Serious Security Vulnerability In Apple OS X Leopard
An unpatched security hole in Apple's OS X operating system could be used by attackers to change key system settings or to take control of vulnerable computers, security researchers warn.
In a posting to news-for-nerds site Slashdot.org on Wednesday, an anonymous reader noted that a core component of OS X 10.4 (Tiger) and 10.5 (Leopard) called Apple Remote Desktop Agent could be leveraged by any user on the machine to install new programs or alter important system settings. Generally, these tasks are reserved for only the "root" account -- the most powerful user account on the system -- or at the very least they require the user to first enter a password for the requested changes to take effect.
The security hole has to do with the fact that ARDAgent accepts commands from Applescript, the scripting language built into OS X. As a result, a simple one-line script can force ARDAgent to launch any program as root -- regardless of whether the Applescript command was invoked using an administrator/root account or from a less powerful "standard" user account. The commands are executed without ever prompting the user to enter his/her password.
To see why this is a big deal, open up a Terminal in OS X using a standard account (use Spotlight if you don't know where the Terminal is located), and cut and paste the following command:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
It should return a single word: "root". All we did here was use Applescript to force ARDAgent to tell you which user account ARDAgent was being run under. But we could have just as easily told ARDAgent to do something a lot more dangerous. As one Slashdot poster noted, we could have passed it an Applescript command to silently disable the built-in firewall and open specific pathways into the machine so that anyone nearby or on the same local area network could connect directly to it unchallenged.
While most of the coverage of this vulnerability so far says it exists in both OS X 10.4 and 10.5, I could not get the test script to work on my Tiger installation, and all attempts to exploit this on the systems of other 10.4.11 owners I spoke with generated the same error message: "AppleEvent timed out." It worked flawlessly on numerous 10.5 machines in use at washingtonpost.com, however.
There are signs that Apple may have fixed this flaw in 10.4, only to reintroduce it in 10.5. In any event, Apple has known about this problem since last October, according to this forum discussion posting.
Interestingly, Apple has advised users that this isn't a big deal. In a post to its support forum on June 8, 2008, Apple acknowledged the issue, but said it was "not a cause for concern." I pinged Apple on Thursday to find out if they plan to issue an official fix for this problem, and I will update this blog in the event I receive a response.
While I have seen claims that this can only be exploited by someone who has physical access to a vulnerable 10.5 machine, several experts I spoke with say that's simply not true.
For example, an attacker could bundle one of these malicious Applescripts in an installer program for a downloadable OS X application. Alternatively, the attacker could use this in combination with another exploit -- say a weakness in the Safari Web browser -- to effect lasting and potentially devastating changes on a victim's machine.
"A remote attacker would need to successfully attack your web browser or another program on your computer," said Jay Beale, senior security analyst and co-founder at Intelguardians, and the creator of Bastille UNIX, a script-based approach for securing various operating systems, including OS X. "But attackers find that easier and easier now, either by putting a browser exploit in an advertisement on a Web site you view or just luring you to a hostile Web site."
The good news is that this is fairly easy to fix. I asked our Mac experts here at washingtonpost.com to test this stopgap fix provided by a Slashdot reader. The remedy worked for them, but your mileage may vary depending on how you've set up your system.
Beale offers another -- perhaps more elegant -- approach, one that actually takes advantage of the vulnerability in order to fix itself. He suggests using an Applescript command that tells ARDAgent to change its behavior so that it can no longer be invoked by non-root users. The beauty of this approach is that it only alters settings on systems where this vulnerability exists. To do this, copy and paste the following text into Terminal:
osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';
If you run the test exploit script again, it should then list your user name instead of root.
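As an added defender's check (not part of the original post or Apple's own tooling): ARDAgent is installed setuid root, which is why its "do shell script" runs as root for any caller, and the chmod 0555 fix above simply clears that bit. The script below reports whether the bit is still present without invoking ARDAgent at all; the path is the one quoted in the fix.

```shell
#!/bin/sh
# Added example, not part of the original post. ARDAgent is installed
# setuid root, which is why its "do shell script" runs as root for any
# caller; the chmod 0555 fix quoted above clears that bit. This script
# reports whether the bit is still present on the binary, or on any
# other path passed as the first argument.

ARDAGENT_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_setuid PATH: returns 0 if PATH carries the setuid bit, 1 otherwise.
# The 4th character of the `ls -l` mode string ("-rwsr-xr-x") is 's' or
# 'S' when setuid is set; this reads the same on BSD/macOS and GNU ls.
is_setuid() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# ardagent_status [PATH]: prints VULNERABLE (setuid still set), FIXED
# (bit cleared) or MISSING (file absent) for PATH, defaulting to the
# real ARDAgent location.
ardagent_status() {
    path="${1:-$ARDAGENT_DEFAULT}"
    if [ ! -e "$path" ]; then
        echo "MISSING"
    elif is_setuid "$path"; then
        echo "VULNERABLE"
    else
        echo "FIXED"
    fi
}

echo "ARDAgent setuid check: $(ardagent_status "${1:-}")"
```

On a Mac this should print VULNERABLE before the fix and FIXED after it; on any other system it prints MISSING.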
Even if this vulnerability were limited to exploitation by local users (anyone with physical access to a Mac), it would still be fairly serious. While I do not spend much time writing about local attacks, they are in many senses more difficult to defend against. If a determined attacker has physical access to the system and some time to work, it is pretty much "Game Over" after that.
That goes doubly for Microsoft Windows systems. This vulnerability with Mac OS X reminds me of a stunning video I saw recently of the damage that a novice attacker can inflict on a Windows system merely by booting the computer up straight from a version of Linux burned to a CD, such as "Backtrack," the security tools version used in this clip. Backtrack allows you to boot into Linux from the CD and then view or even modify core Windows system files stored on the underlying computer hard drive.
In this video, the would-be attacker navigates to the Windows\System32 directory, and renames "Utilman.exe," the program name for the Windows Utility Manager (a simple program that handles text-to-speech applications and other helper programs). You can open the Utility Manager on Windows XP or Vista anytime by pressing the Windows key and the "U" key at the same time.
The important thing to note about the Utility Manager is that regardless of whether you're running Windows from the all-powerful administrator account or a limited user account, Utility Manager always runs using the built-in SYSTEM account on Windows, which is just as powerful (if not more so) than the Administrator account.
In the video, the attacker then simply renames the Windows command prompt -- which can be used to start or stop any program -- changing its name to Utilman.exe. When Vista starts up and presents the attacker with a login screen, the attacker bypasses that by pressing "Windows-U". Sure enough, Windows invokes what it thinks is the Utility Manager. Instead, the command prompt pops up, allowing the attacker to enter "explorer.exe" and access the Windows desktop using the powerful System account.
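The same offline access that makes the trick possible also lets a defender check for it. The script below is an added example, not from the original post or the video: run from a live system against a mounted Windows volume, it flags a Utilman.exe that is byte-for-byte identical to cmd.exe. The mount point in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline integrity check
# for the renamed-Utilman.exe trick described above. Run it from a live
# system against a mounted Windows volume; it flags a helper that is
# byte-for-byte identical to cmd.exe, i.e. a renamed copy of the command
# prompt. The mount point in the usage line is an assumption.

# check_helper SYSTEM32_DIR [NAME]: compares NAME (default Utilman.exe)
# with cmd.exe in the same directory. Prints "SWAPPED NAME" and returns 0
# when the two files are identical, prints "INTACT NAME" and returns 1
# when they differ, returns 2 if either file is missing. A replacement that
# is not a plain copy of cmd.exe is not caught by this test; compare the
# helper against a known-good copy from install media in that case.
check_helper() {
    dir="$1"
    name="${2:-Utilman.exe}"
    if [ ! -f "$dir/cmd.exe" ] || [ ! -f "$dir/$name" ]; then
        echo "MISSING: $name or cmd.exe not found under $dir" >&2
        return 2
    fi
    if cmp -s "$dir/cmd.exe" "$dir/$name"; then
        echo "SWAPPED $name"
        return 0
    fi
    echo "INTACT $name"
    return 1
}

# Usage from a live CD after mounting the Windows disk (path is assumed):
#   check_helper /mnt/windows/Windows/System32
```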
June 20, 2008; 1:46 PM ET
Categories: From the Bunker , Latest Warnings , Safety Tips