Tag Archives: Apple Remote Desktop

[MacOS] Trojan horse uses MacOS X ARD vulnerability

Last week we reported about the vulnerability in Apple Remote Desktop (read here). Now Brian Krebs of the Washington Post (read here) has found out that ready-made scripts are already available on the net.

The scripts are compiled into an exploit tool called “Applescript Trojan Horse Template”. The scripts allow any user to run programs without having legitimate privileges. The template is designed to be bundled with any software. This means that by downloading software from dark places on the net you may be in danger of being attacked stealthily.

After installation a keystroke logger (keylogger) and a VNC (virtual network computing) server are installed, which allows attackers to remotely access a victim’s computer. Moreover, a PHP shell gets installed that allows the attackers to keep track of the victim’s computer using dynamic DNS services.

Our recommendation: get yourself a Mac virus scanner as soon as possible. The virus-free time is almost over. Apple gains market share and hackers become more and more interested in Mac-based machines…

[MacOS] Root Exploit in Apple Remote Desktop (ARD)

Update 26.06.2008: read the latest news about this exploit here

Abstract

Intego reports (read details here) a “bug” in Apple’s Remote Desktop (ARD) application. In short: the ARD Agent always runs AppleScripts with root privileges. So when you put shell commands into such an AppleScript, they are executed as “root”. ARD doesn’t require any admin/root password to do so.

An Example

Heise.de (read here – German only) has prepared a simple example to show us where we are… open a console and simply enter:

  • mymacbox$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

The answer will be:

  • root

We won’t delve into this too deeply, but in the meantime several ways to use this exploit have already been posted. One shows how to open a root shell on TCP port 9999, which is scarily simple. At first it was assumed that people need physical access to the machine, but it has been confirmed that it also works on an OS X server where the user only has an account with limited rights.

How to fix this

Two ways have been reported to circumvent this issue. One way might be enabling “Remote Management”:

  • Open System Preferences
  • Open Sharing
  • Enable Remote Management

The other way – which we recommend – is to manually fix the permissions of ARDAgent.app by removing the setuid bit from the agent binary via

  • mymacbox$ chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
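To verify whether a machine is still in the vulnerable state (the ARDAgent binary carrying the setuid bit) and to apply the permission fix above in a controlled way, here is a small POSIX shell script. It is an added example written for this post, not code from Apple, Intego or Heise; the ARDAgent path is the one quoted above and is only used as a default, and the function names are our own.

```sh
#!/bin/sh
# Added example: audit and optionally fix the setuid bit on ARDAgent.
# The default path is the one named in the post; any other file can be
# passed explicitly, which is also how the script can be tried out on a
# scratch file before touching the real agent.

ARDAGENT_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# setuid_state FILE
#   Prints one word describing FILE and returns:
#     0 / "ok"         file exists and has no setuid bit
#     1 / "vulnerable" file exists and is setuid (the state the exploit needs)
#     2 / "missing"    file does not exist (e.g. ARD not installed)
setuid_state() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo missing
        return 2
    fi
    if [ -u "$f" ]; then
        echo vulnerable
        return 1
    fi
    echo ok
    return 0
}

# remove_setuid FILE
#   Applies the fix from the post (chmod u-s) only when the file is actually
#   setuid, then prints the resulting state. Returns 0 when the file ends up
#   without the setuid bit, non-zero otherwise (e.g. missing file or no
#   permission to chmod, which on the real agent requires root).
remove_setuid() {
    f="$1"
    state=$(setuid_state "$f")
    case "$state" in
        missing)
            echo missing
            return 2
            ;;
        ok)
            echo ok
            return 0
            ;;
        vulnerable)
            chmod u-s "$f" 2>/dev/null || { echo vulnerable; return 1; }
            setuid_state "$f"
            ;;
    esac
}

# Usage: ard_check.sh [--fix] [PATH]
#   Without --fix the script only reports; with --fix it removes the bit.
if [ "${ARD_CHECK_LIB:-}" = "" ] && [ "$(basename -- "$0")" = "ard_check.sh" ]; then
    fix=0
    if [ "${1:-}" = "--fix" ]; then fix=1; shift; fi
    target="${1:-$ARDAGENT_DEFAULT}"
    if [ "$fix" -eq 1 ]; then
        result=$(remove_setuid "$target")
    else
        result=$(setuid_state "$target")
    fi
    echo "$target: $result"
fi
```

Run it as `sh ard_check.sh` to audit and `sudo sh ard_check.sh --fix` to remove the bit; the exit code of `setuid_state` (1 for vulnerable) makes it easy to drop into a fleet-wide check. Note that `chmod u-s` is what the post recommends and is what Apple Software Update later reverted on some systems, so re-running the audit after updates is sensible.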

Conclusion

Get yourself a Mac virus scanner (consider our premium sponsors). Viruses for MacOS X are chomping at the bit…