ShadowOfGed
2008-06-22, 21:29

Quote:
Originally Posted by Luca
It appears as though entering a simple command in Terminal will grant any user root access, and this vulnerability affects fresh OS X installations right out of the box.
I just want to quote this to boil down my other two posts. As written, this is a gross overstatement (simply because of how it reads). It will only grant root access to:

Quote:
The user who is currently logged in at the console (physical machine).
That could be "any user," yes, but you have to meet a fairly stringent set of requirements to take advantage of this (in the scheme of the remote exploit, security-conscious Internet world). And depending on who's got the console, it may not work even if you have ssh access.

EDIT II: also, if the system is sitting at the Login Window, then nobody can exploit this, since no unprivileged user actually has console access. You can see that /dev/console is owned by root until someone logs in, so you'd need root access to exploit this in that case. In which case it's not much of an exploit.

---

EDIT: Quick steps to verify that I'm not Full Of Crap™:
  1. Make sure "Remote Login" is enabled in the Sharing preference pane.
  2. Make sure "Fast User Switching" is enabled in the Accounts preference pane.
  3. Make sure "Guest Account" is enabled for "Login" in the Accounts preference pane.
  4. Open Terminal.app, and run the offending command:
    Code:
    osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
    Which outputs:
    Code:
    root
  5. Open a ssh session:
    Code:
    ssh <user>@localhost
  6. Run the offending command again. It should succeed, as expected.
  7. Now, Fast User Switch to the Guest account (this will take a few seconds).
  8. Open Terminal.app again.
  9. Open a ssh session again:
    Code:
    ssh <user>@localhost
  10. Run the offending command once more. THIS WILL FAIL because Guest now owns the console, not your original user. This will output something akin to:
    Code:
    _RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL. 31:55: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)
---

Sorry for posting in such quick succession; it just really irks me when I see stuff like this that seems poorly researched. For example, the original poster probably has no idea under what conditions said exploit would actually work (simply a "works for me" attitude). And s/he has no idea/notion that Apple may not be able to fix the root cause (at least not in a security update). And the articles I've seen on this are more interested in big publicity and "OMG Mac OS X sEcURiTy HoLeZ" than examining the technical minutiae involved.



Not your fault Luca, I just thought all of this when it hit Slashdot / elsewhere, but didn't feel like blathering on with technical details to either fanbois or haters that wouldn't care either way. You got the information treasure trove.


Last edited by ShadowOfGed : 2008-06-22 at 21:53. Reason: Adding details to verify I'm not insane.
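As an added example (not part of ShadowOfGed's post), here is a small shell check of the precondition the post describes: whether the calling user currently owns /dev/console, which decides whether the ARDAgent trick would work for that user, fail after a Fast User Switch, or be moot at the Login Window. It assumes macOS's BSD `stat -f %Su` and falls back to GNU `stat -c %U` elsewhere.

```shell
#!/bin/sh
# Constructed example: classify the console-ownership state described in the post.

# Owner of /dev/console. BSD stat (macOS) first, GNU stat as a fallback; prints
# "unknown" if neither works (e.g. no /dev/console on this system).
console_owner() {
    stat -f %Su /dev/console 2>/dev/null \
        || stat -c %U /dev/console 2>/dev/null \
        || echo unknown
}

# classify OWNER CALLER -> one of:
#   login-window       console still owned by root: nobody is logged in at the
#                      console, so no unprivileged user can use the trick
#   console-owner      CALLER owns the console: this is the one user for whom
#                      the osascript/ARDAgent command would return root
#   not-console-owner  another user holds the console (e.g. the Guest account
#                      after Fast User Switching), so the command fails for CALLER
classify() {
    owner=$1
    caller=$2
    if [ "$owner" = root ] && [ "$caller" != root ]; then
        echo login-window
    elif [ "$owner" = "$caller" ]; then
        echo console-owner
    else
        echo not-console-owner
    fi
}

# Convenience wrapper for the invoking user on this machine.
check_console() {
    classify "$(console_owner)" "$(id -un)"
}
```

Running `check_console` from an ssh session reproduces the post's step 6 vs. step 10 distinction without touching ARDAgent at all.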