CocktailTE: Arsenic & Other Laces

Krzysztof/Kristofer Szymanski
Rating: (four burnt toasts)

Ekuddsv 20 B
Ekerö 17834 SE
+46 701 492200
+46 8 560 35950

Collateral damage:
$15 - $700 [sic] out of your wallet (for all time)
5431296 bytes (6856704 bytes after full expansion)
Loss of hair, sleep, bloodshot eyes, nausea, indigestion

The following discussion presumes the reader is acquainted with what the Cocktail application does - that is, absolutely nothing the BSD subsystem Apple shipped with OS X for your benefit already does better and safer. The question here is not what's done with CocktailTE, but how. Sit firmly in your seat.

Introduction

Skärholmen is one of the ugliest of a few very ugly suburbs of Stockholm. It's accessible with the 'T-bana' going south out of the capital for about half an hour.

It's a dangerous place from time to time, and it's the world headquarters of Cocktail, one of the most inventive of the 'Wizards of OS X'.

People have in the past been wont to sing the praises of Cocktail. Not everyone knows immediately upon coming to OS X and Unix how to manage the command line; but that these people should not have a clue five years after the operating system's introduction is inexcusable, and Cocktail continues to surge on and take advantage of those unwilling or simply too scared to do the silly things Cocktail can do on their own.

Cocktail used to be a free app. Then, as anyone can read in the numerous comments at MacUpdate, it suddenly went 'shareware'. Unwitting users downloaded the latest version, overwrote their previous free copy, and were greeted after a few runs by the great news that the app had expired. Needless to say users weren't happy with this unexpected 'product enhancement'.

Recently someone discovered what should have long ago been suspected: as Cocktail was simply embedding AppleScript modules that in turn invoked extremely simple shell scripts, there was no way the poor app could submit the admin password in a secure fashion; instead it echoes it in the clear to sudo.

Any interloper can sit there with ps and grep and pick it up and '0WN' the machine.

So what's going on inside this perfectly mixed-up app anyway?

Payload

The download image (DMG) for CocktailTE ('Tiger Edition') is a walloping 1517285 bytes - this to perform a small number of Unix functions which weigh nothing at all.

Once the DMG is on disk and double-clicked, the user is greeting by the following dialog.

The full text of the EULA the user has to agree to - just to see the product - follows. Note the cute bit at the very bottom: this will be encountered later, along with a 'plain English' translation.

Clicking the 'agree' button mounts the virtual drive with the CocktailTE application.

Inside The Drink

The contents of the CocktailTE DMG are curious to say the least.

% ls -a
.background        Cocktail Extras        Cocktail.app
%

Now one would assume 'Cocktail.app' was the actual CocktailTE application - which would be a rather fatal mistake. For now it's of primary interest to look inside the second of the above items.

Cocktail Extras

As revolting as anything a software engineer ever saw, 'Cocktail Extras' contains three ostensibly bona-fide Cocoa applications. After drilling down through a directory with a megabyte help file and yet another with a tonne of almost identical icons, one finds a 'Droplets' subdirectory.

Some droplets.

% ls
Delete DS Store.app        Delete Items.app        Lock Or Unlock Items.app
%

[As this discussion continues, try to keep in mind that Xscan, a generic file scanning utility that finds (and deletes, moves, copies) anything, and by Unicode regular expression, and that in addition can isolate file system vulnerabilities, has an executable of only 32000 bytes on disk [sic]. Ed.]

A closer inspection of these three 'applications' reveals a curious thing: they're absolutely identical - right down to an embedded 'Droplet' script in the 'Resources/Scripts' subdirectory. Otherwise they're completely identical.

And their executables are each a lovely 46776 bytes.

That the one deletes .DS_Store files is obvious from the package name; that one should need so much code just to wrap an AppleScript that in turn is going to wrap a Unix shell script that is only going to do the following - coupled with the fact that dismal users buy this charade - is unforgivable to say the least.

find / -name '\.DS_Store' -exec rm -f {} \;

Worse still, each package contains the same 'error.tiff' file for a walloping 80544 bytes, and it's only the standard Aqua 'critical info' icon the system serves up for applicable situations - you already have this icon in your system.

And if you can swallow the TIFF, try washing it down with the application icons: again, they're identical, they each weigh 40303 bytes, and they look like the following. Take Alka-Seltzer. Take the whole box.

[The CocktailTE 'folder' comes with a gorgeous 40 KB background image created in Adobe and aptly code-named 'Ducky'. The 'icon' in the 'Cocktail Extras' directory contains a booby trap: it uses the name 'Icon\n' (it appends a newline character to screw up attempts to decipher it). Drink it up. Ed.]

NSAppleScriptEnabled

Each of these 'applications' - as the 'main' CocktailTE - comes with the great Info.plist entry:

<key>NSAppleScriptEnabled</key>
<string>YES</string>

As none of them are really running any 'real' code, just AppleScript behind the scenes (and hopefully dazzling you).

The 'Lock Or Unlock Items' application is a pathetic wrapper around chflags - see the tool's manpage for more info. [And for the record, using these flags can bring a lot of misery down on you: some of them cannot be reset in other than single user mode. So be careful. Ed.]

Subtotal

The subtotal for 'Cocktail Extras' is 1576960 bytes.

Try to remember that the subtotal for the Unix BSD subsystem which does all that CocktailTE does and hundreds of times more - and which you already have on disk - is ZERO additional bytes.

[And that CLIX which at least gives you a GUI for it is only 10% of the above - and you get access to (currently) 1405 (one thousand four hundred five) functions instead. Ed.]

The Big Drink

Onto the big drink. All that's gone before is but an aperitif - something to whet your appetite. What follows now is the main course - the entré. This should satisfy you fully. [You may never want to eat or drink again. Ed.]

Cocktail.app

Collateral damage: 3817472 bytes.

Help System

This is another case in point for conscientious engineering: aside from the file 'background.png' in the 'img' directory, the contents of 'gfx' and the latter are identical.

[Isn't it nice to know this 'software engineer' has your best interests at heart and isn't wasting your bandwidth - and your disk space - through kindergarten sloppiness? Ed.]

As soon as you open the main 'index' file you see - once again (and how many times is it by now) - the same disclaimer disguising as a 'EULA'.

You also learn that some of the icons come from 'The Iconfactory' - but you could have guessed that by now.

And way at the bottom is that swizzle stick again:

'The copyright holder retains and holds exclusive discretion for determining if and when this license may be returned to the copyright holder and the license fee refunded.'

Meaning two things:

1. What you think you have in your 'EULA' for this monstrosity is not the true story.

2. You can get pissed all you want at this guy and his app but he's not going to give you any money back unless he wants to - and guess if he wants to.

Swizzle, swizzle.

[Note that otherwise this 'help system' is an exact duplicate of the megabyte PDF you already have - except for the elusive disclaimer so you can't ever get your money back. Three cheers for technology. When has anyone ever gone to such elaborate lengths to glamorously package so little? Ed.]

pbdevelopment.plist

Each application package contains the above mentioned file. What it's good for no one's ever discovered; that it's supposed to be removed when software ships was assumed to be known by all.

All it contains is the path to the development files - which as we learn are located aptly on the desktop (no sophisticated file management here thank you).

Resources

The Resources directory of CocktailTE when expanded contains the following. Talk about toxic.

% ls -F
Back.png*                      Output.icns                    cfirewall.sh*
Background.png*                Pilot.png*                     cfs.sh*
BackgroundIcon.png             Preferences.png*               cfsr.sh*
Clear.tiff                     Print.tiff                     cftp.sh*
Cocktail.app/                  Registration.png               cinstall.sh*
CocktailNetworkOptimization/   Rotate.tiff                    clookupd.sh*
CocktailNetworkSettingsEn0/    Save.tiff                      clpr.sh*
CocktailNetworkSettingsEn1/    Scripts/                       cmail.sh*
Delete.tiff                    Sent.aif*                      cnetinfo.sh*
Disks.png*                     System.png*                    cno.tar
Empty.icns*                    Warning.tiff*                  cns0.tar*
English.lproj/                 c0.sh*                         cns1.tar*
Files.png*                     c501.sh*                       cp.tar
Forward.png*                   c502.sh*                       cpanic.sh*
Home.png*                      c503.sh*                       cppp.sh*
Icon.icns                      c504.sh*                       csecure.sh*
Interface.png*                 ccups.sh*                      csystem.sh*
Link.icns*                     ccupsp.sh*                     cws.sh*
Message.tiff*                  ccupsr.sh*                     cwsf.sh*
Network.png*                   cds.sh*                        cwsn.sh*
Options.png                    cdsr.sh*                       cwsr.sh*
%

Anything suffixed with a '/' is a directory; anything suffixed with a '*' is supposedly an executable. [Yes, Patricia, von Planck screwed up the file modes all right! What did you expect - PNGs running as applications? Patricia! Ed.]

Cocktail.app/Cocktail.app?

The big achievement here is that this benevolent author has actually embedded another Cocktail app (the real one perhaps) inside the first one. (It's inside the file 'cp.tar'.) This in itself should propel him without further delay into the software engineering hall of shame.

Options.tiff

Embedded way inside this second Cocktail.app in turn embedded inside the first one is a megabyte file with ostensibly no content whatsoever. And it still takes a megabyte on disk. It's got a height of 363 pixels, a width of 573 pixels, and it's completely transparent - that's it. A megabyte. Thank you very much.

Stripped?

Neither Cocktail executable is stripped for 'release'. Both contain extraneous debugging information and other flotsam and jetsam that only encumber the user.

204360 => 47520?

The embedded Cocktail executable is an inexcusable monster: a simple Apple ADC operation on the mutant reduces its size from 204360 bytes to the more acceptable 47520 bytes - the author provided you with a dirty 'debug' image that's not supposed to ever reach you. Another 150,000+ bytes (over 300% of the actual content size) of your bandwidth and disk space wasted, thank you very much.

.DS_Store

The CocktailTE documentation denigrates .DS_Store files, even going so far as to use scare tactics against you (yes they did contain sensitive information but this was years ago) yet a package hidden in a 'tar' file has one. Its contents follow in the appendices.

Networking Stuff

It also becomes apparent at this time that good old Cocktail - which has your admin password, remember - is going to install daemons and/or kernel extensions on you. [Nice to know, isn't it? Nice the author told you too, isn't it? Ed.]

The contents of the file 'CocktailNetworkOptimization' follow.

#!/bin/sh
. /etc/rc.common
#CheckForNetwork
StartService ()
{
ConsoleMessage "Optimizing network"

The contents of the file 'CocktailNetworkSettingsEn0' follow.

#!/bin/sh
. /etc/rc.common
CheckForNetwork
#if [ "${NETWORKUP:=-NO-}" = "-YES-" ]; then

The contents of the file 'CocktailNetworkSettingsEn1' follow.

#!/bin/sh
. /etc/rc.common
CheckForNetwork
#if [ "${NETWORKUP:=-NO-}" = "-YES-" ]; then

NIBs

The NIBs ship with all development files intact and in place. End users don't need this. NIBs are supposed to be trimmed: that's what Apple themselves do.

Scripts

The Scripts subdirectory is a masterpiece.

% ls
Cocktail.scpt  Files.scpt     Network.scpt   Scheduler.scpt Toolbar.scpt
Disks.scpt     Interface.scpt Pilot.scpt     System.scpt
%

The total collateral damage for this directory alone is over a megabyte: 9 items, 1029590 logical bytes, 2032 blocks (1040384 physical bytes). Naturally all these AppleScript files are 'compiled' so the user can't read them and see how easy all of this actually was. And all of this is just to execute a few dinky Unix command lines.

Finale: The Actual Code

But what it all boils down to is a bunch of rather straightforward Unix command lines and shell scripts. And naturally CocktailTE has those too. But not surprisingly they take little or no disk space at all.

There are 58 (fifty eight) shell scripts embedded in CocktailTE; the largest are only 934 (nine hundred thirty four) bytes; the smallest are 51 (fifty one) and 53 (fifty three) bytes respectively.

All told this takes only 35483 bytes storage or 0.6533% - less than one percent [sic] - of the bomb you just put on your computer.

Sent.aif

Just when you thought the ordeal was over you have a final insult: Sent.aif, a simple system sound you probably have somewhere else already. It's almost inaudible and it's more than almost worthless.

Chalk up another 193590 bytes to obscenity.

Like Your Cocktail?

The author of this unique piece of engineering and ingenuity poses the final question.

Go ahead, don't be shy: tell him - tell him you absolutely love it. Heck - buy it twice and show your support.

What were you going to do with that $30 anyway? Buy a book on Unix?

[You still don't like the command line? Then migrate to Windows: they don't have a command line anymore (or so they say). OS X has a command line: get over it, get used to it - grow up. Ed.]

Postscript: 'Data Remnants'

Many have been the tales of woe about this sucker - everything ranging from rejected registration data, no response from the program's author, crashed Internet connections - to 'data remnants'.

There's not much one can do about rejected registration data - especially if the program's author doesn't reply - and there's not much one can do about crashed Internet connections save dumping the sorry thing - but there is something one can do about the 'data remnants'.

People have namely tried Cocktail for a day or two, trashed it, seen a new version, decided to try again - but it doesn't work. Something left surreptitiously on the system stops it from running.

When confronted directly about this Szymanski denied leaving files behind after the uninstall; when asked how it was then possible to stop people from using a trial upgrade the courteous Szymanski offered that it wasn't files he was leaving behind but 'data remnants'.

Szymanski then went on to attempt to humiliate those who questioned his logic, stating that they basically won't get the time of day if they don't know the difference between 'files' and 'data remnants'.

But 'data remnants' is only a cutesy term for 'stealth'; the bottom line is Szymanski is still corrupting (invading) user systems.

Fortunately with powerhouse utilities like these it's easy to see what he's up to.

If you've fallen prey to the Szymanski 'data remnants' trick all you need to do is issue the following command from your terminal to be free of the pest.

Appendices

Cocktail Shaker
Cocktail's .DS_Store
Cocktail.app (1) Xstrings
Cocktail.app (2) Xstrings
Cocktail.scpt Xstrings
Disks.scpt Xstrings
Files.scpt Xstrings
Interface.scpt Xstrings
Network.scpt Xstrings
Pilot.scpt Xstrings
Scheduler.scpt Xstrings
System.scpt Xstrings
Toolbar.scpt Xstrings
Unix Shell Source

CocktailJE & CocktailPE

Cocktail[JPT]E: Acknowledgements