then will execute the utility, like this:
sh -c echo 'PASSWORD' | sudo -p '' -S sudo update_prebinding -root /
Knowing Cocktail is waiting for some Unix utility to have finished its work, just execute 'ps ax' on the terminal and search for the password.
- Even Cocktail doesn't need your sudo password for everything. That it like the other 'wizards' demands it on startup is simply holding you hostage.
- You just don't ever type passwords like this in the clear - ever.
- This exploit might not be easy to fix, and it might exist in the other 'wizards' as well.
- CLIX of course has no such vulnerability. Maybe it's time you took your life in your hands and tried the command line Apple gave you for free? At least you won't be donating the farm to the black hats.
Industry Watch: More Shakers
Learning Curve: The Wizards of OS X
The Very Ugly: CocktailTE: Arsenic & Other Laces