Microsoft Windows XP (and Vista) have interapplication communication systems - they allow programs to identify and talk to each other. Very useful. With Vista, Microsoft put in a complex security system that prevents lower privileged programs from talking to higher privileged programs, with the aim that trojans wouldn’t be able to gain admin privilege just by talking to admin services.

There was a flaw found in it, but I’ve heard that it would be a bitch to exploit, and it would require a flaw in the targeted service too.

Mac OS X also has an interapplication communication system called Applescript. You can actually also use it as a scripting language. Applescript has been around since System 7 on the Classic Mac OS, and then for some reason it was shoehorned into OS X (which has a Unix-y security system).

Applescript doesn’t take notice of what permissions each program is running with, so any program can communicate with any other Applescript-aware program. This isn’t a good thing, but it’s not a bad thing. Any program that uses the Cocoa or Carbon APIs is also automatically Applescript-aware with at least a small vocab of commands. This isn’t necessarily a bad thing.

One of the Applescript commands available is "run shell script". A program can send an Applescript command to another program, telling it to execute a particular string as a shell script. Pointless? Yes. Useful? No. Dangerous? FUCKING HELL YES IT’S FUCKING DANGEROUS!

Any Cocoa or Carbon program running on your Mac OS X system can tell any other Cocoa or Carbon program running as root to execute a shell script, WITH ROOT PERMISSIONS. This is pretty bad, until you realise that Apple ships a Cocoa program with Mac OS X that is setuid root; in other words, when it runs, it runs as root.
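The defensive check that follows from this is simply to know which executables on the box carry the setuid bit, and in particular which of them live inside a GUI application bundle. The script below is an added example, not code from the original post or from Apple: it walks a directory with `find -perm -4000`, tags anything under a `.app/` path, and builds a small constructed sample tree (the names `Example.app`, `helper` and `ordinary` are made up for the demo) so it runs offline. On a real system you would point `audit_setuid` at `/` or `/Applications`; it needs only read access.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Lists setuid executables under a
# directory and flags the ones inside an .app bundle, which is the "setuid Cocoa
# program" case the post describes. Sample tree names below are constructed.

# Print one line per setuid executable: <flag> <owner> <path>
audit_setuid() {
    dir="$1"
    # -perm -4000 matches any file whose setuid bit is set, whatever the owner
    find "$dir" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        case "$f" in
            *.app/*) flag="APP-BUNDLE" ;;   # inside a GUI application bundle
            *)       flag="other" ;;
        esac
        printf '%s\t%s\t%s\n' "$flag" "$owner" "$f"
    done
}

# Count setuid executables that sit inside .app bundles under a directory.
count_setuid_in_bundles() {
    audit_setuid "$1" | awk '/^APP-BUNDLE/ { n++ } END { print n + 0 }'
}

# Build a constructed sample tree (hypothetical names) and print its path:
# one setuid executable inside a bundle, one setuid helper outside, one ordinary file.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Applications/Example.app/Contents/MacOS" "$tmp/usr/bin"
    printf '#!/bin/sh\n' > "$tmp/Applications/Example.app/Contents/MacOS/Example"
    printf '#!/bin/sh\n' > "$tmp/usr/bin/helper"
    printf '#!/bin/sh\n' > "$tmp/usr/bin/ordinary"
    chmod 4755 "$tmp/Applications/Example.app/Contents/MacOS/Example" "$tmp/usr/bin/helper"
    chmod 755 "$tmp/usr/bin/ordinary"
    printf '%s\n' "$tmp"
}

# Demo: audit the constructed tree, then clean it up.
sample=$(make_sample_tree)
audit_setuid "$sample"
printf 'setuid executables inside .app bundles: %s\n' "$(count_setuid_in_bundles "$sample")"
rm -rf "$sample"
```

The `APP-BUNDLE` rows are the ones worth a second look: a command-line setuid helper is at least a known pattern, whereas a setuid GUI application is exactly what lets the interapplication-messaging problem above turn into root.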

Yes. Any program you run can become root in just one line of easy-to-understand code. Any program you are running that has a remote exploit can run this Applescript code to give a remote attacker access to your entire system.

Oh, this must be a flaw in Unix, right? Wrong. Unix is working perfectly well, it’s the overlying operating system that has a bad flaw in its design. Migrating a scripting language designed to run on a single-user system, over to a multi-user Unix system, was just asking for trouble.

This must be a recent problem? No, the basic problem has existed since OS 10.0. Apple has been aware of it for four years. Yeah, but it must be getting fixed for 10.6 Snow Leopard? No, Apple has shown no interest in fixing either the basic problem (the "run shell script" command) or the immediate problem (shipping a Cocoa program that runs as setuid when it doesn’t need to), and it is still present in development builds of 10.6.

THERE IS NO SIMILAR FLAW FOR VISTA. If there are local admin vulnerabilities in Vista, they require a fair bit of knowledge and a fair few lines of code to exploit. Nothing you could accidentally stumble into. But I can see somebody accidentally exploiting the OS X vulnerability when trying to do some Applescripting.

Microsoft’s security department absolutely pwns Apple’s.

I don’t need to worry about it, because I don’t use an operating system that’s been designed by a monkey and engineered by a git, but if you use Mac OS X you should be afraid. Very afraid. Who knows what other "beige box" vulnerabilities there are yet to be discovered?
