23 June 2008 @ 16:29

ARDAgent Vulnerability

Intego is reporting that Apple Remote Desktop (specifically ARDAgent) is vulnerable to a root exploit.

This vulnerability takes advantage of the fact that ARDAgent, a part of the Remote Management component of Mac OS X 10.4 and 10.5, has the setuid bit set. Any user running a setuid executable gains the privileges of the user who owns that executable. In this case, ARDAgent is owned by root, so code run via the ARDAgent executable runs as root, without requiring a password. The exploit in question depends on ARDAgent’s ability to run AppleScripts, which may, in turn, include shell script commands.

The example that is circulating the internet is shown below:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

All my computers have Screen Sharing or Remote Management turned on, and in this case, the above example fails. However, after killing ARDAgent, I was able to get the example to return “root”.

A solution offered by some is to simply archive the ARDAgent.app so that it cannot be used.

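cd /System/Library/CoreServices/RemoteManagement/
# Keep a compressed copy of the bundle so it can be restored later
sudo tar -czf ARDAgent.app.gz ARDAgent.app
# Archiving alone leaves the original in place; remove it so it cannot be launched
sudo rm -rf ARDAgent.app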

Another solution is to change the permissions on the ARDAgent:

sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app

If you choose to change the permissions, do not run Repair Permissions, as it will undo the fix.
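To confirm the permission change took effect, and to notice if Repair Permissions or a system update has put the setuid bit back, the bundle can be audited for setuid files. The script below is an added example, not part of the original post; the function names `list_setuid`, `count_setuid` and `audit_bundle` are hypothetical, and only the bundle path comes from the commands above.

```shell
#!/bin/sh
# Added example: report setuid files inside an application bundle.
# The default path is the ARDAgent bundle named in the post.
ARD_BUNDLE="/System/Library/CoreServices/RemoteManagement/ARDAgent.app"

# list_setuid DIR: print an "ls -l" line (mode, owner, path) for every
# regular file under DIR that has the setuid bit (mode 4000) set.
list_setuid() {
    find "$1" -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
}

# count_setuid DIR: print how many setuid regular files exist under DIR.
count_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# audit_bundle [DIR]: return 0 if DIR holds no setuid files,
# 1 if at least one is found, 2 if DIR does not exist.
audit_bundle() {
    dir=${1:-$ARD_BUNDLE}
    if [ ! -e "$dir" ]; then
        echo "not present: $dir"
        return 2
    fi
    n=$(count_setuid "$dir")
    if [ "$n" -gt 0 ]; then
        echo "setuid bit set on $n file(s) under $dir:"
        list_setuid "$dir"
        return 1
    fi
    echo "no setuid files under $dir"
    return 0
}

# When run as a script with a path argument, audit that path.
if [ "$#" -gt 0 ]; then
    audit_bundle "$1"
fi
```

An exit status of 1 after the chmod fix has been applied means the setuid bit is back and the fix needs to be reapplied; the owner column in the listing shows whether the file is owned by root.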
