ಠ_ರೃ
Join Date: May 2004
Location: Minnesota
There was a big discussion of this over at MacNN and I realized some people here might be interested to learn about this. I know, I'm a Windows user, but I'm not doing this to troll Mac users or anything... I shouldn't be one to talk anyway, right? Basically I figure some of the more security-aware people here will want to know about the exploit so they can protect themselves.
http://it.slashdot.org/it/08/06/18/1919224.shtml

It appears as though entering a simple command in Terminal will grant any user root access, and this vulnerability affects fresh OS X installations right out of the box. It's also primarily a local vulnerability, so it's not as bad as it sounds, but there are ways to execute it remotely if the computer's owner has turned on SSH or remote desktop. Also, according to the guy who posted it at MacNN (link), it's been part of OS X for about four years. He claims to have reported it to Apple several times, and each time they've ignored it.

I just hope this isn't something like iChat and Mail never hiding at startup or hard drive capacities under the icons never updating - bugs that have been swept under the rug for years (in some cases, nearly a decade). Unlike those, this one is a real security threat that Apple needs to deal with. Like the guy at MacNN, I hope it going public persuades Apple to fix it, but you never know.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Let's put "Big" in context:
First: this hole uses AppleScript. Thus, because of how AppleScript works, it will only grant root access to the current console user (whoever's physically logged in at the computer). If you fast-user-switch to another account, the original user cannot even use ssh to exploit this; AppleScript will fail.

Second: this "hack" is not specific to ARDAgent.app. It will work on any AppleScript-able application that is installed setuid. If you make Adium setuid root and then:
Code:
    tell application "Adium" to do shell script "/some/executable"
Adium will then exhibit the same behavior. That is, any setuid application (root or otherwise) will do shell scripts as the user owning the file; perhaps root, perhaps someone else.

Third: There's probably a very good technical reason that ARDAgent.app is setuid root; Apple does not distribute setuid binaries lightly. As such, the proper fix is to restructure ARDAgent.app such that it no longer requires setuid root. This sounds like the kind of change that is impossible to make in a lightweight security update. As a fun exercise, anyone with a lot of free time should go count the number of setuid binaries (particularly root) on the latest unmodified installations of 10.3, 10.4, and 10.5. My guess is they're decreasing, because anything setuid root can present this kind of hole, and there's nothing to be done about it*.

Fourth: This is a privilege escalation exploit, but put in perspective, it's not as bad as everyone wants. Sure, you don't have to enter a password as with sudo. However, this requires authenticated local access (someone who belongs on the machine). Any local user who's also an admin can get root access through sudo anyway, so it's only at risk of granting non-admin users root access they couldn't otherwise get.

Finally: since AppleScript requires you to own the console (/dev/console), you're looking at a user who already has physical access to your box. This won't even work through SSH if you're not currently logged in at the machine itself. So, if they have physical access, most bets are off already.

EDIT: Yeah, it sucks, but it's not a remote exploit, and frankly it's not exploitable unless you run some schmuck's devious AppleScript from out on the Internet. As I saw mentioned elsewhere, this could be exploited by installer scripts to gain root access sans authentication dialogs, which is indeed ugly.

On the other hand, if you're downloading software that (clearly) you shouldn't trust, you'd probably have typed your password into the prompt anyway. Though it makes trojan horses… easier, the main problem is still that you downloaded and installed a trojan horse without thinking twice. I'd like to see it fixed, sure. But (see below, after enough edits) I'm not sure it's possible to fix it in the short term.

---

*Here are a couple of fun scripts for those of you curious enough to check. Yes, you're going to need sudo so that find can scan the entire hierarchy as root, to avoid encountering "Permission denied" errors.

All SetUID binaries on /:
Code:
    sudo find -x / -type f -perm +0111 -perm +4000

All SetUID root binaries on /:
Code:
    sudo find -x / -type f -perm +0111 -perm +4000 -user root

To count the files listed in the above outputs, just append this to either command:
Code:
    | wc -l

Apparently I call the cops when I see people litter.
Last edited by ShadowOfGed : 2008-06-22 at 22:07. Reason: Have fun with shell scripts, kiddies!
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Statistics on Leopard.

I find 76 setuid root binaries on the entire system. If I exclude files not installed by Apple (Mac OS X, iLife, iWork, etc), then I get down to… 68 setuid root binaries. Most of these are clearly helper tools to do specific privileged tasks, which means they're designed to securely perform one task and are probably extremely difficult to exploit (if at all).

Now, paring this down to a list of setuid binaries that are also the primary executable in an application bundle, where they're not clearly a simple "helper tool":
Code:
    | grep '/\([^/]*\).app/Contents/MacOS/\1$'

I get all of 2 application bundles (which are the only thing AppleScript might be able to target), and they are:
Code:
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
    /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp

So I'm going to go out on a limb and guess check_afp.app doesn't support AppleScript. I could be wrong. Either way, ARDAgent.app is the only application on my ENTIRE SYSTEM that might fall victim to this, and I'm guessing it's setuid root because it Absolutely Needs To Be™.

My guess: ARDAgent.app doesn't launch when I use Screen Sharing, so it must be truly tied to Apple Remote Desktop. ARD has the ability to install packages and applications on managed hosts, as well as doing many other system-level tasks remotely. I'm guessing that it's setuid root so that it can perform these remote activities as root (since that's a requirement), without authenticating via something akin to sudo (since it can't). Thus, it may actually be impossible for ARDAgent.app to fulfill its duties for ARD while blocking this type of exploit.

More technical details! AppleScript works by parsing your script, compiling it into a set of AppleEvents, which are then packaged up in a standard format and shipped to the target application (which need not reside on the local host; they can be sent remotely). It's possible that ARD may use this feature (see: code reuse) to compile its actions once on the management console, and then blast the AppleEvents to all the managed machines. I'm nearly certain that some of these capabilities require the use of whatever do shell script compiles to, so even the "block shell scripts from AppleScript under root" solution is not acceptable.

So, barring a major overhaul of how the entire Apple Remote Desktop system works (if my speculation is correct), this is an entrenched problem that Apple cannot solve, instead of one they're simply ignoring. And I still maintain that it's not so huge as everyone wants it to be. The more I think about this, the more sense it makes.
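The find and grep commands from the two posts above, folded into a small POSIX shell script as an added example (not code from the thread or from Apple). It lists setuid files under a root, filters them down to bundle main executables of the form Name.app/Contents/MacOS/Name, which are the only setuid files an AppleScript "tell application … to do shell script" could address, and adds a check for whether the chmod u-s workaround discussed further down is actually in place. The scratch tree it builds for the demo is constructed here and is not a real OS X layout; -xdev and -perm -4000 are used instead of the post's -x and -perm +4000 so the same script runs on both macOS and GNU find. On a real system the listing needs sudo, as the post says.

```sh
#!/bin/sh
# Added example, not code from the thread: the find / grep audit from the
# posts above as reusable functions, plus a check for the chmod u-s workaround.
# Runs unprivileged against any tree; on a real system run it under sudo so
# find can read directories that are not world-readable.

# Every setuid regular file under $1, optionally restricted to owner $2.
# -perm -4000 is accepted by both macOS (BSD) and GNU find; the thread's
# "+4000" form is BSD-only. -xdev stays on one filesystem like the post's -x.
list_setuid() {
    if [ -n "${2:-}" ]; then
        find "$1" -xdev -type f -perm -4000 -user "$2" 2>/dev/null
    else
        find "$1" -xdev -type f -perm -4000 2>/dev/null
    fi
    return 0
}

# Line count of stdin without the padding macOS wc prints.
count_lines() {
    wc -l | tr -d ' '
}

# Keep only bundle main executables: paths shaped like
# .../Name.app/Contents/MacOS/Name (the backreference is the post's grep,
# with the dot in ".app" escaped). Helper tools outside a bundle are not
# AppleScript targets, so they drop out here. Exit 1 from grep (no match)
# is not an error for our purposes.
bundle_mains() {
    grep '/\([^/]*\)\.app/Contents/MacOS/\1$' || [ $? -eq 1 ]
}

# Setuid bundle mains under $1 (optional owner $2): the candidate list.
setuid_bundle_mains() {
    list_setuid "$1" "${2:-}" | bundle_mains
}

# True when the setuid bit is set on $1. Use it to confirm that
# "sudo chmod u-s .../ARDAgent" took, or that Repair Permissions has not
# quietly put the bit back.
is_setuid() {
    [ -u "$1" ]
}

# Constructed scratch tree for a self-contained demo (not a real OS layout):
# one setuid bundle main, one non-setuid bundle main, one setuid helper tool.
# Prints the tree's root; the caller removes it.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Apps/Agent.app/Contents/MacOS" \
             "$t/Apps/Plain.app/Contents/MacOS" \
             "$t/bin"
    : > "$t/Apps/Agent.app/Contents/MacOS/Agent"
    : > "$t/Apps/Plain.app/Contents/MacOS/Plain"
    : > "$t/bin/helper"
    chmod 4755 "$t/Apps/Agent.app/Contents/MacOS/Agent" "$t/bin/helper"
    chmod 0755 "$t/Apps/Plain.app/Contents/MacOS/Plain"
    printf '%s\n' "$t"
}

# Usage:  sh audit.sh --demo        (scratch tree; expect 2 setuid files,
#                                    one bundle main: .../Agent)
#         sudo sh audit.sh /        (real scan, setuid root bundle mains)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "setuid files: $(list_setuid "$root" | count_lines)"
    echo "setuid bundle mains:"
    setuid_bundle_mains "$root"
    rm -rf "$root"
elif [ -n "${1:-}" ]; then
    echo "setuid root files: $(list_setuid "$1" root | count_lines)"
    echo "setuid root bundle mains:"
    setuid_bundle_mains "$1" root
fi
```

The filter is the interesting part: the backreference ties the executable name to the bundle name, so a setuid helper living inside a bundle's MacOS directory under some other name is excluded on purpose, exactly as in the post's grep. If you want the full 76-style count rather than the two-entry candidate list, call list_setuid alone.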
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Quote:
EDIT II: also, if the system is sitting at the Login Window, then nobody can exploit this, since no unprivileged user actually has console access. You can see that /dev/console is owned by root until someone logs in, so you'd need root access to exploit this in that case. In which case it's not much of an exploit.

---

EDIT: Quick steps to verify that I'm not Full Of Crap™:

Sorry for posting in such quick succession; it just really irks me when I see stuff like this that seems poorly researched. For example, the original poster probably has no idea under what conditions said exploit would actually work (simply a "works for me" attitude). And s/he has no idea/notion that Apple may not be able to fix the root cause (at least not in a security update). And the articles I've seen on this are more interested in big publicity and "OMG Mac OS X sEcURiTy HoLeZ" than examining the technical minutia involved.

Not your fault Luca, I just thought all of this when it hit Slashdot / elsewhere, but didn't feel like blathering on with technical details to either fanbois or haters that wouldn't care either way. You got the information treasure trove.
Last edited by ShadowOfGed : 2008-06-22 at 21:53. Reason: Adding details to verify I'm not insane.
Veteran Member
Join Date: May 2004
Location: Pittsburgh
|
Nice investigation ShadowOfGed. Thanks for posting that info here.
Senior Member
Join Date: Jul 2004
Location: Sydney, Australia
According to Macworld it's something we should be very worried about. They recommend archiving ARDAgent in a zip file and deleting the original to disable it.
http://www.macworld.com/article/1341.../ardagent.html
iPhone - finger licking good.
is the next Chiquita
Join Date: Feb 2005
Sorry, but that article was basically FUD, for the sake of ad clicks, IMO.
It came to similar conclusions as SoG did (e.g. it can't actually take over your computer without your help, though both describe different methods to do so). OTOH, that ZDNet article linked from the Macworld one looks interesting... I don't know enough to know if he's talking out of the wrong end, though he appears to be quite sensible in presenting solutions that Apple can take to fix this, even if it's all in perception.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Code:
    sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

That effectively cripples ARDAgent, though, so if you're on a computer that someone else manages with Apple Remote Desktop, this will probably piss them off. It's easier than archiving, I'd say, and less intrusive. To restore the original functionality, you'd simply have to do this:
Code:
    sudo chmod u+s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

And I think a Repair Permissions might catch that, too. So don't run "Repair Permissions," lest it revert the workaround.

But I still think this is overblown, especially by the media folks; it's not even a 100% reliable local escalation. This really doesn't frighten me the way these stories would have you believe. It's up to you, really; obviously my view will differ from a journalist's---my opinion doesn't drum up nearly as much readership.
Senior Member
Join Date: Jul 2004
Location: Sydney, Australia
Well I don't use remote desktop so I just zipped up ARDAgent to be sure. It's easy enough to unzip it when I need to.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Yeah; I just dislike moving things around like that. Personal preference, I guess.
Also, I finally saw a reasonable writeup linked through Daring Fireball that seems to line up with how I feel. It's over on ZDNet Blogs. Time for me to sleep.
is the next Chiquita
Join Date: Feb 2005
A bit ironic that both a FUD article and a reputable blogger would link to the same blog, no?
Antimatter Man
Join Date: May 2004
Location: that interweb thing
Nothing to see here... move along... only usable with physical access (at which point you're handing over the keys to the box anyway)...
Dimes to donuts the original 'OMGtrojanz!' post probably originated from a company trying to sell AV tools and desperate to play chicken little and scare up a market. Intego deja vu.
All those who believe in telekinesis, raise my hand.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
So, in the second case, just make it a policy to download apps directly from their authors. In the third case, you'll legitimately be pwned, but the hope is that reputable vendors take their build / distribution security VERY seriously. Also, some of this may be aided by Application signing (new in Leopard); you may be able to sign installer packages as well, so a man-in-the-middle attack becomes impossible.
Last edited by ShadowOfGed : 2008-06-29 at 23:26. Reason: Needed a question mark.
‽
Social engineering.
is the next Chiquita
Join Date: Feb 2005
I love how there's usually an unspoken/unwritten implication that if there's malware, it's *entirely* the OS's fault, and never ever the operator's fault.
A perfectly secure system (mind you, that is practically impossible!) only means that a hacker resorts to fooling users rather than breaking the security.
Member
The amount that has been written about this is enough to keep Mac users alert to the dangers these types of things can bring.
It does, however, show that Macs are becoming more popular. I doubt Apple will let this go for too long, and a fix will come out soon for it.
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Yep; but as mentioned elsewhere, that's not really the fault of the OS. If your trusted developer intentionally inserts malware, your computer is going to get owned pretty quick. Frankly, the types of malware-infested software tend to be the crappy "free" addons you can get---VirtuaGirl or whatever, some of the Windows weather tray icons, that sort of thing. Also, the "free" online poker apps that you must download and that stuff.

I avoid that kind of shady software like the plague; it seems pretty easy to identify (in my eyes). Also, the sketch factor immediately makes me distrustful. Maybe not the case for some folks, but there's no good way to quantify "how to check if you can trust software."

Yeah, social engineering is the ultimate in hacking. However, I guess part of "trusting the software" is presuming someone won't socially engineer their way past competent developers. Not much to be done on this count, though. Both valid points.