Mac OS X 10.4 and 10.5 "Local root escalation vulnerability" discovered

ZDNet blog reports, that an anonymous reader released details on a local root escalation vulnerability in Mac OS x 10.4 and 10.5, which works by running a local AppleScript that would set the user ID to root through ARDAgent’s default setuid root state. Here’s how it’s done: “Half the Mac OS X boxes in the world […]

ZDNet blog reports, that an anonymous reader released details on a local root escalation vulnerability in Mac OS x 10.4 and 10.5, which works by running a local AppleScript that would set the user ID to root through ARDAgent’s default setuid root state.

Here’s how it’s done:

“Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e ‘tell app “ARDAgent” to do shell script “whoami”‘; Works for normal users and admins, provided the normal user wasn’t switched to via fast user switching. Secure? I think not.”

How to fix it? You’ve got several possible workarounds, you can remove the Apple Remote Desktop located in /System/Library/CoreServices/RemoteManagement/, or you can go through the visual Workaround for the ARDAgent ’setuid root’ problem.

Full Article