23 June 2008 @ 16:29
ARDAgent Vulnerability
Intego is reporting that Apple Remote Desktop (specifically ARDAgent) is vulnerable to a root exploit.
This vulnerability takes advantage of the fact that ARDAgent, a part of the Remote Management component of Mac OS X 10.4 and 10.5, has a setuid bit set. Any user running such an executable gains the privileges of the user who owns that executable. In this case, ARDAgent is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent’s ability to run AppleScripts, which may, in turn, include shell script commands.
The example that is circulating on the internet is shown below:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
All my computers have Screen Sharing or Remote Management turned on, and in this case, the above example fails. However, after killing ARDAgent, I was able to get the example to return “root”.
A solution offered by some is to simply archive the ARDAgent.app so that it cannot be used.
cd /System/Library/CoreServices/RemoteManagement/
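# tar only makes a copy, so remove the original bundle once the archive has been written
sudo tar -czf ARDAgent.app.gz ARDAgent.app && sudo rm -rf ARDAgent.app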
Another solution is to change the permissions on the ARDAgent:
sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app
If you choose to change the permissions, do not run Repair Permissions, as it will undo the fix.
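Because Repair Permissions can silently restore the setuid bit, it is worth re-checking the bundle afterwards. The following is an added example, not part of the original post: a small check that reports any setuid file left inside the bundle. The function names are made up for illustration, and the default path is the one used above.

```shell
#!/bin/sh
# Added example: confirm that no setuid file remains inside an app bundle.
# Default path is the bundle named in this post; function names are hypothetical.
BUNDLE_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app"

# Print "owner<TAB>path" for every regular file under $1 with the setuid bit set.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        printf '%s\t%s\n' "$owner" "$f"
    done
}

# Print the number of setuid files under $1.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Return 0 if the bundle is absent (archived and removed) or has no setuid
# files (chmod u-s applied); return 1 and list the files otherwise.
check_bundle() {
    bundle=${1:-$BUNDLE_DEFAULT}
    if [ ! -e "$bundle" ]; then
        echo "ok: $bundle is not present"
        return 0
    fi
    n=$(count_setuid "$bundle")
    if [ "$n" -eq 0 ]; then
        echo "ok: no setuid files under $bundle"
        return 0
    fi
    echo "WARNING: $n setuid file(s) under $bundle:"
    list_setuid "$bundle"
    return 1
}

# Run the check when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

Run it after every Repair Permissions pass or system update; a non-zero exit status means the mitigation has been undone.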
by Jon