Walking into an Apple Store
Strange things can await.
'Alpha' tells the story.
Haven't been to the Apple store lately. Walked in, tried to run the following:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
Returned as 'apple' (a lowly user account).
Then I took a peek at the perms for com.apple.systemloginitems.plist. They were 644.
And I thought that 10.5.4 didn't fix either issue?
'These are not the holes you're looking for...'
What Alpha is looking at here are the two current root exploits for Leopard: the ARDAgent hole and the 'SLIHack'. And indeed: 10.5.4 patched neither hole.
So someone at the store was toying with the security holes and at least one of the responses was therefore to be expected.
It's another matter with com.apple.systemloginitems.plist: assuming an ownership of root:admin (0:80), permissions of 0644 will prevent anyone but root from editing it - but that won't stop more than the beige hacker anyway.
It's the directory itself that's vulnerable: with the same ownership and permissions of 0775, /Library/Preferences can still be corrupted.
In which case - as com.apple.systemloginitems.plist is still readable by group admin - a rogue process running as an admin user need only copy com.apple.systemloginitems.plist, modify the copy, then move it into place, deleting the original in the process. The file's own 0644 mode never comes into play: the rename is an operation on the directory, not on the file.
The ultimate danger here is that files concerning root (which must be protected) are mixed in an impossible coexistence with files that are not - when the only proper place for such files is in a protected area such as /System/Library/Preferences (which doesn't even exist yet).
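The swap-in problem described above is easy to overlook because file-level permission audits only look at the file. The following is an added example, not code from the article or from Apple: a small Python check that asks the question the article raises, namely whether a file that is not group- or world-writable sits in a directory that is, so that anyone in that group (or anyone at all) could rename or unlink it and drop a replacement in its place. The directory layout it builds is constructed in a temporary directory to mimic a 0775 preferences directory holding a 0644 plist; the function and file names are the example's own.

```python
import os
import stat
import tempfile


def swap_in_risk(path):
    """Report who could replace `path` wholesale despite its own mode.

    Returns a list drawn from ["group", "other"]: each entry names a class
    of user that may rename/unlink entries in the parent directory (it is
    writable to them) while the file itself is not writable to them.
    Renaming and unlinking are directory operations, so the file's mode
    offers no protection.  A sticky directory (like /tmp) restricts
    unlink/rename to the entry's owner, the directory owner and root,
    so it is reported as safe here.
    """
    parent = os.path.dirname(os.path.abspath(path))
    dmode = os.stat(parent).st_mode
    fmode = os.stat(path).st_mode
    if dmode & stat.S_ISVTX:
        return []
    risks = []
    if (dmode & stat.S_IWGRP) and not (fmode & stat.S_IWGRP):
        risks.append("group")
    if (dmode & stat.S_IWOTH) and not (fmode & stat.S_IWOTH):
        risks.append("other")
    return risks


def audit_tree(top):
    """Walk `top` and return {file_path: risks} for every file at risk."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(top):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's mode is not what gets swapped
            risks = swap_in_risk(full)
            if risks:
                findings[full] = risks
    return findings


def demo():
    """Constructed scenario (hypothetical, built in a temp dir): a
    preferences directory at 0775 holding a 0644 plist, as in the
    article, then the same file after the directory is tightened.
    Returns (weak, fixed, sticky) findings for the plist."""
    root = tempfile.mkdtemp()
    prefs = os.path.join(root, "Preferences")
    os.mkdir(prefs)
    os.chmod(prefs, 0o775)  # explicit chmod so the umask cannot interfere
    plist = os.path.join(prefs, "com.apple.systemloginitems.plist")
    with open(plist, "w") as fh:
        fh.write("<plist/>\n")  # constructed placeholder content
    os.chmod(plist, 0o644)

    weak = swap_in_risk(plist)        # group members can swap the file
    os.chmod(prefs, 0o755)
    fixed = swap_in_risk(plist)       # only the directory owner can now
    os.chmod(prefs, 0o1775)
    sticky = swap_in_risk(plist)      # group-writable but sticky: safe
    return weak, fixed, sticky


if __name__ == "__main__":
    weak, fixed, sticky = demo()
    print("0775 directory :", weak)
    print("0755 directory :", fixed)
    print("1775 directory :", sticky)
```

Run it against a real tree with `audit_tree("/Library/Preferences")` to list every file that is protected in name only; ownership is deliberately not consulted, because on a shared or admin-group machine the mode bits alone decide whether a rename is permitted.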
And for now both root exploits work on 10.6 'Snow Leopard' as well.
Learning Curve: Rooting 10.5.4
Industry Watch: Get Root on 10.5.4
Industry Watch: ARDAgent - Here to Stay?
Learning Curve: ARDAgent on Snow Leopard