ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-22, 21:14

Statistics on Leopard.

I find 76 setuid root binaries on the entire system. If I exclude files not installed by Apple (Mac OS X, iLife, iWork, etc), then I get down to… 68 setuid root binaries. Most of these are clearly helper tools to do specific privileged tasks, which means they're designed to securely perform one task and are probably extremely difficult to exploit (if at all).

Now, paring this down to a list of setuid binaries that are also the primary executable in an application bundle, where they're not clearly a simple "helper tool":

Code:
| grep '/\([^/]*\).app/Contents/MacOS/\1$'
I get all of 2 application bundles (which are the only thing AppleScript might be able to target), and they are:

Code:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
So I'm going to go out on a limb and guess check_afp.app doesn't support AppleScript. I could be wrong. Either way, ARDAgent.app is the only application on my ENTIRE SYSTEM that might fall victim to this, and I'm guessing it's setuid root because it Absolutely Needs To Be™.

My guess: ARDAgent.app doesn't launch when I use Screen Sharing, so it must be truly tied to Apple Remote Desktop. ARD has the ability to install packages and applications on managed hosts, as well as doing many other system-level tasks remotely. I'm guessing that it's setuid root so that it can perform these remote activities as root (since that's a requirement), without authenticating via something akin to sudo (since it can't). Thus, it may actually be impossible for ARDAgent.app to fulfill its duties for ARD while blocking this type of exploit.

More technical details!

AppleScript works by parsing your script, compiling it into a set of AppleEvents, which are then packaged up in a standard format and shipped to the target application (which need not reside on the local host; they can be sent remotely). It's possible that ARD may use this feature (see: code reuse) to compile its actions once on the management console, and then blast the AppleEvents to all the managed machines. I'm nearly certain that some of these capabilities require the use of whatever do shell script compiles to, so even the "block shell scripts from AppleScript under root" solution is not acceptable.

So, barring a major overhaul of how the entire Apple Remote Desktop system works (if my speculation is correct), this is an entrenched problem that Apple cannot solve, instead of one they're simply ignoring. And I still maintain that it's not so huge as everyone wants it to be.

The more I think about this, the more sense it makes.

Apparently I call the cops when I see people litter.
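As an added example (not from the post above), a small POSIX shell script that reproduces the audit described in it: list setuid-root files under a root directory, then keep only those that are the main executable of an .app bundle using the same backreference grep. The path list in `sample_paths` is constructed for offline testing; the `Example.app` helper is a made-up decoy.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audit: which setuid-root files are the main executable of an .app bundle,
# i.e. <Name>.app/Contents/MacOS/<Name>, rather than a single-purpose helper.

# Print every regular file under $1 that is setuid and owned by root.
# Uses only -perm/-user/-xdev, which BSD (macOS) and GNU find both support.
find_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Filter stdin (one path per line) down to bundle main executables.
# The \1 backreference forces the executable name to equal the bundle name,
# so a helper living in a bundle under another name is dropped. The dot in
# ".app" is escaped here; the post's version left it as a wildcard.
bundle_main_execs() {
    grep '/\([^/]*\)\.app/Contents/MacOS/\1$'
}

# Constructed sample input: the two bundle executables the post lists, plus two
# decoys that must be rejected (a plain binary and a differently named helper).
sample_paths() {
    printf '%s\n' \
        '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' \
        '/usr/bin/sudo' \
        '/Applications/Example.app/Contents/MacOS/ExampleHelper' \
        '/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp'
}

# Run the filter over the constructed sample and report how many survive.
demo_count() {
    sample_paths | bundle_main_execs | grep -c .
}

# With a root directory argument, run the real audit: e.g. "sh audit.sh /".
# Without arguments, only the constructed sample is exercised.
if [ "$#" -gt 0 ]; then
    find_setuid_root "$1" | bundle_main_execs
else
    sample_paths | bundle_main_execs
fi
```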