[NEWS] Apple OSX dsidentity Privileges Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 08/24/05

  • Next message: SecuriTeam: "[NEWS] Ventrilo Denial of Service"
    To: list@securiteam.com
    Date: 24 Aug 2005 13:30:03 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Apple OSX dsidentity Privileges Escalation
    ------------------------------------------------------------------------

    SUMMARY

    "dsidentity is a setuid tool that allows addition or removal of identity
    user accounts in Directory Services."

    Lack of proper privileges checking allow attackers to Add and modify users
    in Mac OSX using dsidentity.

    DETAILS

    Vulnerable Systems:
     * Mac OSX 10.4

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2508>
    CAN-2005-2508

    /usr/sbin/dsidentity allows any user on the system to add accounts to
    Directory Services. Passwords can easily be set at the time of account
    creation, and the newly created account can be used to login to the OSX
    gui. Due to the lack of shell the account is limited in nature, however
    once you have logged into the gui accessing a shell is trivial.

    Proof of Concept:
    To add an account simply use the following command line and then you can
    now login as RickJames with the password isapimp.

    CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a RickJames -s isapimp
    -v

    After logging in as RickJames open Safari and type file:///bin in the
    address bar. Double click on bash.
    Ignore the warning about not being authorized, and then click cancel when
    asked to close the application.

    To remove an account from Directory Services use the following.
    CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -r CharlieMurphy -v

    Vendor Status:
    The vendor has released a fix : <http://www.apple.com/support/downloads/>
    2005-007

    Disclosure Timeline:
    05/25/2005 reported to apple.
    05/26/2005 followup to auto ticketing system #9116351
    08/03/2005 AppleSeeds!
    08/17/2005 Security Update 2005-007 v1.1

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:kf_lists@digitalmunition.com> Kevin Finisterre.
    The original article can be found at:
    <http://www.digitalmunition.com/DMA[2005-0818a].txt>
    http://www.digitalmunition.com/DMA[2005-0818a].txt,
     <http://www.suresec.org/advisories/adv5.pdf>
    http://www.suresec.org/advisories/adv5.pdf

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] Ventrilo Denial of Service"