http://www.macnn.com/articles/08/06/19/remote.mgmt.exploit/

Remote Management exploit found in Mac OS X

updated 03:05 pm EDT, Thu June 19, 2008

A new vulnerability connected to Mac OS X's Remote Management feature has been discovered, says the security firm Intego. The issue is specifically associated with ARDAgent, a component of the feature, which has its "setuid" bit set. Because a setuid-root executable runs with the privileges of its owner (root) rather than those of the user who launches it, ARDAgent may potentially be used to gain root-level access to the system without a password.

In theory, an attacker would persuade a user to run malicious code, which would then take advantage of ARDAgent to run one or more AppleScripts with root privileges. The damage from such scripts could be serious, Intego notes, ranging in impact from altering system settings to deleting all files on a hard drive.

The vulnerability affects both Mac OS X Tiger and Leopard, and user accounts of any privilege level. It can allegedly be stopped, however, by simply enabling Remote Management in the Sharing pane under Leopard's System Preferences, or in Tiger's optional Apple Remote Desktop client. Activating or deactivating Screen Sharing has no effect on security.

For extra security Intego recommends that VirusBarrier X5 owners download today's new virus definitions, which disable ARDAgent's capacity for running AppleScripts.


by MacNN Staff

TAGS: security, Leopard, Tiger, networking, Mac OS X

Comments

  1. Marook

    Forum Regular

    Joined: May 1999

    0

    Are people stupid?

    Ok, how is this any different than asking people to download any normal job and ask them to Authenticate?

    And VirusBarrier just disables ARD's capability to run AppleScripts completely? Why not simply turn off ARD if your IT department allows it?

    Anyway, any ARD installation requires you to enable user accounts that can run commands on the computer... so you need a login/password for one account that can do that first..

  1. dliup

    Fresh-Faced Recruit

    Joined: Jan 2006

    +1

    Potentially my as$

    If they could, they would demo it. Sure, there is a "potential", as much as I have the potential to become the next billionaire by hitting 10 lotteries at once.

  1. Guest

    Fresh-Faced Recruit

    Joined: Nov 1999

    0

    DUP POST

    deleted

  1. Marook

    Forum Regular

    Joined: May 1999

    +1

    Ok, just read the article

    and Intego states: "If the user has ACTIVATED ARD..." it's not vulnerable to the attack. So that means:

    1: If you've ACTIVATED the ARD service, it will handle security!

    2: How are you able to USE ARD services if it's not activated? Because the exe is still there, and you then have to fool the LOCAL user to run the code?

    So, this is not a threat in my eyes, as ARD has to be turned off, and you then have to fool the user into running your code... plain, normal trojan horse here... move on..

  1. Guest

    Fresh-Faced Recruit

    Joined: Nov 1999

    +2

    Enabling?

    "It can allegedly be stopped, however, by simply enabling Remote Management in the Sharing pane under Leopard's System Preferences, or Tiger's optional Apple Remote Desktop client."

    Is that right? ENABLING Remote Management fixes this NOT DISABLING? Can you say counter-intuitive?

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -3

    Re: are people stupid?

    Apparently...

    Ok, how is this any different than asking people to download any normal job and ask them to Authenticate?

    Easy, because you DO NOT GET ASKED TO AUTHENTICATE! The setuid bit means that whoever runs the program, it is owned by the owner of the program, not the person running it. So, if you launch this program, it is owned by root, not you, and, as such, you have all the rights of root.

    And VirusBarrier just disables ARD's capability to run AppleScripts completely? Why not simply turn off ARD if your IT department allows it?

    Actually turning it off causes the problem to appear. You need to turn it on to stop it.

  1. JeffHarris

    Fresh-Faced Recruit

    Joined: Oct 1999

    +2

    Grain of Salt

    Any "warning" that comes from an anti-virus selling software company I can't take very seriously. Certainly not until some reputable source, like Apple, confirms it.

    McAfee and Symantec have both pulled this kind of c*** in the past hoping that some wave of panic will drive up their sales.

    Is this a similar "event"?

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -7

    couple o' things

    Potentially my as$...

    If they could, they would demo it. Sure, there is a "potential", as much as I have the potential to become the next billionaire by hitting 10 lotteries at once.

    Oh, give it up. If they did demo it, you'd be all over their a** for showing people how it could be done before giving Apple time to fix it!

    2: How are you able to USE ARD services if it's not activated? Because the exe is still there, and you then have to fool the LOCAL user to run the code?

    Well, when you make it sound so hard, 'fooling' someone into running some code, like it has a big skull and cross bones on it saying "Don't open!", but you still somehow get someone to run it. But what if it's in some new piece of software you just saw on MacNN that looked interesting? h***, you don't know what's in any software you're running. Someone at Adobe could shove a quick line or two into the next update to CS3 for all you know.

    So, this is not a threat in my eyes, as ARD has to be turned off, and you then have to fool the user into running your code... plain, normal trojan horse here... move on..

    Not a plain trojan horse. A plain trojan wouldn't have access to your entire computer (at least not without authenticating). This exploit would allow such a condition (which means someone could install some nice keyboard logging kexts without your knowledge, say).

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -8

    oh...

    ...bear in mind that another use for such an exploit is for a user on a specific computer to raise their privilege levels to perform unapproved tasks. So, for example, if someone sits down and logs into your computer at work (even in restricted mode), this exploit would allow the user to run a program to access parts of the system they otherwise would not be able to.

    This would be a concern in any business environment. Even more so if there's sensitive data stored 'securely' on said computer.

  1. Guest

    Fresh-Faced Recruit

    Joined: Nov 1999

    0

    Has anybody tried it?

    Maybe the guys from Intego just don't know that MacOS completely ignores the "suid" flag. In order to enable suid processing, special mount options for the root volume are required.
