updated 06:15 pm EDT, Wed June 25, 2008
A MacNN forum poster reports a serious flaw in Mac OS X's handling of AppleScript. Essentially, applications running as root accept AppleScript commands from applications that are not running as root -- and since every Cocoa application automatically gets some basic AppleScript support, any time a Cocoa application runs as root, any unprivileged process on the machine can send it a "do shell script" command and run arbitrary commands or applications as root. This is compounded by the fact that Apple ships such a scriptable application, ARDAgent (the Apple Remote Desktop agent), with its setuid root bit set out of the box, so no misbehaving installer is even needed to get a scriptable application running as root.
As described by the poster: "If a GUI app runs as root, you've already got a problem, you say? Well, I said yeah, Cocoa and Carbon apps shouldn't be running as root, but this stuff does happen - badly written installers sometimes launch themselves as root, as do some utility programs, along with the popular lab management program 'iHook' - and it only takes one such screwup to allow hackers to root your computer. But no, they decided to flag it 'Behaves Correctly' and ignore it."
Running the following command from an ordinary, non-administrator user account:
osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
prints "root" on an unpatched system, showing that the shell command ran with root privileges; any other command can be substituted for whoami.
The problem can be worked around temporarily by launching the Terminal and removing the setuid bit from the agent's executable:
sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
Note that running Repair Disk Permissions (Disk Utility) restores the setuid bit and undoes the fix, so the command has to be re-run after any permissions repair.
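The following shell script is an added example and is not part of the MacNN post or of Apple's tooling. It turns the workaround above into something you can re-run after a permissions repair: it checks whether the shipped ARDAgent binary is still setuid root, drops the bit only when it is set, and, more generally, lists every setuid executable inside a .app bundle under a given directory, since any such application is a candidate for the "do shell script" attack if it is scriptable. Only the ARDAgent path comes from the article; the function names and the scan directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the MacNN post): audit for setuid executables inside
# application bundles and verify the ARDAgent chmod workaround took effect.
# Only the ARDAgent path is from the article; everything else is assumed.

ARDAGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# is_setuid FILE: succeed if FILE exists and its set-user-ID bit is set.
# POSIX `test -u` reads the bit directly, so this behaves the same on macOS
# and Linux without stat(1) flag differences.
is_setuid() {
    [ -u "$1" ]
}

# owner_of FILE: print the owning user name (third column of ls -l).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# is_setuid_root FILE: the dangerous combination the article describes,
# an executable that is setuid AND owned by root.
is_setuid_root() {
    is_setuid "$1" && [ "$(owner_of "$1")" = "root" ]
}

# list_setuid_in_bundles DIR...: print every setuid executable found in the
# Contents/MacOS directory of a .app bundle below the given directories.
# Each hit runs with its owner's privileges when launched by any user, so a
# root-owned hit that is AppleScriptable is exploitable exactly like ARDAgent.
list_setuid_in_bundles() {
    find "$@" -type f -perm -4000 -path '*.app/Contents/MacOS/*' 2>/dev/null
}

# drop_setuid FILE: apply the article's workaround (chmod 755) only when the
# bit is actually set, so the function is safe to re-run after a permissions
# repair. Succeeds when the file is no longer setuid.
drop_setuid() {
    if is_setuid "$1"; then
        chmod 755 "$1"
    fi
    ! is_setuid "$1"
}

# check_ardagent: report whether the shipped ARDAgent is still setuid root.
# Returns 0 when safe, 1 when still exploitable, 2 when ARDAgent is absent.
check_ardagent() {
    if [ ! -e "$ARDAGENT" ]; then
        echo "ARDAgent not present at $ARDAGENT"
        return 2
    fi
    if is_setuid_root "$ARDAGENT"; then
        echo "VULNERABLE: $ARDAGENT is setuid root"
        return 1
    fi
    echo "OK: $ARDAGENT is not setuid root"
    return 0
}

# Usage on a Mac (as root, since chmod on a system file needs it):
#   check_ardagent || drop_setuid "$ARDAGENT"
#   list_setuid_in_bundles /Applications /System/Library/CoreServices
```

drop_setuid is idempotent on purpose: put it in a login hook or a periodic job and it silently re-applies the workaround whenever Repair Disk Permissions has restored the bit. list_setuid_in_bundles finds the broader class of problem the poster describes, applications that run as root regardless of who launched them, so you can review each one for AppleScript support rather than only watching ARDAgent.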