This is in fact a Cocoa vulnerability, so it seems relevant to this list. All Cocoa applications automagically come with rudimentary AppleScript support (including "do shell script"), so any Cocoa app that runs with suid is a security risk unless you short circuit the Foundation scripting support.
Cheers, Chuck --- On Thu, 6/19/08, Jerry LeVan <[EMAIL PROTECTED]> wrote: > From: Jerry LeVan <[EMAIL PROTECTED]> > Subject: Cocoa can be used to execute arbitrary (privileged) code ! > To: "cocoa-Dev Dev" <cocoa-dev@lists.apple.com> > Date: Thursday, June 19, 2008, 7:22 AM > Last night while browsing Slashdot I found this: > > http://it.slashdot.org/it/08/06/18/1919224.shtml > > It gives a simple command that can be used to > basically execute code as root. > > osascript -e 'tell app "ARDAgent" to do shell > script "whoami"' > > The above will print "root" and replacing > "whoami" will other > commands will cause the commands to be executed as root. > > Looks like a job for NSTask... > > This is certainly easier than using the Authentication > protocols :) > > The "root" problem is that the ARDAgent > executable is > suid'ed to root! > > I was surprised than none of the common mac sites has > picked up on this... > > > Jerry > _______________________________________________ > > Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) > > Please do not post admin requests or moderator comments to > the list. > Contact the moderators at > cocoa-dev-admins(at)lists.apple.com > > Help/Unsubscribe/Update your Subscription: > http://lists.apple.com/mailman/options/cocoa-dev/acharlieblue%40yahoo.com > > This email sent to [EMAIL PROTECTED] _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to [EMAIL PROTECTED]
