
Printed from http://www.macnn.com

Remote Management exploit found in Mac OS X

updated 03:05 pm EDT, Thu June 19, 2008

Remote Mgmt. exploit

A new vulnerability connected to Mac OS X's Remote Management feature has been discovered, says the security firm Intego. The issue is specifically associated with ARDAgent, a component of the feature, which has the "setuid" bit set. An executable with this bit set runs with the privileges of its owner (here, root) rather than those of the user who launched it, so ARDAgent may potentially be used to gain access to base functions without a password.
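To make the setuid point concrete from a defender's side, here is an added POSIX shell example (not code from the article, MacNN or Intego) that audits an `ls -l`-style listing for executables that are both setuid and owned by root, which is exactly the combination the article describes for ARDAgent. The sample listing is constructed and its paths are illustrative placeholders; only `live_audit` touches the real filesystem, using the standard `find -perm -4000 -user root` test.

```shell
#!/bin/sh
# Added example: find setuid-root executables in a long listing.
# SAMPLE_LISTING is constructed for this example; the paths are placeholders
# and are not taken from the article.

SAMPLE_LISTING='-rwsr-xr-x  1 root  wheel  123456 Jun 19 2008 /Example/RemoteManagement/ARDAgent
-rwxr-xr-x  1 root  wheel   65432 Jun 19 2008 /Example/bin/harmless
-rwsr-xr-x  1 alice staff    9999 Jun 19 2008 /Example/Users/alice/tool
-r-sr-xr-x  1 root  wheel    1111 Jun 19 2008 /Example/usr/bin/passwd'

# is_setuid_root "<ls -l line>"
# Returns 0 when the owner-execute slot (4th character of the mode string)
# is 's' or 'S', i.e. the setuid bit is set, AND the file owner is root.
is_setuid_root() {
    line=$1
    perms=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    bit=$(printf '%s\n' "$perms" | cut -c4)
    case "$bit" in
        s|S) [ "$owner" = "root" ] ;;
        *)   return 1 ;;
    esac
}

# list_setuid_root: reads a listing on stdin, prints the path of every
# setuid-root entry (the last whitespace-separated field of each line).
list_setuid_root() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_setuid_root "$line"; then
            printf '%s\n' "$line" | awk '{print $NF}'
        fi
    done
}

# count_setuid_root: number of setuid-root entries in the constructed sample.
count_setuid_root() {
    printf '%s\n' "$SAMPLE_LISTING" | list_setuid_root | wc -l | tr -d ' '
}

# live_audit DIR: the same check against a real directory tree.
# -perm -4000 matches files with the setuid bit; -user root restricts to root.
live_audit() {
    find "$1" -type f -perm -4000 -user root -exec ls -l {} \; 2>/dev/null
}

# Stand-alone run: show which sample entries would be flagged.
printf '%s\n' "$SAMPLE_LISTING" | list_setuid_root
```

On the constructed sample, only the ARDAgent-style entry and the `passwd`-style entry are reported: `harmless` lacks the setuid bit, and `alice`'s tool is setuid but not root-owned, so it does not grant root. A setuid-root binary such as `passwd` is expected and normal; the point of the audit is to notice setuid-root executables whose presence you cannot explain, or, as in the article's case, ones known to hand their privileges to untrusted input.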

In theory, an attacker would persuade a user to run malicious code, which would then take advantage of ARDAgent to run one or more AppleScripts. The damage from such scripts could be serious, Intego notes, ranging in impact from altering system settings to deleting all files on a hard drive.

The vulnerability affects both Mac OS X Tiger and Leopard, and any level of user account. It can allegedly be stopped, however, by simply enabling Remote Management in the Sharing pane under Leopard's System Preferences, or Tiger's optional Apple Remote Desktop client. Activating or deactivating Screen Sharing has no effect on security.

For extra security Intego recommends that VirusBarrier X5 owners download today's new virus definitions, which disable ARDAgent's capacity for running AppleScripts.


Comments

  1. Marook

    0

    Are people stupid?

    Ok, how is this any different than asking people to download any normal job and ask them to Authenticate?

    And VirusBarrier just disables ARD's capability to run AppleScripts completely? Why not simply turn off ARD if your IT department allows it?

    Anyway, any ARD installation requires you to enable user accounts that can run commands on the computer... so you need a login/password for one account that can do that first..

  1. dliup

    +1

    Potentially my as$

    If they could, they would demo it. Sure, there is a "potential", as much as I have the potential to become the next billionaire by hitting 10 lotteries at once.

  1. Guest

    0

    DUP POST

    deleted

  1. Marook

    +1

    Ok, just read the article

    and Intego state: "If the user has ACTIVATED ARD..." it's not vulnerable to the attack. So that means:

    1: If you've ACTIVATED the ARD service, it will handle security!

    2: How are you able to USE ARD services if it's not activated? Because the exe is still there, and you then have to fool the LOCAL user to run the code?

    So, this is not a threat in my eyes, as ARD has to be turned off, and you then have to fool the user into running your code... plain, normal trojan horse here... move on..

  1. Guest

    +2

    Enabling?

    "It can allegedly be stopped, however, by simply enabling Remote Management in the Sharing pane under Leopard's System Preferences, or Tiger's optional Apple Remote Desktop client."

    Is that right? ENABLING Remote Management fixes this NOT DISABLING? Can you say counter-intuitive?

  1. testudo

    -3

    Re: are people stupid?

    Apparently...

    Ok, how is this any different than asking people to download any normal job and ask them to Authenticate?

    Easy, because you DO NOT GET ASKED TO AUTHENTICATE! The setuid bit means that whoever runs the program, it is owned by the owner of the program, not the person running it. So, if you launch this program, it is owned by root, not you, and, as such, you have all the rights of root.

    And VirusBarrier just disables ARD's capability to run AppleScripts completely? Why not simply turn off ARD if your IT department allows it?

    Actually turning it off causes the problem to appear. You need to turn it on to stop it.

  1. JeffHarris

    +2

    Grain of Salt

    Any "warning" that comes from an anti-virus selling software company I can't take very seriously. Certainly not until some reputable source, like Apple, confirms it.

    MacAfee and Symantec have both pulled this kind of c*** in the past hoping that some wave of panic will drive up their sales.

    Is this a similar "event"?

  1. testudo

    -7

    couple o' things

    Potentially my as$...

    If they could, they would demo it. Sure, there is a "potential", as much as I have the potential to become the next billionaire by hitting 10 lotteries at once.

    Oh, give it up. If they did demo it, you'd be all over their a** for showing people how it could be done before giving Apple time to fix it!

    2: How are you able to USE ARD services if it's not activated? Because the exe is still there, and you then have to fool the LOCAL user to run the code?

    Well, when you make it sound so hard, 'fooling' someone into running some code, like it has a big skull and crossbones on it saying "Don't open!", but you still somehow get someone to run it. But what if it's in some new piece of software you just saw on MacNN that looked interesting? h***, you don't know what's in any software you're running. Someone at Adobe could shove a quick line or two into the next update to CS3 for all you know.

    So, this is not a threat in my eyes, as ARD has to be turned off, and you then have to fool the user into running your code... plain, normal trojan horse here... move on..

    Not a plain trojan horse. A plain trojan wouldn't have access to your entire computer (at least not without authenticating). This exploit would allow such a condition (which means someone could install some nice keyboard logging kexts without your knowledge, say).

  1. testudo

    -8

    oh...

    ...bear in mind that another use for such an exploit is for a user on a specific computer to raise their privilege levels to perform unapproved tasks. So, for example, if someone sits down and logs into your computer at work (even in restricted mode), this exploit would allow the user to run a program to access the system in ways they otherwise would not be able to.

    This would be a concern in any business environment. Even more so if there's sensitive data stored 'securely' on said computer.

  1. Guest

    0

    Has everybody tried it?

    Maybe the guys from Intego just don't know that MacOS completely ignores the "suid" flag. In order to enable suid processing, special mount options for the root volume are required.
