
Security researchers reported last week that they've spotted a Mac Trojan horse in the wild that could compromise machines running Apple Inc.'s Mac OS X 10.4 or 10.5. SecureMac, a Mac-specific anti-virus vendor, posted an alert last Thursday that its researchers had found a Trojan horse, dubbed "AppleScript.THT," being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple's instant messaging and video chat software, were also taking place. The company classified the threat posed by the Trojan as "critical." The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.


"[it] allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging," claimed SecureMac. "Additionally, the Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing." SecureMac's warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug. Malicious AppleScript, said Intego, can call ARDAgent, which then gives that script full "root" access to the system. Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if it's injected after a successful attack using another vulnerability, such as a browser bug.


Source: Computer World

First, this is NOT a virus; it is a Trojan, but that doesn't mean it is not a serious issue.

It is a local privilege escalation exploit; that means it does NOT need you to enter your password for it to do whatever it does.

This exploit can be added to installers' preflight scripts, etc., and you wouldn't even know it.


To test if your system is vulnerable:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

This uses the suid bit on ARDAgent to escalate the permissions of the local user to root.


There is a workaround fix:

sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

This removes the suid bit, so it won't escalate permissions anymore. If you do the osascript command again, it should return your user instead of root.

Hacks are open to this also. Don't kid yourself; take the steps needed to secure your box. Security is not as much of an issue, but it is still something to keep in mind. This command could be packaged in a preflight or postflight script of some tool or some kext/driver pkg, run at install time, and you wouldn't even know.

http://www.macworld.com/article/134165/2008/06/ardagent.html


So that’s the bad news. There are some glimmers of good news in the gloom, though. First, it’s relatively easy to protect yourself from this security hole. The major security product vendors have updated (or will soon update) their code to patch this particular hole (and any known malware that takes advantage of it), so if you use such a product, make sure you update your virus definitions.


If you don’t use an anti-virus program, there’s a relatively simple method to temporarily plug this hole all on your own. (But please have a current backup before proceeding). Navigate to /System -> Library -> CoreServices -> RemoteManagement, and Control-click on ARDAgent. In the contextual menu that appears, select Compress ARDAgent (in 10.5; in 10.4, I believe it will say Create Archive of ARDAgent). This will create a zip file of ARDAgent on your Desktop (as you don’t have rights to modify the original folder).


Next, drag ARDAgent to the trash can, provide your admin password when asked, then empty the trash. Finally, drag the zipped version of ARDAgent into the RemoteManagement folder, again providing your password when asked. (This last bit is optional; you can keep the file wherever you like, but I find it easier to store it where I know it belongs.)


When Apple releases a security update to patch this hole, expand the zip archive before running Software Update—so that Software Update will find the full application to patch. Note that this solution will prevent anyone from using Apple Remote Desktop to control your Mac. If you’re in such an environment where someone needs access to Apple Remote Desktop—say, in a business or in a school—you’ll need to speak to your administrators about their preferred solution to this problem.

Even Chrysaor's script works great.

A simple test

Before running the script

$ osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
root

After running the script

$ osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
UC
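To make the two checks in this thread (the osascript probe, and "did the chmod actually clear the bit") scriptable, here is an added shell script. It is not from any poster in this thread, from Apple or from Chrysaor's script; it only assumes the ARDAgent path quoted above and that root is uid 0. It reports whether the binary is still setuid root by parsing `ls -ln` (chosen because `stat` flags differ between the BSD and GNU versions), and re-runs the osascript probe only where `osascript` exists, so it can be dry-run on a non-Mac box. The status labels `absent`/`hardened`/`vulnerable` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Reports whether the ARDAgent
# setuid workaround is in effect and re-runs the osascript probe from the
# thread. Assumes the path quoted in the thread and that root is uid 0.

ARDAGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# ls_fields PATH: print "mode uid" taken from `ls -ln`, whose first and third
# columns have the same layout on Mac OS X (BSD) and Linux (GNU).
ls_fields() {
    ls -ln "$1" 2>/dev/null | awk 'NR==1 {print $1, $3}'
}

# is_setuid PATH: succeed if the user-execute slot of the mode is s or S
# (S = setuid without execute). Trailing @ or + from ACLs/xattrs is ignored.
is_setuid() {
    case "$(ls_fields "$1")" in
        ???[sS]*) return 0 ;;
    esac
    return 1
}

# is_setuid_root PATH: setuid AND owned by uid 0, i.e. the combination the
# AppleScript.THT Trojan needs to get a root shell out of ARDAgent.
is_setuid_root() {
    set -- $(ls_fields "$1")
    [ $# -eq 2 ] || return 1
    case "$1" in
        ???[sS]*) [ "$2" = 0 ] && return 0 ;;
    esac
    return 1
}

# ardagent_status PATH: prints absent | hardened | vulnerable, always exits 0.
#   absent     - binary not there (e.g. trashed per the Macworld workaround)
#   hardened   - present but not setuid root (chmod u-s applied)
#   vulnerable - setuid root, the shipping Tiger/Leopard state
ardagent_status() {
    if [ ! -e "$1" ]; then
        echo absent
    elif is_setuid_root "$1"; then
        echo vulnerable
    else
        echo hardened
    fi
}

# probe_ardagent: the test from the thread. Prints "root" on a vulnerable Mac,
# your own user after the fix, "n/a" where osascript is not installed.
probe_ardagent() {
    command -v osascript >/dev/null 2>&1 || { echo n/a; return 0; }
    osascript -e 'tell application "ARDAgent" to do shell script "whoami"' 2>/dev/null \
        || echo error
}

echo "ARDAgent setuid status: $(ardagent_status "$ARDAGENT")"
echo "osascript probe runs shell as: $(probe_ardagent)"
```

The thread's `sudo chmod u-s` is still what removes the bit; this script only verifies it. Because a later Software Update may reinstall the ARDAgent binary, and with it whatever mode Apple ships, re-run the check after any system update rather than assuming the workaround has stuck.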
