We were doing some tests and queries using Facebook osquery to create some packs and noticed something uncommon when analyzing the apps table.
osquery> SELECT name, bundle_short_version, bundle_version, bundle_identifier FROM apps WHERE name LIKE '%gotomeeting%';
+------------------------+----------------------+----------------+-------------------------+
| name                   | bundle_short_version | bundle_version | bundle_identifier       |
+------------------------+----------------------+----------------+-------------------------+
| GoToMeeting.app        | 8.24.0.8569          | 8569           | com.logmein.GoToMeeting |
| GoToMeeting (8404).app | 8.21.0.8404          | 8404           | com.logmein.GoToMeeting |
| GoToMeeting (8473).app | 8.22.0.8473          | 8473           | com.logmein.GoToMeeting |
| GoToMeeting (8557).app | 8.23.0.8557          | 8557           | com.logmein.GoToMeeting |
| GoToMeeting (8569).app | 8.24.0.8569          | 8569           | com.logmein.GoToMeeting |
| GoToMeeting (8625).app | 8.25.0.8625          | 8625           | com.logmein.GoToMeeting |
| GoToMeeting (8679).app | 8.26.0.8679          | 8679           | com.logmein.GoToMeeting |
| GoToMeeting (8789).app | 8.27.0.8789          | 8789           | com.logmein.GoToMeeting |
+------------------------+----------------------+----------------+-------------------------+
osquery>
As you can see, multiple versions of GoToMeeting were found. Analyzing a bit, we noticed that the main GoToMeeting application was pointing to an old version (in red) and not the current one (in green).
If you look into Mac Applications, we have:
Clicking to open GoToMeeting will open version 8.24.
Some questions:
- Is something wrong on my Mac, or is it a real problem? (hope so, because if it isn't, this is a huge attack surface)
- Why is the main application not pointing to the correct version?
- Why do they keep all the old binary versions?
Could someone test and validate this further? I didn't have another Mac to validate this, or one that has had GoToMeeting installed for a very long time.
Happy Hunting.
BlueOps Team
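As an added example (not part of the post above, and not an osquery or LogMeIn artifact), the check the post is hunting for, written as an osquery-style SQL query and run against the rows from the output above loaded into an in-memory SQLite table that mimics the `apps` columns used: flag any main bundle whose build is older than another copy with the same bundle_identifier. The Safari row is a constructed control value, not taken from the post.

```python
import sqlite3

# Rows constructed from the osquery output in the post (subset of the apps table
# columns: name, bundle_short_version, bundle_version, bundle_identifier).
SAMPLE_APPS = [
    ("GoToMeeting.app", "8.24.0.8569", "8569", "com.logmein.GoToMeeting"),
    ("GoToMeeting (8404).app", "8.21.0.8404", "8404", "com.logmein.GoToMeeting"),
    ("GoToMeeting (8473).app", "8.22.0.8473", "8473", "com.logmein.GoToMeeting"),
    ("GoToMeeting (8557).app", "8.23.0.8557", "8557", "com.logmein.GoToMeeting"),
    ("GoToMeeting (8569).app", "8.24.0.8569", "8569", "com.logmein.GoToMeeting"),
    ("GoToMeeting (8625).app", "8.25.0.8625", "8625", "com.logmein.GoToMeeting"),
    ("GoToMeeting (8679).app", "8.26.0.8679", "8679", "com.logmein.GoToMeeting"),
    ("GoToMeeting (8789).app", "8.27.0.8789", "8789", "com.logmein.GoToMeeting"),
    # Constructed control row: a single copy must never be flagged.
    ("Safari.app", "14.0", "16610", "com.apple.Safari"),
]

# Self-join of apps on bundle_identifier. The "main" side is the bundle whose
# name carries no "(build)" suffix; it is reported when the highest build of
# the same identifier belongs to a different bundle. bundle_version is TEXT in
# osquery, so it is CAST before comparing. The SQL is plain SQLite and is
# intended to run unchanged as a scheduled query in an osquery pack.
STALE_MAIN_QUERY = """
SELECT main.name                   AS main_app,
       main.bundle_short_version   AS main_version,
       newest.bundle_short_version AS newest_version,
       newest.name                 AS newest_app
FROM apps AS main
JOIN apps AS newest
  ON newest.bundle_identifier = main.bundle_identifier
 AND newest.name != main.name
WHERE main.name NOT LIKE '% (%).app'
  AND CAST(newest.bundle_version AS INTEGER) > CAST(main.bundle_version AS INTEGER)
  AND CAST(newest.bundle_version AS INTEGER) = (
        SELECT MAX(CAST(bundle_version AS INTEGER)) FROM apps
        WHERE bundle_identifier = main.bundle_identifier)
"""


def find_stale_main_bundles(rows):
    """Load rows into an apps-shaped table and return (main, main_ver, newest_ver, newest)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apps (name TEXT, bundle_short_version TEXT,"
                 " bundle_version TEXT, bundle_identifier TEXT)")
    conn.executemany("INSERT INTO apps VALUES (?, ?, ?, ?)", rows)
    return conn.execute(STALE_MAIN_QUERY).fetchall()


if __name__ == "__main__":
    for main_app, main_ver, newest_ver, newest_app in find_stale_main_bundles(SAMPLE_APPS):
        print(f"{main_app} is {main_ver} but {newest_app} ({newest_ver}) is installed")
```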