Many blogs have posted temporary fixes for this hole, but many of those fixes bring problems of their own. Here are some of the half-working fixes I've seen:
- Remove the setuid bit from the ARDAgent executable.
This approach makes sense if all you need to tackle is the hole itself. But it breaks the Apple Remote Management service: if you try to remotely control your Mac with Apple's Remote Desktop software (which you have to buy from Apple), it will no longer work.
- Start up the Apple Remote Management service.
Amazingly, starting up the Apple Remote Management service, the very service the hole lives in, seems to close the hole! Running the dreaded exploit script
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
after starting up ARM gives you an error message instead of the "root" line. But does this "fight fire with fire" approach make you nervous? What if it goes wrong?
To see what happens when it goes wrong, just restart the ARM service in System Preferences and try the exploit script again. You've been rooted! So this method does not actually work.
Here is the fix I use instead:
- Edit the file /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist as root.
- Add the following two lines just before the final </dict> (the one that closes the top-level dictionary):
<key>NSAppleScriptEnabled</key>
<string>YES</string>
- Save it.
- Start and stop (or stop and start) the Apple Remote Management service in System Preferences, so that ARDAgent is relaunched and reads the new Info.plist.
Now the exploit script fails with
23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)
no matter whether ARM is started or not.
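The steps above as a script, added here as an example and not part of the original post: it makes the Info.plist edit idempotently (keeping a .bak copy and overwriting in place so owner and mode survive), confirms the setuid bit was not stripped, and re-runs both the plain exploit string and the killall variant posted in the comments below, so you can re-test after every stop/start of Remote Management. It assumes the plist is already in XML form (run `plutil -convert xml1` first if it is binary) and writes the key exactly as the post does, as a `<string>YES</string>` pair; the function names and the `fix`/`probe` arguments are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes an XML Info.plist and
# writes NSAppleScriptEnabled as <string>YES</string>, as the post does by hand.

ARD_BIN=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
ARD_PLIST=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist

# plist_has_applescript_key FILE: 0 if NSAppleScriptEnabled is already present.
plist_has_applescript_key() {
    grep -q '<key>NSAppleScriptEnabled</key>' "$1"
}

# plist_enable_applescript FILE: insert the two lines just before the LAST
# </dict> (the close of the top-level dictionary, not a nested one). Keeps
# FILE.bak and overwrites FILE in place, preserving owner and mode. A second
# run finds the key and returns without touching the file.
plist_enable_applescript() {
    f="$1"
    plist_has_applescript_key "$f" && return 0
    last=$(grep -c '</dict>' "$f")
    [ "$last" -gt 0 ] || { echo "no </dict> in $f (binary plist?)" >&2; return 1; }
    cp "$f" "$f.bak" || return 1
    awk -v last="$last" '
        /<\/dict>/ {
            if (++seen == last) {
                print "\t<key>NSAppleScriptEnabled</key>"
                print "\t<string>YES</string>"
            }
        }
        { print }
    ' "$f.bak" > "$f"
}

# is_setuid FILE: 0 if the owner-execute slot of ls -l shows the setuid bit.
# Run it after the fix to confirm you did not also strip the bit (which is the
# half-working fix that breaks Remote Desktop).
is_setuid() {
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# ardagent_probe [kill]: run the exploit string, prefixed with the killall line
# from the comments when "kill" is given. Prints VULNERABLE and returns 1 when
# the answer is "root"; otherwise prints the error and returns 0. Returns 2 off
# a Mac, where osascript does not exist.
ardagent_probe() {
    command -v osascript >/dev/null 2>&1 || { echo "osascript not found"; return 2; }
    if [ "$1" = kill ]; then
        out=$(osascript -e 'do shell script "killall ARDAgent;sleep 2"' \
                        -e 'tell application "ARDAgent" to do shell script "whoami"' 2>&1)
    else
        out=$(osascript -e 'tell app "ARDAgent" to do shell script "whoami"' 2>&1)
    fi
    case "$out" in
        root) echo "VULNERABLE: $out"; return 1 ;;
        *)    echo "closed: $out";     return 0 ;;
    esac
}

# With no argument the file only defines the functions (so it can be sourced).
case "${1:-}" in
    fix)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        plist_enable_applescript "$ARD_PLIST" && echo "edited $ARD_PLIST (backup in $ARD_PLIST.bak)"
        echo "now stop and start Remote Management in System Preferences, then run: $0 probe"
        ;;
    probe)
        is_setuid "$ARD_BIN" && echo "setuid bit still set on ARDAgent (Remote Desktop keeps working)"
        ardagent_probe
        ardagent_probe kill
        ;;
esac
```

Run `sudo sh ardagent-fix.sh fix`, toggle Remote Management, then `sh ardagent-fix.sh probe`; the second probe is the one to watch, since the killall variant is what the comments report still getting through.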
3 comments:
This is easily the best tip that I have seen for the ARDAgent hole. For some reason it has received no publicity though. Exactly what does this directive do?
This doesn't really work. It is vulnerable to the same killall script as just turning on Remote Management is:
do shell script "killall ARDAgent;sleep 2"
tell application "ARDAgent" to do shell script "whoami"
The only safe thing to do that I've found is to change the owner to something safer, like yourself:
sudo chown user /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
Can someone help me with this?
I first found info on this trojan and tried running a few terminal commands to fix it.
I would get
18:19: Syntax Error: No User interaction allowed. (-1713)
when I ran osascript -e 'tell app "ARDAgent" to do shell script "Whoami"'
and I ran the other suggestions on the CoreServices/RemoteManagement folder:
$ sudo defaults write /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info NSAppleScriptEnabled YES
$ sudo plutil -convert xml1 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
$ sudo chmod 644 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
So now I used just the standard Finder to go to the CoreServices folder,
and I see a red negative symbol on the RemoteManagement folder, and I do not have privileges to view this folder's contents.
I am logged in as root. I am using OS X 10.3.9.
Can anyone tell me how to regain access to that RemoteManagement folder?
I fear I am being exploited by this botnet setup, as I run a simple webserver using my old Mac. And when I capture my TCP/IP tcpdump packets, I see a message repeatedly in one of the packets, saying my registry is corrupt and I should visit windowsregistryfix dot com to download a registry patch. So I am assuming my Mac is sending out botnetted popups to other computers.
I have otherwise locked down my mac in every other possible way.
I am fairly Mac savvy but really only a long-term newbie, using Macs since Mac OS 7.
any help with this would be greatly appreciated.