This security hole has been discovered by Intego (like the previous one).

This one is due to Apple Remote Desktop (on Leopard and Tiger). It is a dangerous one because it allows users to execute scripts and commands as root (which gives a malicious user complete access to the system), even if you’re logged in as a non-root user!

Users must download and run the scripts in order for their computer to become infected. The trojan will install itself in the /Library/Caches folder, and will set itself to run at startup.

The problem is that ARDAgent has its setuid bit set and is owned by root, which means that it runs as root. Since it’s scriptable, any commands sent to it via AppleScript (including those sent remotely using the osascript command) will also run as root.

To see whether your system is secure or not, try this:

    tell application "ARDAgent" to do shell script "whoami"

If it says “root”, your system is not secure…

You can go one step further in testing the security of your computer by trying this:

    tell application "ARDAgent" to do shell script "touch /test;chmod 700 /test"

A test file will be created in the root of your hard drive on which you have no rights; you can still delete it by entering your administrator password!

If that’s the case, 4 solutions to protect yourself:

  1. Use extreme caution when running AppleScript files or applications sent to you in an email, or downloaded from the internet;
  2. Turn Remote Management on in your Sharing preferences; this is not the best solution, since it runs that service even if you don’t need it;
  3. Install VirusBarrier X5 for Mac (the solution proposed by Intego, of course); I’m personally against installing an antivirus on a Mac;
  4. Clear the setuid bit on ARDAgent, which will cause it to run as the logged-in user rather than root, by running this command from the Terminal:
    sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
  5. Change the permissions on the whole ARDAgent bundle (this will be undone if you repair permissions or install a system/ARD update):
    sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app
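As an added example (not part of the original post), the following shell helper automates the check and the fix from solution 4: it reports whether a binary carries the setuid bit and who owns it, and clears the bit. ARDAGENT is the path named above; the helper functions take any path, so the same code can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example, not from the original post: audit and remediation helper for the
# ARDAgent setuid problem. ARDAGENT is the path the post names.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# setuid_state PATH: prints "missing", "setuid" or "clean".
# A root-owned setuid executable runs as root for whoever launches it, which is
# exactly why "do shell script" through ARDAgent answered "root".
setuid_state() {
    [ -e "$1" ] || { printf 'missing\n'; return 0; }
    if [ -u "$1" ]; then printf 'setuid\n'; else printf 'clean\n'; fi
}

# owner_of PATH: prints the owning user (works with both macOS and Linux ls).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# clear_setuid PATH: removes the setuid bit (the effect of the post's
# "chmod 755" on the binary) and prints the resulting state.
# Needs root (sudo) when run against the real ARDAgent.
clear_setuid() {
    chmod u-s "$1" && setuid_state "$1"
}

# report PATH: one-line verdict, as a defender auditing a machine would want it.
report() {
    state=$(setuid_state "$1")
    case "$state" in
        setuid)  printf '%s: setuid bit set, owner %s - runs as that user for any caller\n' \
                     "$1" "$(owner_of "$1")" ;;
        clean)   printf '%s: no setuid bit - runs as the logged-in user\n' "$1" ;;
        missing) printf '%s: not present on this system\n' "$1" ;;
    esac
}

report "$ARDAGENT"
```

Run it as is to audit the real path; a "setuid" verdict with owner root is the vulnerable state, and `sudo` followed by the post's chmod (or `clear_setuid` as root) removes it.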
