ARD Patcher
Patches the ARDAgent exploit in 10.4 and 10.5. Free.
ARD Patcher is a free utility that patches the infamous ARDAgent exploit in Mac OS X 10.4 and 10.5.

Due to an exploit in Apple's Remote Desktop Agent, a new 'trojan horse' has surfaced for Mac OS X; and with it, appeals from Anti-Virus software companies claiming you need to buy a product to protect yourself. The truth: this trojan horse, so far, has not been documented in the wild, and in fact, we find it highly suspicious that multiple Anti-Virus companies have been able to get a hold of it.

ARD Patcher is a small application that will patch the exploit, free of charge, as in reality it's a simple patch that Apple will surely fix in an upcoming update. Getting an antivirus program is overkill in this situation, despite what all those companies will tell you. Note: This does *not* disable Apple Remote Desktop; unlike some of the other fixes circulating around the internet, this one will neither require disabling ARD nor enabling remote management.

What's New
Version 1.2: fixes crash-on-start issue on Tiger, added check for partial vulnerability

Version 1.1: added advanced option to disable ARD altogether.

Requirements
Intel/PPC, Mac OS X 10.4 or later

MacUpdate - ARD Patcher
ARD Patcher User Discussion

Logosamorbos commented on 28 Nov 2010
I noticed that this said they'd never encountered this in the wild, so I thought I'd post a quick tale of woe here. I'm not sure which program I downloaded which allowed this issue to show up, and I'm still not quite sure if this is the actual issue. Fingers crossed--the patch seems to have taken care of it for now.

I had my Gmail account linked to the Mail app, once upon a time. One fine day, I turned on my MacBook (10.5.8) and the Mail app logged in all of its own accord. I had never set it to do this and attempted to close it. I failed. As soon as the Mail app opened, messages and appointment reminders began cascading down and across my screen as if I'd stumbled into a porn website with vicious pop-up windows, only less interesting. I noticed that the messages and appointment reminders were old (it was an old Gmail address), and they simply kept repeating.

Eventually I managed to get the Mail app uninstalled so that the flurry of messages stopped, but an annoying pop-up window appeared and asked "Where is Mail.app?" I started investigating the processes and noticed that the ARD Agent was continually running. Upon investigating the possibilities, I downloaded the patch, too. The annoying "Where is Mail.app?" message has gone away, too.

Whether or not this is an instance of the trojan horse in the wild, perhaps you can tell me? I uninstalled the ARD program, too, which required "Cut The Rope" timing skills, because every time I killed the process, it would restart in less than two seconds. If I didn't drag the program to the trashcan in that window of time, the laptop wouldn't let me remove it because it was in use.
[Version 1.2]

+14
Wakayama reviewed on 08 Jul 2008
Many thanks! Too bad some companies *cough* Apple *cough* can't be as swift with patches.
Mind you, they are running a bit low on funds these days, so maybe manpower resources are an issue.

Cheers!
[Version 1.2]

+50
Peter da Silva commented on 06 Jul 2008
I have not been able to reproduce the ARD attack on my machine. If you do not have ARD enabled, then the ARD component required to launch the attack is not running and accepting Applescript messages.
[Version 1.0]

13 Replies

Theiphoneproject (developer) replied on 06 Jul 2008
Actually Peter, that's not true: the method of exploiting ARDAgent involves giving it a "do shell script" command locally. This means any malicious app can effectively compromise your machine without your knowledge, and without asking for an administrator password. I suggest reading the article on the exploit at macworld.com, as it will explain the problem more clearly.

+50
Peter da Silva replied on 06 Jul 2008
Friend, I do understand how it works. I have getting on for 30 years' experience with UNIX, and 20 years as a network and security administrator, and I have not only read the original report and article, I've tried several variations of the attack.

What I got was an error message, no shell script ran. Unless ARDAgent has run, there is no way for osascript to pass the "do shell script" command (or any other command) to the privileged ARDAgent process... because there is no such process for it to pass it to. Either my copy of Tiger is fundamentally different from every other copy of Tiger out there, or there's something else involved in this attack than simply "do shell script".
Theiphoneproject (developer) replied on 06 Jul 2008
ARDAgent does not need to be running, osascript calls the ARDAgent executable, which has root:wheel and S_ISUID, and tells it to execute a command of some sort.

The ARDAgent applescript dictionaries contain the "do shell script" command, and quite simply put, if you take a Mac out of the box, and use osascript to tell ARDAgent to run a shell script, it *will* run a shell script with root privileges. If you tell ARDAgent to run whoami and it returns "root", then you are *not* safe, but if you get an error, it means your ARDAgent has been restricted to the default applescript dictionaries via the NSAppleScriptEnabled flag, and you are safe. This could be due to one of two reasons: either Remote Management is enabled, or you have the NSAppleScriptEnabled flag set to YES in ARDAgent.app's Info.plist. Either way, good for you, but millions of Macs out there *do* return "root", and that's enough to prove that they are vulnerable to a local attack vector.

If you would like to discuss this further with me please email me at yousef AT ifrancis DOT net

Regards,
Youssef Francis

+50
Peter da Silva replied on 06 Jul 2008
I suggest you try it on a Mac taken straight out of the box. Seriously.

Until you run ARDAgent, its Applescript dictionaries do not seem to be registered with anything. You don't have to poke around in the .plist and you don't have to start up remote management. I have tested this on my Mac which is, as far as ARD is concerned, taken straight out of the box, and the "do shell script" does NOT run ARDAgent.

If you do not use ARD, then how do you imagine osascript will know how to find ARDAgent?

+3
Chadcn replied on 06 Jul 2008
The dev is correct, Peter. ARDAgent does not need to be running for the trojan to work. Every source I have read, including the Macworld source linked above, confirms this.

+679
sjk replied on 07 Jul 2008
My experience is similar to Peter's. I've been unable to reproduce this on my 10.4.11 and 10.5.4 systems, even though an ARDAgent process has run and eventually times out:

23:47: execution error: ARDAgent got an error: AppleEvent timed out. (-1712)

+50
Peter da Silva replied on 07 Jul 2008
I wish people who insist that "the article is correct" would try it.
Theiphoneproject (developer) replied on 07 Jul 2008
Unfortunately, quite a few people have, and when they tell ARDAgent to "do shell script 'whoami'" it returns "root". All the reasoning and arguing in the world will not change the fact that this has happened and will continue to happen until Apple fixes it, let me refer you to a few choice websites explaining this issue, many include user feedback proving that this exploit does indeed exist.

http://blog.washingtonpost.com/securityfix/2008/06/serious_security_vulnerabilty_1.html
http://www.frsirt.com/english/advisories/2008/1905
http://www.macworld.com/article/134165/2008/06/ardagent.html?t=
http://secunia.com/advisories/30776/
http://it.slashdot.org/it/08/06/18/1919224.shtml

I don't understand why you find it necessary to argue that this exploit does not exist. Do you think we would have spent hours during the last few days working on a *free* patch if the exploit didn't exist?

Regardless, if you feel that you have implemented adequate security measures on your end, nobody is forcing you to use this tool.

+679
sjk replied on 07 Jul 2008
Peter didn't argue that this exploit doesn't exist; he said he hasn't been able to reproduce it on his machine (nor have I on mine). I think his intention was simply to mention why it may not be as widespread of a vulnerability as many people are claiming and believing it is. And he wasn't critical of your tool; nothing in his post even mentioned it.

+14
Wakayama replied on 08 Jul 2008
I've got to say that Peter is spot on here. It so happened that I installed a new Tiger system on an old iBook today for someone, and updated it to 10.4.11. Ran the osascript that ifrancisco's slashdot link suggested [osascript -e 'tell app "ARDAgent" to do shell script "whoami"';], and it returned 'AppleEvent timed out (-1712)'.
My MacBook Pro returned 'root'.
This is exactly as Peter suggested: a box that had never turned on ARD is not vulnerable.

That said, many thanks for this app, and I WILL be running it on my other Macs, which have all had ARD switched on.

+50
Peter da Silva replied on 08 Jul 2008
That's precisely correct: I'm not putting your work down, and if your patch allows people to use ARD safely, that's great. If they don't have a need for ARD, though, don't you think it might be possible to remove the registration of ARDAgent's Applescript dictionary so that osascript doesn't use it?
Theiphoneproject (developer) replied on 08 Jul 2008
Actually, we pretty much don't care if people put our work down :P, and I'm not saying you were doing that either, my issue with your comments was that they diverged from reality and may have confused some of the people researching this topic. The fact remains, the ARDAgent exploit exists whether you use ARD or not, and actually, we provide both options to the users, in the form of an advanced option that removes the setuid bit from ARDAgent, effectively disabling the exploit *as well as* disabling Apple Remote Desktop Admin - which will *not* start unless that setuid bit exists.

+50
Peter da Silva replied on 09 Jul 2008
I think we have pretty well confirmed that the ARD exploit does NOT exist (at least not in Tiger) if you have not run ARDAgent. That's not "counter to reality", that's just the way osascript works... it doesn't go grovelling through the disk looking for programs that might register with Applescript.

+39
velgor242 commented on 06 Jul 2008
Actually, the description for this utility is a bit off. It DOES enable and require Remote Management. After running the tool, Remote Management was enabled on my system. Disabling it causes ARD Patcher to report I'm no longer secure.
[Version 1.0]

jdac21 reviewed on 06 Jul 2008
simple yet significant
IT WORKS TOO WELL
for something so simple
great app lads
thanks jdac21
[Version 1.0]

mswfujowdffyc reviewed on 06 Jul 2008
Worked like a charm, in Tiger and Leopard PPC. Thanks for this little tool.
[Version 1.0]

dstan reviewed on 06 Jul 2008
Great tool! One click, simple enough! Some antivirus companies are charging hundreds for a simple fix like this.

Many thanks. Cheers.
[Version 1.0]

+4
GrooveMachine reviewed on 06 Jul 2008
Awesome. As far as I can tell, it worked great. Now I don't have to worry about this said trojan any more. Thanks Francis, you did great.
[Version 1.0]

+21
Turkchgo commented on 05 Jul 2008
Does this "patch" affect the function of Apple Remote Desktop for those who use the program as either a client or admin?

It doesn't say what it actually does, but if the program actually disables ARD in an environment it's being used that wouldn't be a good thing to do without knowing first.
[Version 1.0]

1 Reply

Theiphoneproject (developer) replied on 06 Jul 2008
You're absolutely right, sorry about that!

No, this does not disable ARD, nor does it force-enable remote management. It basically tricks ARDAgent into thinking that remote management *is* enabled even when its not, and more importantly, it forces ARDAgent to use the default applescript dictionaries, which don't include the "do shell script" command.
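The two conditions this thread keeps returning to, the setuid bit on the ARDAgent executable (which the developer's advanced option removes) and the NSAppleScriptEnabled key in ARDAgent.app's Info.plist (which, per the developer's replies above, confines the agent to the default dictionaries that lack "do shell script"), can be read straight off the bundle instead of being tested by running anything. The following audit script is an added example and is not ARD Patcher's code or anything written by its developer. It assumes the bundle layout Contents/MacOS/ARDAgent and Contents/Info.plist, and it takes the meaning of the NSAppleScriptEnabled key from the comments above rather than from Apple documentation; the status labels are the example's own. make_fixture builds a constructed look-alike bundle so the check can be exercised without a real Apple binary.

```python
"""Audit an ARDAgent.app bundle for the two mitigations discussed in the thread.

Assumptions taken from the comments above (not verified against Apple docs):
  * Contents/MacOS/ARDAgent is the setuid-root executable the exploit relies on.
  * NSAppleScriptEnabled = YES in Contents/Info.plist restricts the agent to the
    default AppleScript dictionaries, which do not include "do shell script".
"""
import plistlib
import stat
import sys
import tempfile
from pathlib import Path

AGENT_REL = Path("Contents/MacOS/ARDAgent")   # assumed bundle layout
PLIST_REL = Path("Contents/Info.plist")


def assess_ardagent(bundle):
    """Return raw findings plus a one-word status for an ARDAgent.app path."""
    bundle = Path(bundle)
    st = (bundle / AGENT_REL).stat()
    setuid = bool(st.st_mode & stat.S_ISUID)
    root_owned = st.st_uid == 0
    with open(bundle / PLIST_REL, "rb") as fh:
        info = plistlib.load(fh)
    scripting_restricted = info.get("NSAppleScriptEnabled") is True

    if not setuid:
        # The developer's advanced option: without the setuid bit there is no
        # root shell, and Apple Remote Desktop Admin will not start either.
        status = "setuid-removed"
    elif scripting_restricted:
        # The default patch: still setuid root, but "do shell script" is not
        # in the dictionaries the agent will accept (per the developer above).
        status = "scripting-restricted"
    elif root_owned:
        # Setuid, root-owned, unrestricted: the configuration the thread
        # describes as answering "root".
        status = "exposed"
    else:
        # Setuid but not root-owned: no path to root, still worth noting.
        status = "setuid-non-root"
    return {
        "setuid": setuid,
        "root_owned": root_owned,
        "scripting_restricted": scripting_restricted,
        "status": status,
    }


def make_fixture(setuid=True, apple_script_enabled=None):
    """Build a constructed ARDAgent.app look-alike in a temp dir (not Apple's binary)."""
    bundle = Path(tempfile.mkdtemp(prefix="ardagent-fixture-")) / "ARDAgent.app"
    exe = bundle / AGENT_REL
    exe.parent.mkdir(parents=True)
    exe.write_text("#!/bin/sh\necho constructed fixture, not ARDAgent\n")
    # chmod after writing: some filesystems clear the setuid bit on write.
    exe.chmod(0o755 | (stat.S_ISUID if setuid else 0))
    info = {"CFBundleIdentifier": "example.constructed.ARDAgent"}  # constructed value
    if apple_script_enabled is not None:
        info["NSAppleScriptEnabled"] = apple_script_enabled
    with open(bundle / PLIST_REL, "wb") as fh:
        plistlib.dump(info, fh)
    return bundle


if __name__ == "__main__":
    # Usage: python ard_audit.py /path/to/ARDAgent.app (defaults to a constructed fixture)
    target = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for key, value in assess_ardagent(target).items():
        print(f"{key}: {value}")
```

Run against a real bundle path, the script reports "exposed" only when all three conditions line up (setuid, root-owned, scripting unrestricted), which separates the stock configuration from a box where either the setuid bit was dropped or the plist key was set.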

+53
Tim.dehring reviewed on 05 Jul 2008
My apologies, I believe it was as far back as 10.3, not 10.4 for the other app I described.

Also, forgot to rate the app.
[Version 1.0]

+29
Jobby had trouble on 07 Jul 2008
Runs fine on 10.5 but starts and immediately exits on a 10.4.10 box. Is anyone else having this problem?

(Can't upgrade to 10.4.11 as we need to keep a Safari 2 test machine around, unfortunately)
[Version 1.1]

5 Replies

+293
Harv replied on 07 Jul 2008
On my DP 800, 10.4.11, I too am unable to get the app to run. Immediately upon launch, it crashes.

I have sent the Crash Report to the developer.

No doubt ARD v1.2 will soon be released (or, so I hope).
Theiphoneproject (developer) replied on 07 Jul 2008
We have received your crash reports, and thanks to your feedback, we've fixed the crash-on-start problem on Tiger. Expect an update later today addressing this issue.

Thanks!
Theiphoneproject (developer) replied on 07 Jul 2008
Version 1.2 has been released which addresses the crash-on-start issue on Tiger, thanks for all your feedback on this!

+293
Harv replied on 07 Jul 2008
ARD v1.2 now installs normally on my Tiger and I got the green confirmation that the exploit has been patched.

Rarely does a developer respond so promptly, and rarer still when it is freeware.

Five stars from me!

+29
Jobby replied on 08 Jul 2008
Thanks for the patch - if only big companies would fix things that fast :)
Downloads: 4,704
Version Downloads: 3,041
Type: Utilities : Security
License: Free
Date: 07 Jul 2008
Platform: PPC 32 / Intel 32 / OS X