Mac OS X 10.4 and 10.5 "Local root escalation vulnerability" discovered

ZDNet blog reports, that an anonymous reader released details on a local root escalation vulnerability in Mac OS x 10.4 and 10.5, which works by running a local AppleScript that would set the user ID to root through ARDAgent’s default setuid root state. Here’s how it’s done: “Half the Mac OS X boxes in the world […]

Share online:

ZDNet blog reports, that an anonymous reader released details on a local root escalation vulnerability in Mac OS x 10.4 and 10.5, which works by running a local AppleScript that would set the user ID to root through ARDAgent’s default setuid root state.

Here’s how it’s done:

“Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e ‘tell app “ARDAgent” to do shell script “whoami”‘; Works for normal users and admins, provided the normal user wasn’t switched to via fast user switching. Secure? I think not.”

How to fix it? You’ve got several possible workarounds, you can remove the Apple Remote Desktop located in /System/Library/CoreServices/RemoteManagement/, or you can go through the visual Workaround for the ARDAgent ’setuid root’ problem.

Full Article

About The Author

Deepak Gupta is a IT & Web Consultant. He is the founder and CEO of diTii.com & DIT Technologies, where he's engaged in providing Technology Consultancy, Design and Development of Desktop, Web and Mobile applications using various tools and softwares. Sign-up for the Email for daily updates. Google+ Profile.