Comments on: Unpatched Flaw In Apple Remote Desktop Brings About Trojans & Community Fixes

By: Manzzana » Blog Archive » Nuevo troyano en Mac OS X

Manzzana » Blog Archive » Nuevo troyano en Mac OS X — Thu, 26 Jun 2008 13:54:58 +0000

[...] Vía | The Apple Blog [...]

By: Descubierta vulnerabilidad importante en Apple Remote Desktop | macevangelismo.com

Thu, 26 Jun 2008 13:31:49 +0000

[...] | The Apple Blog Imagen | Flickr de The Trojan [...]

By: Descubierta vulnerabilidad importante en Apple Remote Desktop | Desinformado.com en Espanol

Thu, 26 Jun 2008 13:30:17 +0000

[...] | The Apple Blog Imagen | Flickr de The Trojan [...]

By: Descubierta vulnerabilidad importante en Apple Remote Desktop

Descubierta vulnerabilidad importante en Apple Remote Desktop — Thu, 26 Jun 2008 13:22:52 +0000

[...] | The Apple Blog Imagen | Flickr de The Trojan Project trackback ¿Recomendarías este post? Más [...]

By: pete

pete — Wed, 25 Jun 2008 09:36:17 +0000

Hi,

vasya: I think the point in the blog post was to disable the flaw using the flaw, the shell script will be run as root anyways so sudo is not needed.

for some reason this flaw doesn’t exist on my mac, I get:

execution error: ARDAgent got an error: “whoami” doesn’t understand the do shell script message. (-1708)

However even without this flaw in the OS you should always be careful what you run even with just your use rights. All bets are off when you run malicious code, this just makes it easier to do nasty stuff.

pete

By: WinExtra » From the Pipeline – 6.24.08

WinExtra » From the Pipeline – 6.24.08 — Wed, 25 Jun 2008 07:51:27 +0000

[...] Unpatched Flaw In Apple Remote Desktop Brings About Trojans & Community Fixes :: The Apple Blog – as Apple becomes more popular it is only a matter of time before things like this will become more commonplace. [...]

By: GroovyBrent

GroovyBrent — Wed, 25 Jun 2008 05:26:00 +0000

Just a possible warning on this fix; After executing it, Remote Desktop no longer opens for me (“The Remote Desktop Administrator software failed to start due to an unexpected error”).

It’s late, and I’m tired, so I could have possibly done something wrong, or the 2 events (running the command and Remote Desktop failing) may be totally unrelated. Just wanted to get it out there as a possible “gotcha.” Will explore more when I have some time.

By: Mike

Mike — Wed, 25 Jun 2008 00:05:17 +0000

Instead of 0555, just chmod it u-s:

sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Which removes the setuid bit from the file.

The setuid (literally set uid, or set user id) bit instructs the system that when the command is executed (here, ARDAgent) it should be run as the owner of the file (in this case root, the administrator) instead of the person executing the command as would be normal.

By: vasya

vasya — Tue, 24 Jun 2008 23:33:29 +0000

Don’t get it, but most people think that regular admin user can change attributes of file which belongs to root. it’s wrong. you need to use sudo command, as Ken suggested. So correct script will be:
osascript -e ‘tell app “ARDAgent” to do shell script “sudo chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent”‘;

But this is wrong anyway. Ken is correct – just do sudo chmod 555 blah-blah-blah

By: Ken

Ken — Tue, 24 Jun 2008 23:00:56 +0000

For a simple command that avoids all the quotes, do the following from an account that is allowed to administer the system:

sudo chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Enter your password when prompted. All that extra stuff in the article example is just using the backdoor to close the backdoor.