Saturday, June 21, 2008

How to properly fix the Mac OS X ARDagent security hole

Slashdot posted about a root privilege escalation bug in Mac OS X a few days ago. It made quite a big fuss among Apple users, because Mac OS X, which is more UNIX than Linux, and which was created, coded and certified by the infallible bearded UNIX wizards, must be... eh... infallibly secure! That no longer seems to be the case, as any would-be OS X virus writer could use this hole to gain root privileges for their creations without the user noticing.

Many blogs have posted temporary fixes for the situation, but many of those fixes bring problems of their own. Here are some of the half-working fixes I've seen:
  1. Remove the setuid bit in the ARDAgent executable.
    This approach makes a lot of sense if all you need to tackle is the security hole itself. But it breaks the Apple Remote Management service, so if you try to remotely control your Mac with Apple's Remote Desktop software (which you need to buy from Apple), it will no longer work.
  2. Start up the Apple Remote Management service.
    Amazingly, actually starting up the Apple Remote Management service - the very thing that caused the security hole - seems to close it! Running the dreaded exploit script osascript -e 'tell app "ARDagent" to do shell script "whoami"' after starting up ARM gives you an error message instead of "root". But does this "fight fire with fire" approach make you nervous? What if it goes wrong?

    To see what happens when it goes wrong, just restart the ARM service in System Preferences and try the exploit script again. You've been rooted! So this method does not actually work either.

A better fix would be one that does not break Apple Remote Desktop, while still preventing AppleScript from rooting your machine no matter whether the Apple Remote Management service is on or not. Here's how:
  1. Edit the file /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist as root.
  2. Add the following two lines just before </dict>:
    <key>NSAppleScriptEnabled</key>
    <string>YES</string>

  3. Save it.
  4. Start and stop (or stop and start) Apple Remote Management service.
Now try the exploit script again; you should get:
23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)

This is the case no matter whether ARM is started or not.
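As an added example (my own script, not part of the original post), here is a way to apply steps 1 to 4 above with plain POSIX tools, so the edit is repeatable and can be checked before the real plist is replaced. The plist path is the one named in the post; the kickstart tool next to it is Apple's command-line way of restarting the Remote Management agent, and I am assuming it is equivalent to stopping and starting the service in System Preferences. The sample plist the script can write is constructed for testing and is not the real ARDAgent Info.plist; the script also assumes the plist is XML text, which is what the post edits by hand.

```shell
#!/bin/sh
# Added example, not from the original post: apply the Info.plist fix above
# with plain POSIX tools. The plist path is the one named in the post;
# kickstart is Apple's command-line tool for restarting the Remote Management
# agent, used here as the equivalent of step 4 (assumption: toggling the
# service in System Preferences has the same effect).
ARD_PLIST="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist"
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# sample_plist FILE: write a small constructed XML Info.plist for testing.
# It is not the real ARDAgent plist; only its <dict> layout matters here.
sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>ARDAgent</string>
    <key>CFBundleIdentifier</key>
    <string>com.example.constructed.ARDAgent</string>
</dict>
</plist>
EOF
}

# has_applescript_key FILE: exit 0 if NSAppleScriptEnabled is already YES.
# Assumes an XML (not binary) plist, which is what the post edits by hand.
has_applescript_key() {
    awk '/<key>NSAppleScriptEnabled<\/key>/ {
             if ((getline nxt) > 0 && nxt ~ /<string>YES<\/string>/) found = 1
         }
         END { exit(found ? 0 : 1) }' "$1"
}

# add_applescript_key SRC DST: copy SRC to DST, inserting the two lines from
# step 2 immediately before the last </dict> (the top-level dictionary).
add_applescript_key() {
    awk '{ line[NR] = $0; if ($0 ~ /<\/dict>/) last = NR }
         END {
             for (i = 1; i <= NR; i++) {
                 if (i == last) {
                     print "    <key>NSAppleScriptEnabled</key>"
                     print "    <string>YES</string>"
                 }
                 print line[i]
             }
         }' "$1" > "$2"
}

# fix_ardagent [FILE]: steps 1-4 of the post. Idempotent; keeps a .bak copy.
# On the real path this must run as root; on any other host it only edits
# the file and skips the agent restart.
fix_ardagent() {
    plist="${1:-$ARD_PLIST}"
    if [ ! -f "$plist" ]; then
        echo "no Info.plist at $plist (Remote Management not installed?)" >&2
        return 1
    fi
    if has_applescript_key "$plist"; then
        echo "NSAppleScriptEnabled is already YES in $plist" >&2
        return 0
    fi
    tmp="$plist.new.$$"
    cp -p "$plist" "$plist.bak"
    add_applescript_key "$plist" "$tmp"
    if ! has_applescript_key "$tmp"; then
        rm -f "$tmp"
        echo "edit did not take; $plist left untouched" >&2
        return 1
    fi
    mv "$tmp" "$plist"
    # Step 4: restart the agent so it re-reads Info.plist (only on a Mac
    # with Remote Management present).
    if [ -x "$KICKSTART" ]; then
        "$KICKSTART" -restart -agent
    fi
}
```

Run `fix_ardagent` with no argument as root on the Mac to edit the real file; running it a second time reports that the key is already present and changes nothing. The post's own check still applies afterwards: the exploit script should produce the -1708 error whether or not ARM is running.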