

Two ways to possibly close an ARDAgent security hole
Authored by: allanmarcus on Jun 20, '08 04:19:05PM

Turning on Remote Management is no defense. Take for example this simple AppleScript:

property theUser : ""
do shell script "kill `ps -acx | grep ARDAgent | awk '{print $1}'`"
tell application "ARDAgent"
set theUser to do shell script "whoami"
end tell
display alert "You are: " & theUser

This can be run as a regular user and you will get root access. Note: you may need to run the script more than once to get the "root" output.

The simplest way to deal with this vulnerability is to remove the setuid bit from the agent:

sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

This line of code needs to be run after any updates to make sure the SetUID bit is still set off.

I received a message from Apple Enterprise Support that essentially said Apple engineering is well aware of this whole ARDAgent issue and is working on a solution. Until then, turning off the SetUID bit and having reduced functionality is the best defense.

-Allan Marcus

Two ways to possibly close an ARDAgent security hole
Authored by: mbroughtn on Jun 21, '08 07:58:54AM

The one problem with this solution is that Repairing Permissions will change the permissions back to -rwsr-xr-x. The security problem is there again. This will be the case with any solutions that involve changing permissions.

Two ways to possibly close an ARDAgent security hole
Authored by: V.K. on Jun 26, '08 09:28:20PM
You are right, but this can be dealt with by locking the file after removing the s-bit: sudo chflags uchg /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

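An added defender-side check, not code posted by anyone in this thread, that combines the two mitigations above (chmod -s from the first comment, chflags uchg from the last) into an audit-and-enforce script meant to be re-run after software updates or a Repair Permissions pass. The target path is passed as a parameter so the functions can be exercised on a scratch file; the function names has_setuid, is_locked, harden and audit are my own.

```shell
#!/bin/sh
# Added example, not from the thread. The path the thread discusses is
# /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent;
# every function below takes the path as $1 so it can be tested on any file.

# Return 0 if the file carries the setuid bit, 1 otherwise.
# The 4th character of the ls -ld mode string is 's' or 'S' when setuid is
# set; this works on both macOS and Linux without relying on stat(1) flags.
has_setuid() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    case "$mode" in
        ???[sS]??????) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the file carries the macOS user-immutable flag (uchg).
# chflags and ls -lO exist only on macOS/BSD; elsewhere report "not locked".
is_locked() {
    command -v chflags >/dev/null 2>&1 || return 1
    ls -ldO "$1" 2>/dev/null | awk '{print $5}' | grep -q uchg
}

# Apply the thread's mitigation: clear setuid, then (on macOS) lock the file
# so Repair Permissions cannot quietly put -rwsr-xr-x back.
# Returns 0 only when the file ends up without the setuid bit.
harden() {
    f=$1
    if is_locked "$f"; then
        chflags nouchg "$f" || return 1   # uchg blocks chmod, so unlock first
    fi
    chmod -s "$f" || return 1
    if command -v chflags >/dev/null 2>&1; then
        chflags uchg "$f" || return 1
    fi
    ! has_setuid "$f"
}

# Audit only: report and return 1 if the setuid bit has come back,
# e.g. after an update or a Repair Permissions run.
audit() {
    if has_setuid "$1"; then
        echo "WARNING: setuid bit set on $1"
        return 1
    fi
    echo "OK: $1 is not setuid"
    return 0
}
```

Run as root on the real ARDAgent path (harden once, then audit from a periodic job) so a restored setuid bit is noticed rather than silently reintroduced.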