Existing users, log in.  New users, create a free account.  Lost password?

Mac OS X  |  System / Utilities  |  Maintenance / Optimization  |  Cocktail  |  *censored*tail Leakng

Cocktail

Cocktail

(Tiger Edition) general purpose system modify/repair utility.

Version:  4.2.1

   [ Views: 945 ]

*censored*tail Leakng

Feedback Type:  Review

Contributed by: Macsure Saturday, May 07 2005 @ 06:30 PM PDT

Product Platform: MacOSX

Used Product For: Less than a month

Recommend Product: NO

*censored*tail leaks your admin password in the clear. Just take a look at this report:

From the SecurityFocus advisory:


Since *censored*tail needs administrative privileges the user is prompted for the admin password upon startup. The actual maintenance is done by command line utilities that are executed in an insecure manner: *censored*tail creates a new process and lets /bin/sh pipe the admin password using echo into sudo, which then will execute the utility, like this:


sh -c echo 'PASSWORD' | sudo -p '' -S sudo update_prebinding -root /


Exploitation:


Knowing *censored*tail is waiting for some Unix utility to have finished its work, just execute 'ps ax' on the terminal and search for the password.
==============
That, plus this app is just a pretty wrapper for running standard command line scripts.

Compared to RixSteps "Clix" - *censored*tail is just "mini-bloatware" providing 500 fewer commands than Clix. So I've become a switcher, the only money spent is on *censored*tail when "everyone was donating for it."   
Overall Rating:

Ease of Use:

Support:

Features:

Quality / Stability:

Price:

3 of 4 users found this helpful.

Rate this Review

Was this Review helpful? Yes | No

Comments

1 comments |

I agree - Ilgaz

I have a 230 page episode to edit with ThinkFree office and print, I'd better type commands my own below. (count each as command typed)

You know why people buy macs? First learn it before being a smart guy or advertise smart guys who falsely get respect.

Jun 3 14:59:30 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:30 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:30 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:30 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:30 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:40 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:40 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:40 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:40 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:40 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:53 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:53 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:53 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:53 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:54 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:54 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:54 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:54 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:54 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:54 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:55 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:55 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:55 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:55 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:55 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:56 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:56 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:56 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:56 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:57 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:57 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:57 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:57 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:57 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:58 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:58 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:58 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:58 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:58 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:59 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:59 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:59 Ilgaz authexec: executing /bin/sh
Jun 3 14:59:59 Ilgaz authexec: executing /bin/sh
Jun 3 15:00:00 Ilgaz authexec: executing /bin/sh
Jun 3 15:00:00 Ilgaz authexec: executing /bin/sh
Jun 3 15:02:09 Ilgaz authexec: executing /bin/sh
Jun 3 15:02:10 Ilgaz authexec: executing /bin/sh
Jun 3 15:02:20 Ilgaz authexec: executing /bin/sh
Jun 3 15:02:23 Ilgaz authexec: executing /bin/sh
Jun 3 15:02:33 Ilgaz authexec: executing /bin/sh
Jun 3 15:03:01 Ilgaz authexec: executing /bin/sh
Jun 3 15:03:05 Ilgaz authexec: executing /bin/sh
Jun 3 15:03:11 Ilgaz authexec: executing /bin/sh

Reply to This

Friday, June 03 2005 @ 05:17 AM PDT