SkatzPoker - Tough tities.  


Gare-a-Lago The tri-state area's fourth largest hogcoin investing forum

Old 08-29-2012, 07:07 PM   #11
anatine
Lord Bathrobe
 
Quote:
Originally Posted by SkyNigger
What's the deal with these creepy users?

http://www.semicomplete.com/articles/ssh-security/

He said it in 2005 though.

Interesting, I never really considered the implications of ssh + /bin/false.

Creepy users are generally a product of the concept of 'daemons', e.g. system-level workings that do not require root (so they do not get it). The numbers are basically arbitrary up until a particular group or user id is granted read/write access to otherwise privileged areas of the file system or memory. Those users exist for specific purposes relating to sundry functionality under the hood.

To my knowledge, none have passwords however, and without a password one cannot log in to them without first being root basically.

If you dump the password database and discover that some *do* have passwords, then things might get interesting, because it would not be unreasonable to assume that the password is static across multiple systems... Unlikely tho.

Old 08-29-2012, 07:14 PM   #12
anatine
Lord Bathrobe
 
Quote:
Originally Posted by SkyNigger
So I only found out today that you have to be logged in as a specific user to fiddle with their launchdctl / default jobs (ostensibly) - I certainly never came across any of these logged in as root.

But when I try to delete the domain using the OS X defaults command, nothing is deleted as you can see.

Nothing is deleted from my root domains either. It's almost as if I was booting from a remotely 'localised' filesystem.

OSX has a ton of super weird LDAP style emulations in it regarding services and definitions and personally it's a big turn off and keeps me from really taking it very seriously. lookupd being the perfect example.

Chances are the only user allowed to access the lookupd data is delegated read-only access to certain areas of it.

Tricky little cunts.

Chances are we could mount the file system remotely and find the physical db file used for lookupd and hexedit it or something into submission but it's a lot of effort with little chance of pragmatic success by itself. With the appropriate volume of whores and champagne perhaps we could justify spending a lost week tearing out the LDAP style application layers and falling back to a simple UNIX style authentication channel tho.
Old 08-29-2012, 07:15 PM   #13
anatine
Lord Bathrobe
 
Quote:
Originally Posted by SkyNigger
What does Adobe Photoshop (which I have never used nor downloaded) got to do with a clean install of OS X?

My guess is that Apple licensed certain libraries from Adobe for their own image processing applications.

Apple and Adobe have an extremely symbiotic relationship going way back. This would not surprise me at all.
Old 08-29-2012, 07:21 PM   #14
anatine
Lord Bathrobe
 
Quote:
Originally Posted by SkyNigger
Fuck I hate rpc from Microsoft Windows tilting. Why is it doing it to me again? Is RPC supposed to be for servers or clients or both? I hate that faggot binding shit. I hate named. I hate Berkeley. I hate MIT. I hate those fucking geeks.

But mostly I hate rpc.

And I hate servers. Why did Microsoft make Win 7 a server-client surreptitiously? No one gives me an answer. And just when Apple make Lion a server-client surreptitiously, without anyone but me noticing. What are the odds.

Oh I mean, if you wanted to make your MBA-server COMPATIBLE laptop into a Server system, back in the crazy old days you had to get a Server.app to download.

Now, and this is PROGRESS, to be a Server you have to get a Server.app to download. I know right? But that's looking at it from a glass-half-filled PoV. Up until you download that Server.app, you have a Server that's serving files and netstat'ing it's way all over the place, but you just can't control any of that functionality.

No no it would be a mistake to imagine you could with the Server.app, either. I have...explored...that avenue.

aSHS;H

I love named, and Berkeley, and ATT, and MIT. But I also have significant time under the hood on all fronts (some more than others of course).

RPC is a strange bird. I don't blame you for hating it. There is a moment in Blood Meridian where Holden, aka The Judge, discusses how he wants to kill every single thing on earth or put it all in zoos because he finds their existence without his permission offensive. That's more or less how I feel about RPC. However, it is simply what's for dinner. So many applications use RPC to map themselves to local ports and to discover remote ports that it's canon at this point. The good news is not very many services really need it until you get into the real serious Windows faggotry. Pretty much all other services have non-RPC/portmap based port delegations to my knowledge, or at least have alternatives matching that description.
Old 08-29-2012, 07:23 PM   #15
nextlevelshit
hoser
 
Quote:
Originally Posted by sonatine
My guess is that Apple licensed certain libraries from Adobe for their own image processing applications.

Apple and Adobe have an extremely symbiotic relationship going way back. This would not surprise me at all.

And all it is doing is running chmod on an existing directory making it writeable to everyone.

Scooter, the reason you have all those users is to partition the processes from each other. It is a way to sandbox them. The other alternative would be to let them share one user-id and that means all these programs would be able to run roughshod over the files of other processes. If you want to be paranoid though, look and make sure they don't have shells/passwords associated with them like sonatine suggested.
Old 08-29-2012, 07:28 PM   #16
SkyNigger
Things could be worse...
 
http://xforce.iss.net/xforce/xfdb/25949

Quote:
Apple Mac OS X CFAllocatorAllocate() buffer overflow
macosx-cfallocatorallocate-bo (25949) High Risk
Description:

Apple Mac OS X is vulnerable to a heap-based buffer overflow in the CFAllocatorAllocate() function. By creating a malicious GIF file and persuading a victim to open the file using either Safari or the Preview application, a remote attacker could overflow a buffer and cause the affected application to crash or possibly execute arbitrary code on the system. An attacker could exploit this vulnerability by hosting the malicious file on a Web site or sending it to a victim as an email attachment.

Consequences:

Gain Access

Remedy:

Upgrade to the latest update for Apple Mac OS X Safari (2006-003 or later), available from the Apple Web site. See References.

References:

Security-Protocols Advisory April 19th, 2006: Apple OS X 10.4.6 "CFAllocatorAllocate ()" .gif Heap Overflow.
BID-17634: Apple Mac OS X Multiple Security Vulnerabilities
BID-17951: Apple Mac OS X Security Update 2006-003 Multiple Vulnerabilities
CVE-2006-1983: Multiple heap-based buffer overflows in Mac OS X 10.4.6 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) PredictorVSetField function for TIFF or (2) CFAllocatorAllocate function for GIF, as used in applications that use ImageIO or AppKit.
OSVDB ID: 24821: Apple Mac OS X .gif Processing CFAllocatorAllocate() Function Overflow
OSVDB ID: 24822: Apple Mac OS X .tiff Processing Multiple Function DoS
SA19686: Mac OS X Multiple Potential Vulnerabilities
SA20077: Mac OS X Security Update Fixes Multiple Vulnerabilities
SECTRACK ID: 1016067: Apple QuickTime Buffer Overflows in Processing JPEG/BMP/FlashPix/PICT Images and QuickTime/AVI/MPEG4/Flash Movies Let Remote Users Execute Arbitrary Code
VUPEN/ADV-2006-1452: Apple Mac OS X Multiple Client-Side File Handling Buffer Overflow Vulnerability
VUPEN/ADV-2006-1779: Apple Mac OS X Multiple Remote and Client-Side Code Execution Vulnerabilities

And....system crash. Pretty sure that's a DoS....from the providers of the Service.

Old 08-29-2012, 07:28 PM   #17
blake
2013-2015, 2018 SKATZ FANTASY FOOTBALL CHAMPION
 
Old 08-29-2012, 07:31 PM   #18
SkyNigger
Things could be worse...
 
Quote:
Originally Posted by sonatine
To my knowledge, none have passwords however, and without a password one cannot log in to them without first being root basically.

But they could get a /bin/false deny right?

Quote:
If you dump the password database and discover that some *do* have passwords, then things might get interesting, because it would not be unreasonable to assume that the password is static across multiple systems... Unlikely tho.

How does one dump the /etc/master.passwd file?
Old 08-29-2012, 07:37 PM   #19
nextlevelshit
hoser
 
Quote:
Originally Posted by SkyNigger
But they could get a /bin/false deny right?

How does one dump the /etc/master.passwd file?

Dump is slang for viewing it... It should just be a human-readable file. Unless your version of unix is that different.

You'll see hashed passwords for accounts like root and your personal account. The other accounts should not have the hashes.

Back 20+ years ago, I was able to get on the internet in high school... (before the web) because they didn't have shadow passwords and the passwords were exceptionally weak. A FOAF had a job at the University of Texas and thus got a copy of the password file. Run a cracker on it and there ya go.. a dot-matrix printout of cracked passwords. I wish I'd taken advantage of the internet ... was soooo easy to make money.. but nah, I figured I'd always be able to find a way to make easy money... wrong
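The check sonatine and nextlevelshit describe (service accounts should carry no usable hash and no login shell, only root and real users get a hash), written out as a POSIX shell audit of the BSD master.passwd layout; this is an added example, not code from anyone in the thread. The sample file is constructed for the example, with hypothetical account names and placeholder hash strings.

```shell
#!/bin/sh
# Audit a BSD master.passwd file for daemon accounts that could actually be
# logged into.  Field layout (10 colon-separated fields):
#   name:hash:uid:gid:class:change:expire:gecos:home:shell
# Rule of thumb from the thread: root and real users carry a hash, the
# service accounts should not, and they should have a non-login shell.

# Constructed sample in master.passwd layout (hypothetical accounts; the
# hashes are placeholder strings, not real digests).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not a real host
root:$2a$08$CONSTRUCTED.PLACEHOLDER.HASH.FOR.ROOT:0:0::0:0:System Administrator:/var/root:/bin/sh
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65::0:0:mDNSResponder:/var/empty:/usr/bin/false
_www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/usr/bin/false
_guest::300:300::0:0:Guest Daemon:/var/empty:/usr/bin/false
_backup:$1$CONSTRUCTED$PLACEHOLDER.HASH:510:510::0:0:Backup Daemon:/var/empty:/usr/bin/false
_sync:*:511:511::0:0:Sync Daemon:/var/empty:/bin/bash
scooter:$2a$08$CONSTRUCTED.PLACEHOLDER.HASH.FOR.USER:501:20::0:0:Scooter:/Users/scooter:/bin/bash
EOF
}

# Read master.passwd lines on stdin; print "<account><TAB><finding>" per problem.
# A "daemon" account here is any non-root account with uid < 500 or a leading
# underscore (the OS X convention for service accounts).
audit_passwd() {
    awk -F: '
        /^#/ || NF == 0 { next }              # comments and blank lines
        NF != 10        { next }              # not the master.passwd layout
        {
            name = $1; hash = $2; uid = $3 + 0; shell = $10
            daemon = (uid != 0 && (uid < 500 || name ~ /^_/))
            locked = (hash ~ /^[*!]/)         # "*" or "!..." can never match
            if (hash == "")
                print name "\tempty password field: logs in with no password"
            else if (daemon && !locked)
                print name "\tdaemon account carries a password hash"
            if (daemon && shell !~ /\/(false|nologin)$/)
                print name "\tdaemon account has a login shell: " shell
        }'
}

# Demo on the constructed sample; on a real host: audit_passwd </etc/master.passwd
sample_master_passwd | audit_passwd
```

On OS X of the era discussed here, local accounts live in Directory Services rather than in this file, so /etc/master.passwd only reflects the accounts used in single-user mode; the same rule applies to whatever account listing you pull from the directory.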
Old 08-29-2012, 07:41 PM   #20
anatine
Lord Bathrobe
 
Quote:
Originally Posted by SkyNigger
Sigh. I feel it is a valid question. sysctl -w returns "readonly variable" errors for all the important sysv's I want to....vary, from on to off.

bash-3.2# man -k ipv6
faith(4) - IPv6-to-IPv4 TCP relay capturing interface
icmp6(4) - Internet Control Message Protocol for IPv6
ip6(4) - Internet Protocol version 6 (IPv6) network layer
ip6(8) - Enable or disable IPv6 on active interfaces
ip6config(8) - Configure IPv6 and 6to4 IPv6 tunnelling
ip6fw(8) - controlling utility for IPv6 firewall (DEPRECATED)
ndp(8) - control/diagnose IPv6 neighbor discovery protocol
tcllib_ip(n) - IPv4 and IPv6 address manipulation
traceroute6(8) - print the route IPv6 packets will take to a network node


bash-3.2# ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether b8:8d:12:3e:cb:b6
inet6 fe80::ba8d:12ff:fe3e:cbb6%en1 prefixlen 64 scopeid 0x5
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
media: autoselect
status: active
bash-3.2# ip6 -d en1
bash-3.2# ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether b8:8d:12:3e:cb:b6
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
media: autoselect
status: active
bash-3.2# netstat -nA |grep c6
e2c6338 tcp4 0 0 192.168.1.2.49932 69.171.224.55.443 ESTABLISHED
e2c6db0 tcp4 0 0 192.168.1.2.54486 204.11.221.77.5222 ESTABLISHED
bash-3.2# netstat -nA |grep tcp6
bash-3.2# netstat -nA |grep udp6
dfb4bf8 udp6 0 0 *.50840 *.*
cabf6bc udp6 0 0 *.60923 *.*
cabe3e4 udp6 0 0 *.61029 *.*
cabfaec udp6 0 0 *.61932 *.*
c5454f0 udp6 0 0 *.54851 *.*
c5452d8 udp6 0 0 *.64424 *.*
c5466bc udp6 0 0 *.58356 *.*
13d1eaa0 udp6 0 0 *.64237 *.*
c5451cc udp6 0 0 *.50729 *.*
c547240 udp6 0 0 *.57039 *.*
c547aa0 udp6 0 0 *.5353 *.*



Interesting, /usr/sbin/mDNSresponder binds to ipv6 interfaces.

# man mDNSResponder
mDNSResponder(8) BSD System Manager's Manual mDNSResponder(8)

NAME
mDNSResponder -- Multicast and Unicast DNS daemon

Well then.

bash-3.2# /usr/sbin/mDNSResponder -launchd
bash-3.2# ping well.com
ping: cannot resolve well.com: Unknown host
bash-3.2# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=251 time=27.099 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 27.099/27.099/27.099/0.000 ms
bash-3.2# cat /etc/resolv.conf
#
# Mac OS X Notice
#
# This file is not used by the host name and address resolution
# or the DNS query routing mechanisms used by most processes on
# this Mac OS X system.
#
# This file is automatically generated.
#
domain home
nameserver 192.168.1.1
bash-3.2# vi /etc/resolv.conf
bash-3.2# ping well.com
ping: cannot resolve well.com: Unknown host
bash-3.2# ps axuw |grep mDNS
root 21062 0.0 0.0 2434892 576 s005 R+ 2:30PM 0:00.00 grep mDNS
_mdnsresponder 21040 0.0 0.0 2509744 2796 ?? Ss 2:29PM 0:00.03 /usr/sbin/mDNSResponder -launchd
bash-3.2# ping www.skatzpoker.com
ping: cannot resolve www.skatzpoker.com: Unknown host
bash-3.2#
bash-3.2# nslookup well.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: well.com
Address: 50.16.199.94

bash-3.2# ping well.com
ping: cannot resolve well.com: Unknown host
bash-3.2#

Perfect, loverly.

Brb, rebooting so mDNSResolver can run "correctly".

Ok back.

So yeah you can disable ipv6 on the interfaces trivially as seen above. But when you start reaching under the skirt of mDNSResolver / launchd / lookupd everything goes batshit. If I wasn't "working" right now I would have discovered/broken down the steps to bring up mDNSResolver in a way that restores services without a reboot, but resources are thin and the sword of Damocles is often the most suitable tool in the box.

Of course, with ipv6 disabled on the interfaces, I don't see how mDNSResolver would receive any ipv6 traffic, so the open ipv6 ports it uses are pragmatically irrelevant; however, that would not be enough for compliance with our standards for success in this exorcize, admittedly.
Tags
ape toddling too hard, calm down nerds, how to win friends & influence peeps, scooter head spiders not so friendly