Slashdot is reporting a new privilege-escalation vulnerability in Mac OS X 10.4 and 10.5. The details are a little sparse, but it appears that calling the Apple Remote Desktop Agent (ARDAgent), which is installed setuid root, from AppleScript allows execution of arbitrary shell commands with root privilege. Bad, for sure.
The mitigating factor is that the call has to be made as the currently logged-in user from the GUI session; apparently it can't be initiated over SSH or another remote connection unless the attacker can log in as an account that is currently logged in at the console. Even so, at a minimum it hands root to anyone with physical access to a kiosk or other restricted machine, no password guessing required. And one intelligent poster points out that all it takes is a social-engineering lure that gets the user to run the code on their own machine, or a memory-corruption bug in Safari, QuickTime, Flash or Firefox that gets an attacker a shell as the logged-in user, and a remote assailant has the same path to root.
Incidentally, simply disabling remote access (turning off Remote Management in the Sharing preferences) is insufficient to prevent the attack, because the setuid binary stays on disk. ARDAgent.app must actually be removed from the machine. (For those interested, it's usually found in /System/Library/CoreServices/RemoteManagement/.)
Apple needs to close this pronto.
TUAW has a suggested fix that actually involves turning Remote Management on:
http://www.tuaw.com/ardfix/
Can’t say I know enough to know whether this fix would be as effective as, say, removing the ARDAgent.app, but I thought I’d point it out.
If you just remove the SUID bit from the executable, the root-access prompt will open.
The system will still operate as designed by Apple, but at least ask the user for root access. (A d##ba## user will still provide the password, but at least the smart one will notice the problem.)
This should be enough intervention until Apple releases a better fix for this problem.
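For anyone who wants to check their own machines against the two interim mitigations discussed above (removing ARDAgent.app outright, or stripping its setuid bit as the commenter suggests), here is an added example script. It is not from the original post, from TUAW, or from Apple. It assumes the agent binary lives at the path in ARDAGENT_BIN inside the bundle directory the post names; adjust it if your install differs. It does not invoke AppleScript or ARDAgent at all, it only inspects and optionally changes file permissions, and uses find(1) and ls(1) options that behave the same on macOS (BSD) and GNU userland.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks whether a binary is
# installed setuid root and optionally strips the setuid bit as an interim
# mitigation. ARDAGENT_BIN is an assumed location (the post only names the
# RemoteManagement directory); verify it on your own system.
ARDAGENT_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_setuid PATH -> exit 0 if the setuid bit (04000) is set on PATH, 1 otherwise
# (including when PATH does not exist). find -perm -4000 is portable across
# BSD and GNU find; -maxdepth 0 restricts the test to the named file itself.
is_setuid() {
    [ -e "$1" ] || return 1
    find "$1" -maxdepth 0 -perm -4000 -print 2>/dev/null | grep -q .
}

# owner_uid PATH -> prints the numeric uid of the file owner.
# ls -n prints uids instead of names on both BSD and GNU ls.
owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{print $3}'
}

# is_setuid_root PATH -> exit 0 only if the file is setuid AND owned by uid 0.
# Both conditions are needed: a setuid bit on a non-root-owned file gives no
# root privilege, and a root-owned file without the bit is just a normal binary.
is_setuid_root() {
    is_setuid "$1" && [ "$(owner_uid "$1")" = "0" ]
}

# strip_setuid PATH -> remove the setuid bit (needs write permission on the
# file, i.e. sudo for a system binary); exit 0 if the bit is gone afterwards.
# The binary keeps running, so a setuid-dependent operation now fails or
# prompts instead of silently succeeding as root.
strip_setuid() {
    chmod u-s "$1" 2>/dev/null
    ! is_setuid "$1"
}

# Stand-alone usage:  sh ardagent-check.sh check      (report only)
#                     sudo sh ardagent-check.sh fix   (report and strip the bit)
case "${1:-}" in
    check|fix)
        if is_setuid_root "$ARDAGENT_BIN"; then
            echo "ARDAgent is setuid root: $ARDAGENT_BIN"
            if [ "$1" = "fix" ]; then
                strip_setuid "$ARDAGENT_BIN" && echo "setuid bit removed from $ARDAGENT_BIN"
            fi
        else
            echo "ARDAgent is not setuid root at $ARDAGENT_BIN (absent, moved, or already fixed)"
        fi
        ;;
esac
```

Removing the bit is reversible (chmod u+s restores it), which is convenient for putting the system back once a vendor patch lands, and is why the check tests ownership as well as the mode bit: a copy of the binary placed elsewhere by a non-root user may carry the setuid bit but cannot grant root.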