|
|
|
|
|||||||
| Forums | Portal | Register | Forum Rules | FAQ | Contribute | Members List | Arcade | Search | Today's Posts | Mark Forums Read |
| OS X (Apple) OS X is a line of Unix-based graphical operating systems developed, marketed, and sold by Apple. |
More UNIX and Linux Forum Topics You Might Find Helpful
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| R-200: Vulnerability in Microsoft Agent | iBot | Security Advisories (RSS) | 0 | 12-24-2007 06:40 AM |
| SNMP agent | linuxbegginer | IP Networking | 0 | 03-30-2006 01:46 AM |
| Solaris agent | Carmen123 | UNIX for Dummies Questions & Answers | 0 | 08-26-2005 08:56 AM |
| about CA agent | buffoon | Linux | 1 | 05-14-2005 12:45 AM |
| Windows98 RSA/Ace agent | kie | IP Networking | 2 | 06-09-2003 08:30 AM |
 |
|
|
Submit Tools | LinkBack | Thread Tools | Display Modes |
|
#1
06-19-2008
|
|||
|
|||
|
ARD Agent vulnerability
today an anonymous slashdot user posted this little shell command, that uses the ARDAgent to gain root access, without ever needing to authenticate.
the script is: osascript -e 'tell app "ARDAgent" to do shell script "whoami"' Can be used to things like: osascript -e 'tell app "ARDAgent" to do shell script "scutil --set ComputerName SomeName"' that would normally require authentication. It has been tested by quite a few people, and has been found only to work you are physically at a computer and its logged in. However where I work we use Network Shares as our home folder, and this hack doesnt seem to work. And I just wanted to make sure that there was no way it would work. When I run the command: osascript -e 'tell app "ARDAgent" to do shell script "whoami"' I get: execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708) Anyone thinks its possible? 
|
| Forum Sponsor | ||
|
|
|
#2
06-19-2008
|
|||
|
|||
Quote:
CRIKEY! I was hoping maybe it was only a problem if you were logged in as an admin user, but it isn't. I'll test it at work tomorrow when I can get access to my test machines and try it with network clients. This is really some quite major privilege escalation, it's a built in rootkit. Thank you very much for bringing that to my attention. Last edited by woodgie; 06-20-2008 at 02:18 AM. Reason: Do not use curse words in these forums, no exceptions.
|
|
#3
06-19-2008
|
|||
|
|||
|
OK, I am SSH'd into a server at work and I'm getting the same error you are. That's put my mind at rest enough for me to go to bed and be able to sleep, though I'll probably have nightmares
 I'll also do more testing tomorrow to see what I find. Night all.
|
|
#4
06-23-2008
|
|||
|
|||
|
As I understand it, local GUI login is required by the same user that is issuing the command.
So if Joe is using the machine, and someone either makes Joe run the command (trojan), or someone else is logged into the terminal as Joe then the command will work. Anyway, there are a couple of things you can do to plug this hole (or make it much smaller). You can remove the setuid bit from the executable, tar or remove the ARD product entirely, or if you require ARD for whatever reason (server access...) you can change privileges on the osascript executable to at least restrict who can run the command unchallenged. Some options.
|
|||
| Google The UNIX and Linux Forums |
Linear Mode
