Security holes can just sit there for ages until someone has the bright idea of playing around with them. So it is for the Apple Remote Desktop (ARD) agent hole.
If you've got a Mac running 10.4 (Tiger) or 10.5 (Leopard) to hand, you can see it for yourself by going to the Terminal (in the Utilities folder) and entering the following line:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"' Edit: added trailing ' character - without it, the command just leaves >, which is the machine's way of saying "Would you please close the quote so I can carry out the command?"
The answer it'll give back: root.
That should scare you. Does me. It means that someone can get access to everywhere on your machine via this program. Which was always sort of true about ARD, but the idea was that you would give your permission. Read on: it's not always going to ask your permission.
The Slashdot thread Mac OS X Root Escalation Through Applescript does point (almost immediately) to instructions for removing it.
The weakness is that ARD has an Applescript dictionary (Applescript is a sort-of corollary of Microsoft Visual Basic), and via that dictionary you can execute Terminal instructions such as "rm -rf /" (this instruction will wipe your machine, so don't type it. Remember, you were warned.)
Matasano Chargen points out that this points to weaknesses in the way that Apple's programmers, likely brought up on the previous non-Unix form of Mac programming, will cope with the modern Unix-y world they find themselves in. Says Chargen:
There's a crack team of security people at Apple doing an excellent job locking down an extremely complex operating system. But if you're lining them up against every Apple developer and giving the developer side the "SUID" bit, it's not a fair fight. It's whack-a-mole.
You can see some kids figuring it out here, about a week ago.
And wouldn't you know it, SecureMac has now identified a trojan that uses this trick, either as a downloadable script or a pre-compiled application, which likely sends back all sorts of yummy information. Keylogger, anyone?
The Unofficial Apple Weblog notes that
Users must download and run the scripts in order for their computer to become infected. The trojan will install itself in the /Library/Caches folder, and will set itself to run at startup.
To protect yourself, use extreme caution when running AppleScript files or applications sent to you in an email, or downloaded from the internet.
Which always made sense, but even more now. It will be interesting to see if Apple has a quick fix for this, because it's serious - one of the truck-driving-est holes in the OS found since it was introduced, I think. Perhaps the simplest way to fix it would be to eliminate the capability to run shell scripts by ARD. But one wonders if that will break any corporate systems.
Update: and for those who like p*ker and use a Mac, there's a warning from Intego about a trojan that disguises itself as a p*ker-playing program:
The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator's password after displaying a dialog saying, "A corrupt preference file has been detected and must be repaired." Entering the administrator's password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.
Oh, the fun just never ends.
Update: you can at least protect quite easily against the ARD exploit, without having to play in the Terminal.
Go to System Preferences -> Sharing. There you'll find a list that includes "Remote Management". Click this on. You'll get a long list of possible things to be configured. Don't fill any of them in. Just click OK. -Below is a panel saying "Allow access for All users/only these users" (radio button). -Choose "Only these users". Leave blank. -Remote Management should now be ticked on. If not, tick it on (again).
Now go to the Terminal and type osascript -e 'tell app "ARDAgent" to do shell script "whoami"' [fixed spelling of osascript - thanks fred2] (this time I've got the trailing slash right). I got execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. . It means that this isn't now a hole. One hopes Apple will sort this out soon..
