The ZDNet blog reports that an anonymous reader has released details of a local root privilege escalation vulnerability in Mac OS X 10.4 and 10.5. It works by running a local AppleScript that gains a root user ID through ARDAgent, which ships setuid root by default.
Here’s how it’s done:
"Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not."
How to fix it? You have several possible workarounds: you can remove the Apple Remote Desktop agent located in /System/Library/CoreServices/RemoteManagement/, or you can follow the visual workaround for the ARDAgent 'setuid root' problem.
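To audit a machine for this condition, here is a small POSIX shell script (an added example, not from the original post or from Apple) that checks whether the ARDAgent binary still carries the setuid bit and, if wanted, clears it. The path to the binary inside the ARDAgent.app bundle named above is an assumption; override it with the ARDAGENT variable if your layout differs.

```shell
#!/bin/sh
# Audit/mitigate the ARDAgent setuid root condition. Added example; the exact
# binary path inside the bundle is an assumption, overridable via $ARDAGENT.
ARDAGENT="${ARDAGENT:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"

# Print "missing", "setuid" or "clear" for the given path.
setuid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo clear
    fi
}

# Print the owner of a file (portable across macOS and Linux ls output).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Succeed only if the file is setuid AND owned by root: the dangerous combination.
is_setuid_root() {
    [ "$(setuid_state "$1")" = setuid ] && [ "$(owner_of "$1")" = root ]
}

# Remove the setuid bit (needs write permission on the file, i.e. root for
# the real ARDAgent). Succeeds when the bit is clear afterwards.
clear_setuid() {
    [ -e "$1" ] || return 1
    chmod u-s "$1" 2>/dev/null || return 1
    [ "$(setuid_state "$1")" = clear ]
}

# Report the state of the target; pass "fix" as the first argument to clear it.
audit() {
    target="${2:-$ARDAGENT}"
    printf '%s: %s, owner %s\n' "$target" "$(setuid_state "$target")" \
        "$(owner_of "$target" 2>/dev/null || echo unknown)"
    if [ "$1" = fix ] && is_setuid_root "$target"; then
        clear_setuid "$target" && echo "setuid bit cleared on $target"
    fi
}

# Run the audit only when executed directly, not when sourced by a test.
[ "${0##*/}" = "ardagent_audit.sh" ] && audit "$@"
```

Clearing the bit is a workaround rather than a fix: it may stop Apple Remote Desktop remote management from working until the vendor patch is applied, so check the state again after any system update.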