Lists

Terms and Conditions
Lists hosted on this site
Email the Postmaster
Tips for posting to public mailing lists

Cocoa can be used to execute arbitrary (privileged) code !

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cocoa can be used to execute arbitrary (privileged) code !

Subject: Cocoa can be used to execute arbitrary (privileged) code !
From: Jerry LeVan <email@hidden>
Date: Thu, 19 Jun 2008 10:22:47 -0400

Last night while browsing Slashdot I found this:

http://it.slashdot.org/it/08/06/18/1919224.shtml

It gives a simple command that can be used to
basically execute code as root.

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

The above will print "root" and replacing "whoami" will other
commands will cause the commands to be executed as root.

Looks like a job for NSTask...

This is certainly easier than using the Authentication
protocols :)

The "root" problem is that the ARDAgent executable is
suid'ed to root!

I was surprised than none of the common mac sites has
picked up on this...


Jerry
_______________________________________________

Cocoa-dev mailing list (email@hidden)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden

Follow-Ups:

Re: Cocoa can be used to execute arbitrary (privileged) code !
From: Andrew Farmer <email@hidden>
Re: Cocoa can be used to execute arbitrary (privileged) code !
From: Charles Steinman <email@hidden>
Re: Cocoa can be used to execute arbitrary (privileged) code !
From: lbland <email@hidden>

Prev by Date:
Re: NSViewContoller contained subviews not redrawing

Next by Date:
Re: Cocoa can be used to execute arbitrary (privileged) code !

Previous by thread:
Re: NSViewContoller contained subviews not redrawing

Next by thread:
Re: Cocoa can be used to execute arbitrary (privileged) code !

Index(es):

Date
Thread