Hi,
While searching through macOS I came about an application located in /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app called LockScreen.app. This application, as I understand it, locks a mac users computer and make the touch bar, keyboard, and mouse unresponsive. It also puts a lock icon on the screen. The only way to quit this app is to either have a process in the background set to quit the app after a certain time or to ssh into the computer and kill the process, or to force shutdown the Mac. If ssh is turned off (as it is by default) and a there is no process in the background set to quit it, then the only way to quit the application would be to restart.
I have also come to realize that this application is under the System directory. Meaning that it is protected from alteration or deletion due to SIP (System Integrity Protection). Therefore to remove the program someone would have to disable SIP.
So....
My question is, Could one use this application to create an apple script (get past malware/virus detection + works on all Macs without need to download extra software) that would open this application, add it self to the login process (with a LaunchAgent + reopening the on every login to make the restarting futile) and/or a login item, constantly kill the ssh process (preventing ssh), all without prompting for a administrators password?
***I am not asking this question because I have the intent of using this program in the way I have described it. I am asking because I would like to know if am missing something that would prevent someone from doing this and if not, then to make people aware of this venerability.
P.S. I do know that safe-mode would prevent the application from opening in safe mode but it is still a huge venerability in my opinion that should be fixed immediately by Apple.
Thanks, Josh
While searching through macOS I came about an application located in /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/LockScreen.app called LockScreen.app. This application, as I understand it, locks a mac users computer and make the touch bar, keyboard, and mouse unresponsive. It also puts a lock icon on the screen. The only way to quit this app is to either have a process in the background set to quit the app after a certain time or to ssh into the computer and kill the process, or to force shutdown the Mac. If ssh is turned off (as it is by default) and a there is no process in the background set to quit it, then the only way to quit the application would be to restart.
I have also come to realize that this application is under the System directory. Meaning that it is protected from alteration or deletion due to SIP (System Integrity Protection). Therefore to remove the program someone would have to disable SIP.
So....
My question is, Could one use this application to create an apple script (get past malware/virus detection + works on all Macs without need to download extra software) that would open this application, add it self to the login process (with a LaunchAgent + reopening the on every login to make the restarting futile) and/or a login item, constantly kill the ssh process (preventing ssh), all without prompting for a administrators password?
***I am not asking this question because I have the intent of using this program in the way I have described it. I am asking because I would like to know if am missing something that would prevent someone from doing this and if not, then to make people aware of this venerability.
P.S. I do know that safe-mode would prevent the application from opening in safe mode but it is still a huge venerability in my opinion that should be fixed immediately by Apple.
Thanks, Josh