Major Mac exploit is thwarted by turning it on!?

Slashdot yesterday posted [Mac OS X Root Escalation Through AppleScript](http://it.slashdot.org/it/08/06/18/1919224.shtml), which describes a vulnerability in a core component of Mac OS X 10.4 and 10.5. I was not able to reproduce this on my Tiger system at work but that’s just one machine.
The example given in the post is:
> `osascript -e 'tell app "ARDAgent" to do shell script "whoami"'`

So what does this do? If you copy and paste the above command into the Terminal application found in /Applications/Utilities and press Return, you get this back:
> `root`

What does that mean?
It means *root*, the all-powerful account on a UNIX system, ran the *whoami* command. The *whoami* command returns the name of the account executing it. You told *root* to execute that command without first identifying yourself as an admin.
Instead of returning *root*, the command should either fail with an error or prompt for admin credentials. Any user can send this command and do anything on the Mac, such as create an admin account, which in turn gives that user permanent access to *root* and full control of the machine.
[Intego discovered](http://www.hackaday.com/2008/06/19/neutering-the-apple-remote-desktop-exploit/) that *enabling* the Remote Management feature in Mac OS X actually blocks the vulnerability. Now *that's* counter-intuitive!
Last night I had emailed my co-workers with the announcement of the exploit plus the fix and this morning we were all testing. Sure enough, our company is safe for now.
