today an anonymous slashdot user posted this little shell command, that uses the ARDAgent to gain root access, without ever needing to authenticate.
the script is:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
Can be used to things like:
osascript -e 'tell app "ARDAgent" to do shell script "scutil --set ComputerName SomeName"'
that would normally require authentication.
It has been tested by quite a few people, and has been found only to work you are physically at a computer and its logged in.
However where I work we use Network Shares as our home folder, and this hack doesnt seem to work. And I just wanted to make sure that there was no way it would work.
When I run the command:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
I get:
execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)
I just tested that on the MacBook Pro I use day to day using an admin account, a normal account and the built in guest account and I have to say...
CRIKEY!
I was hoping maybe it was only a problem if you were logged in as an admin user, but it isn't. I'll test it at work tomorrow when I can get access to my test machines and try it with network clients.
This is really some quite major privilege escalation, it's a built in rootkit.
Thank you very much for bringing that to my attention.
OK, I am SSH'd into a server at work and I'm getting the same error you are. That's put my mind at rest enough for me to go to bed and be able to sleep, though I'll probably have nightmares
I'll also do more testing tomorrow to see what I find.
As I understand it, local GUI login is required by the same user that is issuing the command.
So if Joe is using the machine, and someone either makes Joe run the command (trojan), or someone else is logged into the terminal as Joe then the command will work.
Anyway, there are a couple of things you can do to plug this hole (or make it much smaller).
You can remove the setuid bit from the executable, tar or remove the ARD product entirely, or if you require ARD for whatever reason (server access...) you can change privileges on the osascript executable to at least restrict who can run the command unchallenged.
