Slashdot Mirror


Mac OS X Root Escalation Through AppleScript

An anonymous reader writes "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.
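The one-liner above is the whole public report; what follows is an added example written for this page, not code from the submission or from Apple. It assumes two things the post does not state: that the escalation works because the ARDAgent binary is installed setuid root (so a "do shell script" it executes runs as root, whatever user sent the Apple Event), and that the binary lives at the path in ARDAGENT below. The chmod u-s stop-gap is the workaround that circulated at the time, not Apple's fix; it disables Remote Management until the bit is restored. The pure helpers (is_setuid_root, classify_ardagent) run anywhere, and the osascript probe degrades to "n/a" on a non-Mac.

```sh
#!/bin/sh
# Added example (not from the Slashdot post): audit a Mac for the ARDAgent
# "do shell script" escalation and apply the stop-gap that circulated in 2008.
# Assumptions not stated on the page: the root cause is ARDAgent being
# setuid root, and the binary path is the one in ARDAGENT below.

ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_setuid_root MODE OWNER
# MODE is the mode column of `ls -l` (e.g. -rwsr-xr-x, possibly with a
# trailing @ or + on macOS), OWNER the owner column. Prints yes/no.
is_setuid_root() {
    mode="$1"; owner="$2"
    case "$mode" in
        ???[sS]*) if [ "$owner" = "root" ]; then echo yes; return 0; fi ;;
    esac
    echo no
    return 0
}

# mode_and_owner PATH -> prints "MODE OWNER" for one file.
mode_and_owner() {
    ls -l "$1" 2>/dev/null | awk 'NR==1 {print $1, $3}'
}

# classify_ardagent [PATH]
# vulnerable : setuid root, so any user with a GUI session can run shell
#              commands as root via AppleScript
# mitigated  : present but not setuid root
# absent     : not installed (or not macOS)
classify_ardagent() {
    p="${1:-$ARDAGENT}"
    [ -f "$p" ] || { echo absent; return 0; }
    set -- $(mode_and_owner "$p")
    if [ "$(is_setuid_root "$1" "$2")" = yes ]; then
        echo vulnerable
    else
        echo mitigated
    fi
}

# probe_escalation: reproduce the report (only meaningful on a Mac, and, per
# the thread, only from the account that owns the graphical session).
probe_escalation() {
    command -v osascript >/dev/null 2>&1 || { echo n/a; return 0; }
    osascript -e 'tell app "ARDAgent" to do shell script "whoami"' 2>/dev/null || echo failed
}

# mitigate [PATH]: drop the setuid bit (stop-gap, needs sudo; assumed
# workaround, not Apple's fix). Idempotent: does nothing unless vulnerable.
mitigate() {
    p="${1:-$ARDAGENT}"
    [ "$(classify_ardagent "$p")" = vulnerable ] || return 0
    sudo chmod u-s "$p"
}

main() {
    printf 'ARDAgent status: %s\n' "$(classify_ardagent)"
    printf 'whoami via ARDAgent: %s\n' "$(probe_escalation)"
}

main "$@"
```

Run it as the logged-in user first: "ARDAgent status: vulnerable" followed by "whoami via ARDAgent: root" is the condition the summary describes. Run `mitigate` with sudo, then re-run: the probe should no longer answer "root".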

26 of 359 comments

  1. Physical access? by Menkhaf · · Score: 3, Insightful

    Could somebody explain how running a script requires physical access?

    --
    A proud member of the Onion-in-Hand alliance
    1. Re:Physical access? by Medieval_Gnome · · Score: 2, Insightful

      Try sshing into a machine where your user isn't currently logged in, or running the exploit as a different user. As best I can tell, it doesn't work in the case where the user running the command isn't the user who is graphically logged in.

      --

      :wq

    2. Re:Physical access? by Anonymous Coward · · Score: 4, Insightful

      You don't need any sort of remote login, all you need is a client (web browser, Quicktime, Flash, etc.) buffer overflow that you can use to start a shell...

    3. Re:Physical access? by Anonymous Coward · · Score: 1, Insightful

      This is so obviously true I can't believe there are people in this discussion suggesting this isn't a serious problem, or a real and actual problem with the OS security model. These sorts of problems happen all the time with all sorts of OSs so the problem is not unique--this does not obviate its severity however.

      MacOS has a serious security issue here, basically for-free privilege escalation. This means running this OS with this vulnerability unpatched is equivalent to running as 'Administrator' on Windows, or root on *nix. This is always considered a 'bad thing'. Being logged into the MacOS as a regular user is now a 'bad thing', just like default accounts for WindowsXP.

  2. Physical access? Have you heard of malware? by jeffmeden · · Score: 5, Insightful

        On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

    Malware (arguably one of the greatest scourges of modern computing) spreads by just that, local root vulnerabilities (also known as 'standard procedure' in the Windows community). What makes this exploit so useless, given that all the perpetrator has to do is send it out to enough people hoping just a few will run it?

    It seems perfectly serious since one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy.

  3. Physical access? by fyleow · · Score: 1, Insightful

    I'm not familiar with AppleScript but that doesn't sound like it requires physical access to me. Can't you SSH or remote desktop into an OS X server and run that command to get root access? That seems like a serious vulnerability to me.

  4. It's the same marketing mistake as Microsoft. by pandrijeczko · · Score: 5, Insightful

    Yes, I fully accept that an exploit requiring physical access to a machine is a much lower security risk than one that can be carried out from a remote location.

    But Apple have made exactly the same marketing mistakes that Microsoft did in selling their respective OSes as ones that can be used easily by people with no knowledge of computers - people still click on attachments they shouldn't, still give their passwords to phishing web sites and still don't install regular security updates and scan their PCs for virii.

    And in the case of this specific exploit, I am sure that a number of newbie Apple users would happily tap in "osascript -e 'tell app "ARDAgent" to do shell script "whoami"'" into their computers purely because "Jim The Friendly Computer Support Engineer" told them to do it.

    So let's not beat about the bush - ANY exploit that isn't fixed as quickly as possible is a problem because there's always at least one spotty teenager trying to become a HAX0R who is prepared to try his luck against some poor unwitting user.

    --
    Gentoo Linux - another day, another USE flag.
    1. Re:It's the same marketing mistake as Microsoft. by Colonel+Fahlt · · Score: 2, Insightful

      (Not to mention we might not be talking about "poor unwitting users", we might be talking about a user in a business context who's not supposed to have root privileges but can suddenly grant themselves the ability to do things they're not supposed to. What's that statistic about security breaches from the inside of a company?)

  5. This is a serious privilege escalation bug, but... by argent · · Score: 5, Insightful

    First, yes, this is a serious bug. It's a classic blunder, like getting into a land war in Asia, and is similar to the one in NT3.51's scheduler to get LOCALSYSTEM rights, or the one in /bin/write in 2BSD to get a root shell.

    It's also easy to fix.

    And I am about 99 44/100 percent sure that there's more undiscovered holes like this in OS X, Windows Vista, and any random Linux desktop you could name.

    The thing is, it's not true that "one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy". It's not. You can protect the OS from the malware, but the malware can still hide, still restart itself after a reboot, and still destroy everything you actually CARE about without root access. And malware can similarly break out of Vista's jail around IE, and whatever Apple does along those lines.

    Security is like sex. Once you're penetrated you're ****ed.

    The biggest advantage that Apple has is that Safari doesn't (any more) have a mechanism (at least not by default) to blithely execute outside a *closed* sandbox (not a leaky one) any random malware that can convince it that it's safe and trusted. That's the biggest security problem Windows has. ActiveX and all its kin. It's harder to penetrate OS X in the first place... you pretty much have to depend on social engineering... and people CAN learn not to be social-engineered.

  6. Re:Physical access? Have you heard of malware? by Anonymous Coward · · Score: 1, Insightful

    You do realize that the comment you linked is dead wrong and it does in fact work on OSX out-of-the-box, right? I just tried it on my macbook pro which has Leopard and I have made no modifications to it. It works.

  7. Re:Physical access? Have you heard of malware? by Goaway · · Score: 3, Insightful

        Malware arguably (one of the greatest scourges of modern computing) spreads by just that, local root vulnerabilities

    No, it does not. Most malware doesn't need root to do most of the things it wants to do. Having root opens up some more possibilities, but it is by no means required.

  8. Proof of Concept Possibilities by AgentOJ · · Score: 4, Insightful

    This code could easily be wrapped into the preflight scripts for an Installer package in OS X, or integrated into any piece of malware to escalate itself to root without any user interaction beyond downloading it and launching it. In this sense, the arguments against the DNSChanger Trojan Horse of "it requires an admin password to be installed" become null and void. This is fairly serious, folks. One-click privilege escalation is way too easy for script-kiddies and professional malware distributors alike to integrate into their nasty programs.

  9. Re:This is a serious privilege escalation bug, but by argent · · Score: 3, Insightful

    No, what's good about Linux, and to a slightly lesser extent OSX, is that Unix is an incredibly simple system at its core, so there are relatively few possible exploitation vectors and they are all well understood.

    Unfortunately KDE, Qt, X11, Gtk, Gnome, and the whole "let's make Linux into Windows" desktop hodgepodge that's layered on top of UNIX[1] is incredibly complex, has many components running with elevated privileges, and while it has fewer exploitation vectors than Windows it's conceptually more complex than the NeXTstep-derived equivalents in OS X.

    And on top of that, many linux distros have resurrected the absolutely insane concept of Autorun CDs, something Apple was smart enough to abandon back in the dark ages of floppy distribution.

    So, all in all, "do not be so proud of this technological terror". I'd go on, but I've got work to do. :)

    [1] No, X11 is not really a UNIX API, it was designed to be platform independent, ran on UNIX and VMS from the start, and completely ignores many of the fundamental design goals of UNIX as well as many of the most useful *results* of those design goals.

  10. Re:It's easier than that.. by pudge · · Score: 2, Insightful

    Just embed the script in an applescript *.app executable, which many clueless users (I know, I am a Mac sysadmin to some of them) will click on, despite the warnings from the system on trying to start an executable from Mail and on first launching the app. Right. It is yet another possible Trojan Horse vector. Most of us here are hard to trick into this, but most users at large are not.

  11. Re:It's easier than that.. by theolein · · Score: 2, Insightful

    The real hole is not so much this script, since you need to get something running on a target machine, but the fact that Apple Mail will execute Mac friendly *.app attachments at all just by clicking on them.

  12. Bore me with something else by thethibs · · Score: 1, Insightful

    If you have physical access to a machine and the disk isn't encrypted, you can get root. How dense do you have to be to find this surprising, or even mildly interesting?

    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.

  13. Physical Access Excuse? by TheNetAvenger · · Score: 5, Insightful

        On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

    What about non personal deployments?

    Like corporate installations?
    Kiosk installations?
    Any small business that wants to secure a machine?
    How about a class room that you want kiddies to run games but not wipe the OS?

    Physical access MEANS if they can access the hardware (inside the case). It DOES NOT mean typing something on the freaking keyboard, when logged in as a low level user.

    In the IT world you password lock boot media, lock cases, etc. If an IT person can't secure a machine without removing the keyboard, there MIGHT be a security problem.

    (SlashDot Editors? WTF?)

  14. Re:Can we get some sources? by Whiney+Mac+Fanboy · · Score: 2, Insightful

        It's a submission from an anonymous user that doesn't cite any sources. That's pretty shoddy, even by Slashdot standards.

    Are you really so lazy that you need a source for something so trivially replicated?

    --
    There are shills on slashdot. Apparently, I'm one of them.

  15. Re:Local exploit, snuh! by JustCallMeRich · · Score: 2, Insightful

    #1 - We probably have 5-6 Apple XServes and will grow that to around 12-15. But there are hundreds of WinTel servers corporate wide.

    #2 - We are in the midst of standardizing the Macs to corporate standards. They are around 10% - 20% of each site, but they never really had any centralized management until I came on board. Getting a standard build and removing admin rights was one of the first things I got corporate to agree to. The users really love installing their own stuff (like p2p clients, DVD ripping apps, different versions of apps) or changing things in order to 'fix' things like a down server. They complain that they don't have the ability to break their own machines anymore, but the calls for service have gone waaaay down, and their ability to interact with the corporate network, services, and their PC peers have gone waaay up. Just in numbers we have about 600 Mac users in the US, and maybe another 100 in Europe and Asia.

    Most of the companies that have been acquired that had Macs, had an outside contractor come in about once a month to do maintenance, bug fixes, etc. Now they complain that it takes a couple of hours to install their scanner driver. I also had another group that used to install their own software complain to me that they all had different versions of the applications. So I removed their admin rights and put them all on the same version. Now they complain that they can't install software one at a time - which would get them back to different versions of the programs.....

    The biggest secret to managing Macs is that it's really an easier job than managing PC's (IMHO), but the PC techs think it is harder. The trick is to take away admin rights and use a standard, tested build that is set up by someone who knows what they are doing. Pretty much the same rule as on the PC.

    That said - and to get back on topic - ARD (Apple Remote Desktop, http://www.apple.com/remotedesktop/) is an invaluable tool and one of the requirements for me taking the job. Looks like the latest version of the ARD client may fix this problem. But if users are turning off the ARD client - how can I push the new, fixed client out to them?

    --
    http://Communityville.com - A free place for new and old neighborhood webmasters to hang out.

  16. Re:ARDAgent is Apple Remote Desktop by palegray.net · · Score: 3, Insightful

        BTW, let's all thank Timothy, Pudge, and the rest of the /. gang for ensuring a fresh crop of zombie spambots, shall we? What happened to common courtesy? I thought etiquette dictated giving the manufacturer a heads up and a little time to fix their shit. I guess the ad dollars and attention whoring was just too much to resist. Enjoy your blood money fellas, the internet will suck just a little bit more thanks to you guys.

    Seeing as how your username is "MacDork" I've just gotta ask: would you feel the same way if this article described a Windows exploit?

    Also, who says Apple wasn't notified of this problem in advance? I'm not saying they were or weren't, but I don't have data either way. This is the same community that loves to lambast Microsoft for their security issues (rightly so, in most cases), but fully supports immediate disclosure of exploits before patches are released by Microsoft (although MS has taken forever to fix many problems). As a network admin, I'm a fan of full disclosure, which gives the ability to do something about the issue until a patch is released. Others see things differently.
  17. Re:Can we get some sources? by Whiney+Mac+Fanboy · · Score: 2, Insightful

        It's only trivially replicated if you have access to a mac. Most of us here probably don't.

    1) If you don't have a mac, why do you care about the exploit?

    2) If you care that much, but don't have access to Apple hardware, run OS X in a virtual machine.

    --
    There are shills on slashdot. Apparently, I'm one of them.

  18. Re:ARDAgent is Apple Remote Desktop by Anonymous Coward · · Score: 2, Insightful

        huge difference between being notified on a security mailing list and having the information plastered on the front page of slashdot

    Black hats read security mailing lists. Keeping it off Slashdot only hinders innocent users from taking precautions against the defect.

  19. Re:This is a serious privilege escalation bug, but by mabinogi · · Score: 3, Insightful

        KDE opens a dialog and asks you if you want the CD to be mounted

    I call those "Should I do something stupid" dialogs. Just out of interest, under which circumstances do you _not_ want a data CD to be mounted when you insert it in your drive?

    Your average optical drive is rather expensive to use as a CD case you know.

    --
    Advanced users are users too!

  20. Even better question by Moraelin · · Score: 2, Insightful

    My even better question is: why is "bah, it requires physical access" seen as an automatic "don't worry about it" around these parts?

    Yes, maybe a home computer doesn't have more people logging in. But:

    - Workstations at work have lots of people who can log into them. If I come really early or stay late, I can go to any workstation (and a few laptops) in the building and log in with my own account. If it's possible to escalate your rights from there, I could get access to everyone's local and temporary files. Go see what the department boss is doing. Go see which suppliers the purchasing guys deal with. I'm sure their competitors will love knowing what kind of discount they could negotiate and still steal that contract. Walk to the other building and get the CAD guys' designs.

    Plus there are a lot of people who can physically get near any computer, up to CEO level. Like, say, the janitors.

    - Servers even more so. There are servers where hundreds of people can log in. If you can escalate your rights to root, you can get to their files. Or you can install some rootkit on the bloody server. Or even one disgruntled L1 support guy about to quit can escalate his rights, reconfigure the backups, and do a "rm -rf /". Etc.

    So basically not arguing with your point, but even _if_ the answer were "OMG, you need to be physically at that computer" or "OMG you'd need to be logged in anyway", it still wouldn't be much of a saving grace. There _are_ more uses for computers than as someone's email and surfing rig at home.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Even better question by TrekkieGod · · Score: 3, Insightful

          My even better question is: why is "bah, it requires physical access" seen as an automatic "don't worry about it" around these parts?...Workstations at work have lots of people who can log into them...Plus there are a lot of people who can physically get near any computer, up to CEO level. Like, say, the janitors.

      The reason that requiring physical access is seen as no big deal is because all that stuff you're worried about is something I can do without the need of any exploits.

      Got a machine with literally any operating system? All I need is to reboot the computer with a linux live cd (or usb thumb drive) and I get read / write access to everywhere. From there I can plant trojans, read your files, do whatever.

      Got a Linux machine? I can reboot and use grub to boot into single-user mode. There you go, I'm root. I can do all the of the above again.

      The only way to have any security at the physical level is with encryption. And when we see encryption exploits, we do get hyped up about it. Even with encryption, more security measures still need to be taken at the physical level. A physical keylogger between the keyboard and computer could be installed to discover typed passwords, etc.

      That said, an exploit is an exploit, and it should be treated as such. Physical-access only just means there's less to worry about.

      --

      Warning: Opinions known to be heavily biased.

  21. Re:Apple's Knowledge Base reports this is 'safe' by minimis · · Score: 2, Insightful

    That forum thread and knowledge base article aren't connected to this issue at all, except that both involve ARDAgent.

    The claim "Apple's built-in file system permissions verifier really wanted to delete the ARDAgent program" is just nonsense.