Mac OS X Root Escalation with AppleScript

Read this story on Slashdot.

"Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not." On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

In the comment section it has been confirmed that

  1. It only works if the user is logged into the Mac, but not via fast user switching.
  2. Disabling Apple Remote Desktop does not prevent it.
  3. It works over SSH if the same user also happens to be logged in locally.

Saying "physical access is required" is simply irresponsible. People might click on strange attachments or weird files downloaded from the net, which could run this command and gain root privileges. Or there may be other exploits in Mac OS X that give a remote attacker local user privileges, which could then be combined with this one to gain root.

Actually, it is not hard to get physical access either. The Sydney Apple Store opens tonight. Watch out for those pimple-faced teens typing vigorously in Terminal.app tonight!