
Two ways to possibly close an ARDAgent security hole
Yesterday, Mac software developer Intego published a security memo on an exposure that exists with the ARDAgent application on OS X 10.4 and 10.5. ARDAgent runs when you use Screen Sharing in 10.5, and if you've enabled Remote Management in the System Preferences panel, but this exploit actually works when ARDAgent isn't running. As far as I know, this exploit was first published on the Apple page at Slashdot, though it probably appeared elsewhere earlier.

You can read the details of the exploit in the Slashdot entry, but basically, it relies on the fact that ARDAgent runs as root and can send AppleScript commands, such as do shell script, to the system it's running on. Given ARDAgent is running as root, any shell script launched by ARDAgent also runs as root, so such scripts run without prompting the user for their admin password and have full access to every file on the system. Obviously, this opens up a huge world of hacking possibilities. Unlike some other exploits, this one will also work on even a lowly guest account; an admin account is not required to take advantage of the security hole.

The good news is that this exposure needs to be exploited either by someone who already has access to your Mac, or by tricking you into downloading and running a program designed to look like something benevolent (known as a trojan horse) -- you can't be hacked by simply reading an email or visiting a malicious web page.

There are two ways to lessen and/or remove your exposure to this security hole.

The less-severe solution (but one not guaranteed to be 100% effective) is to enable the Remote Management feature (leave all the "All local users can..." features unchecked) in the Sharing System Preferences panel, as explained in the Intego security memo. When ARDAgent is running, it seems that it can't be used to run scripts in this manner. What I don't really know is if all scripts will fail 100% of the time, or if some scripts may still be able to run. I tested a few different things yesterday, and all failed when I had Remote Management enabled, but there aren't any guarantees -- it's quite possible there are methods that I'm not aware of that may still allow the scripts to execute.

A more-severe but guaranteed effective solution is to disable ARDAgent itself, which is located in /System » Library » CoreServices » RemoteManagement. Just take that file and zip it, so that you can unzip it before you install the hopefully-forthcoming Apple update -- if you delete the file, the update will fail if it's just a patch. Note that this solution will also disable screen sharing, so it may not be usable by everyone (myself included).

Until Apple figures out a way to patch this hole, the best way to stay safe is, as always, to not download and run software from untrusted sources. (Patching it may be tricky, because administrators really do need the ability to run root-enabled scripts remotely and non-interactively ... it will be interesting to see what solution Apple comes up with.)

24 comments
Yet another fix
Authored by: owsla on Jun 20, '08 08:36:11AM
This is yet another fix, suggested in the Slashdot thread. Open a Terminal as an admin user and do:

$ sudo defaults write /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info NSAppleScriptEnabled YES
$ sudo plutil -convert xml1 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
$ sudo chmod 644 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
This seems to restrict ARDAgent to a standard AppleScript dictionary, which does not include the "do shell script" command.

Yet another fix
Authored by: allanmarcus on Jun 23, '08 07:55:34AM

I tried this "fix" on Leopard. No luck. I can still execute the do shell script command.



Two ways to possibly close an ARDAgent security hole
Authored by: leono on Jun 20, '08 08:40:49AM

The first possible fix (turning on Remote Management) doesn't work for me, at least not consistently. I'm using 10.5.3. The first time I enabled Remote Management, I'd get:

Nooch:~ leon$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
23:47: execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)

Indicating that the problem was mitigated. I then disabled Remote Management, and got the same message. So I found and killed a running ARDAgent process, then the exploit worked again. I re-enabled Remote Management, and the exploit continued to work, so I wouldn't trust this fix to solve the problem.



ARDAgent vs Screensharing
Authored by: murat on Jun 20, '08 09:27:20AM

On my two machines, zipping up ARDAgent then deleting it did NOT disable screensharing. It does disable Remote Management.



Two ways to possibly close an ARDAgent security hole
Authored by: mike3k on Jun 20, '08 10:31:20AM
You could simply clear ARDAgent's setuid bit:
sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Now I get the result:
$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
mike


Two ways to possibly close an ARDAgent security hole
Authored by: gxw on Jun 20, '08 06:25:17PM

Did this too.
Get my user id as the result when I run the command now.
Before the change, running the sample script resulted in a hang and a AppleEvent timed out. (-1712) error. Weird.



Two ways to possibly close an ARDAgent security hole
Authored by: Dr. T on Jun 20, '08 10:38:27AM

"Patching it may be tricky, because administrators really do need the ability to run root-enabled scripts remotely and non-interactively..."

I see no reason why a patch cannot work. An admin name and password should be required before the Mac will run root-enabled scripts (at the computer or remotely). The Trojan Horse software cannot send the password. All Apple has to do is disallow root access to ARDAgent unless admin name and password are entered.



Two ways to possibly close an ARDAgent security hole
Authored by: allanmarcus on Jun 20, '08 03:34:41PM

How do you propose to transmit the admin user's password to the client machine over the network?

1) plain text. bad idea
2) encrypted: well, it has to be decrypted and it could be intercepted then.
3) ssh keypairs? this is starting to move in the right direction, but think of the vulnerability if the private key were compromised.
4) kerberos? might work, but most organizations don't run a KDC, although many do.
5) Directory Service integration? This is also a good idea. Don't send any password; just have to somehow prove to the client that the person running the script is in an admin group.

Any way you slice it, it is a hard problem. The main issue is that Apple uses a push architecture, not pull. This means that the admin pushes a script onto the client rather than the client connecting to a server and pulling the script. If the client pulls the script, only the process that does the checking for tasks needs to have root privs. As long as ARD does a push, it will be vulnerable. In places where security matters (like the US government, where I work) push technologies are generally not allowed for configuration management.

Just my 2 cents.



Two ways to possibly close an ARDAgent security hole
Authored by: allanmarcus on Jun 20, '08 04:19:05PM

Turning on Remote Management is no defense. Take for example this simple AppleScript:

property theUser : ""
do shell script "kill `ps -acx | grep ARDAgent | awk '{print $1}'`"
tell application "ARDAgent"
set theUser to do shell script "whoami"
end tell
display alert "You are: " & theUser

This can be run as a regular user and you will get root access. Note: you may need to run the script more than once to get the "root" output.

The simplest way to deal with this vulnerability is to remove the setuid bit from the agent:

sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

This line of code needs to be run after any updates to make sure the SetUID bit is still set off.

I received a message from Apple Enterprise Support that essentially said Apple engineering is well aware of this whole ARDAgent issue and is working on a solution. Until then, turning off the SetUID bit and having reduced functionality is the best defense.

-Allan Marcus



Two ways to possibly close an ARDAgent security hole
Authored by: mbroughtn on Jun 21, '08 07:58:54AM

The one problem with this solution is that Repairing Permissions will change the permissions back to -rwsr-xr-x. The security problem is there again. This will be the case with any solutions that involve changing permissions.



Two ways to possibly close an ARDAgent security hole
Authored by: V.K. on Jun 26, '08 09:28:20PM
you are right but this can be dealt with by locking the file after removing the s-bit: sudo chflags uchg /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

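The shell-level mitigation discussed in the comments above (clear the setuid bit with chmod -s / chmod u-s, then chflags uchg so that Repair Permissions cannot put -rwsr-xr-x back) and the hint's own approach of removing or archiving the agent, combined into one re-runnable audit script. This is an added example, not code from the hint or from any commenter. It assumes the ARDAgent path quoted in the thread as its default, uses only POSIX `test -u` and `chmod u-s` for the parts that work on any Unix, and treats chflags as optional because it exists only on BSD-derived systems such as macOS. The function names are this example's own; run it as root when pointing it at the real path.

```shell
#!/bin/sh
# Added example, not code from the hint or any commenter: audit the setuid
# bit on a binary, clear it, optionally lock the file, and verify, so the
# same check can be re-run after a software update or Repair Permissions
# restores the original -rwsr-xr-x mode.
# The default path below is the ARDAgent location quoted in the thread.

ARDAGENT_DEFAULT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# setuid_state FILE -> prints one of: missing, setuid, clear
# "missing" also covers the hint's approach of zipping the app and deleting it.
setuid_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
    elif [ -u "$f" ]; then      # POSIX test -u: the setuid bit is set
        echo setuid
    else
        echo clear
    fi
}

# clear_setuid FILE -> chmod u-s (needs root on the real path), then return 0
# only if the bit is verifiably gone; a chmod that silently fails is an error
clear_setuid() {
    f=$1
    [ -e "$f" ] || { echo "no such file: $f" >&2; return 2; }
    chmod u-s "$f" || return 1
    [ "$(setuid_state "$f")" = clear ]
}

# lock_file FILE -> set the BSD user-immutable flag (the chflags uchg step from
# the thread) so Repair Permissions cannot restore the mode; skipped where
# chflags does not exist, e.g. on Linux
lock_file() {
    if command -v chflags >/dev/null 2>&1; then
        chflags uchg "$1"
    else
        echo "chflags not available, immutable flag not set" >&2
    fi
}

# audit_and_fix FILE [lock] -> print the state, remediate if setuid, print again.
# Returns non-zero only if remediation was needed and did not succeed.
audit_and_fix() {
    f=${1:-$ARDAGENT_DEFAULT}
    lock=${2:-nolock}
    state=$(setuid_state "$f")
    echo "$f: $state"
    case $state in
        setuid)
            clear_setuid "$f" || return 1
            if [ "$lock" = lock ]; then
                lock_file "$f"
            fi
            echo "$f: $(setuid_state "$f")"
            ;;
        *)
            return 0    # already clear, or removed/archived as the hint suggests
            ;;
    esac
}

# Usage: sh ardagent_setuid_check.sh [path] [lock]
if [ -n "${1:-}" ]; then
    audit_and_fix "$1" "${2:-nolock}"
fi
```

Because updates and Repair Permissions undo the chmod, the useful property here is that audit_and_fix is idempotent and reports its result: it can be run from a periodic job or after every update, and a line ending in "setuid" is the signal that the mode came back. Locking with chflags uchg is deliberately a separate, opt-in step, since a locked file will also block the forthcoming Apple update until it is unlocked with chflags nouchg.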
Two ways to possibly close an ARDAgent security hole
Authored by: Fairly on Jun 20, '08 07:45:22PM
The most fun way to neutralize this hole was suggested by Jay Beale. It's found at the bottom of this page.

http://rixstep.com/1/20080620,00.shtml

You simply use ARDAgent to neutralize itself.

Two ways to possibly close an ARDAgent security hole
Authored by: allanmarcus on Jun 23, '08 07:57:04AM

a repair permissions will simply set the ARDAgent back :-(



Two ways to possibly close an ARDAgent security hole
Authored by: Naroon on Jun 21, '08 05:16:24AM

It's not at all that big of a problem. Apple already sends login/passwords encrypted through ARD.



Two ways to possibly close an ARDAgent security hole
Authored by: mshmgi on Jun 23, '08 05:50:02AM
You have underestimated the impact of this problem.

This is the worst security hole I have ever seen in OS X. Imagine the following scenario ...

Hacker writes an application that you install on your computer. The application contains the following bit of code:

osascript -e 'tell app "ARDAgent" to do shell script "rm -Rf /"';

Your entire hard drive has just been erased.

This security hole allows the script author to do ANYTHING they darn-well please with your machine, including (but not limited to):

  • Installing key loggers
  • Generating spam
  • Using your machine as a proxy server for other illegal activities



Martin Kuo's solution
Authored by: sudogeek on Jun 21, '08 10:24:47AM
As detailed in his blog here.

It works for me.


Martin Kuo's solution
Authored by: Fairly on Jun 21, '08 10:37:05AM

If indeed modifying Info.plist works then it's rather crucial to point out the file must be protected from modification afterwards. Make sure the file's owned by root:wheel and cannot be modified by anyone. This isn't pointed out in Kuo's article but it's absolutely essential.



Two ways to possibly close an ARDAgent security hole
Authored by: allanmarcus on Jun 21, '08 07:51:21PM

Correct! Good point. I hope Apple comes up with a solution soon.



i have these 2 notes
Authored by: fursonice on Jun 22, '08 12:43:09AM

pb from the /. article a few days back.

sorry, don't know if they are true or relevant, but may be of use:

1.
A remote terminal session doesn't get you access to the OS X GUI, which is where AppleScript is found.

2.
Here's a non-destructive way to neutralize it.

cd /System/Library/CoreServices/RemoteManagement/
sudo tar -czf ARDAgent.app.gz ARDAgent.app
sudo chmod 600 ARDAgent.app.gz

This simply hides it in an unreadable tarball.



Two ways to possibly close an ARDAgent security hole
Authored by: jaguarcy on Jun 22, '08 06:34:09PM
Simply prevent ARDAgent from being allowed to run scripts as root...:

% osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
root
% sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
% osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
Constantinos


Two ways to possibly close an ARDAgent security hole
Authored by: allanmarcus on Jun 23, '08 07:58:18AM

until a repair permission is run, then the problem returns.



Two ways to possibly close an ARDAgent security hole
Authored by: hintuser on Jun 27, '08 08:47:55AM

If you don't like to "play" with Terminal command lines, you will appreciate this simple script to defend yourself against this ARDAgent weakness.

Copy this script in Script Editor and run it; it will ask you to enter your admin password, correct the problem and show you that ARDAgent, from now on, can ONLY run scripts with your regular permissions, not as root as before.

The script:

do shell script "sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" with administrator privileges

tell application "ARDAgent"
set running_as to do shell script "whoami"
end tell
display dialog "Running as " & running_as



Two ways to possibly close an ARDAgent security hole
Authored by: allanmarcus on Aug 04, '08 10:35:21AM

The ARDAgent issue seems to be resolved with the 2008-005 security update.



Two ways to possibly close an ARDAgent security hole
Authored by: jfurrer on Dec 02, '09 06:50:26AM

Can anyone confirm that this hole is indeed patched?
I still see the ARDAgent.app error during permissions repair.

Have been trying some fixes following having an online game account hacked and unable to trace how they came to gain access... But, using the provided terminal code - all the terminal commands give me:

"whoami" still results in "root"
Ran sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
results in "execution error: ARDAgent got an error: AppleEvent timed out. (-1712)"

Running 10.6.2 with all available Apple updates.

Thanks to any replies!

Kindest regards,
--J


