
Printed from http://www.macnn.com

AppleScript flaw allows root access

updated 06:15 pm EDT, Wed June 25, 2008

AppleScript flaw

A MacNN forum poster reports on a serious flaw in Mac OS X's implementation of AppleScript. Essentially, applications that are running as root can accept AppleScript commands from applications that are not running as root -- and since every Cocoa application automatically gets some basic AppleScript support, this means that any time a Cocoa application runs as root, anyone else can send it a "do shell script" command and run other commands or applications as root. This is compounded by the fact that Apple ships an AppleScript application with its setuid bit set out of the box.

As described by the poster: "If a GUI app runs as root, you've already got a problem, you say? Well, I said yeah, Cocoa and Carbon apps shouldn't be running as root, but this stuff does happen - badly written installers sometimes launch themselves as root, as do some utility programs, along with the popular lab management program 'iHook' - and it only takes one such screwup to allow hackers to root your computer. But no, they decided to flag it 'Behaves Correctly' and ignore it."

Running the command:

osascript -e 'tell application "ARDAgent" to do shell script "whoami"'

will execute the shell command as root.

As a temporary workaround, open Terminal and run this command, which clears the setuid bit on the ARDAgent executable:

sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Do not repair permissions afterwards, or the fix will be undone.
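A check for the condition described above, as an added example (not from the article or from Apple): it lists setuid executables in the `Contents/MacOS` directory of `.app` bundles and tests whether ARDAgent still has the bit set, so it can be re-run after a permissions repair. The function names and the directories passed on the command line are assumptions of this example; the ARDAgent path is the one given in the article.

```shell
#!/bin/sh
# Added example: audit app bundles for setuid executables.
# Usage: sh audit_setuid.sh /System/Library/CoreServices /Applications

# Path named in the article.
ARDAGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# Print every regular file with the setuid bit set that sits in the
# Contents/MacOS directory of an .app bundle below the given roots.
# Check the owner of each hit with `ls -l`; root-owned is the case at issue.
list_setuid_bundle_executables() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -perm -4000 \
            -path '*.app/Contents/MacOS/*' -print 2>/dev/null
    done
}

# Return 0 if FILE has the setuid bit set, 1 if not, 2 if FILE is missing.
has_setuid() {
    [ -e "$1" ] || return 2
    [ -u "$1" ]
}

# Report findings; return 1 when at least one setuid executable is found.
audit() {
    found=$(list_setuid_bundle_executables "$@")
    if [ -n "$found" ]; then
        printf 'setuid executables inside app bundles:\n%s\n' "$found"
        return 1
    fi
    printf 'no setuid executables in app bundles under: %s\n' "$*"
    return 0
}

# Run the audit only when search roots are given on the command line.
if [ "$#" -gt 0 ]; then
    if has_setuid "$ARDAGENT"; then
        printf 'ARDAgent is still setuid: %s\n' "$ARDAGENT"
    fi
    audit "$@"
    exit $?
fi
```

A non-zero exit status means a setuid bundle executable is present, which makes the script usable from a scheduled job that runs after system updates or permission repairs.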




by MacNN Staff


Comments

  1. calverson

    Joined: Dec 1969

    +2

    wow

    I hope that this gets fixed soon!

    I can't imagine having Norton pop up on my MAC in LEOPARD asking me

    "Application_Name is trying to run Process as root. Click allow if this is a trusted application..."

    Would feel WAY too much like a M$ OS.

  1. ShadowKatana

    Joined: Dec 1969

    +2

    CharlesS

    With the intention of giving credit where credit is due, the "MacNN forum poster" is CharlesS. Nice catch. :)

  1. jpellino

    Joined: Dec 1969

    -6

    this just in...

    Good to see CharlesS has just started catching up on last week's news. (This has been on Slashdot since the 18th, and all over the place since then...)

  1. jpellino

    Joined: Dec 1969

    +5

    Props...

    CharlesS was on this on the 19th. It's MacNN who's just getting around to noticing what's on their own site.

  1. leamanc

    Joined: Dec 1969

    0

    What happened to MacNN?

    MacNN used to be among the first to report breaking Mac stories. This one is very old by now.

    About the flaw, it requires either physical access to the machine, or an ssh'ed login. It's hardly exploitable in the wild, unless someone were to craft a social engineering-type application that a really dumb user would fall for.

  1. ViktorCode

    Joined: Dec 1969

    0

    Same problem as before

    I believe this is just a wider use of a trick reported before as "remote access vulnerability". Right, CharlesS? First was reported as a method employed by a trojan to gain root access. So leamanc is right - essentially this does require physical access.

  1. dimmer

    Joined: Dec 1969

    0

    Well

    Yes, this is "just" the Apple Remote Desktop agent issue as of now, as only the ARDA app is scriptable and runs as root. The issue is that another hypothetical application running as root and allowing AppleScript access could/would show the same problem.

    So Apple can quick-fix by not running the ARDA client as root, or they can try to make AppleScript "know" when a requesting application is not root and asking for an application which -is- root to do something. The latter shouldn't be too onerous, but the core problem here is that for Apple Remote Desktop to do much of its goodness it does (as far as I can tell) need root/sudo access.

  1. testudo

    Joined: Dec 1969

    -3

    security

    Again, the same ol c*** from the security naive.

    "About the flaw, it requires either physical access to the machine, or an ssh'ed login. It's hardly exploitable in the wild, unless someone were to craft a social engineering-type application that a really dumb user would fall for."

    First, why would one have to be 'really dumb' to fall for a social-engineering type application? These are called 'trojans', and can be in any type of application (even something from a 'trusted' source). And as Windows has shown, there are a lot of dumb users out there, anyway (oh, right, if you're smart enough to use a mac, you'd never fall for this).

    Second, please understand this affects ANY Cocoa app that runs as root. So it isn't a matter of fixing just ARDA, but fixing the security-hole in the framework or the communication. And, of course, fixing such things in 10.4 and possibly 10.3 as well.

    Third, the continued argument that "need physical access" just points to how much Macs are just 'personal' computers and have made no inroads into businesses, schools, internet cafes, etc. Because if they did exist there, people would be A LOT more concerned over some user logging in to a shared computer as a 'restricted' user, running a program, and then installing all sorts of things, like key loggers, file scrubbers, etc.

    But, hey, if the only macs you use are yours, and you're the only one who touches them, and you never run any software not produced by a 'trusted' source (and by trusted I mean basically large corporations) or where the program is Open-Sourced, and you've scanned the entire source tree to make sure someone didn't sneak in an exploit on this (it has happened in the past), then, yes, you can probably ignore this.

  1. fitter

    Joined: Dec 1969

    -1

    iHook is not vulnerable

    iHook is not vulnerable to any such attack. It's also not lab management software. See ihook.org.
