Friday, August 31, 2012

#383 - TECHNOLOGY | Demon laptop hack identified, repaired

When I let an apparently hobgoblin demon-possessed woman borrow my laptop, as described in SECRET VIDEO | Demons instruct woman borrowing laptop to hack it, it came back with a security hack known as the ARDAgent exploit.
ARDAgent allows an AppleScript network administrator to remotely execute scripts and applications on an end-user's Mac; if the associated file has an incorrect GUID,  nearly anyone can run malware (or the like) on your Mac via your network connection
This was made evident by the output of a script that repairs permission settings automatically whenever I log in to my user account:
A script that attempts to restore default permission settings to files on my laptop (for security purposes) indicates that a SUID file used by Apple Remote Desktop services to define and control user access has been modified
You can also run the following function from the command line to determine whether you have been exposed to this exploit:
function ARDA() { osascript -e 'tell app "ARDAgent" to do shell script "id"' || (kill $(ps -xcu ${USER} | grep ARDAgent | awk '{ print $2 }') ; ARDA ); } ; ARDA
This function outputs the permissions settings for various user accounts, and should look something like this:
uid=0(root) gid=501(jamesbush) egid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
NOTE | Apple Remote Desktop must be running in order for this function to execute properly.
According to the MacKnowledge Knowledge Base, the results of the exploit can be repaired by "remov[ing] the setuid bit from the executables permissions" of the modified file by running this  command in Terminal:
sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/
After doing this, I ran the script that repairs permissions again, and, this time, it was able to repair permissions settings to the hacked file:
The script that repairs permissions was repaired after applying the fix to the exploit that is prescribed by MacShadows
The only caveat to this fix is that the command resetting the permissions to the ARDAgent file must be run every time you log on.

No comments:

Post a Comment