When I let an apparently hobgoblin demon-possessed woman borrow my laptop, as described in SECRET VIDEO | Demons instruct woman borrowing laptop to hack it, it came back with a security hack known as the ARDAgent exploit.
function ARDA() { osascript -e 'tell app "ARDAgent" to do shell script "id"' || (kill $(ps -xcu ${USER} | grep ARDAgent | awk '{ print $2 }') ; ARDA ); } ; ARDA
This function runs id through ARDAgent and prints the user and group IDs that the command ran with. The output should look something like this:
uid=0(root) gid=501(jamesbush) egid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
NOTE | Apple Remote Desktop must be running in order for this function to execute properly.
According to the MacKnowledge Knowledge Base, the results of the exploit can be repaired by "remov[ing] the setuid bit from the executables permissions" of the modified file by running this command in Terminal:
sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
After doing this, I ran the script that repairs permissions again, and, this time, it was able to repair permissions settings to the hacked file:
The script that repairs permissions was repaired after applying the fix to the exploit that is prescribed by MacShadows |
The only caveat to this fix is that the command resetting the permissions to the ARDAgent file must be run every time you log on.
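Since the fix has to be reapplied at every logon, a check that acts only when the setuid bit has come back is easier to live with. The script below is an added example, not code from the original post or from MacKnowledge; the function names list_setuid and strip_setuid and the --fix argument are made up here, and the only thing taken from the post is the ARDAgent path.

```shell
#!/bin/sh
# Added example: find setuid files at a path and clear the bit only if present.
# Function names and the --fix argument are hypothetical; the path is the one
# quoted in the post.

ARDAGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# Print every regular file at or under $1 that has the setuid bit set.
list_setuid() {
    [ -e "$1" ] || return 0          # absent path: nothing to report
    find "$1" -type f -perm -4000 -print
}

# Clear the setuid bit on each file list_setuid reports for $1.
# Returns 0 when no setuid file remains afterwards, 1 otherwise.
strip_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        if chmod u-s "$f" 2>/dev/null; then
            echo "cleared setuid: $f"
        else
            echo "could not clear setuid (needs root): $f" >&2
        fi
    done
    [ -z "$(list_setuid "$1")" ]
}

# Only touch the system when asked to, e.g. from a logon hook run as root:
#   sudo sh this_script.sh --fix
if [ "${1:-}" = "--fix" ]; then
    if strip_setuid "$ARDAGENT"; then
        echo "ARDAgent: no setuid bit set"
    else
        echo "ARDAgent: setuid bit still set" >&2
        exit 1
    fi
fi
```

Run without arguments, the script only defines the functions, so list_setuid can be pointed at any path to see whether the bit has returned before changing anything.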