Many blogs have posted temporary fixes for the situation, but many of those fixes bring problems of their own. Here are some of the half-working fixes I've seen:
- Remove the setuid bit in the ARDAgent executable.
This approach actually makes a lot of sense if all you need to tackle is the security hole itself. But it breaks the Apple Remote Management service so if you try to remotely control your Mac with Apple's Remote Desktop software (you need to buy it from Apple), it will no longer work.
- Start up the Apple Remote Management service.
Amazingly, actually starting up the Apple Remote Management service - the very thing that caused the security hole - seems to close the security hole! Running the dreaded exploit script
    osascript -e 'tell app "ARDagent" to do shell script "whoami"'
after starting up ARM would give you an error message instead of the "root" message. But does this "put out fire with fire" approach make you nervous? What if it goes wrong?
To see what happens if it goes wrong, just restart the ARM service in System Preferences, and try the exploit script again. You've been rooted! So this method does not actually work.
- Edit the file /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist as root.
- Add the following two lines just before </dict>:
- Save it.
- Start and stop (or stop and start) Apple Remote Management service.
23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)
This is the result no matter whether ARM is started or not.
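A small checker for the test procedure used in this post, as an added example that is not part of the original post: it reports whether a file still has its setuid bit (the first fix) and judges a fix from the output of the `osascript` test collected in each ARM state. The function names, verdict strings and sample outputs are assumptions made for this example; pass the path of the ARDAgent executable as the first argument to get its setuid state.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and verdict
# strings are assumptions chosen for this sketch.

# Print the setuid state of a file: missing, no-setuid, setuid-root, setuid-other.
setuid_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    [ -u "$1" ] || { echo no-setuid; return 0; }
    # Field 3 of `ls -lnd` is the numeric owner uid.
    owner=$(ls -lnd "$1" | awk '{print $3}')
    if [ "$owner" = 0 ]; then echo setuid-root; else echo setuid-other; fi
}

# Classify the output of the post's osascript "whoami" test.
classify_probe() {
    case $1 in
        root) echo vulnerable ;;          # the shell script ran as root
        *"(-1708)"*) echo blocked ;;      # ARDAgent rejected "do shell script"
        *) echo other-error ;;            # some other failure; state unclear
    esac
}

# A fix holds only if no run, in any ARM state, came back as root.
fix_holds() {
    for out in "$@"; do
        if [ "$(classify_probe "$out")" = vulnerable ]; then return 1; fi
    done
    return 0
}

# Optional: report the setuid state of the executable given as argument 1.
if [ $# -gt 0 ]; then echo "setuid state: $(setuid_state "$1")"; fi

# Constructed sample outputs for the "start ARM" workaround:
# an error while ARM is running, then "root" after ARM is restarted.
if fix_holds 'execution error (constructed sample)' 'root'; then
    echo "fix holds in every tested state"
else
    echo "fix fails in at least one ARM state"
fi
```

Collect one test output per ARM state (started, stopped, restarted) and pass them all to `fix_holds`; a single passing run says nothing about the other states.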