Major Mac exploit is thwarted by turning it on!?


Slashdot yesterday posted Mac OS X Root Escalation Through AppleScript, which describes a vulnerability in ARDAgent, the Apple Remote Desktop agent that ships as a core component of Mac OS X 10.4 and 10.5. I was not able to reproduce this on my Tiger system at work, but that's just one machine.

The example given in the post is:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

So what does this do? Paste the line above into the Terminal application (found in /Applications/Utilities), hit return, and you'll get this back:

root

What does that mean?

It means that whoami, a command that prints the name of the account executing it, was run by root, the all-powerful account on a UNIX system. You asked ARDAgent to run a shell script on your behalf, and it ran that script as root without ever asking you to authenticate as an admin.

Instead of root, you should either get an error or be prompted for your admin credentials. As it stands, any local user, with no admin rights at all, can replace whoami with any command they like and have it run as root: create a new admin account, for instance, which hands that user full control of the machine for good.

Intego discovered that enabling the Remote Management feature in Mac OS X (in the Sharing preference pane) actually blocks the exploit: with it turned on, the command above no longer returns root. Now that's counter-intuitive! Treat it as a stopgap rather than a fix, and test it on every machine rather than assuming, since the outcome depends on each machine's configuration.
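To make that test repeatable across a fleet, here is an added audit script (mine, not code from the original post, from Slashdot or from Intego) that runs the exact probe above and reports whether the shell script came back as root. It also reports whether the ARDAgent binary is setuid root, which is what lets a script it runs inherit root; that detail and the binary's path under /System/Library/CoreServices/RemoteManagement are assumptions not stated in the post. Run it before and after enabling Remote Management to confirm the workaround on each machine; on a non-Mac it just reports that osascript is unavailable.

```sh
#!/bin/sh
# Added audit script for the ARDAgent AppleScript root escalation (not code
# from the original post). Assumptions, not stated in the post: the ARDAgent
# binary lives at the path below and is setuid root on unpatched systems.

ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# file_owner FILE: print the owner name. Uses ls rather than stat because
# stat's flags differ between Mac OS X and Linux.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# file_is_setuid FILE: succeed when the setuid bit is set.
file_is_setuid() {
    [ -u "$1" ]
}

# file_is_setuid_root FILE: succeed only when setuid AND owned by root,
# the combination that makes a freshly launched ARDAgent run as root.
file_is_setuid_root() {
    file_is_setuid "$1" && [ "$(file_owner "$1")" = "root" ]
}

# ardagent_probe: run the exact command from the post and print what whoami
# reported. Prints "unavailable" when osascript is missing (not a Mac) and
# "error" when AppleScript refused the request. Always exits 0 so callers
# can use it under set -e.
ardagent_probe() {
    if ! command -v osascript >/dev/null 2>&1; then
        echo "unavailable"
        return 0
    fi
    osascript -e 'tell app "ARDAgent" to do shell script "whoami"' 2>/dev/null \
        || echo "error"
    return 0
}

# probe_indicates_root RESULT: succeed only when the probe answered "root".
probe_indicates_root() {
    [ "$1" = "root" ]
}

# ardagent_audit: print a verdict plus the setuid state of the agent binary.
# Exit 1 when the machine is vulnerable, 0 otherwise.
ardagent_audit() {
    result=$(ardagent_probe)
    if probe_indicates_root "$result"; then
        echo "VULNERABLE: ARDAgent ran whoami as root without authentication"
        verdict=1
    else
        echo "not exploitable by this probe (whoami returned: $result)"
        verdict=0
    fi
    if [ -e "$ARDAGENT" ]; then
        if file_is_setuid_root "$ARDAGENT"; then
            echo "note: $ARDAGENT is setuid root"
        else
            echo "note: $ARDAGENT is not setuid root"
        fi
    else
        echo "note: $ARDAGENT not found"
    fi
    return $verdict
}

# Run the audit only when this file is executed as ardagent_audit.sh;
# sourcing it just defines the functions for use elsewhere.
case "${0##*/}" in
    ardagent_audit.sh) ardagent_audit ;;
esac
```

Save it as ardagent_audit.sh and run it as an ordinary (non-admin) user, since that is the account the exploit matters for; a non-zero exit means the probe came back as root.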

Last night I emailed my co-workers the announcement of the exploit plus the fix, and this morning we were all testing. Sure enough, our company is safe for now.

TrackBack URL for this entry: http://blog.talkingmoose.net/cgi-bin/mt/mt-tb.cgi/12