Mac OS X – Gain Root Privileges Through AppleScript

A serious security hole has been found in Mac OS X – both Leopard and Tiger are affected. The exploit allows someone with physical access to a Mac to run programs as the Root user.

The exploit uses the Apple Remote Desktop, (ARDAgent), application to execute a shell script. When the shell script is executed it is done so as Root. To test this, type the following command in Terminal:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

This command works even if Remote Desktop Sharing is disabled and the Root user is disabled in the Directory Utility. However, it will only work if the user is logged into the computer. It will not work if Fast User Switching has been used.

As this is a brand new exploit there is no fix as of yet.