Earlier this week this simple Remote Desktop exploit was rather publicly posted to demonstrate a simple privilege escalation hole in Mac OS X (ARDAgent is setuid root and will run any shell script it is told to via AppleScript):

$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"' 

this of course means it's equally easy to strip the SUID bit ..

$ osascript -e 'tell app "ARDAgent" to do shell script "chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"'


then to fix the repair permissions issue (Disk Utility would otherwise put the SUID bit right back, since it restores modes from the package receipts) you can leverage pkgutil .. at a cursory glance this appears to work - just hacked it up and tested a few times with diskutil verifypermissions .. but of course this uncovers a similar sort of hole: anyone who can write to the install database can "repair" arbitrary files to whatever permissions they like


$ pkgutil --file-info /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
volume: /
path: System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

pkgid: com.apple.pkg.Essentials
pkg-version: 10.5.0.1.1.1192168948
install-time: 1200277772
uid: 0
gid: 0
mode: 104755
sha1: <505820aa a957116c 5b2e15ea 8ffc99f9 edbd16cc>

pkgid: com.apple.pkg.update.os.10.5.2.combo
pkg-version: 1.0.1.1191932192
install-time: 1202398439
uid: 0
gid: 0
mode: 104755
sha1: <3d89f524 1f845336 27b0406d ed0f2251 89164ccf>
here we'd like to change the mode to 100755 (33261 in decimal, which is how the plist stores it) instead of 104755 (35309) .. so it looks like we can dump the plist for the last update:
$ pkgutil --export-plist com.apple.pkg.update.os.10.5.2.combo > ~/fix.plist
then find the entry for
System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
in it, modify the mode, change the pkgid so it doesn't collide with the existing receipt, and import the new plist:
$ pkgutil --import-plist ~/fix.plist
$ pkgutil --file-info /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
volume: /
path: System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

pkgid: com.apple.pkg.Essentials
pkg-version: 10.5.0.1.1.1192168948
install-time: 1200277772
uid: 0
gid: 0
mode: 104755
sha1: <505820aa a957116c 5b2e15ea 8ffc99f9 edbd16cc>

pkgid: com.apple.pkg.update.os.10.5.2.combo
pkg-version: 1.0.1.1191932192
install-time: 1202398439
uid: 0
gid: 0
mode: 104755
sha1: <3d89f524 1f845336 27b0406d ed0f2251 89164ccf>

pkgid: com.apple.pkg.update.os.10.5.2.combo.fix
pkg-version: 1.0.1.1191932192
install-time: 1213921289
uid: 0
gid: 0
mode: 100755
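The receipt edit described above, written out as an added example (not code from the original post): it clears the setuid bit on the ARDAgent entry and gives the receipt a new pkgid, the way the post does by hand in the exported plist. The `paths` dict with integer `mode` values is an assumption about the `pkgutil --export-plist` layout, and the sample receipt is constructed from the `--file-info` output above.

```python
import copy
import plistlib
import stat

ARD_PATH = ("System/Library/CoreServices/RemoteManagement/"
            "ARDAgent.app/Contents/MacOS/ARDAgent")


def strip_setuid(mode):
    """Clear the setuid and setgid bits: 0o104755 (35309) -> 0o100755 (33261)."""
    return mode & ~(stat.S_ISUID | stat.S_ISGID)


def fix_receipt(receipt, path=ARD_PATH, suffix=".fix"):
    """Return a copy of an exported receipt with `path` de-setuid'ed and a new pkgid.

    Assumption: the exported plist carries a 'pkgid' string and a 'paths' dict
    keyed by volume-relative path, each value holding an integer 'mode'.
    The input is left untouched so the original receipt can still be compared.
    """
    if path not in receipt.get("paths", {}):
        raise KeyError("receipt has no entry for %s" % path)
    fixed = copy.deepcopy(receipt)
    fixed["paths"][path]["mode"] = strip_setuid(fixed["paths"][path]["mode"])
    fixed["pkgid"] = receipt["pkgid"] + suffix  # a second receipt, not an overwrite
    return fixed


def fix_plist_bytes(data):
    """Round-trip plist bytes (as written by --export-plist) through fix_receipt."""
    return plistlib.dumps(fix_receipt(plistlib.loads(data)))


# Constructed sample receipt mirroring the 10.5.2 combo entry from --file-info above.
SAMPLE_RECEIPT = {
    "pkgid": "com.apple.pkg.update.os.10.5.2.combo",
    "pkg-version": "1.0.1.1191932192",
    "install-time": 1202398439,
    "volume": "/",
    "paths": {
        ARD_PATH: {"uid": 0, "gid": 0, "mode": 0o104755},
        "System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist":
            {"uid": 0, "gid": 0, "mode": 0o100644},
    },
}

if __name__ == "__main__":
    # Equivalent of: pkgutil --export-plist <pkgid> > fix.plist; edit; --import-plist
    print(fix_plist_bytes(plistlib.dumps(SAMPLE_RECEIPT)).decode())
```

Only the one path changes mode; every other entry in the receipt keeps its original bits, so importing it adds a receipt rather than loosening anything else.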
now - with this technique you could realistically introduce new files and "fix" their permissions with diskutil .. hrm

there's also probably a cleaner way to update the pkg database than this .. i guess you could build a new bom file, but /Library/Receipts/boms is owned by _installer:wheel .. so you'd need to escalate permissions (or sudo) to drop something there


This blog copyright 2009 by jone