Full Discussion: ARD Agent vulnerability
Operating Systems OS X (Apple) ARD Agent vulnerability Post 302207382 by woodgie on Thursday 19th of June 2008 06:05:57 PM

Quote:
Originally Posted by afriend
Today an anonymous Slashdot user posted this little shell command that uses the ARDAgent to gain root access, without ever needing to authenticate.

The script is:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

Can be used to do things like:
osascript -e 'tell app "ARDAgent" to do shell script "scutil --set ComputerName SomeName"'
that would normally require authentication.

It has been tested by quite a few people, and has been found only to work if you are physically at a computer and it's logged in.

However, where I work we use Network Shares as our home folder, and this hack doesn't seem to work. And I just wanted to make sure that there was no way it would work.

When I run the command:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

I get:
execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)


Anyone think it's possible?

I just tested that on the MacBook Pro I use day to day using an admin account, a normal account and the built-in guest account and I have to say...

CRIKEY!

I was hoping maybe it was only a problem if you were logged in as an admin user, but it isn't. I'll test it at work tomorrow when I can get access to my test machines and try it with network clients.

This is really some quite major privilege escalation; it's a built-in rootkit.

Thank you very much for bringing that to my attention.

Last edited by woodgie; 06-20-2008 at 06:18 AM.. Reason: Do not use curse words in these forums, no exceptions.
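
One way to hunt for the command quoted in this thread in process-execution logs, as an added example that is not part of the original posts: it parses each command line, rebuilds the AppleScript passed to osascript with -e, and reports any "do shell script" sent to ARDAgent. The (user, command line) record format, the function names and the sample records are assumptions constructed for illustration.

```python
import re
import shlex

# AppleScript "tell" aimed at ARDAgent, short or long form.
TELL_ARD = re.compile(r'tell\s+app(?:lication)?\s+"ARDAgent"', re.IGNORECASE)
# "do shell script", capturing its string argument when it is complete.
DO_SHELL = re.compile(r'do\s+shell\s+script(?:\s+"((?:[^"\\]|\\.)*)")?',
                      re.IGNORECASE)

def osascript_source(cmdline):
    """Return the AppleScript given to osascript via -e, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        # Truncated record with unbalanced quotes: fall back to the raw text.
        return cmdline if "osascript" in cmdline else None
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return None
    # osascript treats every -e argument as one line of the script.
    lines = [argv[i + 1] for i in range(len(argv) - 1) if argv[i] == "-e"]
    return "\n".join(lines) if lines else None

def find_ardagent_shell(records):
    """records: iterable of (user, cmdline). Returns [(user, shell_cmd)].

    shell_cmd is None when the record was cut off before the command ended.
    """
    hits = []
    for user, cmdline in records:
        src = osascript_source(cmdline)
        if src is None or not TELL_ARD.search(src):
            continue
        match = DO_SHELL.search(src)
        if match:
            hits.append((user, match.group(1)))
    return hits

# Constructed sample records (not real log data).
SAMPLE = [
    ("guest", """osascript -e 'tell app "ARDAgent" to do shell script "whoami"'"""),
    ("alice", """/usr/bin/osascript -e 'tell application "ARDAgent"' """
              """-e 'do shell script "scutil --set ComputerName SomeName"' -e 'end tell'"""),
    ("bob", """osascript -e 'tell app "Finder" to activate'"""),
    ("carol", "grep ARDAgent /var/log/system.log"),
    ("dave", """osascript -e 'tell app "ARDAgent" to do shell script "who"""),
]

if __name__ == "__main__":
    for user, cmd in find_ardagent_shell(SAMPLE):
        print(f"{user}: ARDAgent do shell script -> {cmd!r}")
```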
 
