Over the weekend, news of a security flaw in Apple's Remote Desktop Agent got slightly worse. When the vulnerability was first disclosed, most of those who commented on it dismissed it for lack of any remote vector; they fell silent when a Trojan appeared online that gave the issue exactly that remote exploitation.
[Image: Apple logo / screen capture of Apple Remote Desktop Agent. (IMG: J. Anderson)]
SecureMac and Intego are both reporting, separately mind you, that several variants of a Trojan targeting OS X 10.4 and 10.5 are circulating. The Washington Post's Brian Krebs was able to get the exploit working on 10.5, though not on 10.4.
SecureMac reports the original issue as follows: "Due to an insecurity in the root-owned Apple Remote Desktop Agent binary, local users, as well as those with SSH access while the local user was logged into the graphic user interface, can execute commands with root privileges via Applescript. This vulnerability exists under both admin and regular user accounts under the latest version of OS X (10.5.3), and works regardless of whether Apple Remote Desktop sharing is turned on."
Not even a day after the local vulnerability was disclosed, and subsequently dismissed by fanboys and some security people as less than serious because it was local, a Trojan was seen spreading online and via Limewire and iChat.
"The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire," commented SecureMac.
"The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging.
"Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root." (SecureMac advisory)
Intego reported the same Trojan, and offers a screen capture via its Web site.
On Slashdot, Foo4thought posted a rather quick, if dirty, fix for the issue, noting that: "This may have come too late in the comments for anyone to see it, but if the exploit is active on your system, adding a key to ARDAgent's Info.plist makes the problem go away without disabling ARDAgent altogether."
Key: NSAppleScriptEnabled
Value: YES
Other Slashdot readers have said that the fix works, but is not persistent. The Washington Post has another fix, which is comical as it takes advantage of the exploit itself.
This fix, which comes from Jay Beale, is simple to execute as you run it from the terminal:
osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';
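Both workarounds above change something an administrator can verify: the Slashdot one adds a key to ARDAgent's Info.plist, and Jay Beale's one strips the setuid bit from the root-owned ARDAgent binary. The script below is an added example, not code from the article, Apple, SecureMac or Intego, that checks for both conditions and reports whether a given ARDAgent install still has the setuid-root binary with no plist key. It assumes the Info.plist is in XML form (so it can be searched with grep; on a real Mac `defaults read` would be the usual tool), and the paths default to the ARDAgent locations named in the article but can be overridden so the checks can be exercised on a constructed copy. The `strip_setuid` helper runs the same `chmod 0555` the article's fix runs, but directly, for an administrator who already has root rather than via osascript.

```shell
#!/bin/sh
# Added example: verify the two ARDAgent workarounds described in the article.
# Not part of the original article or of Apple's/SecureMac's/Intego's code.

# Default locations from the article (assumed unchanged on the checked system).
ARD_BIN_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"
ARD_PLIST_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist"

# 0 if the file exists and carries the set-user-ID bit (the bit chmod 0555 removes).
has_setuid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Owner name of a file, parsed from ls -ld (portable across sh implementations).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# 0 if the file is setuid AND owned by the given user; setuid root is the
# combination that lets "tell app ARDAgent to do shell script" run as root.
is_setuid_owned_by() {
    has_setuid_bit "$1" || return 1
    [ "$(owner_of "$1")" = "$2" ]
}

# 0 if the (XML) Info.plist contains the NSAppleScriptEnabled key from the
# Slashdot workaround. Assumption: XML plist, not the binary plist format.
plist_has_applescript_key() {
    grep -q '<key>NSAppleScriptEnabled</key>' "$1" 2>/dev/null
}

# Prints one word describing the install:
#   absent    - no binary at that path
#   exposed   - setuid, owned by $owner, and no NSAppleScriptEnabled key
#   mitigated - one of the two workarounds (or a real patch) is in place
# Arguments: [binary] [plist] [expected owner, default root]
ardagent_state() {
    bin="${1:-$ARD_BIN_DEFAULT}"
    plist="${2:-$ARD_PLIST_DEFAULT}"
    owner="${3:-root}"
    if [ ! -f "$bin" ]; then
        echo absent
        return 0
    fi
    if is_setuid_owned_by "$bin" "$owner" && ! plist_has_applescript_key "$plist"; then
        echo exposed
    else
        echo mitigated
    fi
}

# Apply the chmod from Jay Beale's fix directly (caller must already be root).
strip_setuid() {
    chmod 0555 "$1"
}

# When run stand-alone, report the state of the default install paths.
echo "ARDAgent: $(ardagent_state)"
```

On a checked machine, `sh ardcheck.sh` prints `ARDAgent: exposed` only when the binary is still setuid root and the plist key is absent; after either workaround it prints `mitigated`. The owner argument exists so the logic can be tested on a constructed copy without needing root.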
One of the two fixes will work until Apple patches the flaw. Krebs speculates that the issue was fixed in a recent patch in 10.4, but might have found its way into the code for 10.5. Be that as it may, the sad fact is that Apple dismissed the flaw before it became widespread public knowledge.
The lesson in this issue is not that there is a security problem in OS X; everyone knows no operating system is 100% secure. The lesson is not to dismiss a security issue simply because it is only a local exploit.
"Most people may discount this as not that notable due to the lack of remote exploitation. However, I would like to remind our readers that local exploits like this can be leveraged into the second phase of a remote exploit through a web browser, or other user level application vulnerability," outlines Scott Fendley of SANS ISC.
"Additionally, in a multi-user/server based environment (and especially those of us in university or library environment where we check out laptops or manage computer labs), a dishonest student or insider could use this exploit to gain elevated access and wreak all types of havoc."