Update 26.06.2008: read latest news about this exploit here…

Abstract

Intego reports (read details here) a “bug” in Apple’s Remote Desktop (ARD) application. In short: the ARD Agent runs AppleScripts always with root privileges. Now, when you put shell-commands into that AppleScript they are executed as “root”. ARD doesn’t require any admin/root password to do so.

An Example

Heise.de (read here – german only) has prepped a simply example to show us where we are… open a console and simply enter:

• mymacbox$ osascript -e 'tell app “ARDAgent“ to do shell script “whoami“';

The answer will be:

• root

We won’t delve into this too deeply, but in the meantime there have already been posted several ways to use this exploit. One shows how to open a root-shell on TCP port 9999, which is really scary simple. At first it was expected people need physical access to the machine, but it is confirmed that is also works if being applied on a OS X server where a user got an account with limited rights.

How to fix this

Two ways have been reported to circumvent this issue. One way might be enabling “Remote Management”:

• Open System Preferences
• Open Sharing
• Enable Remote Management

The other way – which we recommend – is to manually repair permissions of ARDAgent.app via

• mymacbox$ chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Conclusion

Get yourself a Mac virusscanner (consider our premium sponsors). Viruses for MacOS X are chomping at the bit…