Fix for Apple Remote Desktop security hole
As you’ve probably heard, a vulnerability in Apple Remote Desktop allows remote users to execute commands as root when logged in as a regular user. The problem is that ARDAgent has its setuid bit set and is owned by root, which means that it will run as root. Since it’s scriptable, any commands sent via AppleScript (including those sent remotely using the osascript command) will also run as root. To demonstrate this, try the following:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
It will say that you’re root!
A temporary fix is to clear the setuid bit on ARDAgent, which will cause it to run as the logged-in user rather than root:
sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
If you try it now, you’ll see that it’s no longer running as root. However, there may be other applications lurking around with the same problem.
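To look for other binaries with the same setuid problem, the following is an added example, not part of the original post. It lists setuid files owned by a given numeric uid (0 is root) under directories you choose and clears the bit on a file once you have decided it is not needed. The function names and the directories in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit for setuid executables.

# Print "uid<TAB>path" for every setuid regular file under the given
# directories whose numeric owner equals $1 (0 = root).
# Errors from unreadable directories are ignored.
list_setuid_by_uid() {
    want_uid=$1; shift
    find "$@" -type f -perm -4000 -exec sh -c '
        want=$1; shift
        for f do
            # ls -n prints the numeric owner in field 3
            uid=$(ls -ldn "$f" | awk "{print \$3}")
            [ "$uid" = "$want" ] && printf "%s\t%s\n" "$uid" "$f"
        done
        exit 0' sh "$want_uid" {} + 2>/dev/null || true
}

# Clear only the setuid bit and confirm it is gone. The post's chmod 755
# has the same effect on that bit but also resets the other mode bits.
# Run through sudo for root-owned files.
clear_setuid() {
    chmod u-s "$1" && [ ! -u "$1" ]
}

# Usage (directories are examples):
#   sh audit.sh /System/Library/CoreServices /Applications
if [ "$#" -gt 0 ]; then
    list_setuid_by_uid 0 "$@"
fi
```

Review each hit before changing it, since some system tools rely on the setuid bit to work at all.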




