Unpatched Flaw In Apple Remote Desktop Brings About Trojans & Community Fixes


Much ado has been made this week regarding the recent Apple Remote Desktop Root Privilege Escalation Vulnerability. The short story is that there is a flaw in a piece of software that Apple ships & installs with every Leopard instance which enables a local user to run scripts with root privileges (meaning they can do anything on the system).

As you may have read, this flaw is not exploitable remotely, but multiple variants of a new Trojan (dubbed “AppleScript-THT”) are floating around the internets and wreak all sorts of havoc on your system once you are infected. Some install keystroke logging, usurp your iSight camera to take pictures, or even capture screenshots (some do much worse).

The Washington Post has a great blog post which gives a good deal of detail on the problem and even mentions a few solutions. The quickest way (until Apple releases a patch) to protect yourself is to open up a Terminal window and enter the following text:

osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/"';

If that was successful, then you should not see “root” when you paste this into the Terminal window:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
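The fix above works by clearing the setuid bit on ARDAgent, so that "do shell script" no longer runs as root. The following is an added example, not part of the original post: a small POSIX sh audit that reports whether a path carries the setuid bit, strips it with the narrower chmod u-s variant discussed in the comments, and demonstrates both on a constructed, user-owned temp file so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original post): detect the setuid bit on a path
# and strip it. Only ls and chmod are used, so it behaves the same on macOS
# and Linux; the demo uses a throwaway temp file rather than ARDAgent itself.

# Print the 10-character mode field of `ls -ld`, e.g. -rwsr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the path has the setuid bit (an 's' or 'S' in the user execute
# position of the mode string), 1 otherwise.
has_setuid() {
    case "$(mode_of "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Clear only the setuid bit (the chmod u-s variant); unlike chmod 0555 this
# leaves every other permission bit exactly as it was.
strip_setuid() {
    chmod u-s "$1"
}

# Demonstration: create a constructed temp file, mark it setuid, confirm it is
# flagged, strip the bit, and confirm the rwx bits survived.
# Prints: "<mode before> <flagged?> <mode after>"
demo() {
    f=$(mktemp) || return 1
    chmod 4755 "$f"
    before=$(mode_of "$f")
    has_setuid "$f" && flagged=yes || flagged=no
    strip_setuid "$f"
    after=$(mode_of "$f")
    rm -f "$f"
    printf '%s %s %s\n' "$before" "$flagged" "$after"
}
```

To audit a real system, call has_setuid on the ARDAgent path from the post; a non-zero return means the setuid bit is already gone.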

SecureMac has updated MacScan to account for these new beasts and DAT updates from other vendors are forthcoming.

Until Apple releases a patch and you install it, be very careful what you download and execute, whether from your browser or from chat clients.

If you have any questions or concerns, please drop a note in the comments and I will monitor this thread closely over the coming days to try to help as much as possible. Watch for a TAB post when Apple issues a fix.

11 Responses to “Unpatched Flaw In Apple Remote Desktop Brings About Trojans & Community Fixes”

  1. Hi,

    vasya: I think the point in the blog post was to disable the flaw using the flaw, the shell script will be run as root anyways so sudo is not needed.

    For some reason this flaw doesn’t exist on my mac, I get:

    execution error: ARDAgent got an error: “whoami” doesn’t understand the do shell script message. (-1708)

    However even without this flaw in the OS you should always be careful what you run even with just your user rights. All bets are off when you run malicious code, this just makes it easier to do nasty stuff.


  2. Just a possible warning on this fix: after executing it, Remote Desktop no longer opens for me (“The Remote Desktop Administrator software failed to start due to an unexpected error”).

    It’s late, and I’m tired, so I could have possibly done something wrong, or the 2 events (running the command and Remote Desktop failing) may be totally unrelated. Just wanted to get it out there as a possible “gotcha.” Will explore more when I have some time.

  3. Instead of 0555, just chmod it u-s:

    sudo chmod u-s /System/Library/CoreServices/RemoteManagement/

    Which removes the setuid bit from the file.

    The setuid (literally set uid, or set user id) bit instructs the system that when the command is executed (here, ARDAgent) it should be run as the owner of the file (in this case root, the administrator) instead of the person executing the command as would be normal.

  4. Don’t get it, but most people think that a regular admin user can change attributes of a file which belongs to root. It’s wrong. You need to use the sudo command, as Ken suggested. So the correct script will be:
    osascript -e 'tell app "ARDAgent" to do shell script "sudo chmod 0555 /System/Library/CoreServices/RemoteManagement/"';

    But this is wrong anyway. Ken is correct – just do sudo chmod 555 blah-blah-blah

  5. For a simple command that avoids all the quotes, do the following from an account that is allowed to administer the system:

    sudo chmod 0555 /System/Library/CoreServices/RemoteManagement/

    Enter your password when prompted. All that extra stuff in the article example is just using the backdoor to close the backdoor.

  6. I copied and pasted the above command into my Terminal and still got “root” as an answer when i asked the whoami command. It worked when I manually entered the entire thing, so maybe there is a problem with quotes or something. Just a tip for anyone else who might have similar problems.