Tuesday, July 01, 2008

Best review of the OS X ARDA root escalation vulnerability

I might follow the advice outlined here, though I may simply avoid installing software until Apple provides a fix. It is a bigger problem than I'd assumed when I first saw the Slashdot story:
TidBITS Safe Computing: How to Protect Yourself from the New Mac OS X Trojans

... Simply running the AppleScript command

osascript -e 'tell app "ARDAgent" to do shell script "reallybadstuff"'

runs "reallybadstuff" as root, without asking you for your password....

... the attacker exploits a vulnerability that gives them access to your user account, then he uses privilege escalation to take over your system as root, often installing additional malicious software. These combined attacks are common, although we don't see them often on Macs (in fact, I've never seen one on Mac OS X). The attacker will use something like a Web browser vulnerability to get his foot in the door, followed by the privilege escalation...

... The first major Trojan to leverage the ARDAgent vulnerability is called "PokerStealer" (identified by antivirus vendor Intego). Rather than using some sort of attack to get on your system, it pretends to be a poker game. When it's run, it uses the ARDAgent vulnerability to escalate its rights (without asking for your password) and installs malicious software like a keystroke capture program.

A more serious problem is that, as reported by Brian Krebs at the Washington Post, some bad guys developed a tool to bundle a package of malicious software into any downloadable Mac application. It uses the ARDAgent vulnerability to run these pieces without your interaction, like PokerStealer. The program needs to run only once, then it embeds itself in your system. Interestingly enough, Krebs reports that this tool was in development since May 2008. We can expect the bad guys to use all sorts of social engineering tricks (like writing little games) to get us to run their software on our systems.

To protect yourself, if you don't use (or plan on using) Apple Remote Desktop (which is different from Screen Sharing), you can go to /System/Library/CoreServices/RemoteManagement/ in the Finder, copy ARDAgent.app to your Desktop, right-click and compress it, and move the file someplace like your Documents folder. Then delete the original file. That way you just need to unzip and reinstall the file if you ever need ARDAgent down the road...
Following these preventive measures may mess up future Apple updates however.

The most important security measure for most OS X users is not to run as an admin user -- save the admin account for admin tasks. This security defect bypasses that protection.

No comments: