AppleNova Forums » Apple Products

Big OS X security hole through Apple Remote Desktop
Luca
ಠ_ರೃ
 
Join Date: May 2004
Location: Minnesota
 
2008-06-22, 19:48

There was a big discussion of this over at MacNN and I realized some people here might be interested to learn about this. I know, I'm a Windows user, but I'm not doing this to troll Mac users or anything... I shouldn't be one to talk anyway, right? Basically I figure some of the more security-aware people here will want to know about the exploit so they can protect themselves.

http://it.slashdot.org/it/08/06/18/1919224.shtml

It appears as though entering a simple command in Terminal will grant any user root access, and this vulnerability affects fresh OS X installations right out of the box. It's also primarily a local vulnerability, so it's not as bad as it sounds, but there are ways to execute it remotely if the computer's owner has turned on SSH or remote desktop.

Also, according to the guy who posted it at MacNN (link), it's been part of OS X for about four years. He claims to have reported it to Apple several times, and each time they've ignored it. I just hope this isn't something like iChat and Mail never hiding at startup or hard drive capacities under the icons never updating - bugs that have been swept under the rug for years (in some cases, nearly a decade). Unlike those, this one is a real security threat that Apple needs to deal with. Like the guy at MacNN, I hope it going public persuades Apple to fix it, but you never know.
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-22, 20:27

Let's put "Big" in context:

First: this hole uses AppleScript. Thus, because of how AppleScript works, it will only grant root access to the current console user (whoever's physically logged in at the computer). If you fast-user-switch to another account, the original user cannot even use ssh to exploit this; AppleScript will fail.

Second: this "hack" is not specific to ARDAgent.app. It will work on any AppleScript-able application that is installed setuid. If you make Adium setuid root and then:

Code:
tell application "Adium" to do shell script "/some/executable"
Adium will then exhibit the same behavior. That is, any setuid application (root or otherwise), will do shell scripts as the user owning the file; perhaps root, perhaps someone else.

Third: There's probably a very good technical reason that ARDAgent.app is setuid root; Apple does not distribute setuid binaries lightly. As such, the proper fix is to restructure ARDAgent.app such that it no longer requires setuid root. This sounds like the kind of change that is impossible to make in a lightweight security update.

As a fun exercise, anyone with a lot of free time should go count the number of setuid binaries (particularly root) on the latest unmodified installations of 10.3, 10.4, and 10.5. My guess is they're decreasing, because anything setuid root can present this kind of hole, and there's nothing to be done about it*.

Fourth: This is a privilege escalation exploit, but put in perspective, it's not as bad as everyone wants. Sure, you don't have to enter a password as with sudo. However, this requires authenticated local access (someone who belongs on the machine). Any local user who's also an admin can get root access through sudo anyway, so it's only at risk of granting non-admin users root access they couldn't otherwise get.

Finally: since AppleScript requires you to own the console (/dev/console), you're looking at a user who already has physical access to your box. This won't even work through SSH if you're not currently logged in at the machine itself. So, if they have physical access, most bets are off already.



EDIT: Yeah, it sucks, but it's not a remote exploit, and frankly it's not exploitable unless you run some schmuck's devious AppleScript from out on the Internet. As I saw mentioned elsewhere, this could be exploited by installer scripts to gain root access sans authentication dialogs, which is indeed ugly. On the other hand, if you're downloading software that (clearly) you shouldn't trust, you'd probably have typed your password into the prompt anyway. Though it makes trojan horses… easier, the main problem is still that you downloaded and installed a trojan horse without thinking twice.

I'd like to see it fixed, sure. But (see below, after enough edits) I'm not sure it's possible to fix it in the short term.

---

*Here are a couple fun scripts for those of you curious enough to check. Yes, you're going to need sudo so that find can scan the entire hierarchy as root, to avoid encountering "Permission denied" errors.

All SetUID binaries on /:
Code:
sudo find -x / -type f -perm +0111 -perm +4000
All SetUID root binaries on /:
Code:
sudo find -x / -type f -perm +0111 -perm +4000 -user root
To count the files listed in the above outputs, just append this to either command:
Code:
| wc -l

Apparently I call the cops when I see people litter.

Last edited by ShadowOfGed : 2008-06-22 at 22:07. Reason: Have fun with shell scripts, kiddies!
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-22, 21:14

Statistics on Leopard.

I find 76 setuid root binaries on the entire system. If I exclude files not installed by Apple (Mac OS X, iLife, iWork, etc), then I get down to… 68 setuid root binaries. Most of these are clearly helper tools to do specific privileged tasks, which means they're designed to securely perform one task and are probably extremely difficult to exploit (if at all).

Now, paring this down to a list of setuid binaries who are also the primary executable in an application bundle, where they're not clearly a simple "helper tool":

Code:
| grep '/\([^/]*\)\.app/Contents/MacOS/\1$'
I get all of 2 application bundles (which are the only thing AppleScript might be able to target), and they are:

Code:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
So I'm going to go out on a limb and guess check_afp.app doesn't support AppleScript. I could be wrong. Either way, ARDAgent.app is the only application on my ENTIRE SYSTEM that might fall victim to this, and I'm guessing it's setuid root because it Absolutely Needs To Be™.

My guess: ARDAgent.app doesn't launch when I use Screen Sharing, so it must be truly tied to Apple Remote Desktop. ARD has the ability to install packages and applications on managed hosts, as well as doing many other system-level tasks remotely. I'm guessing that it's setuid root so that it can perform these remote activities as root (since that's a requirement), without authenticating via something akin to sudo (since it can't). Thus, it may actually be impossible for ARDAgent.app to fulfill its duties for ARD while blocking this type of exploit.

More technical details!

AppleScript works by parsing your script, compiling it into a set of AppleEvents, which are then packaged up in a standard format and shipped to the target application (which need not reside on the local host; they can be sent remotely). It's possible that ARD may use this feature (see: code reuse) to compile its actions once on the management console, and then blast the AppleEvents to all the managed machines. I'm nearly certain that some of these capabilities require the use of whatever do shell script compiles to, so even the "block shell scripts from AppleScript under root" solution is not acceptable.

So, barring a major overhaul of how the entire Apple Remote Desktop system works (if my speculation is correct), this is an entrenched problem that Apple cannot solve, instead of one they're simply ignoring. And I still maintain that it's not so huge as everyone wants it to be.

The more I think about this, the more sense it makes.

ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-22, 21:29

Quote:
Originally Posted by Luca View Post
It appears as though entering a simple command in Terminal will grant any user root access, and this vulnerability affects fresh OS X installations right out of the box.
I just want to quote this to boil down my other two posts. As written, this is a gross overstatement (simply because of how it reads). It will only grant root access to:

Quote:
The user who is currently logged in at the console (physical machine).
That could be "any user," yes, but you have to meet a fairly stringent set of requirements to take advantage of this (in the scheme of the remote exploit, security-conscious Internet world). And depending on who's got the console, it may not work even if you have ssh access.

EDIT II: also, if the system is sitting at the Login Window, then nobody can exploit this, since no unprivileged user actually has console access. You can see that /dev/console is owned by root until someone logs in, so you'd need root access to exploit this in that case. In which case it's not much of an exploit.

---

EDIT: Quick steps to verify that I'm not Full Of Crap™:
  1. Make sure "Remote Login" is enabled in the Sharing preference pane.
  2. Make sure "Fast User Switching" is enabled in the Accounts preference pane.
  3. Make sure "Guest Account" is enabled for "Login" in the Accounts preference pane.
  4. Open Terminal.app, and run the offending command:
    Code:
    osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
    Which outputs:
    Code:
    root
  5. Open a ssh session:
    Code:
    ssh <user>@localhost
  6. Run the offending command again. It should succeed, as expected.
  7. Now, Fast User Switch to the Guest account (this will take a few seconds).
  8. Open Terminal.app again.
  9. Open a ssh session again:
    Code:
    ssh <user>@localhost
  10. Run the offending command once more. THIS WILL FAIL because Guest now owns the console, not your original user. This will output something akin to:
    Code:
    _RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL. 31:55: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)
---

Sorry for posting in such quick succession; it just really irks me when I see stuff like this that seems poorly researched. For example, the original poster probably has no idea under what conditions said exploit would actually work (simply a "works for me" attitude). And s/he has no idea/notion that Apple may not be able to fix the root cause (at least not in a security update). And the articles I've seen on this are more interested in big publicity and "OMG Mac OS X sEcURiTy HoLeZ" than examining the technical minutiae involved.



Not your fault Luca, I just thought all of this when it hit Slashdot / elsewhere, but didn't feel like blathering on with technical details to either fanbois or haters that wouldn't care either way. You got the information treasure trove.



Last edited by ShadowOfGed : 2008-06-22 at 21:53. Reason: Adding details to verify I'm not insane.
dfiler
Veteran Member
 
Join Date: May 2004
Location: Pittsburgh
 
2008-06-23, 12:00

Nice investigation ShadowOfGed. Thanks for posting that info here.
Paranoid666au
Senior Member
 
Join Date: Jul 2004
Location: Sydney, Australia
 
2008-06-27, 00:33

According to Macworld it's something we should be very worried about. They recommend archiving ARDAgent in a zip file and deleting the original to disable it.

http://www.macworld.com/article/1341.../ardagent.html

iPhone - finger licking good.
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-06-27, 00:44

Sorry, but that article was basically FUD, for sake of adclick, IMO.

It came to similar conclusions as SoG did (e.g. it can't actually take over your computer without your help, though both describe different methods to do so).

OTOH, that ZDNet article linked from the Macworld looks interesting... I don't know enough to know if he's talking out of wrong end, though he appears to be quite sensible in presenting solutions that Apple can take to fix this, even if it's all in perception.
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-27, 00:46

Quote:
Originally Posted by Paranoid666au View Post
According to Macworld it's something we should be very worried about. They recommend archiving ARDAgent in a zip file and deleting the original to disable it.

http://www.macworld.com/article/1341.../ardagent.html
Bah, that's overkill. As I stated above, though it is problematic, it is easily avoidable. Don't download/run software you don't trust; this will avoid 100% of trojans, no matter the specific vector exploited. And just in case you're really worried about something taking advantage of this, the fix can be much simpler:

Code:
sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
That effectively cripples ARDAgent, though, so if you're on a computer that someone else manages with Apple Remote Desktop, this will probably piss them off.

It's easier than archiving, I'd say, and less intrusive. To restore the original functionality, you'd simply have to do this:

Code:
sudo chmod u+s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
And I think a Repair Permissions might catch that, too. So don't run "Repair Permissions," lest it revert the workaround. But I still think this is overblown, especially by the media folks; it's not even a 100% reliable local escalation.

This really doesn't frighten me the way these stories would have you believe. It's up to you, really; obviously my view will differ from a journalist's---my opinion doesn't drum up nearly as much readership.

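The find/grep one-liners from ShadowOfGed's earlier posts and the chmod u-s workaround above fit together into one small audit script. The following is an added example, not code from the thread: it lists setuid files under a directory, narrows them to application-bundle primary executables (the only setuid files an AppleScript "tell application" could reach, using the thread's grep pattern with the dot escaped), and checks whether a given file still carries the setuid bit, which is how you would confirm that a Repair Permissions run has not quietly restored it. Two portability changes from the original commands are assumed: "-perm -4000" instead of the old "+4000" spelling and "-xdev" instead of BSD-only "-x", both of which work with BSD and GNU find. The demo tree it builds is constructed from empty placeholder files that imitate the thread's paths; point the functions at / under sudo to audit a real system.

```shell
#!/bin/sh
# Added example (not from the thread): setuid audit plus a check for the
# "chmod u-s" workaround. Run list_* against / under sudo on a real system so
# find can descend into root-only directories.

# Every setuid regular file under $1, staying on one filesystem.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Same, restricted to files owned by a given user (e.g. root).
list_setuid_owned() {
    find "$1" -xdev -type f -perm -4000 -user "$2" 2>/dev/null
}

# Keep only the primary executable of an .app bundle, i.e. paths of the form
# .../Name.app/Contents/MacOS/Name (the backreference enforces the name match).
bundle_executables() {
    grep '/\([^/]*\)\.app/Contents/MacOS/\1$'
}

count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

count_setuid_bundles() {
    list_setuid "$1" | bundle_executables | wc -l | tr -d ' '
}

# True if the single file $1 still carries the setuid bit.
is_setuid() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm -4000 2>/dev/null)" ]
}

# The workaround from the thread: drop the setuid bit ("chmod u+s" restores it).
clear_setuid() {
    chmod u-s "$1"
}

# Constructed scratch tree for a self-contained run. The paths imitate the
# thread's layout but are empty placeholder files, not real system binaries.
make_demo_tree() {
    root=$(mktemp -d)
    ard="$root/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS"
    mkdir -p "$ard" "$root/usr/bin" "$root/Applications/Helper.app/Contents/MacOS"
    : > "$ard/ARDAgent"                                             # bundle primary executable
    : > "$root/usr/bin/ping"                                        # plain helper tool
    : > "$root/Applications/Helper.app/Contents/MacOS/helper_tool"  # inside a bundle, but not its primary executable
    chmod 4755 "$ard/ARDAgent" "$root/usr/bin/ping" \
               "$root/Applications/Helper.app/Contents/MacOS/helper_tool"
    echo "$root"
}

# Demo run against the constructed tree.
demo_root=$(make_demo_tree)
echo "setuid files: $(count_setuid "$demo_root")"                        # 3
echo "setuid bundle executables: $(count_setuid_bundles "$demo_root")"   # 1
list_setuid "$demo_root" | bundle_executables
clear_setuid "$demo_root/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"
echo "bundle executables after chmod u-s: $(count_setuid_bundles "$demo_root")"  # 0
rm -rf "$demo_root"
```

On a real system the numbers will differ from the demo; the useful habit is to keep the bundle-executable count from a known-good run and re-check it after system updates or a Repair Permissions, since either can put the bit back.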
Paranoid666au
Senior Member
 
Join Date: Jul 2004
Location: Sydney, Australia
 
2008-06-27, 00:52

Well I don't use remote desktop so I just zipped up ARDAgent to be sure. It's easy enough to unzip it when I need to.
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-27, 02:30

Yeah; I just dislike moving things around like that. Personal preference, I guess.

Also, I finally saw a reasonable writeup linked through Daring Fireball that seems to line up with how I feel. It's over on ZDNet Blogs.

Time for me to sleep.

Dave
Ninja Editor
 
Join Date: May 2004
Location: DFW, TX
 
2008-06-27, 08:15

Quote:
Originally Posted by ShadowOfGed View Post
As I stated above, though it is problematic, it is easily avoidable. Don't download/run software you don't trust; this will avoid 100% of trojans
Well, unless you're wrong and the software that you trust has a trojan in it.
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-06-27, 09:32

Quote:
Originally Posted by ShadowOfGed View Post
Also, I finally saw a reasonable writeup linked through Daring Fireball that seems to line up with how I feel. It's over on ZDNet Blogs.
That's the same blog linked in MacWorld:

Quote:
Originally Posted by Banana View Post
OTOH, that ZDNet article linked from the Macworld looks interesting... I don't know enough to know if he's talking out of wrong end, though he appears to be quite sensible in presenting solutions that Apple can take to fix this, even if it's all in perception.
A bit ironic that both a FUD article and a reputable blogger would link to the same blog, no?
curiousuburb
Antimatter Man
 
Join Date: May 2004
Location: that interweb thing
 
2008-06-27, 09:39

Nothing to see here... move along... only usable with physical access (at which point you're handing over the keys to the box anyway)...

Dimes to donuts the original 'OMGtrojanz!' post probably originated from a company trying to sell AV tools and desperate to play chicken little and scare up a market.

Intego deja vu.

All those who believe in telekinesis, raise my hand.
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-29, 00:32

Quote:
Originally Posted by Dave View Post
Well, unless you're wrong and the software that you trust has a trojan in it.
Yes, but how is "software you trust" going to get a trojan in it? There are only a few options:
  1. App writer intentionally inserts trojan. Most unlikely, but you'd enter your password since you trust it anyway.
  2. Man-in-the-middle attack. Someone repackages a trusted App and distributes a compromised copy. For example, maybe someone uploads a compromised package to macupdate.com.
  3. A hacker somehow compromises an App's build system and inserts the trojan payload at the source. Not sure if this is more or less likely than the first option, but the chance is very small.

So, in the second case, just make it a policy to download apps directly from their authors. In the third case, you'll legitimately be pwned, but the hope is that reputable vendors take their build / distribution security VERY seriously.

Also, some of this may be aided by Application signing (new in Leopard); you may be able to sign installer packages as well, so a man-in-the-middle attack becomes impossible.


Last edited by ShadowOfGed : 2008-06-29 at 23:26. Reason: Needed a question mark.
Dave
Ninja Editor
 
Join Date: May 2004
Location: DFW, TX
 
2008-06-29, 00:51

Quote:
Originally Posted by ShadowOfGed View Post
Yes, but how is "software you trust" going to get a trojan in it.
By being wrong about whether or not you can trust it.
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
2008-06-29, 01:41

Social engineering.
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-06-29, 02:05

I love how there's usually an unspoken/unwritten implication that if there's malware, it's *entirely* the OS's fault, and never ever the operators' fault.

A perfectly secure system (mind you, that is practically impossible!) only means that a hacker resorts to fooling users rather than breaking the security.
rob05au
Member
 
Join Date: May 2005
Location: Australia
2008-06-29, 06:19

The amount that has been written about this is enough to keep Mac users alert to the dangers these types of things can bring.

It does, however, show that Macs are becoming more popular.

I doubt Apple will let this go for too long, and a fix will come out soon for it.
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-29, 23:36

Quote:
Originally Posted by Dave View Post
By being wrong about whether or not you can trust it.
Yep; but as mentioned elsewhere, that's not really the fault of the OS. If your trusted developer intentionally inserts malware, your computer is going to get owned pretty quick. Frankly, the types of malware-infested software tend to be the crappy "free" addons you can get---VirtuaGirl or whatever, some of the Windows weather tray icons, that sort of thing. Also, the "free" online poker apps that you must download and that stuff.

I avoid that kind of shady software like the plague; it seems pretty easy to identify (in my eyes). Also, the sketch factor immediately makes me distrustful. Maybe not the case for some folks, but there's no good way to quantify "how to check if you can trust software."

Quote:
Originally Posted by chucker View Post
Social engineering.
Yeah, social engineering is the ultimate in hacking. However, I guess part of "trusting the software" is presuming someone won't socially engineer their way past competent developers. Not much to be done on this count, though.

Both valid points.
