MAAS History
Archives

Entries by drStrangeP0rk (171)

Wednesday
Jun252008

Permision UID bit of ARDagent exploit

The ARDAgent, it was discovered by www.macshadows.com that take advantage of the UID setting to allow the file and files ran by it as the file owner. This of course can allow a attacker either by remote process or by acutally going to the keyboard to run a script using applescript. Entering the following command will show you that using Applescript to run a shell script, our example simply the whois command will run as root.

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

The results will be root. (Note: if you installed the latest version of Virus Barrier signatures then you will get an error.) You can solve this many ways, here are two ways which.

One
Enter the following into a terminal:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/
sudo chmod 0555 ARDAgent

or you can do it in one line as follows:
sudo chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

You will have to reboot after if you do any remote access management or screen sharing. If you are a Virus Barrier user the latest update should fix the problem by making it so that Applescript will not run shell scripts.
You can read about that here--->http://www.intego.com/news/ism0802.asp

This is using absolute mode for chmod settings.

Page 1 ... 31 32 33 34 35