
Major Mac OS X security hole uncovered; workaround available

A major flaw in the Apple Remote Desktop Agent (ARDAgent) may allow shell scripts to be run as root.

CNET staff

Tuesday, June 24

Leopard comes with Apple's Remote Desktop Agent installed, so users can run screen sharing on their computers. This is exceptionally convenient for users, but there is a major flaw in the Apple Remote Desktop Agent (ARDAgent) which allows shell scripts to be run as root. This is caused by the Agent's "set-user ID on execution" bit: the executable is owned by root, so it runs with root privileges no matter which user launches it. As such, code can be run as root, which can severely compromise the system.

This problem affects all users, and not just screen sharing or remote desktop users. Luckily there are limits to its execution, and it requires explicit 

Workaround

Apple is aware of this problem, but until they issue a patch for ARDAgent, running the following command to remove the setting of user/group ID upon execution will prevent the execution of commands as root:

  • sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

If this leads to any faulty screen sharing behavior, then users can switch it back to normal by entering the same command with the "+s" option instead of "-s", as follows:

  • sudo chmod +s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
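
The script below is an added example, not part of the original article or of Apple's tooling: it reports whether the set-user-ID/set-group-ID bits are present on the ARDAgent binary and, when run with `fix`, clears them and re-reads the mode to confirm. The function names are hypothetical, the path is the one from the workaround command, and `chmod ug-s` is the workaround's `chmod -s` with the user and group classes spelled out.

```shell
#!/bin/sh
# Added example (not from the article): audit the set-user-ID / set-group-ID
# bits on ARDAgent before and after the workaround. Function names are
# hypothetical; the path is the one used in the workaround command.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# suid_state FILE: print missing, none, setuid, setgid or setuid+setgid.
suid_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    if [ -u "$1" ] && [ -g "$1" ]; then echo "setuid+setgid"
    elif [ -u "$1" ]; then echo setuid
    elif [ -g "$1" ]; then echo setgid
    else echo none
    fi
}

# owner_uid FILE: numeric owner. The setuid bit only grants root when this is 0.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# runs_as_root FILE: succeed if FILE is setuid and owned by uid 0.
runs_as_root() {
    [ -u "$1" ] && [ "$(owner_uid "$1")" = 0 ]
}

# clear_suid FILE: clear both bits (same effect as the article's "chmod -s"),
# then re-read the mode instead of trusting chmod's exit status.
# Returns 0 when the bits are gone, 1 when they are still set, 2 when missing.
clear_suid() {
    [ -e "$1" ] || return 2
    chmod ug-s "$1" 2>/dev/null
    [ "$(suid_state "$1")" = none ] || return 1
}

# Report only by default; "fix" as first argument applies the workaround
# (needs sudo on the real binary). Optional second argument: another path.
audit() {
    target=${2:-$ARDAGENT}
    echo "state: $(suid_state "$target")"
    if runs_as_root "$target"; then echo "runs as root for any user"; fi
    if [ "$1" = fix ]; then
        clear_suid "$target" && echo "bits cleared" || echo "bits NOT cleared"
    fi
}
audit "$@"
```

Running the script again later with no arguments shows whether the bit has come back.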
