ARD Agent vulnerability Post: 302207382

Sponsored Content

Operating Systems OS X (Apple) ARD Agent vulnerability Post 302207382 by woodgie on Thursday 19th of June 2008 06:05:57 PM

06-19-2008

Registered User

Quote:

Originally Posted by afriend

today an anonymous slashdot user posted this little shell command, that uses the ARDAgent to gain root access, without ever needing to authenticate.

the script is:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

Can be used to things like:
osascript -e 'tell app "ARDAgent" to do shell script "scutil --set ComputerName SomeName"'
that would normally require authentication.

It has been tested by quite a few people, and has been found only to work you are physically at a computer and its logged in.

However where I work we use Network Shares as our home folder, and this hack doesnt seem to work. And I just wanted to make sure that there was no way it would work.

When I run the command:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

I get:
execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)

Anyone thinks its possible?

I just tested that on the MacBook Pro I use day to day using an admin account, a normal account and the built in guest account and I have to say...

CRIKEY!

I was hoping maybe it was only a problem if you were logged in as an admin user, but it isn't. I'll test it at work tomorrow when I can get access to my test machines and try it with network clients.

This is really some quite major privilege escalation, it's a built in rootkit.

Thank you very much for bringing that to my attention.

Last edited by woodgie; 06-20-2008 at 06:18 AM.. Reason: Do not use curse words in these forums, no exceptions.

woodgie

View Public Profile for woodgie

Find all posts by woodgie

5 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Solaris agent

Hello, on Solaris 5.8 I've installed SunMgtCenter to get the time agent; it's under /opt/SUNWsymon/sbin/es-start -a it's in ps -ef | grep agent ...but it doesn't work; the machine is always in alarm cause the time is different of the clock server; is it clear enough ? tks cc

2. IP Networking

SNMP agent

Hi, I am really new in linux and SNMP. I have a SNMP agent in Linux (net-snmp). I have my MIB in the /usr/share/mibs directory, and I didn't manage to understand where and how do I put the values of the fields in the MIB? The values are static, so the agent need to return the same value in...

3. UNIX for Dummies Questions & Answers

perform agent

Hi, Please can someone explain me about the " perform agent " on UNIX . Thanx

4. UNIX for Dummies Questions & Answers

vcs agent

Hi all, I'm new to vcs. I have a doubt. I need to know, what will happen if an agent is stopped while reources being online. Eg.. while the oracle agent is stopped, will all the oracle resources will become offline.. Advanced thanks

5. Solaris

OV Server on 11 - need to install agent?

Client has got a few machines with logical domains on. But I can't see the the ovs-agent service? Quite possibly I guess this has been set up with just logical domains. With no agent. Do you need to use the agent only if planning to manage with OV Manager?

LEARN ABOUT XFREE86

chsh

CHSH(1)                                                            User Commands                                                           CHSH(1)

NAME

       chsh - change login shell

SYNOPSIS

       chsh [options] [LOGIN]

DESCRIPTION

       The chsh command changes the user login shell. This determines the name of the user's initial login command. A normal user may only change
       the login shell for her own account; the superuser may change the login shell for any account.

OPTIONS

       The options which apply to the chsh command are:

       -h, --help
           Display help message and exit.

       -R, --root CHROOT_DIR
           Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

       -s, --shell SHELL
           The name of the user's new login shell. Setting this field to blank causes the system to select the default login shell.

       If the -s option is not selected, chsh operates in an interactive fashion, prompting the user with the current login shell. Enter the new
       value to change the shell, or leave the line blank to use the current one. The current shell is displayed between a pair of [ ] marks.

NOTE

       The only restriction placed on the login shell is that the command name must be listed in /etc/shells, unless the invoker is the superuser,
       and then any value may be added. An account with a restricted login shell may not change her login shell. For this reason, placing /bin/rsh
       in /etc/shells is discouraged since accidentally changing to a restricted shell would prevent the user from ever changing her login shell
       back to its original value.

FILES

       /etc/passwd
           User account information.

       /etc/shells
           List of valid login shells.

       /etc/login.defs
           Shadow password suite configuration.

SEE ALSO

       chfn(1), login.defs(5), passwd(5).

shadow-utils 4.5                                                    01/25/2018                                                             CHSH(1)