[MacOS] Root Exploit in Apple Remote Desktop (ARD)

Update 26.06.2008: read latest news about this exploit here...

Abstract

Intego reports (read details here) a "bug" in Apple's Remote Desktop (ARD) application. In short: the ARD Agent always runs AppleScripts with root privileges. When you put shell commands into such an AppleScript, they are executed as "root". ARD doesn't require any admin/root password to do so.

An Example

Heise.de (read here, German only) has prepared a simple example to show us where we are. Open a console and simply enter:
  • mymacbox$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
The answer will be:
  • root
We won't delve into this too deeply, but in the meantime several ways to use this exploit have already been posted. One shows how to open a root shell on TCP port 9999, which is scarily simple. At first it was expected that people would need physical access to the machine, but it is confirmed that it also works when applied on an OS X server where a user has an account with limited rights.

How to fix this

Two ways have been reported to circumvent this issue. One way might be enabling "Remote Management":
  • Open System Preferences
  • Open Sharing
  • Enable Remote Management
The other way - which we recommend - is to manually repair permissions of ARDAgent.app via
  • mymacbox$ chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
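
To check whether a machine still has the setuid bit that the `chmod u-s` fix removes, and to confirm the fix afterwards, the following can be used. It is an added example, not code from the original post; the function names `audit_setuid` and `list_setuid` are hypothetical, and the path is the one given above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the setuid bit on ARDAgent.
# The path is the one given in the article; function names are hypothetical.
ARD_AGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Print the state of one file:
#   missing      - not a regular file at that path
#   clean        - setuid bit not set
#   setuid-root  - setuid bit set and owned by uid 0 (runs as root for any caller)
#   setuid-other - setuid bit set, owned by another user
audit_setuid() {
    target=$1
    if [ ! -f "$target" ]; then
        echo "missing"
    elif [ ! -u "$target" ]; then
        echo "clean"
    elif [ -n "$(find "$target" -user 0 2>/dev/null)" ]; then
        echo "setuid-root"
    else
        echo "setuid-other"
    fi
}

# List every regular file under a directory that still carries the setuid bit.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

state=$(audit_setuid "$ARD_AGENT")
echo "ARDAgent: $state"
if [ "$state" = "setuid-root" ]; then
    echo "setuid root is still set; the article's chmod u-s has not been applied"
fi
# Sweep the rest of the RemoteManagement directory named in the article's path.
rm_dir="/System/Library/CoreServices/RemoteManagement"
if [ -d "$rm_dir" ]; then
    list_setuid "$rm_dir" || true
fi
```

Run it before and after applying the fix: the reported state should change from `setuid-root` to `clean`.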

Conclusion

Get yourself a Mac virus scanner (consider our premium sponsors). Viruses for MacOS X are chomping at the bit...

One Response to “[MacOS] Root Exploit in Apple Remote Desktop (ARD)”

  1. […] A few days ago there was talk of the Root Exploit in Apple Remote Desktop, which allows any user or application to execute commands as root without any kind of authorization. […]
