Apple Mac OS X AppleScript ARDAgent Shell Local Privilege Escalation Vulnerability

2008-06-19T00:00:00
ID SMNTC-29831
Type symantec
Reporter Symantec Security Response
Modified 2008-06-19T00:00:00

Description

Description

Mac OS X is prone to a local privilege-escalation vulnerability affecting ARDAgent (Apple Remote Desktop). Successful exploits allow local attackers to execute arbitrary code with superuser privileges, completely compromising the affected computer. This issue is confirmed to affect Mac OS X 10.5 versions; earlier versions may also be vulnerable.

Technologies Affected

  • Apple Mac OS X 10.4.0
  • Apple Mac OS X 10.4.1
  • Apple Mac OS X 10.4.10
  • Apple Mac OS X 10.4.11
  • Apple Mac OS X 10.4.2
  • Apple Mac OS X 10.4.3
  • Apple Mac OS X 10.4.4
  • Apple Mac OS X 10.4.5
  • Apple Mac OS X 10.4.6
  • Apple Mac OS X 10.4.7
  • Apple Mac OS X 10.4.8
  • Apple Mac OS X 10.4.9
  • Apple Mac OS X 10.5
  • Apple Mac OS X 10.5.1
  • Apple Mac OS X 10.5.2
  • Apple Mac OS X 10.5.3
  • Apple Mac OS X 10.5.4
  • Apple Mac OS X Server 10.4.0
  • Apple Mac OS X Server 10.4.1
  • Apple Mac OS X Server 10.4.10
  • Apple Mac OS X Server 10.4.11
  • Apple Mac OS X Server 10.4.2
  • Apple Mac OS X Server 10.4.3
  • Apple Mac OS X Server 10.4.4
  • Apple Mac OS X Server 10.4.5
  • Apple Mac OS X Server 10.4.6
  • Apple Mac OS X Server 10.4.7
  • Apple Mac OS X Server 10.4.8
  • Apple Mac OS X Server 10.4.9
  • Apple Mac OS X Server 10.5
  • Apple Mac OS X Server 10.5.1
  • Apple Mac OS X Server 10.5.2
  • Apple Mac OS X Server 10.5.3
  • Apple Mac OS X Server 10.5.4
  • Apple Remote Desktop 3.2.1

Recommendations

Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Ensure that only trusted users have local, interactive access to affected computers.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing network traffic. This may indicate exploit attempts or activity that results from successful exploits.

The vendor has released fixes and an advisory. Please see the references for more information.