[Editor’s note: Apple patched the ARDAgent flaw described in this article on 31-Jul-2008 in Security Update 2008-005. See “Fixes for DNS Flaw, ARDAgent Exploit Released by Apple,” 2008-07-31 for details, or simply run Software Update to ensure you have this fix installed.]
One of the downsides of increased attention to computer security is that whenever a new vulnerability or attack technique appears, we, the humble users, face an onslaught of hyperbole from the press, security vendors, and bad guys themselves. This is especially true with Apple products, where we face the triple threat of security vendors trying to sell products to an uninterested community that usually doesn’t need them, a press always eager to knock Apple down a notch, and bad guys looking to build their reputations at Apple’s expense. In such a maelstrom of information it is often difficult for average users to separate the truth from the hype, evaluate their personal risk, and take defensive actions.
We watched this cycle kick into full gear during the past couple of weeks, starting with the announcement of a new Mac OS X vulnerability on 18-Jun-08 over at Slashdot. Soon after the unpatched vulnerability was disclosed, the major Mac antivirus vendors updated their products and issued press releases to draw attention to the problem. It’s an unfortunate truth that fear and bad news are effective sales tools for security products. By the next day, the first reports of this vulnerability being used in exploits appeared, followed by various news stories, additional alerts from security vendors, and new exploits from the bad guys. But what’s the real risk to users?
The good news is, based on the nature of the vulnerability, the risk is low – but the bad news is that this kind of attack could become more serious. As usual, Apple will need to patch this one quickly.
This particular vulnerability is what we call “local privilege escalation.” It enables a user of a system to escalate their rights to “root,” which allows full control over the system. Thus, even if you are running as a regular user or in a guest account, exploiting this vulnerability allows you to escalate your rights to run without restriction. In this case, the Apple Remote Desktop agent (ARDAgent) uses a technique called SUID to run things as root. It’s a common programming technique on Unix systems, but one that often creates security problems. In this case, ARDAgent supports AppleScript, including the command to run other programs, which then run as root. Simply running the AppleScript command
osascript -e 'tell app "ARDAgent" to do shell script "reallybadstuff"'
runs “reallybadstuff” as root, without asking you for your password.
When this first appeared, I wasn’t really worried. The attacker still needs to get you to run something on your system in the first place, and there are some simple things you can do to protect yourself (see Matasano Security’s excellent blog post for more technical information and how to disable the attack). Privilege escalation attacks are typically used in two situations. The first is if someone has physical or remote access to your computer. He uses the attack to become root and install whatever software he wants, or otherwise mess around on your system.
The other scenario is more serious – the attacker exploits a vulnerability that gives him access to your user account, then uses privilege escalation to take over your system as root, often installing additional malicious software. These combined attacks are common, although we don’t see them often on Macs (in fact, I’ve never seen one on Mac OS X). The attacker will use something like a Web browser vulnerability to get his foot in the door, followed by the privilege escalation to, well, drive an invisible school bus into your house. We call that school bus a “Trojan horse” since, like the Trojan Horse, it conceals nasty stuff within a somewhat innocuous package.
In other words, Trojans aren’t like viruses and worms. They don’t break into your system, but they conceal a nasty payload that does something malicious once you execute them.
The first major Trojan to leverage the ARDAgent vulnerability is called “PokerStealer” (identified by antivirus vendor Intego). Rather than using some sort of attack to get on your system, it pretends to be a poker game. When it’s run, it uses the ARDAgent vulnerability to escalate its rights (without asking for your password) and installs malicious software like a keystroke capture program.
A more serious problem is that, as reported by Brian Krebs at the Washington Post, some bad guys developed a tool to bundle a package of malicious software into any downloadable Mac application. Like PokerStealer, it uses the ARDAgent vulnerability to run these pieces without your interaction. The program needs to run only once, then it embeds itself in your system. Interestingly enough, Krebs reports that this tool had been in development since May 2008. We can expect the bad guys to use all sorts of social engineering tricks (like writing little games) to get us to run their software on our systems.
To protect yourself, if you don’t use (or plan on using) Apple Remote Desktop (which is different from Screen Sharing), you can go to /System/Library/CoreServices/RemoteManagement/ in the Finder, copy ARDAgent.app to your Desktop, right-click and compress it, and move the file someplace like your Documents folder. Then delete the original file. That way you just need to unzip and reinstall the file if you ever need ARDAgent down the road.
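The same steps from the command line, as an added example that is not part of the original article: it reports whether the agent binary still carries its set-user-ID bit, then archives the bundle and deletes the original only after checking the archive. tar stands in for the Finder's Compress command; the Contents/MacOS/ARDAgent location inside the bundle, the --apply switch, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. The bundle path is the one the
# article gives; Contents/MacOS/ARDAgent is the usual bundle layout (assumed).
ARD_APP="${ARD_APP:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app}"

# ard_status APP: print "absent", "setuid" or "not-setuid" for the agent binary.
ard_status() {
    bin="$1/Contents/MacOS/ARDAgent"
    if [ ! -e "$bin" ]; then
        echo "absent"
    elif [ -u "$bin" ]; then      # -u is true when the set-user-ID bit is set
        echo "setuid"
    else
        echo "not-setuid"
    fi
}

# ard_archive_and_remove APP DEST_DIR: archive the bundle, confirm the archive
# lists the agent binary, and only then delete the original.
ard_archive_and_remove() {
    app="$1"; dest="$2"
    name=$(basename "$app")
    archive="$dest/$name.tar.gz"
    [ -d "$app" ] || { echo "no bundle at $app" >&2; return 1; }
    if [ -e "$archive" ]; then
        echo "refusing to overwrite $archive" >&2
        return 1
    fi
    tar -czf "$archive" -C "$(dirname "$app")" "$name" || return 1
    # Keep the original unless the archive is readable and contains the binary.
    if ! tar -tzf "$archive" | grep -qxF "$name/Contents/MacOS/ARDAgent"; then
        echo "archive verification failed; original left in place" >&2
        rm -f "$archive"
        return 1
    fi
    rm -rf "$app"
}

# Acts only when asked: sh ard_mitigate.sh --apply (needs root on a real Mac).
if [ "${1:-}" = "--apply" ]; then
    echo "before: $(ard_status "$ARD_APP")"
    ard_archive_and_remove "$ARD_APP" "$HOME/Documents" || exit 1
    echo "after:  $(ard_status "$ARD_APP")"
fi
```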
I almost avoided writing this story since I hate to add to the hype of low-risk threats like this. While I don’t doubt for a second that we’ll see serious Mac (and iPhone) security threats in the future, this one is low on the list of things to worry about, especially if you don’t make a practice of downloading random software from unknown developers. But unlike many other Mac vulnerabilities, this one has already been weaponized and is starting to appear in the wild. It’s clear the bad guys are slowly paying more attention to Mac OS X, although we’ve avoided any serious mass attacks so far. With all the hype, it’s worth taking the time to raise our security awareness and understand the risks and how to protect ourselves without having to buy and maintain products that would likely provide only a false sense of security.