Another Vulnerability In Apple OS X Leopard
Written by Rebecca Mints   
Saturday, 21 June 2008 04:23

Another security hole in Apple's OS X operating system has been found or perhaps reintroduced. It can be used by attackers to change key system settings or to take control of vulnerable computers.

 

In a posting to news-for-nerds site Slashdot.org on Wednesday, an anonymous reader noted that a core component of OS X 10.4 (Tiger) and 10.5 (Leopard) called Apple Remote Desktop Agent (ARDAgent) could be leveraged by any user on the machine to install new programs or alter important system settings. Generally, these tasks are reserved for the "root" account (the most powerful user account) or, at the very least, require the user to enter a password for the changes to take effect.

 

The security hole stems from the fact that ARDAgent accepts commands from AppleScript (the scripting language built into OS X). A simple one-line script can force ARDAgent to run any program as root, regardless of which account is being used. The commands are executed without prompting the user for a password.

 

An example would be:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

It should return a single word: "root".

 

It seems Apple may have fixed this flaw in 10.4, only to reintroduce it in 10.5. According to some sites, Apple has known about this problem since last October.

 

Apple has advised users that this isn't a big deal in a post on its support forum. Apple acknowledged the issue, but said it was "not a cause for concern."

 

Some interesting comments from: http://blog.washingtonpost.com/securityfix/2008/06/serious_security_vulnerabilty_1.html?nav=rss_blog

For example, an attacker could bundle one of these malicious AppleScripts in an installer program for a downloadable OS X application. Alternatively, the attacker could use this in combination with another exploit -- say a weakness in the Safari Web browser -- to effect lasting and potentially devastating changes on a victim's machine.

"A remote attacker would need to successfully attack your web browser or another program on your computer," said Jay Beale, senior security analyst and co-founder at Intelguardians, and the creator of Bastille UNIX, a script-based approach for securing various operating systems, including OS X. "But attackers find that easier and easier now, either by putting a browser exploit in an advertisement on a Web site you view or just luring you to a hostile Web site."

The good news is that this is fairly easy to fix. I asked our Mac experts here at washingtonpost.com to test this stopgap fix provided by a Slashdot reader. The remedy worked for them, but your mileage may vary depending on how you've set up your system.

Beale offers another -- perhaps more elegant -- approach, one that actually takes advantage of the vulnerability in order to fix itself. He suggests using an AppleScript command that tells ARDAgent to change its behavior so that it can no longer be invoked by non-root users. The beauty of this approach is that it only alters settings on systems where this vulnerability exists. To do this, copy and paste the following text into Terminal:

osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';
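
The following is an added example, not part of the original article or the quoted blog post: a read-only check of the mode bits that the chmod command above changes, which can be run before and after the fix. It assumes (the article does not say so) that the flaw relies on the ARDAgent binary being setuid root; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: read-only audit of the ARDAgent binary's mode bits.
# Assumption (not stated on the page): the flaw depends on the binary
# being setuid root, which is what "chmod 0555" removes.

# Path taken from the chmod command quoted above.
ARD_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# audit_setuid FILE -> prints one word:
#   missing        file does not exist
#   setuid-root    setuid bit set and owner uid 0 (runs as root for any caller)
#   setuid-other   setuid bit set, owner is not root
#   not-setuid     no setuid bit (the state "chmod 0555" leaves behind)
audit_setuid() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing"
        return 0
    fi
    if [ -u "$f" ]; then
        # Third field of "ls -ln" is the numeric owner uid on BSD and GNU ls.
        owner=$(ls -lnd "$f" | awk '{print $3}')
        if [ "$owner" = "0" ]; then
            echo "setuid-root"
        else
            echo "setuid-other"
        fi
    else
        echo "not-setuid"
    fi
}

# self_check: constructed sample file, first with the setuid bit, then
# after the same mode change the page recommends.
self_check() {
    tmp=$(mktemp -d) || return 1
    sample="$tmp/ARDAgent-sample"   # constructed stand-in, not the real binary
    : > "$sample"
    chmod 4755 "$sample"; before=$(audit_setuid "$sample")
    chmod 0555 "$sample"; after=$(audit_setuid "$sample")
    rm -rf "$tmp"
    echo "$before $after"
}

echo "ARDAgent: $(audit_setuid "${1:-$ARD_BIN}")"
```

A result of "setuid-root" means the binary still runs as root for any caller; "not-setuid" is the state the chmod 0555 command leaves behind.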

 

 
