
GanChan (original poster)
ARDAgent modification came up when I was repairing permissions:

Warning: SUID file "System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" has been modified and will not be repaired.

I followed Macworld's advice and created a zip file of ARDAgent, then trashed the original. I will hang onto the compressed file until Apple comes up with a patch for this problem, but as I understand it, with no ARDAgent running I've solved my remote access vulnerability. So am I okay now, or should I do other stuff like wipe my hard drive, etc., just to be sure?... It sounds like it comes from malware attached to a downloaded application, not from a virus, so theoretically I could reinstall OSX and reinstall just my CD-installable apps....

One glimmer of hope: When I typed "whoami" in Terminal, it gave me my admin name and not "root." So maybe I'm not totally screwed just yet....
 
Going against some others who I am sure will post here, the SUID message is expected and according to Apple it can be ignored.

http://support.apple.com/kb/ts1448

The article is talking about a vulnerability that exists in ARD. The Disk Utility message has nothing to do with the malicious software and thus there is no need to wipe your drive, nor in fact do anything.

I am not able to replicate the circumstances under which the bug was found in 10.6.

I think you should carefully read about this bug, I don't think you are understanding how it works or how it can do damage.

"whoami" is supposed to return the user logged into the shell. It was the fact that you can tell ARDAgent to do things without admin privileges. Again, read the article carefully and the original Slashdot article.
 
Interesting. Well, I can always unzip and reinstall ARDAgent...but the truth is, I never use remote access anyway. If leaving ARDAgent off my Mac closes a potentially troublesome security hole, I'd have no problem with that.

Thanks.
 
What OS are you running?

This issue does not exist in 10.6. The issue existed in 10.4 and 10.5.4; it was fixed in a security update, as confirmed by this article from August 2008 (http://db.tidbits.com/article/9720): the ARD hole was fixed in Security Update 2008-005.

As noted here in the Apple KB:

Open Scripting Architecture

CVE-ID: CVE-2008-2830

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, Mac OS X Server v10.5.4

Impact: A local user may execute commands with elevated privileges

Description: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges. The recently reported ARDAgent and SecurityAgent issues are addressed by this update. Credit to Charles Srstka for reporting this issue.

There is nothing to worry about at this point and the SUID message is expected and safe according to Apple.

If however, Disk Utility reports a permissions problem with ARD outside of the SUID message you should be concerned.

To reiterate: The SUID message given by Disk Utility does not mean your ARDAgent has been hacked nor does it mean you are vulnerable.
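As an added illustration (not from any poster in this thread or from Apple): a small POSIX sh check that separates the two things Disk Utility's message conflates. The setuid bit on ARDAgent is what Apple says to expect; what would actually be worth worrying about is the binary being group- or world-writable, or no longer owned by root. The path is the one from the Disk Utility message above; the assumption that an Apple-shipped setuid binary is root-owned and not writable by others is the example's own, labelled in the code.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether a setuid binary looks
# the way a vendor-shipped one should, using only the portable "ls -l" fields.

# classify_suid MODE OWNER
#   MODE  is the 10-character permission field from "ls -l" (e.g. -rwsr-xr-x)
#   OWNER is the owner name from the same line
# Prints OK, SUSPICIOUS or NOT_SETUID; returns 0 only for OK.
classify_suid() {
    mode=$1
    owner=$2
    # Character 4 of the field is the owner-execute slot; "s" or "S" there
    # means the setuid bit is set. That alone is expected for ARDAgent.
    case $mode in
        ???[sS]*) ;;
        *) echo NOT_SETUID; return 1 ;;
    esac
    # Assumption: a setuid binary must never be group- (char 6) or
    # world-writable (char 9), otherwise an unprivileged user could replace it.
    case $mode in
        ?????w*|????????w*) echo SUSPICIOUS; return 1 ;;
    esac
    # Assumption: Apple ships its setuid helpers owned by root.
    if [ "$owner" != root ]; then
        echo SUSPICIOUS
        return 1
    fi
    echo OK
}

# check_suid_binary PATH: runs classify_suid on a real file and prints
# the verdict together with the raw mode/owner/group for the record.
check_suid_binary() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "MISSING $target"
        return 2
    fi
    # "ls -ld" prints: MODE LINKS OWNER GROUP SIZE DATE... NAME on both macOS
    # and Linux; a trailing "@" or "+" on MODE (xattrs/ACLs) is tolerated by
    # the patterns above because they end in "*".
    set -- $(ls -ld "$target")
    verdict=$(classify_suid "$1" "$3")
    echo "$verdict $target mode=$1 owner=$3 group=$4"
    [ "$verdict" = OK ]
}

# Path taken from the Disk Utility warning quoted in the thread.
ARD_AGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# Exit status is informational here; the verdict line is what you read.
check_suid_binary "$ARD_AGENT" || :
```

An OK verdict with setuid set is exactly the state Apple's KB article calls expected; a SUSPICIOUS verdict is the "permissions problem outside of the SUID message" that the post above says should concern you.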
 
What OS are you running?

This issue does not exist in 10.6.

I'm on 10.6.3 and get this message. I am trying to troubleshoot why Time Machine keeps slowing my machine down to a stop while it is backing up.
 
I'm on 10.6.3 and get this message. I am trying to troubleshoot why Time Machine keeps slowing my machine down to a stop while it is backing up.

That message has nothing to do with your Time Machine problem.
 