Mac OS X Root Escalation Through AppleScript

An anonymous reader writes "Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

Physical access?

[Menkhaf]

Could somebody explain how running a script requires physical access?

Physical access? Have you heard of malware?

[jeffmeden]

On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

Malware arguably (one of the greatest scourges of modern computing) spreads by just that, local root vulnerabilities (also known as 'standard procedure' in the Windows community). What makes this exploit so useless, given that all the perpetrator has to do is send it out to enough people hoping just a few will run it?

It seems perfectly serious since one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy.

Physical access?

[fyleow]

I'm not familiar with AppleScript but that doesn't sound like it requires physical access to me. Can't you SSH or remote desktop into an OS X server and run that command to get root access? That seems like a serious vulnerability to me.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Physical access?

[Medieval_Gnome]

Try sshing into a machine where your user isn't currently logged in, or running the exploit as a different user. As best I can tell, it doesn't work in the case where the user running the command isn't the user who is graphically logged in.

Re:Physical access?

[Anonymous Coward]

You don't need any sort of remote login, all you need is a client (web browser, Quicktime, Flash, etc.) buffer overflow that you can use to start a shell...

This is a serious privilege escalation bug, but...

[argent]

First, yes, this is a serious bug. It's a classic blunder, like getting into a land war in Asia, and is similar to the in NT3.51's scheduler to get LOCALSYSTEM rights, or the one in /bin/write in 2BSD to get a root shell.

It's also easy to fix.

And I am about 99 44/100 percent sure that there's more undiscovered holes like this in OS X, Windows Vista, and any random Linux desktop you could name.

THe thing is, it's not true that "one of the main security aspects of OS X is that root access is held sacred (as it should be) and malware is assumed to be 'stopped at the gate' by that policy". It's not. You can protect the OS from the malware, but the malware can still hide, still restart itself after a reboot, and still destroy everything you actually CARE about without root access. And malware can similarly break out of Vista's jail around IE, and whatever APple does along those lines.

Security is like sex. Once you're penetrated you're ****ed.

The biggest advantage that Apple has is that Safari doesn't (any more) have a mechanism (at least not by default) to blithely execute outside a *closed* sandbox (not a leaky one) any random malware that can convince it that it's safe and trusted. That's the biggest security problem Windows has. ActiveX and all its kin. It's harder to penetrate OS X in the first place... you pretty much have to depend on social engineering... and people CAN learn not to be social-engineered.

Re:Physical access? Have you heard of malware?

[Anonymous Coward]

You do realize that the comment you linked is dead wrong and it does in fact work on OSX out-of-the-box, right? I just tried it on my macbook pro which has Leopard and I have made no modifications to it. It works.

Re:Physical access? Have you heard of malware?

[Goaway]

Malware arguably (one of the greatest scourges of modern computing) spreads by just that, local root vulnerabilities

No, it does not. Most malware doesn't need root to do most of the things it wants to do. Having root opens up some more possibilities, but it is by now means required.

Proof of Concept Possibilities

[AgentOJ]

This code could easily be wrapped into the preflight scripts for an Installer package in OS X, or integrated into any piece of malware to escalate itself to root without any user interaction beyond downloading it and launching it. In this sense, the arguments against the DNSChanger Trojan Horse of "it requires an admin password to be installed" becomes null and void. This is fairly serious, folks. One-click privilege escalation is way too easy for script-kiddies and professional malware distributers alike to integrate into their nasty programs.

Re:It's the same marketing mistake as Microsoft.

[Colonel Fahlt]

(Not to mention we might not be talking about "poor unwitting users", we might be talking about a user in a business context who's not supposed to have root privileges but can suddenly grant themselves the ability to do things they're not supposed to. What's that statistic about security breaches from the inside of a company?)

Re:Physical access?

[Anonymous Coward]

This is so obviously true I can't believe there are people in this discussion suggesting this isn't a serious problem, or a real and actual problem with the OS security model. These sorts of problems happen all the time with all sorts of OSs so the problem is not unique--this does not obviate it's severity however.

MacOS has a serious security issue here, basically for-free privilege escaltion. This means running this OS with this vulnerability unpatched is equivalent to running as 'Administrator' on Windows, or root on *nix. This is always considered a 'bad thing'. Being loged into the MacOS as a regular user is now a 'bad thing', just like default accounts for WindowsXP.

Re:This is a serious privilege escalation bug, but

[argent]

No, what's good about Linux, and to a slightly lesser extend OSX, is that Unix is an incredibly simple system at it's core, so there are relatively few possible exploitation vectors and they are all well understood.

Unfortunately KDE, Qt, X11, Gtk, Gnome, and the whole "let's make Linux into Windows" desktop hodgepodge that's layered on top of UNIX[1] is incredibly complex, has many components running with elevated privileges, and while it has fewer exploitation vectors than Windows it's conceptually more complex than the NeXTstep-derived equivalents in OS X.

And on top of that, many linux distros have resurrected the absolutely insane concept of Autorun CDs, something Apple was smart enough to abandon back in the dark ages of floppy distribution.

So, all in all, "do not be so proud of this technological terror". I'd go on, but I've got work to do. :)

[1] No, X11 is not really a UNIX API, it was designed to be platform independent, ran on UNIX and VMS from the start, and completely ignores many of the fundamental design goals of UNIX as well as many of the most useful *results* of those design goals.

Re:It's easier than that..

[pudge]

Just embed the script in an applescript *.app executable, which many clueless users (I know, I am a Mac sysadmin to some of them) will click on, despite the warnings from the system on trying to start an executable from Mail and on first launching the app.

Right. It is yet another possible Trojan Horse vector. Most of us here are hard to trick into this, but most users at large are not.

Re:It's easier than that..

[theolein]

The real hole is not so much this script, since you need to get something running on a target machine, but the fact that Apple Mail will execute Mac friendly *.app attachments at all just by clicking on them.

Bore me with something else

[thethibs]

If you have physical access to a machine and the disk isn't encrypted, you can get root. How dense do you have to be to find this surprising, or even mildly interesting?

Physical Access Excuse?

[TheNetAvenger]

On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

What about non personal deployments?

Like corporate installations?
Kiosk installations?
Any small business that wants to secure a machine?
How about a class room that you want kiddies to run games but not wipe the OS?

Physical access MEANS if they can access the hardware (inside the case). It DOES NOT mean typing something on the freaking keyboard, when logged in as a low level user.

In the IT world you password lock boot media, lock cases,etc. If an IT person can't secure a machine without removing the keyboard, there MIGHT be a security problem.

(SlashDot Editors? WTF?)

Re:Can we get some sources?

[Whiney Mac Fanboy]

It's a submission from an anonymous user that doesn't cite any sources. That's pretty shoddy, even by Slashdot standards.

Are you really so lazy that you need a source for something so trivially replicated?

Re:Local exploit, snuh!

[JustCallMeRich]

#1 - We probably have 5-6 Apple XServes and will grow that to around 12-15. But there are hundreds of WinTel servers corporate wide.

#2 - We are in the midst of standardizing the Macs to corporate standards. They are around 10% - 20% of each site, but they never really had any centralized management until I came on board. Getting a standard build and removing admin rights was one of the first things I got corporate to agree to. The users really love installing their own stuff (like p2p clients, DVD ripping apps, different versions of apps) or changing things in order to 'fix' things like a down server. They complain that they don't have the ability to break their own machines anymore, but the calls for service have gone waaaay down, and their ability to interact with the corporate network, services, and their PC peers have gone waaay up. Just in numbers we have about 600 Mac users in the US, and maybe another 100 in Europe and Asia.

Most of the companies that have been acquired that had Macs, had an outside contractor come in about once a month to do maintenance, bug fixes, etc. Now they complain that it takes a couple of hours to install their scanner driver. I also had another group that used to install their own software complain to me that they all had different versions of the applications. So I removed their admin rights and put them all on the same version. Now they complain that they can't install software one at a time - which would get them back to different versions of the programs.....

The biggest secret to managing Macs is that it's really an easier job than managing PC's (IMHO), but the PC techs think it is harder. The trick is to take away admin rights and use a standard, tested build that is set up by someone who knows what they are doing. Pretty much the same rule as on the PC.

That said - and to get back on topic - ARD (http://www.apple.com/remotedesktop/ [apple.com]Apple Remote Desktop) is an invaluable tool and one of the requirements for me taking the job. Looks like the latest version of the ARD client may fix this problem. But if users are turning off the ARD client - how can I push the new, fixed client out to them?

Re:ARDAgent is Apple Remote Desktop

[palegray.net]

BTW, let's all thank Timothy, Pudge, and the rest of the /. gang for ensuring a fresh crop of zombie spambots, shall we? What happened to common courtesy? I thought etiquette dictated giving the manufacturer a heads up and a little time to fix their shit. I guess the ad dollars and attention whoring was just too much too resist. Enjoy your blood money fellas, the internet will suck just a little bit more thanks to you guys.

Seeing as how your username is "MacDork" I've just gotta ask: would you feel the same way if this article described a Windows exploit?

Also, who says Apple wasn't notified of this problem in advance? I'm not saying they were or weren't, but I don't have data either way. This is the same community that loves to lambast Microsoft for their security issues (rightly so, in most cases), but fully supports immediate disclosure of exploits before patches are released by Microsoft (although MS has taken forever to fix many problems). As a network admin, I'm a fan of full disclosure, which gives the ability to do something about the issue until a patch is released. Others see things differently.

Re:Can we get some sources?

[Whiney Mac Fanboy]

It's only trivially replicated if you have access to a mac. Most of us here probably don't.

1) If you don't have a mac, why do you care about the exploit?

2) If you care that much, but don't have access to Apple hardware, run OS X in virtual machine.

Re:ARDAgent is Apple Remote Desktop

[Anonymous Coward]

huge difference between being notified on a security mailing list and having the information plastered on the front page of slashdot

Black hats read security mailing lists. Keeping it off Slashdot only hinders innocent users from taking precautions against the defect.

Re:This is a serious privilege escalation bug, but

[mabinogi]

KDE opens a dialog and asks you if you want the CD to be mounted

I call those "Should I do something stupid" dialogs.

Just out of interest, under which circumstances do you _not_ want a data CD to be mounted when you insert it in your drive?

Your average optical drive is rather expensive to use as a CD case you know.

Even better question

[Moraelin]

My even better question is: why is "bah, it requires physical access" seen as an automatic "don't worry about it" around these parts?

Yes, maybe a home computer doesn't have more people logging in. But:

- Workstations at work have lots of people who can log into them. If I come really early or stay late, I can go to any workstation (and a few laptops) in the building and log in with my own account. If it's possible to escalate your rights from there, I could get access to everyone's local and temporary files. Go see what the department boss is doing. Go see with which suppliers do the purchasing guys deal. I'm sure their competitors will love knowing what kind of discount they could negotiate and still steal that contract. Walk to the other building and get the CAD guys' designs.

Plus there are a lot of people who can physically get near any computer, up to CEO level. Like, say, the janitors.

- Servers even more so. There are servers where hundreds of people can log in. If you can escalate your rights to root, you can get to their files. Or you can install some rootkit on the bloody server. Or even one disgruntled L1 support guy about to quit can escalate his rights, reconfigure the backups, and do a "rm -rf /". Etc.

So basically not arguing with your point, but even _if_ the answer were "OMG, you need to be physically at that computer" or "OMG you'd need to be logged in anyway", it still wouldn't be much of a saving grace. There _are_ more uses for computers than as someone's email and surfing rig at home.

Re:Apple's Knowledge Base reports this is 'safe'

[minimis]

That forum thread and knowledge base article aren't connected to this issue at all, except that both involve ARDAgent.

The claim "Apple's built-in file system permissions verifier really wanted to delete the ARDAgent program" is just nonsense.

Re:Even better question

[TrekkieGod]

My even better question is: why is "bah, it requires physical access" seen as an automatic "don't worry about it" around these parts?...Workstations at work have lots of people who can log into them...Plus there are a lot of people who can physically get near any computer, up to CEO level. Like, say, the janitors.

The reason that requiring physical access is seen as no big deal is because all that stuff you're worried about is something I can do without the need of any exploits.

Got a machine with literally any operating system? All I need is to reboot the computer with a linux live cd (or usb thumb drive) and I get read / write access to everywhere. From there I can plant trojans, read your files, do whatever.

Got a Linux machine? I can reboot and use grub to boot into single-user mode. There you go, I'm root. I can do all the of the above again.

The only way to have any security at the physical level is with encryption. And when we see encryption exploits, we do get hyped up about it. Even with encryption, more security measures still need to be taken at the physical level. A physical keylogger between the keyboard and computer could be installed to discover typed passwords, etc.

That said, an exploit is an exploit, and it should be treated as such. Physical-access only just means there's less to worry about.