Enabling Secure Business Operations

Apple SUID problem

More technical details can be found at this excellent piece at Matasano Chargen.

Tiger and Leopard shipped with the Apple Remote Desktop agent (ARDAgent) installed SUID root. To make it worse, it supports AppleScript, and one of the actions it supports is “do shell script”. You can see where this is leading. This type of vulnerability (root access through a SUID root program) is one that I would classify as ancient. Most developers of SUID root programs really look at the code and make sure they’re not doing something this stupid.

The solution is easy: if you’re not using Apple Remote Desktop, remove it, or chmod u-s it (removes the SUID bit).
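As an added example (not from the original post), this POSIX shell sketch audits a directory for setuid files, flags any that are not on an allowlist, and clears the bit with the same `chmod u-s` described above. The function names and the allowlist format (one absolute path per line) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit setuid executables and clear the bit where it is not needed.

# list_setuid DIR: print every regular file under DIR that has the setuid bit set.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# is_setuid FILE: succeed only if FILE is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# unexpected_setuid DIR ALLOWLIST: print setuid files under DIR that are not
# listed in ALLOWLIST (hypothetical format: one absolute path per line).
unexpected_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        grep -Fxq -- "$f" "$2" || printf '%s\n' "$f"
    done
}

# drop_setuid FILE: clear the setuid bit and confirm that it is really gone.
drop_setuid() {
    is_setuid "$1" || return 0      # nothing to do
    chmod u-s "$1" && ! is_setuid "$1"
}

# When run as: script DIR ALLOWLIST, report the unexpected setuid files.
if [ $# -eq 2 ]; then
    unexpected_setuid "$1" "$2"
fi
```

Review the report before calling `drop_setuid` on anything; a system update can restore the original permissions, so the audit is worth re-running afterwards.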

However, this vulnerability does need local access, so it’s somewhat difficult to exploit unless you regularly leave your Mac logged in at a coffee shop while you use the facilities.

What it does bring up is how much Apple is investing in secure development and security. If this (quite old-style) vulnerability got through, what else would? Of course, Apple may not have any security employees old enough to remember these types of vulnerabilities. History, even of old systems and old vulnerabilities, is still useful for teaching students.

One Response to “Apple SUID problem”

  1. Anil Polat Says:

    This last point is very interesting and will be a growing problem:

    “Of course, Apple may not have any security employees old enough to remember these types of vulnerabilities. History, even of old systems and old vulnerabilities, is still useful for teaching students.”

    People age but old systems stick around for a lot longer…
