[NEWS] Security Issue with Netinfo and Mac OS X
From: support@securiteam.com
Date: 09/09/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Security Issue with Netinfo and Mac OS X
Message-Id: <20010909194257.B3392138C0@mail.der-keiler.de>
Date: Sun, 9 Sep 2001 21:42:57 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Security Issue with Netinfo and Mac OS X
------------------------------------------------------------------------
SUMMARY
Mac OS X is based on BSD and by default does not have any services
running, which makes it reasonably secure out of the box. One of the major
differences between Mac OS X and the original BSD is the way Mac OS X
handles some system information: for example, the password file in /etc is
present but not used. Such information is managed via NetInfo instead.
However, NetInfo enables local users to obtain sensitive information about
other accounts present on the system (usernames, passwords, uids, etc.).
DETAILS
Vulnerable systems:
Mac OS X version 10.0.4
The /var/backups directory contains sensitive information about the
operating system. This directory is not protected with adequate
permissions, so anyone with local access can read its contents. Further,
the programs nireport, nidump and netinfo are executable by any local user,
and they reveal sensitive information about your security settings and user
accounts.
Example:
The directory contains a file called 'local.nidump' (its contents are what
the nidump program shows upon execution):
"_shadow_passwd" = ( "" );
"_writers_passwd" = ( "test" );
"hint" = ( "" );
"uid" = ( "502" );
"_writers_hint" = ( "test" );
"gid" = ( "20" );
"realname" = ( "test" );
"name" = ( "test" );
"passwd" = ( "Fnh1eLU0U6o12" );
"shell" = ( "/bin/tcsh" );
"home" = ( "/Users/test" );
"sharedDir" = ( "Public" );
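One way to audit a host for this exposure, as an added example that is not part of the original advisory: it walks a backup directory, flags files readable by "other", and reports which accounts have a password hash in them. The function names and SAMPLE are constructed for illustration, and the parser assumes the flat property format of the excerpt above, treating a repeated key as the start of the next record.

```python
import os
import re
import stat

# One property line in the dump format shown above: "key" = ( "value" );
# Only the first value of a multi-valued property is captured.
PROP = re.compile(r'"([^"]+)"\s*=\s*\(\s*"([^"]*)"')

# Constructed sample, not real account data.
SAMPLE = '''"name" = ( "daemon" );
"passwd" = ( "*" );
"uid" = ( "1" );
"name" = ( "test" );
"passwd" = ( "EXAMPLEHASH0000" );
"uid" = ( "502" );
'''

def parse_records(text):
    """Group properties into per-account dicts (assumption: a repeated key starts a new record)."""
    records, current = [], {}
    for key, value in PROP.findall(text):
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    return records + ([current] if current else [])

def exposed_hashes(records):
    """Names of accounts whose passwd field holds a hash rather than an empty value or *."""
    return [r.get("name", "?") for r in records if r.get("passwd", "").strip("*")]

def audit(directory):
    """Return (path, account names) for each world-readable file exposing hashes."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            path = os.path.join(root, fname)
            try:
                if not os.stat(path).st_mode & stat.S_IROTH:
                    continue  # not readable by "other": outside this finding
                with open(path, errors="replace") as fh:
                    names = exposed_hashes(parse_records(fh.read()))
            except OSError:
                continue  # dangling symlink or unreadable to the auditor
            if names:
                findings.append((path, names))
    return findings

if __name__ == "__main__":
    for path, names in audit("/var/backups"):
        print(f"{path}: world-readable, password hashes for {', '.join(names)}")
```

A file stops being reported once read permission for "other" is removed from it.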
ADDITIONAL INFORMATION
The information has been provided by Benjamin Gardiner
<cvisors@off-fw.tved.net.au>, Dixie Flatline <echo8@gh0st.net> and
Matthew Seaman <matthew.seaman@tornadogroup.com>.