Apple Ships SUIDs With AppleScript Dictionaries. Hilarity Ensues.

Thomas Ptacek | June 19th, 2008 | Filed Under: Apple

Item.

FAIL: Got a Mac? Pull up a Terminal and type

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

Yep, you’re root. ARDAgent is the Apple Remote Desktop agent application. It’s SUID root: it runs as the superuser, not your user. That means it needs to be careful not to expose features that let its users muck with the system as superuser. ARDAgent has an AppleScript dictionary. One of the entries in that dictionary is “do shell script”.

Item.

This vulnerability takes us back. It’s not SunOS 4.1.3 IFS variable bad. It’s AIX “tprof” bad. It’s a SUID program whose job is to run programs as root for you. It’s “su” without the password. Well played!

Item.

All due respect to the amazing developers at Apple, who make miracles happen every day and restore childlike joy to our lives, but this confirms Dave’s thesis about Apple developers and Unix security: take a large group of C programmers who cut their teeth on the Mac Toolbox APIs and give them “The Unix You Know On The Mac You Love”, and the result is not, pardon me for suggesting this, “Safer by Design”.

There’s a crack team of security people at Apple doing an excellent job locking down an extremely complex operating system. But if you’re lining them up against every Apple developer and giving the developer side the “SUID” bit, it’s not a fair fight. It’s whack-a-mole.

Item.

You can fix this with “chmod u-s ARDAgent”, by removing ARDAgent, or by putting “NSEnableApplescript=YES” in the plist for ARDAgent.

Item.

Start looking for other SUIDs with AppleScript dictionaries; rack up the CVE entries now. They’re mostly harmless, after all.
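As an added audit example (not code from the original post), here is a Python script that walks a directory tree and reports setuid executables living inside .app bundles whose Info.plist declares AppleScript support, the same combination that bit ARDAgent. The NSAppleScriptEnabled and OSAScriptingDefinition plist keys and the /Applications and /System/Library/CoreServices roots are my assumptions about the bundle layout, not something the post states; anything it flags is a candidate for the chmod u-s fix above.

```python
"""Find SUID executables inside scriptable .app bundles (added audit example)."""
import os
import plistlib
import stat
from typing import Dict, List

# Info.plist keys that mark a bundle as AppleScript-able (assumed from Apple's
# bundle key documentation; the post itself spells the key differently).
SCRIPTABLE_KEYS = ("NSAppleScriptEnabled", "OSAScriptingDefinition")


def is_scriptable(info: Dict) -> bool:
    """True if the plist declares AppleScript support (bool True, 'YES', or an sdef)."""
    for key in SCRIPTABLE_KEYS:
        value = info.get(key)
        if value is True or (isinstance(value, str) and value.upper() == "YES"):
            return True
        if key == "OSAScriptingDefinition" and value:  # names an .sdef file
            return True
    return False


def suid_executables(bundle: str) -> List[str]:
    """Regular files under Contents/MacOS that carry the setuid bit."""
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    if not os.path.isdir(macos_dir):
        return []
    hits = []
    for name in sorted(os.listdir(macos_dir)):
        path = os.path.join(macos_dir, name)
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
            hits.append(path)
    return hits


def scan(root: str, require_root_owner: bool = True) -> List[Dict]:
    """Return one finding per SUID executable in a scriptable bundle under root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if not dirpath.endswith(".app") or "Contents" not in dirnames:
            continue
        try:
            with open(os.path.join(dirpath, "Contents", "Info.plist"), "rb") as fh:
                info = plistlib.load(fh)
        except Exception:  # unreadable or malformed plist: skip, don't crash the audit
            continue
        if not is_scriptable(info):
            continue
        for exe in suid_executables(dirpath):
            uid = os.lstat(exe).st_uid
            if require_root_owner and uid != 0:  # only SUID *root* matters here
                continue
            findings.append({"bundle": dirpath, "executable": exe, "uid": uid})
    return findings


if __name__ == "__main__":
    for f in scan("/Applications") + scan("/System/Library/CoreServices"):
        print(f"{f['executable']} (uid {f['uid']}) in scriptable bundle {f['bundle']}")
```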

Item.

There, I said it. We don’t care. Really. I didn’t even fix it on my machine. What’s the point?

My sysadmin alter-ego is infamous for messing up servers after install. I like to deploy systems with no SUIDs at all. The ISP I helped run in the ’90s, EnterAct, ran without an SUID “passwd” program. Changing passwords is the motivating use case for SUID. You need to be root to edit the password file. On our systems, passwd was a client of a little network service that did the change. I found the FreeBSD 2.1.4 crt0 hole because one of our dev servers got cracked, it had only one SUID that dropped creds 2 lines into “main()”, and where else could the flaw have been? So I feel like, in the course of pissing off my friends and colleagues for going on 15 years now, I’ve built up the credibility to say:

Who cares if someone busts root on your Mac?

It’s a single-user system. I’ll let you in on a Matasano state secret: if you break the “tqbf” account on my laptop, I’m in trouble. If you’re malware and just trying to spread, or redirect my browser to phishing pages, you’re wasting your time with this “root” silliness.

Item.

For once, the Slashdot commentariat seems to be on the ball. Check out these +4’s:

The thing is, it’s not true that “one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be ‘stopped at the gate’ by that policy”. It’s not. You can protect the OS from the malware, but the malware can still hide, still restart itself after a reboot, and still destroy everything you actually CARE about without root access. And malware can similarly break out of Vista’s jail around IE, and whatever Apple does along those lines.

Unfortunately KDE, Qt, X11, Gtk, Gnome, and the whole “let’s make Linux into Windows” desktop hodgepodge that’s layered on top of UNIX[1] is incredibly complex, has many components running with elevated privileges, and while it has fewer exploitation vectors than Windows it’s conceptually more complex than the NeXTstep-derived equivalents in OS X.

“Malware arguably (one of the greatest scourges of modern computing) spreads by just that, local root vulnerabilities”. No, it does not. Most malware doesn’t need root to do most of the things it wants to do. Having root opens up some more possibilities, but it is by no means required.

There are those here, though, who seem intent on writing this off as a non-exploit or trying to explain it away. That’s where a concept known as “Intellectual Honesty” comes into play. You have to be honest with yourself about what you know and do. Viruses are a fact of life on computers and, while Apple is closed architecture (which by its very nature makes it MUCH more secure than other OSes), it’s only a matter of time before real viruses appear for the Apple platform that just won’t be able to be explained away.
