|Home » Industry Watch
Huge, Crazy, Ridiculous OS X Security Hole
The ARDAgent hole is a lot bigger than previously believed.
Charles Srstka's pissed. After seeing the ARDAgent story explode on the net he decided to tell people a bit more of the background.
The ARDAgent hole extends to all Cocoa apps and has been known - but summarily dismissed - by Apple for the past four years.
The hole isn't limited to Tiger and Leopard: it goes back at least to Panther and very likely even farther than that.
It's best to let Charles tell the story in his own words.
OS X's implementation of AppleScript has a problem. It's had this problem since Panther at least, and I've reported it to Apple on several occasions since 2004. It always gets flagged 'Behaves Correctly' by Apple's development team. The problem is: Applications that are running as root can accept AppleScript commands from applications that are not running as root. And since every Cocoa application automatically gets some basic AppleScript support, this means that any time a Cocoa application runs as root, anyone else can send it a 'do shell script' command and pretty much run anything they want as root.
You can test this immediately by running the following command.
osascript -e 'tell application "Safari" to do shell script "whoami"'
Where's the Beef?
This is all about how Cocoa apps - with no explicit coding to accept AppleScript in any way shape or form - are coerced to perform AppleScript anyway. And should they be SUID root enabled as ARDAgent then whatever you run through them in this fashion will run as root as well.
Fringe case, you say? If a GUI app runs as root, you've already got a problem, you say? Well, I said yeah, Cocoa and Carbon apps shouldn't be running as root, but this stuff does happen - badly written installers sometimes launch themselves as root, as do some utility programs, along with the popular lab management program 'iHook' - and it only takes one such screwup to allow hackers to root your computer. But no, they decided to flag it 'Behaves Correctly' and ignore it. Well, two days ago I made the mistake of mentioning this bug to someone in #macdev, and then yesterday, it comes out that...
IT TURNS OUT THAT OS X CONTAINS AN APPLESCRIPT-AWARE APPLICATION WITH ITS SETUID BIT SET, OUT OF THE BOX.
So that's the likely origin of the original post at Slashdot.
Pacifist by Nature
Charles Srstka's a Pacifist by nature. He's of course author of the excellent unarchiver Pacifist. [And if you don't have it yet you should get it now - it's indispensable. Ed.] He concludes with the following.
I hope Apple enjoy all the horrible press they're going to get. They've known about this for almost four years.
What You Can (and Should) Do
Admittedly it's creepy seeing something as questionable as AppleScript running through trusted applications. But it gets really bad if any of them are SUID root like ARDAgent.
You need to scour your system for GUI-based apps with SUID root executables. There are several ways to do this.
- Download CLIX (free) and run the 'leakd' script and/or other scripts in the package.
- Run Xscan to scan for SUID files from root. [See the 'Filters' menu - 'Set User ID.] If you don't have Xscan you can download the free Test Drive and it will work wonderfully for this purpose.
- Follow the instructions in the articles linked below to neutralise any files you find [remove their SUID bits].
- Do not run that silly 'repair permissions' unless you're prepared to patch the holes it opens up. [See below.]
- Send a complaint to 'Apple security'. Specify the issue and demand they fix it.
Yes It's Serious
Typically there are a number of naysayers in the thread where Charles posted. Calling Charles 'flabbergasted' that these people try to minimise the danger and/or insult the messenger wouldn't be inapt. This is very serious shit. Very serious. Charles has the word again.
So you don't think any process on the whole system being able to essentially use sudo without an admin password, making OS X's security model pretty much the same as OS 9's, is a big deal?
Any little freeware app you download can use this AppleScript to execute anything as root from a plain, vanilla OS X installation. They could put a malicious startup item or kernel extension in /System, they could mess with the config files in /etc, they could just run rm -rf / and completely erase all attached disks. Basically, they could do anything you'd normally need to enter your admin password for, without requiring your admin password. Also, every user on the system can snoop into other users' home folders, change the admin password, or really do whatever he/she wants.
You don't think that's a big security hole?
A security hole in an isolated executable (ARDAgent) is one thing. That's finite - that can be easily patched.
Finding out this works on all GUI based apps is quite another. This is no longer a clerical error - it's a horrible design flaw and it's compounded by Apple's refusal to take the matter seriously. Finding further Apple have been totally dismissing this issue for four years forces one to arrive at unfortunate conclusions about Apple's ability to 'take security seriously'.
But you can (and should). Follow the above steps and finish things off by writing to Apple.
Learning Curve: A Suggestion
Industry Watch: You're Root, Dude!
Industry Watch: You're Toast, Dude?
Learning Curve: The First Real Malware?
Learning Curve: Apple Redefine 'Epic FAIL'?
Industry Watch: It's Not New It Starts with 10.2
Apple Developer Connection: AppleScript Overview
Industry Watch: Huge, Crazy, Ridiculous OS X Security Hole
Apple Developer Connection: Apple Events Programming Guide