 |
| ARDAgent allows an AppleScript network administrator to remotely execute scripts and applications on an end-user's Mac; if the associated file has an incorrect GUID, nearly anyone can run malware (or the like) on your Mac via your network connection |
 |
| A script that attempts to restore default permission settings to files on my laptop (for security purposes) indicates that a SUID file used by Apple Remote Desktop services to define and control user access has been modified |
function ARDA() { osascript -e 'tell app "ARDAgent" to do shell script "id"' || (kill $(ps -xcu ${USER} | grep ARDAgent | awk '{ print $2 }') ; ARDA ); } ; ARDA
This function outputs the permissions settings for various user accounts, and should look something like this:
uid=0(root) gid=501(jamesbush) egid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
NOTE | Apple Remote Desktop must be running in order for this function to execute properly.According to the MacKnowledge Knowledge Base, the results of the exploit can be repaired by "remov[ing] the setuid bit from the executables permissions" of the modified file by running this command in Terminal:
sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
After doing this, I ran the script that repairs permissions again, and, this time, it was able to repair permissions settings to the hacked file:
 |
| The script that repairs permissions was repaired after applying the fix to the exploit that is prescribed by MacShadows |
The only caveat to this fix is that the command resetting the permissions to the ARDAgent file must be run every time you log on.
