
Huge, Crazy, Ridiculous OS X Security Hole


6 posts in this topic


Ugh, I was resolving to cut down on my posting here, but this just has to be reported since many people's computers are now wide open.

Prologue:

OS X's implementation of AppleScript has a problem. It's had this problem since Panther at least, and I've reported it to Apple on several occasions since 2004. It always gets flagged "Behaves Correctly" by Apple's development team. The problem is: Applications that are running as root can accept AppleScript commands from applications that are not running as root. And since every Cocoa application automatically gets some basic AppleScript support, this means that any time a Cocoa application runs as root, anyone else can send it a "do shell script" command and pretty much run anything they want as root.

Fringe case, you say? If a GUI app runs as root, you've already got a problem, you say? Well, I said yeah, Cocoa and Carbon apps shouldn't be running as root, but this stuff does happen - badly written installers sometimes launch themselves as root, as do some utility programs, along with the popular lab management program "iHook" - and it only takes one such screwup to allow hackers to root your computer. But no, they decided to flag it "Behaves Correctly" and ignore it. Well, two days ago I made the mistake of mentioning this bug to someone in #macdev, and then yesterday, it comes out that...

IT TURNS OUT THAT OS X CONTAINS AN APPLESCRIPT-AWARE APPLICATION WITH ITS SETUID BIT SET, OUT OF THE BOX.

Enter this in the Terminal, and you get 'root':

osascript -e 'tell application "ARDAgent" to do shell script "whoami"'

The fix would be:

1. Change the permissions of /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent to 755 or something other than being setuid root

(example command: sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent)

2. Never run Repair Permissions, because that will set it back to the way it was.

3. Send Apple bug reports to get them to fix this!

Turns out this has been posted on Slashdot, so I hope Apple enjoys all the horrible press they're going to get. They've known about this for almost four years...

edit: one thing to add is that contrary to the Slashdot article, this isn't limited just to Tiger and Leopard - I've tested it in Panther, and it works there too. It may even go back to systems earlier than that for all I know...

Thanks Charles
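An added audit helper for the mitigation above (my own example, not from this post or from Apple): it checks whether the ARDAgent binary is still setuid root, so the check can be rerun after a Repair Permissions pass, and can list every setuid-root executable under a directory to catch other app bundles in the same state. It assumes a POSIX sh with find(1), ls(1) and awk(1); only the ARDAgent path comes from the post.

```shell
#!/bin/sh
# Audit helper (added example, not the original poster's code).
# Path quoted from the post; the ARDAgent binary shipped setuid root.
ARDAGENT_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Return 0 if FILE has the setuid bit (04000), 1 otherwise (also 1 if missing).
has_setuid_bit() {
    [ -e "$1" ] || return 1
    # find prints the path only when the setuid bit is present
    [ -n "$(find "$1" -maxdepth 0 -perm -4000 2>/dev/null)" ]
}

# Print the owner name of FILE (third field of ls -l output).
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Return 0 only when FILE is setuid AND owned by root, the condition that
# lets an unprivileged "do shell script" run as root per the post.
is_setuid_root() {
    has_setuid_bit "$1" && [ "$(file_owner "$1")" = "root" ]
}

# List every setuid-root regular file under DIR, one path per line.
list_setuid_root_under() {
    find "$1" -type f -perm -4000 -user root 2>/dev/null
}

# Report ARDAgent's state; return 1 when the dangerous mode is present.
audit_ardagent() {
    if [ ! -e "$ARDAGENT_BIN" ]; then
        echo "SKIP: $ARDAGENT_BIN not present on this system"
        return 0
    fi
    if is_setuid_root "$ARDAGENT_BIN"; then
        echo "WARNING: $ARDAGENT_BIN is setuid root (reachable via AppleScript)"
        return 1
    fi
    echo "OK: $ARDAGENT_BIN is not setuid root"
    return 0
}
```

Run `audit_ardagent` after any Repair Permissions pass; `list_setuid_root_under /System/Library/CoreServices` shows whether any other bundled binary carries the same bit.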


"IT TURNS OUT THAT OS X CONTAINS AN APPLESCRIPT-AWARE APPLICATION WITH ITS SETUID BIT SET, OUT OF THE BOX."

What does this part mean? Anyhow I find it kind of worrying that Apple responds to a security flaw like that.


"IT TURNS OUT THAT OS X CONTAINS AN APPLESCRIPT-AWARE APPLICATION WITH ITS SETUID BIT SET, OUT OF THE BOX."

What does this part mean? Anyhow I find it kind of worrying that Apple responds to a security flaw like that.

I find it worrying myself.


So this would fix this exploit for good? Would using it cause any harm to OS X?
Shortly after releasing the tool we are going to provide an in-depth article on the exploit and why the solutions you can find online (including this one) work (or don't work).

The source code IS also provided so you can see what it's doing before they release the article. (I'll leave that for you to read/learn ;) )
