Mac OS X Root Escalation Through AppleScript 359
An anonymous reader writes "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.
Physical access? (Score:3, Insightful)
Physical access? Have you heard of malware? (Score:5, Insightful)
It seems perfectly serious since one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy.
Physical access? (Score:1, Insightful)
Comment removed (Score:5, Insightful)
Re:Physical access? (Score:3, Insightful)
Re:Physical access? (Score:4, Insightful)
This is a serious privilege escalation bug, but... (Score:5, Insightful)
It's also easy to fix.
And I am about 99 44/100 percent sure that there's more undiscovered holes like this in OS X, Windows Vista, and any random Linux desktop you could name.
THe thing is, it's not true that "one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy". It's not. You can protect the OS from the malware, but the malware can still hide, still restart itself after a reboot, and still destroy everything you actually CARE about without root access. And malware can similarly break out of Vista's jail around IE, and whatever APple does along those lines.
Security is like sex. Once you're penetrated you're ****ed.
The biggest advantage that Apple has is that Safari doesn't (any more) have a mechanism (at least not by default) to blithely execute outside a *closed* sandbox (not a leaky one) any random malware that can convince it that it's safe and trusted. That's the biggest security problem Windows has. ActiveX and all its kin. It's harder to penetrate OS X in the first place... you pretty much have to depend on social engineering... and people CAN learn not to be social-engineered.
Re:Physical access? Have you heard of malware? (Score:1, Insightful)
Re:Physical access? Have you heard of malware? (Score:4, Insightful)
Proof of Concept Possibilities (Score:5, Insightful)
Re:It's the same marketing mistake as Microsoft. (Score:2, Insightful)
Re:Physical access? (Score:1, Insightful)
MacOS has a serious security issue here, basically for-free privilege escaltion. This means running this OS with this vulnerability unpatched is equivalent to running as 'Administrator' on Windows, or root on *nix. This is always considered a 'bad thing'. Being loged into the MacOS as a regular user is now a 'bad thing', just like default accounts for WindowsXP.
Re:This is a serious privilege escalation bug, but (Score:3, Insightful)
Unfortunately KDE, Qt, X11, Gtk, Gnome, and the whole "let's make Linux into Windows" desktop hodgepodge that's layered on top of UNIX[1] is incredibly complex, has many components running with elevated privileges, and while it has fewer exploitation vectors than Windows it's conceptually more complex than the NeXTstep-derived equivalents in OS X.
And on top of that, many linux distros have resurrected the absolutely insane concept of Autorun CDs, something Apple was smart enough to abandon back in the dark ages of floppy distribution.
So, all in all, "do not be so proud of this technological terror". I'd go on, but I've got work to do.
[1] No, X11 is not really a UNIX API, it was designed to be platform independent, ran on UNIX and VMS from the start, and completely ignores many of the fundamental design goals of UNIX as well as many of the most useful *results* of those design goals.
Re:It's easier than that.. (Score:3, Insightful)
Re:It's easier than that.. (Score:3, Insightful)
Bore me with something else (Score:2, Insightful)
If you have physical access to a machine and the disk isn't encrypted, you can get root. How dense do you have to be to find this surprising, or even mildly interesting?
Physical Access Excuse? (Score:5, Insightful)
What about non personal deployments?
Like corporate installations?
Kiosk installations?
Any small business that wants to secure a machine?
How about a class room that you want kiddies to run games but not wipe the OS?
Physical access MEANS if they can access the hardware (inside the case). It DOES NOT mean typing something on the freaking keyboard, when logged in as a low level user.
In the IT world you password lock boot media, lock cases,etc. If an IT person can't secure a machine without removing the keyboard, there MIGHT be a security problem.
(SlashDot Editors? WTF?)
Re:Can we get some sources? (Score:3, Insightful)
Are you really so lazy that you need a source for something so trivially replicated?
Re:Local exploit, snuh! (Score:2, Insightful)
#2 - We are in the midst of standardizing the Macs to corporate standards. They are around 10% - 20% of each site, but they never really had any centralized management until I came on board. Getting a standard build and removing admin rights was one of the first things I got corporate to agree to. The users really love installing their own stuff (like p2p clients, DVD ripping apps, different versions of apps) or changing things in order to 'fix' things like a down server. They complain that they don't have the ability to break their own machines anymore, but the calls for service have gone waaaay down, and their ability to interact with the corporate network, services, and their PC peers have gone waaay up. Just in numbers we have about 600 Mac users in the US, and maybe another 100 in Europe and Asia.
Most of the companies that have been acquired that had Macs, had an outside contractor come in about once a month to do maintenance, bug fixes, etc. Now they complain that it takes a couple of hours to install their scanner driver. I also had another group that used to install their own software complain to me that they all had different versions of the applications. So I removed their admin rights and put them all on the same version. Now they complain that they can't install software one at a time - which would get them back to different versions of the programs.....
The biggest secret to managing Macs is that it's really an easier job than managing PC's (IMHO), but the PC techs think it is harder. The trick is to take away admin rights and use a standard, tested build that is set up by someone who knows what they are doing. Pretty much the same rule as on the PC.
That said - and to get back on topic - ARD (http://www.apple.com/remotedesktop/ [apple.com]Apple Remote Desktop) is an invaluable tool and one of the requirements for me taking the job. Looks like the latest version of the ARD client may fix this problem. But if users are turning off the ARD client - how can I push the new, fixed client out to them?
Re:ARDAgent is Apple Remote Desktop (Score:3, Insightful)
Also, who says Apple wasn't notified of this problem in advance? I'm not saying they were or weren't, but I don't have data either way. This is the same community that loves to lambast Microsoft for their security issues (rightly so, in most cases), but fully supports immediate disclosure of exploits before patches are released by Microsoft (although MS has taken forever to fix many problems). As a network admin, I'm a fan of full disclosure, which gives the ability to do something about the issue until a patch is released. Others see things differently.
Re:Can we get some sources? (Score:3, Insightful)
1) If you don't have a mac, why do you care about the exploit?
2) If you care that much, but don't have access to Apple hardware, run OS X in virtual machine.
Re:ARDAgent is Apple Remote Desktop (Score:2, Insightful)
Black hats read security mailing lists. Keeping it off Slashdot only hinders innocent users from taking precautions against the defect.
Re:This is a serious privilege escalation bug, but (Score:3, Insightful)
Your average optical drive is rather expensive to use as a CD case you know.
Even better question (Score:3, Insightful)
Yes, maybe a home computer doesn't have more people logging in. But:
- Workstations at work have lots of people who can log into them. If I come really early or stay late, I can go to any workstation (and a few laptops) in the building and log in with my own account. If it's possible to escalate your rights from there, I could get access to everyone's local and temporary files. Go see what the department boss is doing. Go see with which suppliers do the purchasing guys deal. I'm sure their competitors will love knowing what kind of discount they could negotiate and still steal that contract. Walk to the other building and get the CAD guys' designs.
Plus there are a lot of people who can physically get near any computer, up to CEO level. Like, say, the janitors.
- Servers even more so. There are servers where hundreds of people can log in. If you can escalate your rights to root, you can get to their files. Or you can install some rootkit on the bloody server. Or even one disgruntled L1 support guy about to quit can escalate his rights, reconfigure the backups, and do a "rm -rf
So basically not arguing with your point, but even _if_ the answer were "OMG, you need to be physically at that computer" or "OMG you'd need to be logged in anyway", it still wouldn't be much of a saving grace. There _are_ more uses for computers than as someone's email and surfing rig at home.
Re:Apple's Knowledge Base reports this is 'safe' (Score:2, Insightful)
The claim "Apple's built-in file system permissions verifier really wanted to delete the ARDAgent program" is just nonsense.
Re:Even better question (Score:4, Insightful)
The reason that requiring physical access is seen as no big deal is because all that stuff you're worried about is something I can do without the need of any exploits.
Got a machine with literally any operating system? All I need is to reboot the computer with a linux live cd (or usb thumb drive) and I get read / write access to everywhere. From there I can plant trojans, read your files, do whatever.
Got a Linux machine? I can reboot and use grub to boot into single-user mode. There you go, I'm root. I can do all the of the above again.
The only way to have any security at the physical level is with encryption. And when we see encryption exploits, we do get hyped up about it. Even with encryption, more security measures still need to be taken at the physical level. A physical keylogger between the keyboard and computer could be installed to discover typed passwords, etc.
That said, an exploit is an exploit, and it should be treated as such. Physical-access only just means there's less to worry about.