Cocoa mail archive
Re: Cocoa can be used to execute arbitrary (privileged) code !
FROM : Jean-Daniel Dupas
DATE : Thu Jun 19 23:13:18 2008
That's why you should basically never link on high-level framework
with a setuid tools.
Le 19 juin 08 à 20:48, Charles Steinman a écrit :
> This is in fact a Cocoa vulnerability, so it seems relevant to this
> list. All Cocoa applications automagically come with rudimentary
> AppleScript support (including "do shell script"), so any Cocoa app
> that runs with suid is a security risk unless you short circuit the
> Foundation scripting support.
>
> Cheers,
> Chuck
>
>
> --- On Thu, 6/19/08, Jerry LeVan <jerry.<email_removed>> wrote:
>
>> From: Jerry LeVan <jerry.<email_removed>>
>> Subject: Cocoa can be used to execute arbitrary (privileged) code !
>> To: "cocoa-Dev Dev" <<email_removed>>
>> Date: Thursday, June 19, 2008, 7:22 AM
>> Last night while browsing Slashdot I found this:
>>
>> http://it.slashdot.org/it/08/06/18/1919224.shtml
>>
>> It gives a simple command that can be used to
>> basically execute code as root.
>>
>> osascript -e 'tell app "ARDAgent" to do shell
>> script "whoami"'
>>
>> The above will print "root" and replacing
>> "whoami" will other
>> commands will cause the commands to be executed as root.
>>
>> Looks like a job for NSTask...
>>
>> This is certainly easier than using the Authentication
>> protocols :)
>>
>> The "root" problem is that the ARDAgent
>> executable is
>> suid'ed to root!
>>
>> I was surprised than none of the common mac sites has
>> picked up on this...
>>
>>
>> Jerry
>> _______________________________________________
>>
>> Cocoa-dev mailing list (<email_removed>)
>>
>> Please do not post admin requests or moderator comments to
>> the list.
>> Contact the moderators at
>> cocoa-dev-admins(at)lists.apple.com
>>
>> Help/Unsubscribe/Update your Subscription:
>> http://lists.apple.com/mailman/options/cocoa-dev/<email_removed>
>>
>> This email sent to <email_removed>
>
>
>
> _______________________________________________
>
> Cocoa-dev mailing list (<email_removed>)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/cocoa-dev/<email_removed>
>
> This email sent to <email_removed>
>
DATE : Thu Jun 19 23:13:18 2008
That's why you should basically never link on high-level framework
with a setuid tools.
Le 19 juin 08 à 20:48, Charles Steinman a écrit :
> This is in fact a Cocoa vulnerability, so it seems relevant to this
> list. All Cocoa applications automagically come with rudimentary
> AppleScript support (including "do shell script"), so any Cocoa app
> that runs with suid is a security risk unless you short circuit the
> Foundation scripting support.
>
> Cheers,
> Chuck
>
>
> --- On Thu, 6/19/08, Jerry LeVan <jerry.<email_removed>> wrote:
>
>> From: Jerry LeVan <jerry.<email_removed>>
>> Subject: Cocoa can be used to execute arbitrary (privileged) code !
>> To: "cocoa-Dev Dev" <<email_removed>>
>> Date: Thursday, June 19, 2008, 7:22 AM
>> Last night while browsing Slashdot I found this:
>>
>> http://it.slashdot.org/it/08/06/18/1919224.shtml
>>
>> It gives a simple command that can be used to
>> basically execute code as root.
>>
>> osascript -e 'tell app "ARDAgent" to do shell
>> script "whoami"'
>>
>> The above will print "root" and replacing
>> "whoami" will other
>> commands will cause the commands to be executed as root.
>>
>> Looks like a job for NSTask...
>>
>> This is certainly easier than using the Authentication
>> protocols :)
>>
>> The "root" problem is that the ARDAgent
>> executable is
>> suid'ed to root!
>>
>> I was surprised than none of the common mac sites has
>> picked up on this...
>>
>>
>> Jerry
>> _______________________________________________
>>
>> Cocoa-dev mailing list (<email_removed>)
>>
>> Please do not post admin requests or moderator comments to
>> the list.
>> Contact the moderators at
>> cocoa-dev-admins(at)lists.apple.com
>>
>> Help/Unsubscribe/Update your Subscription:
>> http://lists.apple.com/mailman/options/cocoa-dev/<email_removed>
>>
>> This email sent to <email_removed>
>
>
>
> _______________________________________________
>
> Cocoa-dev mailing list (<email_removed>)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/cocoa-dev/<email_removed>
>
> This email sent to <email_removed>
>
