Update 26.06.2008: read latest news about this exploit here…
Intego reports (read details here) a “bug” in Apple’s Remote Desktop (ARD) application. In short: the ARD Agent runs AppleScripts always with root privileges. Now, when you put shell-commands into that AppleScript they are executed as “root”. ARD doesn’t require any admin/root password to do so.
Heise.de (read here – german only) has prepped a simply example to show us where we are… open a console and simply enter:
mymacbox$ osascript -e 'tell app“
to do shell script“
The answer will be:
We won’t delve into this too deeply, but in the meantime there have already been posted several ways to use this exploit. One shows how to open a root-shell on TCP port 9999, which is really scary simple. At first it was expected people need physical access to the machine, but it is confirmed that is also works if being applied on a OS X server where a user got an account with limited rights.
How to fix this
Two ways have been reported to circumvent this issue. One way might be enabling “Remote Management”:
The other way – which we recommend – is to manually repair permissions of ARDAgent.app via
mymacbox$ chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
Get yourself a Mac virusscanner (consider our premium sponsors). Viruses for MacOS X are chomping at the bit…