Macworld Forums: The ARDAgent security hole: What you need to know

(3 Pages)

The ARDAgent security hole: What you need to know

#1 Macworld

  • Story Poster
  • Group: MW Bot
  • Posts: 12,860
  • Joined: 30-November 07

Posted 26 June 2008 - 08:56 AM

Post your comments for The ARDAgent security hole: What you need to know here

#2 zensunni

  • Member
  • Group: Members
  • Posts: 264
  • Joined: 11-September 04

Posted 26 June 2008 - 09:49 AM

Quote:

>In summary, the ARDAgent security hole is a bad one, but the good news is that in order to be compromised, action on your part is still required.

That can be said of most malware and phishing--for them to be effective, user action is required. But obviously enough users take the required action, otherwise we wouldn't be seeing these attacks.

How many users keep up on this news (not to mention the number of Macolytes that dismiss it because Macs are 'invulnerable')? You can't expect the type of user that'll open an attachment in a 'pictures from my holiday' email spoofed to look like it's from a friend to keep up on this news and go through these steps, yet that's the exact user that will be hit by this.

First, Apple needs to provide a very quick fix.

Second, they need to encourage anti-virus software vendors to provide free packages for non-commercial home use. It's despicable that you can get very good free anti-virus software for Windoze PCs (AVG Free and avast! Home Edition spring to mind), yet you can't get a similar free package that includes on-access scanning (sorry, ClamXav doesn't have it; you're missing the target audience if they have to detect the malware after the fact during a subsequent scan) and email scanning for home use on Macs.

Third, Apple needs to encourage Mac users to install anti-virus software. Perhaps making one of the splash screens when first configuring your OS highlight the need for anti-virus software would raise the issue. Maybe they should partner with a company to provide one free to MobileMe customers (they used to partner with McAfee for .Mac). Whatever, something other than feeding into the 'Macs can't get viruses' lie.

Fourth, we as a community need to stop pretending that malware isn't an issue because we know not to open that attachment in the spoofed email. And the time will come when a vulnerability will come to light that can be tripped simply by visiting a website. Again, don't fool yourself into thinking it can't happen on a Mac; just be thankful it hasn't happened yet.

Be prepared, be protected. Gee, I feel like I'm talking safer sex. Amazing how similar it is.

#3 garyi

  • Member
  • Group: Members
  • Posts: 321
  • Joined: 03-June 05

Posted 26 June 2008 - 09:54 AM

I was told I could simply enable Remote Management but select nothing; this led to me not being able to use the Apple screen sharing feature on my home network.
All in all I am thinking, what is the best anti-virus for Mac?
Let's face it, the Mac is now in the bad boyz' scope; it's only a matter of time.

#4 macguyvr

  • Newbie
  • Group: Members
  • Posts: 9
  • Joined: 26-June 08

Posted 26 June 2008 - 09:57 AM

You don't need to turn ARDAgent into an archive to avoid this security hole. The easiest way to protect yourself from this vulnerability is to turn on Apple Remote Desktop in the Sharing Preferences (System Preferences > Sharing > Services). It's counter-intuitive, but by turning on Apple Remote Desktop, the system performs additional checks and will not allow any shell scripts to run. Try it, it won't work.

#5 residentchiphead

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 20-June 08

Posted 26 June 2008 - 09:58 AM

I would also recommend that you periodically bring up your Terminal window and type whoami and return.
Make sure it doesn't say 'root.' It should give you the name of your login account. It should NOT say 'root.'
I'm just saying. :)

#6 macguyvr

  • Newbie
  • Group: Members
  • Posts: 9
  • Joined: 26-June 08

Posted 26 June 2008 - 10:13 AM

Type this on the Terminal:
osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
If you get 'root' as the response, then you're vulnerable.
Turn on Apple Remote Desktop in the Sharing Preferences (System Preferences > Sharing > Services) by putting a check-mark beside it, run the above script again, and you'll get a message:
31:55: execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)
That means you are no longer vulnerable. Simple solution, but it works. Apple should enable Apple Remote Desktop in Sharing Preferences by default, since doing so gives the system more checks on what could be done remotely on your Mac.

#7 griffman

  • Advanced Member
  • Group: Moderators
  • Posts: 8,605
  • Joined: 09-January 01

Posted 26 June 2008 - 10:15 AM

The advice about turning on Remote Management -- which I gave in another forum thread -- isn't really good protection. As we dug more, we discovered that it's relatively trivial for a programmer to simply kill the ARDAgent process, then launch it again, executing their malicious code in the process.
For now, the only known way to defend yourself (if you're not using anti-virus software and you download and run untrusted apps) is to zip (or otherwise disable) ARDAgent.
-rob.

#8 wardoggie

  • Member
  • Group: Members
  • Posts: 475
  • Joined: 02-September 04

Posted 26 June 2008 - 10:23 AM

zensunni, I agree with most of your points, but IMO the free anti-malware software is only going to happen AFTER the problem is widespread on Macs. Consider this: the freeware stuff I use when I Boot Camp Windows relies heavily on opt-in email and continual nagging (albeit mild and understandable) to upgrade to retail software. Since I rarely use Windows (and I'm a cheapskate), I haven't bothered to upgrade. But because there are so many Windows users, I'm sure they get enough takers to make the freeware worthwhile.


And even if it's not a huge number, they still get bonus points for providing a much-needed community service.


Thanks for the great article, Rob. I'm going to research this a little more.

#9 n4hhe

  • Member
  • Group: Members
  • Posts: 143
  • Joined: 13-June 05

Posted 26 June 2008 - 11:01 AM

How about simply turning off the SUID bit on the application?
% osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
root
% cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS
% sudo chmod u-s ARDAgent
% osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
dkelly
Or better yet, disable execution too:
% sudo chmod a-sx ARDAgent
% osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
31:55: execution error: An error of type -10810 has occurred. (-10810)
If Apple's next security update is thorough, one would hope it is smart enough to repair the edited file "permissions" above.

#10 macguyvr

  • Newbie
  • Group: Members
  • Posts: 9
  • Joined: 26-June 08

Posted 26 June 2008 - 11:11 AM

Rob, so what you're saying is that the script executable that kills and re-launches the ARDAgent process gains the root privileges, which can then continue on with other malicious commands, right? But wouldn't the kill command get stopped right at the gate the same way the 'whoami' command got stopped by turning on Remote Management? If so, how would a script continue to the next level to do its malicious deed(s) when its first lines have been stopped dead in their tracks?
Isn't that why Intego wrote in their Security alert that:
"There are cases where this exploit does not work. If a user has turned on Remote Management in the Sharing pane of System Preferences under Mac OS X 10.5, or if a user has installed Apple Remote Desktop client under Mac OS X 10.4 or earlier and has activated this setting in the Sharing preferences, the exploit will not function. Most users, however, will not have this service turned on..."
OTOH, I agree that zipping ARDAgent fully protects user against this vulnerability. I'm just not so sure if I agree with you to say that "turning on Remote Management isn't really good protection" :-)

#11 griffman

  • Advanced Member
  • Group: Moderators
  • Posts: 8,605
  • Joined: 09-January 01

Posted 26 June 2008 - 11:17 AM

What I was told, by a source I trust but have been asked not to name, was that it is possible to kill the ARDAgent task via a script. While they didn't provide the details, I ran a quick test and "killall ARDAgent" in Terminal killed the ARDAgent task (though it then restarted) without requiring root privileges (i.e. no password).

Since it's possible to kill it, I imagine it's equally possible to make it not restart -- programmatically, all the evil coder would have to do is disable the Remote Access checkbox in the System Prefs. And since you can do that without providing a password, the coder would probably be able to do so as well. Note that this is all conjecture, though -- I'm mainly going off of what I was told by someone who knows the details, and what they told me was that merely enabling Remote Management wasn't good enough (despite the fact that it's listed as such in Intego's release; it's possible not all the facts were known when that release was written).

-rob.

#12 zensunni

  • Member
  • Group: Members
  • Posts: 264
  • Joined: 11-September 04

Posted 26 June 2008 - 11:21 AM

wardoggie said:


>Consider this: The freeware stuff I use when I boot camp windows rely heavily on opt-in email and continual nagging (albeit, mild and understandable) to upgrade to retail software.

Really? I've used AVG Free for quite some time and, other than the very occasional splash upgrade notice (usually when going up a full version like from 7.5 to 8.0 and they discontinue 7.5), I never get anything from them. Certainly not email spam. What free software are you using? Are you sure you can't opt-out of the email?

My understanding has been that they provide the free home use software 1) as a PR stunt to get their name around so that you (hopefully) recommend them to your IT team (which would be especially applicable for Macs, since there is plenty of room here for some vendors to make a name with home users) and 2) to provide a free minimum package while selling a premium package that offers additional features. But again, I've used AVG Free for quite some time and don't get any SPAM from them.

#13 n4hhe

  • Member
  • Group: Members
  • Posts: 143
  • Joined: 13-June 05

Posted 26 June 2008 - 11:33 AM

macguyvr said:

>Rob, so what you're saying is that the script executable that kills and re-launches the ARDAgent process gains the root privileges, which can then continue on with other malicious commands, right? But wouldn't the kill command get stopped right at the gate the same way the 'whoami' command got stopped by turning on Remote Management? If so, how would a script continue to the next level to do its malicious deed(s) when its first lines have been stopped dead in their tracks?


"man kill" says, "Only the super-user may send signals to other users' processes."

As for ARDAgent gaining root, this is possible only because the Set-User-ID bit is set on the file, and the file is owned by root. Clear the bit (as I posted earlier) and ARDAgent will not be able to run as root unless started by root.

Go a bit beyond and remove the execute bits and it will be a bit harder to start the program.
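A scripted version of the check n4hhe describes in posts #9 and #13, added here as an example; it is not code posted in the thread. It reports whether a given executable is setuid and owned by root, the combination that lets the 'do shell script' trick run as root, and clears the bit when asked. The default path is the ARDAgent binary from post #9; the function names and the one-word report values (missing, setuid-root, setuid-other, not-setuid) are this example's own. It reads ls -l rather than stat because stat's flags differ between Mac OS X and Linux. This only checks the file mode; the osascript probe in post #6 remains the direct test of whether the agent actually runs a shell as root.

```shell
#!/bin/sh
# Added example (not from the thread): report and optionally clear the setuid
# bit on an executable. Default target is the ARDAgent binary from post #9.

ARDAGENT_DEFAULT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# Print "<mode> <owner>" for a path, e.g. "-rwsr-xr-x root", using ls -ld,
# which formats the same way on Mac OS X and Linux (stat's flags do not).
mode_and_owner() {
    ls -ld "$1" 2>/dev/null | awk '{print $1, $3}'
}

# Classify a path. Prints exactly one of:
#   missing       file not present
#   setuid-root   setuid bit set and owned by root: the ARDAgent condition
#   setuid-other  setuid bit set but not root-owned (runs as that owner)
#   not-setuid    setuid bit clear
# The setuid bit shows as 's' (executable) or 'S' (not executable) in the
# fourth character of the mode string, the owner's execute slot.
check_path() {
    [ -e "$1" ] || { echo missing; return; }
    set -- "$1" $(mode_and_owner "$1")
    mode=$2
    owner=$3
    case "$mode" in
        ???[sS]*)
            if [ "$owner" = root ]; then echo setuid-root; else echo setuid-other; fi ;;
        *)
            echo not-setuid ;;
    esac
}

# Clear the setuid bit (needs write permission on a root-owned file, so run
# under sudo for ARDAgent) and print the resulting classification.
clear_setuid() {
    chmod u-s "$1" && check_path "$1"
}

# Command-line use:
#   sh check_setuid.sh              report on ARDAgent
#   sh check_setuid.sh /some/path   report on another executable
#   sudo sh check_setuid.sh --fix   clear the bit on ARDAgent (post #9's chmod u-s)
case "${1:-}" in
    --fix) clear_setuid "${2:-$ARDAGENT_DEFAULT}" ;;
    "")    check_path "$ARDAGENT_DEFAULT" ;;
    *)     check_path "$1" ;;
esac
```

Expect setuid-root on an unpatched 10.4 or 10.5 system and not-setuid after the --fix run. As n4hhe notes, a later Apple update may put the bit back, so re-run the report after updating.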

#14 macguyvr

  • Newbie
  • Group: Members
  • Posts: 9
  • Joined: 26-June 08

Posted 26 June 2008 - 12:21 PM

n4hhe, yeah, your methods will definitely work to protect against this vulnerability, too, but I'm afraid some Mac users who loathe command lines might have difficulty implementing them. So Rob's method (zipping the ARDAgent) is probably the way to go for most.
