Huge, Crazy, Ridiculous OS X Security Hole
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 19, 2008, 10:19 AM
 
Ugh, I was resolving to cut down on my posting here, but this just has to be reported since many people's computers are now wide open.

Prologue:

OS X's implementation of AppleScript has a problem. It's had this problem since Panther at least, and I've reported it to Apple on several occasions since 2004. It always gets flagged "Behaves Correctly" by Apple's development team. The problem is: Applications that are running as root can accept AppleScript commands from applications that are not running as root. And since every Cocoa application automatically gets some basic AppleScript support, this means that any time a Cocoa application runs as root, anyone else can send it a "do shell script" command and pretty much run anything they want as root.

Fringe case, you say? If a GUI app runs as root, you've already got a problem, you say? Well, I said yeah, Cocoa and Carbon apps shouldn't be running as root, but this stuff does happen - badly written installers sometimes launch themselves as root, as do some utility programs, along with the popular lab management program "iHook" - and it only takes one such screwup to allow hackers to root your computer. But no, they decided to flag it "Behaves Correctly" and ignore it. Well, two days ago I made the mistake of mentioning this bug to someone in #macdev, and then yesterday, it comes out that...

IT TURNS OUT THAT OS X CONTAINS AN APPLESCRIPT-AWARE APPLICATION WITH ITS SETUID BIT SET, OUT OF THE BOX.

Enter this in the Terminal, and you get 'root':

osascript -e 'tell application "ARDAgent" to do shell script "whoami"'

The fix would be:

1. Change the permissions of /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent to 755 or something other than being setuid root

(example command: sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)

2. Never run Repair Permissions, because that will set it back to the way it was.

3. Send Apple bug reports to get them to fix this!

Turns out this has been posted on Slashdot, so I hope Apple enjoys all the horrible press they're going to get. They've known about this for almost four years...

edit: one thing to add is that contrary to the Slashdot article, this isn't limited just to Tiger and Leopard - I've tested it in Panther, and it works there too. It may even go back to systems earlier than that for all I know...
( Last edited by CharlesS; Jun 19, 2008 at 10:44 AM. )

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Arkham_c
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status: Offline
Jun 19, 2008, 11:02 AM
 
It's a big flaw, but not as bad as it could be. In order for it to work, the user who owns the Terminal also has to be logged into the GUI. It won't work for example, if you ssh in as a different user, or if nobody is logged in locally.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
     
MacosNerd
Professional Poster
Join Date: Jun 2007
Status: Offline
Jun 19, 2008, 11:14 AM
 
Doesn't sound like a Huge, Crazy, Ridiculous OS X Security Hole to me. Especially in light of Arkham_c
And it does seem to be operating as apple intended. I've not seen any cocoa apps run as root on my computer. That doesn't mean there are, just there aren't any on my computer.

I suppose I'd not want to use any of those apps as well.

Like many security advisories, this seems high on hyperbole and low on relevance.
( Last edited by MacosNerd; Jun 19, 2008 at 11:18 AM. Reason: reworded slightly)
     
CharlesS  (op)
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 19, 2008, 11:28 AM
 
You didn't read my post, did you? There's an AppleScript-aware app with the setuid bit set so it will run as root every single time it's launched, and it's on your computer right now.

osascript -e 'tell application "ARDAgent" to do shell script "whoami"'

Any little freeware app you download can use this AppleScript to execute anything as root from a plain, vanilla OS X installation. They could put a malicious startup item or kernel extension in /System, they could mess with the config files in /etc, they could just run rm -rf / and completely erase all attached disks. Basically, they could do anything you'd normally need to enter your admin password for, without requiring your admin password. Also, every user on the system can snoop into other users' home folders, change the admin password, or really do whatever he/she wants. You don't think that's a big security hole?
     
moep
Senior User
Join Date: Nov 2003
Status: Offline
Jun 19, 2008, 11:35 AM
 
osascript -e 'tell application "ARDAgent" to do shell script "chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"'

it works!
"The road to success is dotted with the most tempting parking spaces."
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 19, 2008, 11:36 AM
 
This is a crazy vulnerability, like Charles said. It completely destroys the OS X security model for anyone logged into the GUI — and to be honest, that's how OS X is generally used. This means that even the "A script needs to check whether you can install this software" step in the Installer could totally compromise your system. Hopefully Apple fixes this quickly.

Until then, to repeat what Charles said, here's how you can protect yourself:
1. Open up Terminal
2. Copy and paste the following, all on one line:
sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
3. Hit return.
4. It will now ask you for your password. Type your password in and hit return. (It won't show your password while you're typing it, but don't worry, it's there but invisible.)

After this, it's important that you don't repair your permissions or it will undo the fix.

BTW, thanks for letting everyone know about this, Charles.
( Last edited by Chuckit; Jun 19, 2008 at 11:55 AM. )
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
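The check and mitigation from the steps above, as an added shell script that is not from the thread or from Apple: it reads the ARDAgent binary's mode and numeric owner with `ls -ldn`, reports whether the setuid-root combination the thread describes is still present, and `fix` applies the same `chmod 755`. The ARDAgent path is the one quoted in the thread; the function names and the constructed test values are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread: a defender's check for the
# condition the posts above describe (a scriptable app whose binary is
# setuid root) plus the chmod 755 mitigation given in the thread.
# The ARDAgent path is the one quoted in the thread; function names and
# the constructed test values are this example's own.

ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_vulnerable_mode MODE UID
# MODE is an ls -l style mode string (e.g. "-rwsr-xr-x"); UID is the numeric
# owner. Returns 0 when the setuid bit is set (4th character 's' or 'S')
# AND the owner is root (uid 0), i.e. the combination the thread warns about.
is_vulnerable_mode() {
    mode=$1
    uid=$2
    case "$mode" in
        ???[sS]*) [ "$uid" -eq 0 ] && return 0 ;;
    esac
    return 1
}

# file_setuid_root PATH
# Reads mode and numeric owner with POSIX `ls -ldn` (works with both the BSD
# ls on Mac OS X and GNU ls) and applies is_vulnerable_mode to them.
# Returns 0 = setuid root, 1 = not setuid root, 2 = path does not exist.
file_setuid_root() {
    path=$1
    [ -e "$path" ] || return 2
    # Word splitting is intended: field 1 is the mode, field 3 the owner uid.
    set -- $(ls -ldn "$path")
    is_vulnerable_mode "$1" "$3"
}

# check_ardagent
# Prints a verdict for the ARDAgent binary and returns file_setuid_root's code.
check_ardagent() {
    file_setuid_root "$ARDAGENT"
    rc=$?
    case $rc in
        0) echo "VULNERABLE: $ARDAGENT is setuid root" ;;
        1) echo "OK: $ARDAGENT is not setuid root" ;;
        2) echo "SKIP: $ARDAGENT not found (not Mac OS X, or the path changed)" ;;
    esac
    return $rc
}

# fix_ardagent
# Applies the mitigation from the thread: clear setuid by setting mode 755.
# Needs root (run via sudo). As the thread notes, Repair Permissions in Disk
# Utility restores the original mode, so re-run `check` afterwards.
fix_ardagent() {
    check_ardagent >/dev/null
    [ $? -eq 0 ] || return 0   # not setuid root: nothing to do
    chmod 755 "$ARDAGENT" && check_ardagent
}

# Dispatcher: `sh ardagent_check.sh check` or `sudo sh ardagent_check.sh fix`.
# With no argument the script only defines the functions above.
case "${1:-}" in
    check) check_ardagent ;;
    fix)   fix_ardagent ;;
esac
```

The permission check complements, rather than replaces, the `osascript ... "whoami"` test quoted in the thread, which exercises the actual behaviour.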
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Jun 19, 2008, 02:52 PM
 
Note this is a local root exploit, not a remote root exploit.
     
MacosNerd
Professional Poster
Join Date: Jun 2007
Status: Offline
Jun 19, 2008, 02:59 PM
 
Originally Posted by CharlesS
You didn't read my post, did you? There's an AppleScript-aware app with the setuid bit set so it will run as root every single time it's launched, and it's on your computer right now.

osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
No I read it but I misunderstood what you were saying. The little example provides enough illumination so the likes of myself can comprehend some of the ramifications.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 19, 2008, 03:03 PM
 
Originally Posted by mduell
Note this is a local root exploit, not a remote root exploit.
Unless you have Remote Apple Events turned on.
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Status: Offline
Jun 19, 2008, 03:07 PM
 
I think we all need to calm down...especially CharlesS.
     
CharlesS  (op)
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 19, 2008, 03:10 PM
 
So you don't think any process on the whole system being able to essentially use sudo without an admin password, making OS X's security model pretty much the same as OS 9's, is a big deal?
     
Randman
Posting Junkie
Join Date: Mar 2004
Location: MacNN database error. Please refresh your browser.
Status: Offline
Jun 19, 2008, 03:21 PM
 
It's something to be concerned with, but the thread headline is high on the hyperbole. Nothing like fear-mongering.

This is a computer-generated message and needs no signature.
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Status: Offline
Jun 19, 2008, 03:22 PM
 
Originally Posted by CharlesS
So you don't think any process on the whole system being able to essentially use sudo without an admin password, making OS X's security model pretty much the same as OS 9's, is a big deal?
It's a big deal but I think the .bom has really gone off on your end.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 19, 2008, 03:33 PM
 
Originally Posted by Randman
It's something to be concerned with, but the thread headline is high on the hyperbole. Nothing like fear-mongering.
Uh…your computer has a rootkit on it by default. It could have been stated more calmly, but I do think it's pretty important for people to know this is a huge vulnerability and take care of it.
     
Randman
Posting Junkie
Join Date: Mar 2004
Location: MacNN database error. Please refresh your browser.
Status: Offline
Jun 19, 2008, 04:29 PM
 
Originally Posted by Chuckit
Uh…your computer has a rootkit on it by default. It could have been stated more calmly, but I do think it's pretty important for people to know this is a huge vulnerability and take care of it.
I agree that people should know about it, and to take whatever steps to assure it's not used against you. But saying "Huge, Crazy, Ridiculous" is a bit overdramatic.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jun 19, 2008, 04:46 PM
 
This is indeed serious. Unless everyone immediately disables ANYTHING that can remotely do anything on their computer (like Remote Apple Events) AND somehow vets every tiny app they use (including widgets), then this built-in root kit will be a problem for someone sooner than later.

Charles, I assume you've reported the bug? How does one do this? I'm going to report it too.

Glenn -----OTR/L, MOT, Tx
     
Arkham_c
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status: Offline
Jun 19, 2008, 05:09 PM
 
It's been on Slashdot, and it came there from one of the security sites that reports stuff to Apple, so yes, it's been reported.

It's pretty easy to fix -- in fact forum user moep described how to use the exploit to patch the exploit, which is pretty clever and funny.

It's still a local exploit, not a remote one, which reduces the severity of it. It does of course need to be fixed, but my machine was inoculated within 5 minutes of the Slashdot story being posted on Wednesday morning:

Slashdot | Mac OS X Root Escalation Through AppleScript
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 19, 2008, 05:14 PM
 
The proper way to report a bug is with Apple's bug report form. You have to sign up for a free ADC account to log in. (If you really don't want to sign up for ADC, you can also use the OS X feedback form, but I don't know how high a priority that gets.)
     
CharlesS  (op)
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 19, 2008, 06:34 PM
 
Originally Posted by ghporter
This is indeed serious. Unless everyone immediately disables ANYTHING that can remotely do anything on their computer (like Remote Apple Events) AND somehow vets every tiny app they use (including widgets), then this built-in root kit will be a problem for someone sooner than later.
I'm glad someone realizes this.

Charles, I assume you've reported the bug? How does one do this? I'm going to report it too.
Of course I've reported it. However, bug reporting is like voting - the more people report a specific bug the more likely it is to get fixed. So, I'd recommend you go to http://bugreport.apple.com and report it also.

And do fix the permissions on that ARDAgent binary!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 19, 2008, 06:53 PM
 
Guys, this is a massive security hole, it deserves to be emphasized, and those of us who want to blow this off based solely on their gut feelings need to pull their heads out of their asses, to be blunt...

On any Unix system it is always a bad thing to run your services as root. This alone is a security red flag. To run a service as root *and* to provide a Unix shell with root access is probably about the biggest security hole that is imaginable.

Also, could this not be turned into a remote exploit simply by creating an executable shell script with a .command type wrapper generated by Terminal (which I believe is just an XML file) and issuing an:

Code:
open /your/exploit/shell/script.command
So:

Code:
osascript -e 'tell app "ARDAgent" to do shell script "open /your/exploit/shell/script.command"'
     
Hal Itosis
Grizzled Veteran
Join Date: Mar 2004
Status: Offline
Jun 19, 2008, 06:59 PM
 
Truly flabbergasting.
This is like a skript kiddie's wet dream.
[all they need to do is 'fill in the blank'.]
-HI-
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 19, 2008, 07:11 PM
 
Disregard what I wrote, there is a far easier way to do this...

I just created a shell script using nothing but the Terminal:

Code:
#!/bin/sh
rm -f /test
(/test was a dummy file I just created, chowned as root, and chmodded 600)

Then:

Code:
$ rm -f /test
rm: /test: Permission denied
Code:
osascript -e 'tell application "ARDAgent" to do shell script "/Users/me/test.sh"'
executed just fine.


So, you don't need a GUI to execute this attack, all you need is shell access.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 19, 2008, 07:13 PM
 
Originally Posted by Arkham_c
It's a big flaw, but not as bad as it could be. In order for it to work, the user who owns the Terminal also has to be logged into the GUI. It won't work for example, if you ssh in as a different user, or if nobody is logged in locally.
I just proved you wrong.
     
CharlesS  (op)
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 19, 2008, 07:15 PM
 
Originally Posted by besson3c
Also, could this not be turned into a remote exploit simply by creating an executable shell script with a .command type wrapper generated by Terminal (which I believe is just an XML file) and issuing an:
Fortunately, this won't work, because the system fortunately seems to be smart enough to block me from opening the Terminal via SSH - the open command won't launch it, and while I can start it by typing the full path to its binary, it doesn't seem to get registered with the system, doesn't get a Dock icon, and isn't any better at sending AppleScripts than SSH is. I also am not able to send AppleScripts to ARDAgent via SSH or via anything I started from SSH. So it's not a remote exploit.

It is, however, pretty much the most severe local exploit possible.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 19, 2008, 07:43 PM
 
Originally Posted by CharlesS
Fortunately, this won't work, because the system fortunately seems to be smart enough to block me from opening the Terminal via SSH - the open command won't launch it, and while I can start it by typing the full path to its binary, it doesn't seem to get registered with the system, doesn't get a Dock icon, and isn't any better at sending AppleScripts than SSH is. I also am not able to send AppleScripts to ARDAgent via SSH or via anything I started from SSH. So it's not a remote exploit.

It is, however, pretty much the most severe local exploit possible.
Disregard what I wrote about Terminal .command files and check out my example that illustrates how you can get this to work with a shell script. This makes it a remote exploit (providing you have SSH/shell access), no?
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 19, 2008, 07:46 PM
 
Originally Posted by besson3c
I just proved you wrong.
No, he was saying it requires an instance of the windowserver to be running with the same user you're using for SSH. As far as I can tell, this is the case. The osascript program depends on the windowserver being there.

Originally Posted by CharlesS
Fortunately, this won't work, because the system fortunately seems to be smart enough to block me from opening the Terminal via SSH - the open command won't launch it, and while I can start it by typing the full path to its binary, it doesn't seem to get registered with the system, doesn't get a Dock icon, and isn't any better at sending AppleScripts than SSH is. I also am not able to send AppleScripts to ARDAgent via SSH or via anything I started from SSH. So it's not a remote exploit.
It works if you have that user logged into the GUI. I just logged into a 10.4 box through SSH and successfully opened TextEdit through osascript. Strangely, though, ARDAgent does not appear to be scriptable (locally or otherwise) on either of the 10.4 machines I tried it on.

BTW, since it requires you to log into a local shell account on the machine, it's still a local exploit, isn't it? http://wiki.linuxquestions.org/wiki/Local_exploit
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 19, 2008, 07:49 PM
 
Originally Posted by Chuckit
No, he was saying it requires an instance of the windowserver to be running with the same user you're using for SSH. As far as I can tell, this is the case.
osascript and/or ARDAgent require WindowServer? Okay, but why does this have to be the same user you are using for SSH? Any user can escalate to root using this technique, so really if this required WindowServer that would simply mean that somebody has to be logged in, if WindowServer is not active at the login panel, right?
     
CharlesS  (op)
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 19, 2008, 07:56 PM
 
I think that the user you're sending the commands as has to have a window server in order to launch apps.

Originally Posted by Chuckit
It works if you have that user logged into the GUI. I just logged into a 10.4 box through SSH and successfully opened TextEdit through osascript.
Yeah, but if someone's logged in to that account, it's probably someone else's account and not yours. And if you've got access to someone else's user account, all you have to do is modify their com.apple.loginitems.plist file to make your evil command a login item and wait for the next time they show up.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 19, 2008, 08:09 PM
 
Originally Posted by besson3c
osascript and/or ARDAgent require WindowServer? Okay, but why does this have to be the same user you are using for SSH? Any user can escalate to root using this technique, so really if this required WindowServer that would simply mean that somebody has to be logged in, if WindowServer is not active at the login panel, right?
Nope. Only applications run by the GUI user can connect to the windowserver. Otherwise you get the error "kCGErrorRangeCheck : Window Server communications from outside of session allowed for root and console user only".
     
cgc
Professional Poster
Join Date: Mar 2003
Location: Down by the river
Status: Offline
Jun 19, 2008, 08:19 PM
 
Couldn't resist:
Originally Posted by Aliens Movie (1986)
Hudson: That's it man, game over man, game over! What the <beep> are we gonna do now? What are we gonna do?
Burke: Maybe we could build a fire, sing a couple of songs, huh? Why don't we try that?
     
jmiddel
Grizzled Veteran
Join Date: Dec 2001
Location: Land of Enchantment
Status: Offline
Jun 19, 2008, 09:00 PM
 
Chuckit,
will the script 'sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' run in Tiger also?

Thanks, Jan
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 19, 2008, 09:03 PM
 
Originally Posted by Chuckit
Nope. Only applications run by the GUI user can connect to the windowserver. Otherwise you get the error "kCGErrorRangeCheck : Window Server communications from outside of session allowed for root and console user only".
Ahhh, so it's very much like Xorg/X11 in this sense...

Still, you could do all the damage you wanted with a loginhook - unfettered access, just like Charles said...
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 19, 2008, 09:05 PM
 
Originally Posted by jmiddel
Chuckit,
will the script 'sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' run in Tiger also?

Thanks, Jan
Unless the path has changed, it will, and if it won't it will just tell you that the file cannot be found. Go ahead and try it!
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 19, 2008, 09:16 PM
 
Originally Posted by jmiddel
Chuckit,
will the script 'sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' run in Tiger also?

Thanks, Jan
Yes, it will.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Jun 19, 2008, 11:18 PM
 
I just came back from the Apple Store.

So in the future, this would mean I could gain FULL access over any Mac that I'm logged into via a Guest account?

Wow, just wow.

I think for their OWN sake, Apple needs to fix this ASAP. Otherwise, I see their whole Apple Store Macs being brutalized.

-t
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 20, 2008, 02:02 AM
 
Yeah, somebody should go in to an Apple Store and see if they can arrange getting some sort of free gift in exchange for compromising one of their machines.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Jun 20, 2008, 02:15 AM
 


Worth a try.

I'm sure those overly self-confident geniuses would never believe that it will take you less than 30 seconds to gain root access to any machine.

-t
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Jun 20, 2008, 05:04 AM
 
Your bug gets more attention in the media now, congrats.
I guess now Apple has no choice but to fix it.
I don't suffer from insanity, I enjoy every minute of it.
     
villalobos
Mac Elite
Join Date: Apr 2000
Status: Offline
Jun 20, 2008, 05:44 AM
 
When I try this "osascript -e 'tell application "ARDAgent" to do shell script "whoami"'",
I get this "31:55: execution error: ARDAgent got an error: AppleEvent timed out. (-1712)"

Does that mean the vulnerability does not work on my machine? Is that because something is messed up on my system? (It's on 10.4.11.)

Edit: Does not work in the Script Editor either (obviously).

2nd edit : is it a Leopard issue only?
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Jun 20, 2008, 08:52 AM
 
Correct me if I'm wrong, but the culprit is NOT only ARDAgent.

Other apps could be exploited as well, as long as they are flagged to run as root.

The Heise.de report sounds like this is an ARDAgent issue only.

-t
     
Maflynn
Professional Poster
Join Date: Mar 2002
Location: Boston
Status: Offline
Jun 20, 2008, 09:00 AM
 
Originally Posted by CharlesS
OS X's implementation of AppleScript has a problem. It's had this problem since Panther at least
Originally Posted by villalobos
2nd edit : is it a Leopard issue only?
No, Panther as well, as reported by the OP.
~Mike
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Status: Offline
Jun 20, 2008, 09:24 AM
 
Originally Posted by turtle777
Correct me if I'm wrong, but the culprit is NOT only ARDAgent.

Other apps could be exploited as well, as long as they are flagged to run as root.

The Heise.de report sounds like this is an ARDAgent issue only.

-t
Right...it's not only ARDAgent. But ARDAgent is the app that can allow AppleScripts to bypass security measures right out of the box as CharlesS explained.

But like I said in another thread, if you don't leave tons of ports open and if you're careful with what you download, you're safe.

Those that aren't careful deserve to get pwned. It's the equivalent of copying your house keys, stamping your address on them, and handing them out to perfect strangers. And then wondering why all your stuff is gone when you come back from work the next day.
( Last edited by Horsepoo!!!; Jun 20, 2008 at 09:36 AM. )
     
CharlesS  (op)
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 20, 2008, 09:32 AM
 
Originally Posted by turtle777
Correct me if I'm wrong, but the culprit is NOT only ARDAgent.

Other apps could be exploited as well, as long as they are flagged to run as root.

The Heise.de report sounds like this is an ARDAgent issue only.

-t
Yeah, I know. I really hope Apple takes the path of just making it so root applications can't accept AppleScripts from non-root applications instead of just taking the easy way out and patching ARDAgent so it ignores AppleScript commands, thus letting this problem lie dormant, waiting for the next root app that forgets about it.
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Status: Offline
Jun 20, 2008, 09:44 AM
 
One thing's for sure, Apple can remove this page and probably should: Apple - Mac OS X Leopard - Technology - Security

Snow Leopard may be the best thing to come out of Apple if they actually do focus on security. And I hope QuickTime X really is a total rewrite. It has to be a total rewrite if Apple is trying to be serious about security.
     
CharlesS  (op)
Posting Junkie
Join Date: Dec 2000
Status: Offline
Jun 20, 2008, 09:52 AM
 
Indeed. If Vista had something like this, we'd be laughing our asses off at it.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jun 20, 2008, 11:05 AM
 
Aside from trusting that the changed permissions for ARDAgent does the job, is there any way to test this without creating dummy files a la besson's example? Maybe I'm simply looking for a "quick and dirty" sort of test for whether or not a machine is vulnerable without looking at ARDAgent's permissions.
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Jun 20, 2008, 11:19 AM
 
Originally Posted by ghporter
Aside from trusting that the changed permissions for ARDAgent does the job, is there any way to test this without creating dummy files a la besson's example? Maybe I'm simply looking for a "quick and dirty" sort of test for whether or not a machine is vulnerable without looking at ARDAgent's permissions.
osascript -e 'tell application "ARDAgent" to do shell script "whoami"'

You don't want to see root come back.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 20, 2008, 11:19 AM
 
Originally Posted by Horsepoo!!!
Right...it's not only ARDAgent. But ARDAgent is the app that can allow AppleScripts to bypass security measures right out of the box as CharlesS explained.

But like I said in another thread, if you don't leave tons of ports open and if you're careful with what you download, you're safe.

Those that aren't careful deserve to get pwned. It's the equivalent of copying your house keys, stamping your address on them, and handing them out to perfect strangers. And then wondering why all your stuff is gone when you come back from work the next day.

What does leaving ports open have to do with this?

This is a rootkit, and as discussed it's possible for any user on the machine you are using to cause damage to any other user on the system. A rootkit is far more severe than a piece of spyware or virus, because not only can it be used for both, but it can also be used for crime related purposes.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 20, 2008, 11:19 AM
 
Sending Charles' example command to ARDAgent will answer the question definitively. If whoami says that ARDAgent is root, then it's vulnerable; if it says it's your user, then ARDAgent is safe.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jun 20, 2008, 11:24 AM
 
Originally Posted by turtle777
Correct me if I'm wrong, but the culprit is NOT only ARDAgent.

Other apps could be exploited as well, as long as they are flagged to run as root.
Yes, but as far as we know right now, ARDAgent is the only app that has the combination of scriptable+suid.
     