MoAB Day 5 Fix Script

The fix for day 5’s bug sadly can’t be affected through runtime patching alone. It requires changing the permissions on disk of a number of files and directories which are vulnerable to being edited by default. I’m providing scripts you can run in Terminal.app to change these permissions to safe values.

• bom-safety.py (sig) changes the permissions to safe values.


• bom-unsafety.py (sig) changes the permissions back to Apple’s original (unsafe) values.

You can run these scripts in Terminal.app as root using sudo:

sudo /usr/bin/python bom-safety.py

It’ll print a message when it is done or if it encounters a problem.

Finlay Dobbie pointed out that certain Apple installers like X11.app or XCode Tools may change these permissions back to vulnerable values again.

In order to re-run the bom-safety script you must rename the backup it creates at /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom.orig.

• Set the sticky bit on /Library/Receipts


• Set the sticky bit on the paths down to each of the critical BOMs


• Unset the group-write bit on the critical BOMs


• Create root-owned 0-length place holders for critical BOMs/paths
  that don’t exist


• Backup /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom


• Make a 1-bit change to the
  /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom file that causes
  repair permissions to keep the sticky bit set on /Library/Receipts
  rather than removing it.


• Print a completed message

As always, you shouldn’t run code when you can’t understand it yourself, trust someone who understands it, or trust the author of the code. For those wondering if I actually wrote the code downloadable above I am providing GPG signatures above for your review. Ironically, the current available GnuPG for Mac has a code execution security hole since early December. I’m building new universal binaries of GPG now and will post them later today.