So the setuid/gid binaries inside app bundles looked like this list on
my target box:
-rwsrwxr-x 1 root wheel 55344 Oct 8 2007 /Applications/System Preferences.app/Contents/Resources/installAssistant
-rwsr-xr-x 1 root admin 119760 Dec 19 2007 /Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
-rwsr-xr-x 1 root admin 83200 Jan 22 21:16 /Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
-rwsr-xr-x 1 root admin 55760 Sep 24 2007 /Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool
-rwxr-sr-x 1 root procmod 194944 Sep 24 2007 /Developer/Applications/Performance Tools/CHUD/Saturn.app/Contents/MacOS/Saturn
-rwxr-sr-x 1 root procmod 659168 Sep 24 2007 /Developer/Applications/Performance Tools/Shark.app/Contents/MacOS/Shark
-rwsr-sr-x 1 root wheel 18292 Sep 24 2007 /System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool
-rwsr-xr-x 1 root wheel 38432 Jan 25 15:54 /System/Library/CoreServices/Finder.app/Contents/Resources/OwnerGroupTool
-rwsr-xr-x 1 root wheel 1439952 Nov 15 2007 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
-rwsr-xr-x 1 root wheel 55808 Sep 23 2007 /System/Library/CoreServices/SecurityFixer.app/Contents/Resources/securityFixerTool
-rws--x--x 1 root daemon 65008 Feb 26 22:52 /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
Looks like Saturn, Shark, ARDAgent, and check_afp follow the pattern I
think is vulnerable, namely, they reside at
<VULN>.app/Contents/MacOS/<VULN>
Shark and Saturn are dev tools, and are only setgid procview, since they
are debug-like tools. It seems to me that the setgid bit isn't honored
when doing AppleScript, because none of these apps report an elevated
gid.
check_afp is the only other setuid binary, but it doesn't seem to
understand "do shell script"...
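As an added audit helper (not code from the original post), the script below walks a directory tree for setuid/setgid files and flags only those sitting in the bundle main-executable slot the post singles out, NAME.app/Contents/MacOS/NAME, so an inventory like the listing above can be rechecked on any box. The root path is whatever you pass in; the sample bundle names in the comments are constructed.

```sh
#!/bin/sh
# Added example: inventory setuid/setgid files that are a bundle's main
# executable (NAME.app/Contents/MacOS/NAME), the layout discussed above.
# Helper binaries under Contents/Resources are reported separately so the
# two patterns can be compared.

# Return 0 if the path has the form .../NAME.app/Contents/MacOS/NAME
is_bundle_main_exec() {
    p="$1"
    exe=$(basename "$p")
    dir=$(dirname "$p")
    case "$dir" in
        *.app/Contents/MacOS) ;;
        *) return 1 ;;
    esac
    # .../NAME.app/Contents/MacOS -> NAME.app
    bundle=$(basename "$(dirname "$(dirname "$dir")")")
    [ "${bundle%.app}" = "$exe" ]
}

# Print every setuid/setgid regular file under ROOT that is a bundle main
# executable, one per line, sorted. Paths containing spaces are fine;
# paths containing newlines are not handled.
find_privileged_bundle_execs() {
    root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if is_bundle_main_exec "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Usage: ./audit_bundles.sh /Applications   (constructed example root)
if [ "$#" -gt 0 ]; then
    find_privileged_bundle_execs "$1"
fi
```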