Local root escalation vulnerability in Mac OS X 10.4 and 10.5 discovered


Yesterday, an anonymous reader released details on a local root escalation vulnerability in Mac OS X 10.4 and 10.5. It works by running a local AppleScript that tells ARDAgent, which ships setuid root by default, to execute a shell command, so the command runs with root's user ID. Here's how it's done:

"Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not."


There are several possible workarounds: you can remove Apple Remote Desktop, located in /System/Library/CoreServices/RemoteManagement/, or you can follow the illustrated Workaround for the ARDAgent 'setuid root' problem.
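Both workarounds above come down to one condition: a binary that is setuid and owned by root, which any local user can drive into running shell commands. The following POSIX shell script is an added example, not code from the article or from Apple, that audits a file for that condition, strips the setuid bit, and lists every setuid-root file under a directory for a periodic baseline diff. The ARDAGENT_BIN path is an assumption built on the RemoteManagement directory the article names; adjust it if your install differs.

```shell
#!/bin/sh
# Added example, not code from the article: audit a Mac for the ARDAgent
# setuid-root condition described in the post and optionally strip the bit.
# ARDAGENT_BIN is an ASSUMED path built on the article's
# /System/Library/CoreServices/RemoteManagement/ directory; adjust if needed.

ARDAGENT_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_setuid FILE: exit 0 when FILE is a regular file with the setuid bit set.
# -prune keeps find on the start point itself; -perm -4000 tests the bit.
is_setuid() {
    [ -n "$(find "$1" -prune -type f -perm -4000 -print 2>/dev/null)" ]
}

# is_owned_by_root FILE: exit 0 when FILE is owned by root (uid 0).
is_owned_by_root() {
    [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# audit_file FILE: print one word describing FILE's state. Only "setuid-root"
# is the dangerous combination: a local user who can make the program run a
# shell command gets that command executed as root.
audit_file() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif ! is_setuid "$1"; then
        echo "clear"
    elif is_owned_by_root "$1"; then
        echo "setuid-root"
    else
        echo "setuid-nonroot"
    fi
}

# strip_setuid FILE: remove the setuid bit and succeed only if it is really
# gone, so a chmod that failed (for example, not run as root) is reported as a
# failure instead of being assumed to have worked.
strip_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# list_setuid_root DIR: every setuid-root file below DIR, suitable for a
# periodic audit whose output is diffed against a known-good baseline.
list_setuid_root() {
    find "$1" -type f -perm -4000 -user root -print 2>/dev/null
}

# Stand-alone use: "sh audit_ardagent.sh" reports the agent's state;
# "sudo sh audit_ardagent.sh --fix" strips the bit. The trailing ':' keeps a
# failed fix from aborting a caller that runs under set -e.
if [ "${1:-}" = "--fix" ]; then
    strip_setuid "$ARDAGENT_BIN" || :
else
    audit_file "$ARDAGENT_BIN"
fi
```

Stripping the bit is the narrowest fix: it leaves the agent in place but removes the privilege jump, and the re-check in strip_setuid means the script never reports success it did not verify. Running list_setuid_root over /System and /usr from time to time and diffing against a saved copy catches the same class of problem in any other binary that gains the bit later.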

Moreover, AppleInsider speculates on the potential for abuse:

The effects of malicious code run as root may range from deleting all the files on the Mac to more pernicious attacks such as changing system settings, and even setting up periodic tasks to perform them repeatedly. Not all Macs are vulnerable, however. If a user has turned on Remote Management in the Sharing pane of System Preferences under Mac OS X 10.5, or if a user has installed Apple Remote Desktop client under Mac OS X 10.4 or earlier and has activated this setting in the Sharing preferences, the exploit will not function. Mac OS X 10.5’s Screen Sharing function has no effect on this vulnerability.

And even though, depending on the configuration, the vulnerability can also be triggered over a remote connection under specific circumstances, physical security to prevent unauthorized local access is as applicable as it has always been.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

16 comments
  • Surprise surprise

    So many of these, they are a dime a dozen for all the operating systems out there. Just do a little digging on the IRC channels if you want to see for yourself.
    voska1
  • RE: Local root escalation vulnerability in Mac OS X 10.4 and 10.5 discovered

    I'm sure this will be fixed in the next update.
    exxtraz
  • I'm surprised

    more exploits of this nature haven't turned up involving Applescript. It was ported over from an operating system with no kind of user privileges at all.
    frgough
    • The problem is not with Applescript but rather...

      ...Apple Remote Desktop. Applescript just appears to be the method to interface with ARD agent. The ARD agent runs as SUID root and therefore a vulnerability in it gains root privileges.

      As this is a problem with ARDAgent I wouldn't be surprised if there were a way to exploit this vulnerability through the ARD.
      ye
  • There is a better solution

    Free yourself from the Swiss cheese that OS X has become. OS X was built upon a really solid foundation but sadly it seems that with every bit of code that Apple adds to that BSD core, they create another security hole.

    So, to paraphrase what gets posted on every Windows security vulnerability post: Get Windows - It Just Works :)
    NonZealot
    • The Mac is riddled with code flaws

      The Mac was the first computer to have a computer virus and was proud of it! The Mac was not designed for the modern computer world of connected multiple users and still has the same old single user mentality that Windows ME had. Every bit of code that Apple has added to FreeBSD has been shown to have flaws in it. These flaws are from the way Apple pushes style over substance. Windows beat the Mac OS because it focused on being the best workstation software out there and that dominance is continuing.

      Linux also is better than FreeBSD and Linux is just as substantial as Windows. Linux is much better than the Mac OS and is even easier to use if you are a Gnome or KDE user. The Mac is a botched X-windows using the worst Unix clone out there and the worst possible user ideas left over from what Microsoft didn't have patents on.

      The Mac is a poorly implemented X-windows system and Ubuntu is a superb X-windows implementation that has enough variety to meet any kind of user preferences. There are Mac look-alikes and work-alikes in the Linux world. Vixta, a Vista look-alike, is based on Fedora but it shows what can be done with X-windows. The Leopard look and feel is ancient when you consider that power bars are quite old. Everything in the Mac front end is borrowed from the X-windows world so it is no surprise that Mac users cry foul when they see a common desktop environment and believe it comes from Apple, when in fact it comes from the Unix and now Linux world.
      progon
      • Huh?

        Are you joking or do you have absolutely no idea what you are talking about? If the latter, check out Wikipedia or something and spend like 15 minutes reading history. History is quite enlightening.

        First, Mac OS X is based on NeXT, a 20+ year old BSD UNIX derivative with a proprietary graphical subsystem (then called NeXTStep), developed from about 1985 until 1995 when Apple bought them (and Steve Jobs) to keep the company from crashing into the ground at mach 5. System 9 is absolutely 100% nothing like OS X, simple as that. You can't compare them in any way. And I'd bet 95% (random number but probably not far off) of the Mac has nothing to do with UNIX at all. The subsystems are source code compatible with UNIX as far as applications are concerned, it uses some kernel and user space code from UNIX, but it really honestly isn't terribly like UNIX in most ways. It's brilliantly designed, don't get me wrong, but UNIX it is not. UNIX compatible, yes.

        Secondly, it's called "The X Window System" not X-Windows. It's a trademark and some are picky about people saying the name correctly. Nothing whatsoever from the Mac GUI is borrowed from the X window system. Mac does not natively have any X subsystem whatsoever. Nothing. Nada. Steve Jobs almost certainly hates X as much as Linux but supports them both reluctantly so he can win over UNIX/Linux users. So, they provide on the CD an Apple-developed X window system server for compatibility with _real_ UNIX applications. But you have to install it and it's pretty lousy in some respects (and surprisingly well thought out in others).

        Thirdly, Ubuntu has the same X Window System every other (mainstream) operating system uses (Apple and Microsoft excluded). Same GNOME. Charming brown color scheme.

        Fourth, Ubuntu and OpenSolaris are probably my top picks for operating systems. I've run nothing but Ubuntu since Warty released and have to say I'm pleased. And only OpenSolaris on SPARC hardware. (Solaris shines on SPARC but always seems flaky and missing drivers on Intel hardware. Linux tends to suck on SPARC for the same reasons but maybe not so much these days.)

        I'll avoid talking about Vista. I have a strict non-Microsoft policy. ;)
        cabdriverjim
        • And before someone says...

          ...that Ubuntu looks a lot like MacOS X and then surmises that Apple must've copied GNOME. Again, read the history. Certain key parts of the GNOME desktop were originally designed by a team led by Andy Hertzfeld (the architect of the original Mac operating system). GNOME mimics Mac in this case. It used to mimic Mac more but many of those features have been thrown away or improved upon over time.
          cabdriverjim
        • Well not sure what you want to call it...

          But OSX does provide X11 support; it is on the install disk.
          mrOSX
      • Finally

        Some intelligent poster!

        To make it short:
        Mac OS is a pathetic clone of BSD that contains no innovation of any kind, and even with a closed ecosystem, as more clueless drones start using it, the more bugs will be discovered.

        The only use for a Mac computer is to install XP (or Linux or Vista) on it.

        But most Mac users know that because Windows XP is the 1st thing they install when they get a shiny new Mac.
        Mectron
        • really?

          I still don't have Windows on my Leopard machine and I seem to be doing just fine. Here's a thought: you like Windows, fine. Some people like OSX, fine. Not everybody has to be like you (thank God).
          russguill
      • right...

        This must all come from the Mac-tel users... as with the PPC version, the Darwin kernel is based on FreeBSD (and still open, but Apple closed the kernel when it went with Intel) and is a much better *nix than any flavor of Linux out in the wild... read up on FreeBSD and the Darwin project, people...
        poeticg33k
    • not ALL security vulnerability posts are about windows!!!

      Other OSes have flaws too, just not as many...

      In Reply To:
      "to paraphrase what gets posted on every Windows security vulnerability post: Get Windows"
      jjarman
  • Market Share

    Just like all else, the more market share the more vulnerabilities will be found.

    Maybe Apple is becoming too successful...joining the ranks of OpenOffice.
    rkuhn040172@...
  • Not Surprised, Still Impressed

    There isn't an OS in existence that is 100% invulnerable to any attack due to their complex nature and the amount of code.

    I am impressed at how well OS X has stood up to serious investigation by security researchers. Much better than some of the alternatives by a large order of magnitude.

    The fact that the various issues being found have been resolved before any real exploits reach the wild and affect customers is something worth considering and appreciating.

    Some consider if an OS has any risk at all that they are all equally at risk, a very flawed premise. In reality, the level of security varies wildly between the various OSs and their pieces. They are not at all equal, each offers its own individual strengths and weaknesses.

    Others look at security exploits in the wild and consider some OSs invulnerable since they don't suffer from regular exploits and attacks, an equally flawed premise. While I'd agree that the lack of wild exploits makes the Mac experience much more secure and stable for the average every day user, I would not even begin to assume that it is 100% secure, or that no issues would ever be found.

    Those still proffering the market share theory should really look at the numbers again and do some comparative factoring. I'd also recommend looking at all the various OSes and the number of exploits that exist in relationship to market share. The data makes the market share conclusion self-defeating. When you factor in all the work being done by the various security researchers, that argument becomes completely moot.
    jjarman
  • RE: Local root escalation vulnerability in Mac OS X 10.4 and 10.5 discovered

    It's been a while since anyone with half a brain tried to (seriously) claim that Apple's OS or related software was "bug free". Or even (possibly) exploit free. Fact is, neither is true. Yet, there are no examples of replicating malware found in the wild for OSX. As for this latest, "in order to activate this vulnerability the attacker would either have to be at the machine, or logged in remotely with the same account that is currently in use... or just convince the user to run a malicious downloaded application". And, that only works if ARD is configured on the system ... with setuid root. Now ... it isn't all that useful without setuid root, assuming you WANT to use it.
    Do you? Why? No, seriously, WHY?!?!?
    dlmeyer@...