Re: Cocoa can be used to execute arbitrary (privileged) code !
- Subject: Re: Cocoa can be used to execute arbitrary (privileged) code !
- From: Charles Steinman <email@hidden>
- Date: Thu, 19 Jun 2008 11:48:09 -0700 (PDT)
This is in fact a Cocoa vulnerability, so it seems relevant to this list. All Cocoa applications automagically come with rudimentary AppleScript support (including "do shell script"), so any Cocoa app that runs with suid is a security risk unless you short circuit the Foundation scripting support.
Cheers,
Chuck
--- On Thu, 6/19/08, Jerry LeVan <email@hidden> wrote:
> From: Jerry LeVan <email@hidden>
> Subject: Cocoa can be used to execute arbitrary (privileged) code !
> To: "cocoa-Dev Dev" <email@hidden>
> Date: Thursday, June 19, 2008, 7:22 AM
> Last night while browsing Slashdot I found this:
>
> http://it.slashdot.org/it/08/06/18/1919224.shtml
>
> It gives a simple command that can be used to
> basically execute code as root.
>
> osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
>
> The above will print "root" and replacing
> "whoami" with other
> commands will cause the commands to be executed as root.
>
> Looks like a job for NSTask...
>
> This is certainly easier than using the Authentication
> protocols :)
>
> The "root" problem is that the ARDAgent
> executable is
> suid'ed to root!
>
> I was surprised that none of the common Mac sites has
> picked up on this...
>
>
> Jerry
> _______________________________________________
>
> Cocoa-dev mailing list (email@hidden)
>
> Please do not post admin requests or moderator comments to
> the list.
> Contact the moderators at
> cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
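An added example, not part of either post: since the thread's point is that a setuid Cocoa application is the risk, this shell function inventories setuid executables that live inside `.app` bundles so they can be reviewed. The function names and the default search directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): inventory setuid executables that sit
# inside .app bundles, the condition the posts above identify as the risk.

# audit_setuid_bundles [DIR]
# Prints one tab-separated line per hit: <owner-uid> <bundle> <executable>
# DIR defaults to /Applications (an assumption; pass any directory to scan).
audit_setuid_bundles() {
    # -perm -4000 matches files with the setuid bit set (GNU and BSD find).
    find "${1:-/Applications}" -type f -perm -4000 -path '*.app/*' 2>/dev/null |
    while IFS= read -r exe; do
        # Numeric owner is field 3 of "ls -ln", which is portable across
        # macOS and Linux and unaffected by spaces in the file name.
        uid=$(ls -ln "$exe" | awk '{print $3}')
        # Strip everything after the first ".app/" to get the outermost
        # enclosing bundle, so nested helper apps are reported under it.
        bundle=${exe%%.app/*}.app
        printf '%s\t%s\t%s\n' "$uid" "$bundle" "$exe"
    done
}

# setuid_root_bundles [DIR]
# Same output, restricted to files owned by uid 0 (setuid root).
setuid_root_bundles() {
    audit_setuid_bundles "$1" | awk -F '\t' '$1 == 0'
}
```

Run `setuid_root_bundles /System/Library/CoreServices` (or any other directory) and review each listed executable; anything reported there runs with root privileges regardless of who launches it.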