Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Software - Troubleshooting and Discussion > Mac OS X > Huge, Crazy, Ridiculous OS X Security Hole

Huge, Crazy, Ridiculous OS X Security Hole
Thread Tools
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jun 19, 2008, 10:19 AM
 
Ugh, I was resolving to cut down on my posting here, but this just has to be reported since many people's computers are now wide open.

Prologue:

OS X's implementation of AppleScript has a problem. It's had this problem since Panther at least, and I've reported it to Apple on several occasions since 2004. It always gets flagged "Behaves Correctly" by Apple's development team. The problem is: Applications that are running as root can accept AppleScript commands from applications that are not running as root. And since every Cocoa application automatically gets some basic AppleScript support, this means that any time a Cocoa application runs as root, anyone else can send it a "do shell script" command and pretty much run anything they want as root.

Fringe case, you say? If a GUI app runs as root, you've already got a problem, you say? Well, I said yeah, Cocoa and Carbon apps shouldn't be running as root, but this stuff does happen - badly written installers sometimes launch themselves as root, as do some utility programs, along with the popular lab management program "iHook" - and it only takes one such screwup to allow hackers to root your computer. But no, they decided to flag it "Behaves Correctly" and ignore it. Well, two days ago I made the mistake of mentioning this bug to someone in #macdev, and then yesterday, it comes out that...

IT TURNS OUT THAT OS X CONTAINS AN APPLESCRIPT-AWARE APPLICATION WITH ITS SETUID BIT SET, OUT OF THE BOX.

Enter this in the Terminal, and you get 'root':

osascript -e 'tell application "ARDAgent" to do shell script "whoami"'

The fix would be:

1. Change the permissions of /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent to 755 or something other than being setuid root

(example command: sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)

2. Never run Repair Permissions, because that will set it back to the way it was.

3. Send Apple bug reports to get them to fix this!

Turns out this has been posted on Slashdot, so I hope Apple enjoys all the horrible press they're going to get. They've known about this for almost four years...

edit: one thing to add is that contrary to the Slashdot article, this isn't limited just to Tiger and Leopard - I've tested it in Panther, and it works there too. It may even go back to systems earlier than that for all I know...
( Last edited by CharlesS; Jun 19, 2008 at 10:44 AM. )

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 11:02 AM
 
It's a big flaw, but not as bad as it could be. In order for it to work, the user who owns the Terminal also has to be logged into the GUI. It won't work for example, if you ssh in as a different user, or if nobody is logged in locally.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
     
Professional Poster
Join Date: Jun 2007
Status: Offline
Reply With Quote
Jun 19, 2008, 11:14 AM
 
Doesn't sound like a Huge, Crazy, Ridiculous OS X Security Hole to me. Especially in light of Arkham_c
And it does seem to be operating as apple intended. I've not seen any cocoa apps run as root on my computer. That doesn't mean there are, just there aren't any on my computer.

I suppose I'd not want to use any of those apps as well.

Like many security advisorys this seems high on hyperbole and low on relevance
( Last edited by MacosNerd; Jun 19, 2008 at 11:18 AM. Reason: reworded slightly)
     
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jun 19, 2008, 11:28 AM
 
You didn't read my post, did you? There's an AppleScript-aware app with the setuid bit set so it will run as root every single time it's launched, and it's on your computer right now.

osascript -e 'tell application "ARDAgent" to do shell script "whoami"'

Any little freeware app you download can use this AppleScript to execute anything as root from a plain, vanilla OS X installation. They could put a malicious startup item or kernel extension in /System, they could mess with the config files in /etc, they could just run rm -rf / and completely erase all attached disks. Basically, they could do anything you'd normally need to enter your admin password for, without requiring your admin password. Also, every user on the system can snoop into other users' home folders, change the admin password, or really do whatever he/she wants. You don't think that's a big security hole?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Senior User
Join Date: Nov 2003
Status: Offline
Reply With Quote
Jun 19, 2008, 11:35 AM
 
osascript -e 'tell application "ARDAgent" to do shell script "chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"'

it works!
"The road to success is dotted with the most tempting parking spaces."
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 11:36 AM
 
This is a crazy vulnerability, like Charles said. It completely destroys the OS X security model for anyone logged into the GUI — and to be honest, that's how OS X is generally used. This means that even the "A script needs to check whether you can install this software" step in the Installer could totally compromise your system. Hopefully Apple fixes this quickly.

Until then, to repeat what Charles said, here's how you can protect yourself:
1. Open up Terminal
2. Copy and paste the following, all on one line:
sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
3. Hit return.
4. It will now ask you for your password. Type your password in and hit return. (It won't show your password while you're typing it, but don't worry, it's there but invisible.)

After this, it's important that you don't repair your permissions or it will undo the fix.

BTW, thanks for letting everyone know about this, Charles.
( Last edited by Chuckit; Jun 19, 2008 at 11:55 AM. )
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Reply With Quote
Jun 19, 2008, 02:52 PM
 
Note this is a local root exploit, not a remote root exploit.
     
Professional Poster
Join Date: Jun 2007
Status: Offline
Reply With Quote
Jun 19, 2008, 02:59 PM
 
Originally Posted by CharlesS View Post
You didn't read my post, did you? There's an AppleScript-aware app with the setuid bit set so it will run as root every single time it's launched, and it's on your computer right now.

osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
No I read it but I misunderstood what you were saying. The little example provides enough illumination so the likes of myself can comprehend some of the ramifications.
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 03:03 PM
 
Originally Posted by mduell View Post
Note this is a local root exploit, not a remote root exploit.
Unless you have Remote Apple Events turned on.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Banned
Join Date: Jun 2003
Status: Offline
Reply With Quote
Jun 19, 2008, 03:07 PM
 
I think we all need to calm down...especially CharlesS.
     
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jun 19, 2008, 03:10 PM
 
So you don't think any process on the whole system being able to essentially use sudo without an admin password, making OS X's security model pretty much the same as OS 9's, is a big deal?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Posting Junkie
Join Date: Mar 2004
Location: MacNN database error. Please refresh your browser.
Status: Offline
Reply With Quote
Jun 19, 2008, 03:21 PM
 
It's something to be concerned with but the thread headline is high on the hyberbole. Nothing like fear-mongering.

This is a computer-generated message and needs no signature.
     
Banned
Join Date: Jun 2003
Status: Offline
Reply With Quote
Jun 19, 2008, 03:22 PM
 
Originally Posted by CharlesS View Post
So you don't think any process on the whole system being able to essentially use sudo without an admin password, making OS X's security model pretty much the same as OS 9's, is a big deal?
It's a big deal but I think the .bom has really gone off on your end.
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 03:33 PM
 
Originally Posted by Randman View Post
It's something to be concerned with but the thread headline is high on the hyberbole. Nothing like fear-mongering.
Uh…your computer has a rootkit on it by default. It could have been stated more calmly, but I do think it's pretty important for people to know this is a huge vulnerability and take care of it.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Posting Junkie
Join Date: Mar 2004
Location: MacNN database error. Please refresh your browser.
Status: Offline
Reply With Quote
Jun 19, 2008, 04:29 PM
 
Originally Posted by Chuckit View Post
Uh…your computer has a rootkit on it by default. It could have been stated more calmly, but I do think it's pretty important for people to know this is a huge vulnerability and take care of it.
I agree that people should know about it, and to take whatever steps to assure it's not used against you. But saying "Huge, Crazy, Ridiculous" is a bit overdramatic.

This is a computer-generated message and needs no signature.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Reply With Quote
Jun 19, 2008, 04:46 PM
 
This is indeed serious. Unless everyone immediately disables ANYTHING that can remotely do anything on their computer (like Remote Apple Events) AND somehow vets every tiny app they use (including widgets), then this built-in root kit will be a problem for someone sooner than later.

Charles, I assume you've reported the bug? How does one do this? I'm going to report it too.

Glenn -----OTR/L, MOT, Tx
     
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 05:09 PM
 
It's been on slashdot, and it came to there from one of the security sites that reports stuff to Apple, so yes, it's been reported.

It's pretty easy to fix -- in fact forum user moep described how to use the exploit to patch the exploit, which is pretty clever and funny.

It's still a local exploit, not a remote one, which reduces the severity of it. It does of course need to be fixed, but my machine was innoculated within 5 minutes of the Slashdot story being posted on Wednesday morning:

Slashdot | Mac OS X Root Escalation Through AppleScript
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 05:14 PM
 
The proper way to report a bug is with Apple's bug report form. You have to sign up for a free ADC account to log in. (If you really don't want to sign up for ADC, you can also use the OS X feedback form, but I don't know how high a priority that gets.)
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jun 19, 2008, 06:34 PM
 
Originally Posted by ghporter View Post
This is indeed serious. Unless everyone immediately disables ANYTHING that can remotely do anything on their computer (like Remote Apple Events) AND somehow vets every tiny app they use (including widgets), then this built-in root kit will be a problem for someone sooner than later.
I'm glad someone realizes this.

Charles, I assume you've reported the bug? How does one do this? I'm going to report it too.
Of course I've reported it. However, bug reporting is like voting - the more people report a specific bug the more likely it is to get fixed. So, I'd recommend you go to http://bugreport.apple.com and report it also.

And do fix the permissions on that ARDAgent binary!

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 19, 2008, 06:53 PM
 
Guys, this is a massive security hole, it deserves to be emphasized, and those of us who want to blow this off based solely on their gut feelings need to pull their heads out of their asses, to be blunt...

On any Unix system it is always a bad thing to run your services as root. This alone is a security red flag. To run a service as root *and* to provide a Unix shell with root access is probably about the biggest security hole that is imaginable.

Also, could this not be turned into a remote exploit simply by creating an executable shell script with a .command type wrapper generated by Terminal (which I believe is just an XML file) and issuing an:

Code:
open /your/exploit/shell/script.command
So:

Code:
osascript -e 'tell app "ARDAgent" to do shell script "open /your/exploit/shell/script.command"'
     
Grizzled Veteran
Join Date: Mar 2004
Status: Offline
Reply With Quote
Jun 19, 2008, 06:59 PM
 
Truly flabbergasting.
This is like a skript kiddie's wet dream.
[all they need to do is 'fill in the blank'.]
-HI-
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 19, 2008, 07:11 PM
 
Disregard what I wrote, there is a far easier way to do this...

I just created a shell script using nothing but the Terminal:

Code:
#!/bin/sh rm -f /test
(/test was a dummy file I just created, chowned as root, and chmodded 600)

Then:

Code:
$ rm -f /test rm: /test: Permission denied
Code:
osascript -e 'tell application "ARDAgent" to do shell script "/Users/me/test.sh"'
executed just fine.


So, you don't need a GUI to execute this attack, all you need is shell access.
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 19, 2008, 07:13 PM
 
Originally Posted by Arkham_c View Post
It's a big flaw, but not as bad as it could be. In order for it to work, the user who owns the Terminal also has to be logged into the GUI. It won't work for example, if you ssh in as a different user, or if nobody is logged in locally.
I just proved you wrong.
     
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jun 19, 2008, 07:15 PM
 
Originally Posted by besson3c View Post
Also, could this not be turned into a remote exploit simply by creating an executable shell script with a .command type wrapper generated by Terminal (which I believe is just an XML file) and issuing an:
Fortunately, this won't work, because the system fortunately seems to be smart enough to block me from opening the Terminal via SSH - the open command won't launch it, and while I can start it by typing the full path to its binary, it doesn't seem to get registered with the system, doesn't get a Dock icon, and isn't any better at sending AppleScripts than SSH is. I also am not able to send AppleScripts to ARDAgent via SSH or via anything I started from SSH. So it's not a remote exploit.

It is, however, pretty much the most severe local exploit possible.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 19, 2008, 07:43 PM
 
Originally Posted by CharlesS View Post
Fortunately, this won't work, because the system fortunately seems to be smart enough to block me from opening the Terminal via SSH - the open command won't launch it, and while I can start it by typing the full path to its binary, it doesn't seem to get registered with the system, doesn't get a Dock icon, and isn't any better at sending AppleScripts than SSH is. I also am not able to send AppleScripts to ARDAgent via SSH or via anything I started from SSH. So it's not a remote exploit.

It is, however, pretty much the most severe local exploit possible.
Disregard what I wrote about Terminal .command files and check out my example that illustrates how you can get this to work with a shell script. This makes it a remote exploit (providing you have SSH/shell access), no?
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 07:46 PM
 
Originally Posted by besson3c View Post
I just proved you wrong.
No, he was saying it requires an instance of the windowserver to be running with the same user you're using for SSH. As far as I can tell, this is the case. The osascript program depends on the windowserver being there.

Originally Posted by CharlesS View Post
Fortunately, this won't work, because the system fortunately seems to be smart enough to block me from opening the Terminal via SSH - the open command won't launch it, and while I can start it by typing the full path to its binary, it doesn't seem to get registered with the system, doesn't get a Dock icon, and isn't any better at sending AppleScripts than SSH is. I also am not able to send AppleScripts to ARDAgent via SSH or via anything I started from SSH. So it's not a remote exploit.
It works if you have that user logged into the GUI. I just logged into a 10.4 box through SSH and successfully opened TextEdit through osascript. Strangely, though, ARDAgent does not appear to be scriptable (locally or otherwise) on either of the 10.4 machines I tried it on.

BTW, since it requires you to log into a local shell account on the machine, it's still a local exploit, isn't it? http://wiki.linuxquestions.org/wiki/Local_exploit
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 19, 2008, 07:49 PM
 
Originally Posted by Chuckit View Post
No, he was saying it requires an instance of the windowserver to be running with the same user you're using for SSH. As far as I can tell, this is the case.
osascript and/or ARDAgent require WindowServer? Okay, but why does this have to be the same user you are using for SSH? Any user can escalate to root using this technique, so really if this required WindowServer that would simply mean that somebody has to be logged in, if WindowServer is not active at the login panel, right?
     
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jun 19, 2008, 07:56 PM
 
I think that the user you're sending the commands as has to have a window server in order to launch apps.

Originally Posted by Chuckit View Post
It works if you have that user logged into the GUI. I just logged into a 10.4 box through SSH and successfully opened TextEdit through osascript.
Yeah, but if someone's logged in to that account, it's probably someone else's account and not yours. And if you've got access to someone else's user account, all you have to do is modify their com.apple.loginitems.plist file to make your evil command a login item and wait for the next time they show up.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 08:09 PM
 
Originally Posted by besson3c View Post
osascript and/or ARDAgent require WindowServer? Okay, but why does this have to be the same user you are using for SSH? Any user can escalate to root using this technique, so really if this required WindowServer that would simply mean that somebody has to be logged in, if WindowServer is not active at the login panel, right?
Nope. Only applications run by the GUI user can connect to the windowserver. Otherwise you get the error "kCGErrorRangeCheck : Window Server communications from outside of session allowed for root and console user only".
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
cgc
Professional Poster
Join Date: Mar 2003
Location: Down by the river
Status: Offline
Reply With Quote
Jun 19, 2008, 08:19 PM
 
Couldn't resist:
Originally Posted by Aliens Movie (1986)
Hudson: That's it man, game over man, game over! What the <beep> are we gonna do now? What are we gonna do?
Burke: Maybe we could build a fire, sing a couple of songs, huh? Why don't we try that?
     
Grizzled Veteran
Join Date: Dec 2001
Location: Land of Enchantment
Status: Offline
Reply With Quote
Jun 19, 2008, 09:00 PM
 
Chuckit,
will the script 'sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' run in Tiger also?

Thanks, Jan
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 19, 2008, 09:03 PM
 
Originally Posted by Chuckit View Post
Nope. Only applications run by the GUI user can connect to the windowserver. Otherwise you get the error "kCGErrorRangeCheck : Window Server communications from outside of session allowed for root and console user only".
Ahhh, so it's very much like Xorg/X11 in this sense...

Still, you could do all the damage you wanted with a loginhook - unfettered access, just like Charles said...
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 19, 2008, 09:05 PM
 
Originally Posted by jmiddel View Post
Chuckit,
will the script 'sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' run in Tiger also?

Thanks, Jan
Unless the path has changed, it will, and if it won't it will just tell you that the file cannot be found. Go ahead and try it!
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 19, 2008, 09:16 PM
 
Originally Posted by jmiddel View Post
Chuckit,
will the script 'sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' run in Tiger also?

Thanks, Jan
Yes, it will.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jun 19, 2008, 11:18 PM
 
I just came back from the Apple Store.

So in the future, this would mean I could gain FULL access over any Mac that I'm logged in via a Guest account ?

Wow, just wow.

I think for their OWN sake, Apple needs to fix this ASAP. Otherwise, I see their whole Apple Store Macs being brutalized.

-t
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 20, 2008, 02:02 AM
 
Yeah, somebody should go in to an Apple Store and see if they can arrange getting some sort of free gift in exchange for compromising one of their machines
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jun 20, 2008, 02:15 AM
 


Worth a try.

I'm sure those overly self-confident geniuses would never believe that it will take you less than 30 seconds to gain root access to any machine.

-t
     
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Reply With Quote
Jun 20, 2008, 05:04 AM
 
Your bug gets more attention in the media now, congrats
I guess now Apple has no choice but to fix it
I don't suffer from insanity, I enjoy every minute of it.
     
Mac Elite
Join Date: Apr 2000
Status: Offline
Reply With Quote
Jun 20, 2008, 05:44 AM
 
When I try this "osascript -e 'tell application "ARDAgent" to do shell script "whoami"'",
I get this "31:55: execution error: ARDAgent got an error: AppleEvent timed out. (-1712)"

Does that mean the vulnerability does not work on my machine? Is that because something is messed up on my system? (its on 10.4.11).

Edit. Does not work in the Script editor either (obviously)

2nd edit : is it a Leopard issue only?
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jun 20, 2008, 08:52 AM
 
Correct me if I'm wrong, but the culprit is NOT only ARDAgent.

Other apps could be exploited as well, as long as they are flagged to run as root.

The Heise.de report sounds like this is a ARDAgent issue only.

-t
     
Professional Poster
Join Date: Mar 2002
Location: Boston
Status: Offline
Reply With Quote
Jun 20, 2008, 09:00 AM
 
Originally Posted by CharlesS View Post
OS X's implementation of AppleScript has a problem. It's had this problem since Panther at least
Originally Posted by villalobos View Post
2nd edit : is it a Leopard issue only?
No Panther as well as reported by the OP
~Mike
     
Banned
Join Date: Jun 2003
Status: Offline
Reply With Quote
Jun 20, 2008, 09:24 AM
 
Originally Posted by turtle777 View Post
Correct me if I'm wrong, but the culprit is NOT only ARDAgent.

Other apps could be exploited as well, as long as they are flagged to run as root.

The Heise.de report sounds like this is a ARDAgent issue only.

-t
Right...it's not only ARDAgent. But ARDAgent is the app that can allow AppleScripts to bypass security measures right out of the box as CharlesS explained.

But like I said in another thread, if you don't leave tons of ports open and if you're careful with what you download, you're safe.

Those that aren't careful deserve to get pwned. It's the equivalent of copying your house keys stamping your address on them and handing them out to perfect strangers. And then wondering why all your stuff is gone when you come back from work the next day.
( Last edited by Horsepoo!!!; Jun 20, 2008 at 09:36 AM. )
     
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jun 20, 2008, 09:32 AM
 
Originally Posted by turtle777 View Post
Correct me if I'm wrong, but the culprit is NOT only ARDAgent.

Other apps could be exploited as well, as long as they are flagged to run as root.

The Heise.de report sounds like this is a ARDAgent issue only.

-t
Yeah, I know. I really hope Apple takes the path of just making it so root applications can't accept AppleScripts from non-root applications instead of just taking the easy way out and patching ARDAgent so it ignores AppleScript commands, thus letting this problem lie dormant, waiting for the next root app that forgets about it.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Banned
Join Date: Jun 2003
Status: Offline
Reply With Quote
Jun 20, 2008, 09:44 AM
 
One thing's for sure, Apple can remove this page and probably should: Apple - Mac OS X Leopard - Technology - Security

Snow Leopard may be the best thing to come out of Apple if they actually do focus on security. And I hope QuickTime X really is a total rewrite. It has to be a total rewrite if Apple is trying to be serious about security.
     
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jun 20, 2008, 09:52 AM
 
Indeed. If Vista had something like this, we'd be laughing our asses off at it.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Reply With Quote
Jun 20, 2008, 11:05 AM
 
Aside from trusting that the changed permissions for ARDAgent does the job, is there any way to test this without creating dummy files a la besson's example? Maybe I'm simply looking for a "quick and dirty" sort of test for whether or not a machine is vulnerable without looking at ARDAgent's permissions.

Glenn -----OTR/L, MOT, Tx
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Reply With Quote
Jun 20, 2008, 11:19 AM
 
Originally Posted by ghporter View Post
Aside from trusting that the changed permissions for ARDAgent does the job, is there any way to test this without creating dummy files a la besson's example? Maybe I'm simply looking for a "quick and dirty" sort of test for whether or not a machine is vulnerable without looking at ARDAgent's permissions.
osascript -e 'tell application "ARDAgent" to do shell script "whoami"'

You don't want to see root come back.
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jun 20, 2008, 11:19 AM
 
Originally Posted by Horsepoo!!! View Post
Right...it's not only ARDAgent. But ARDAgent is the app that can allow AppleScripts to bypass security measures right out of the box as CharlesS explained.

But like I said in another thread, if you don't leave tons of ports open and if you're careful with what you download, you're safe.

Those that aren't careful deserve to get pwned. It's the equivalent of copying your house keys stamping your address on them and handing them out to perfect strangers. And then wondering why all your stuff is gone when you come back from work the next day.

What does leaving ports open have to do with this?

This is a rootkit, and as discussed it's possible for any user on the machine you are using to cause damage to any other user on the system. A rootkit is far more severe than a piece of spyware or virus, because not only can it be used for both, but it can also be used for crime related purposes.
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 20, 2008, 11:19 AM
 
Sending Charles' example command to ARDAgent will answer the question definitively. If whoami says that ARDAgent is root, then it's vulnerable; if it says it's your user, then ARDAgent is safe.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Jun 20, 2008, 11:24 AM
 
Originally Posted by turtle777 View Post
Correct me if I'm wrong, but the culprit is NOT only ARDAgent.

Other apps could be exploited as well, as long as they are flagged to run as root.
Yes, but as far as we know right now, ARDAgent is the only app that has the combination of scriptable+suid.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
 
Thread Tools
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Top
Privacy Policy
All times are GMT -4. The time now is 06:29 AM.
All contents of these forums © 1995-2014 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2014, Jelsoft Enterprises Ltd., Content Relevant URLs by vBSEO 3.3.2