[NEWS] Apple OSX dsidentity Privileges Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 08/24/05

  • Next message: SecuriTeam: "[NEWS] Ventrilo Denial of Service"
    To: list@securiteam.com
    Date: 24 Aug 2005 13:30:03 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Apple OSX dsidentity Privileges Escalation
    ------------------------------------------------------------------------

    SUMMARY

    "dsidentity is a setuid tool that allows addition or removal of identity
    user accounts in Directory Services."

    Lack of proper privileges checking allow attackers to Add and modify users
    in Mac OSX using dsidentity.

    DETAILS

    Vulnerable Systems:
     * Mac OSX 10.4

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2508>
    CAN-2005-2508

    /usr/sbin/dsidentity allows any user on the system to add accounts to
    Directory Services. Passwords can easily be set at the time of account
    creation, and the newly created account can be used to login to the OSX
    gui. Due to the lack of shell the account is limited in nature, however
    once you have logged into the gui accessing a shell is trivial.

    Proof of Concept:
    To add an account simply use the following command line and then you can
    now login as RickJames with the password isapimp.

    CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a RickJames -s isapimp
    -v

    After logging in as RickJames open Safari and type file:///bin in the
    address bar. Double click on bash.
    Ignore the warning about not being authorized, and then click cancel when
    asked to close the application.

    To remove an account from Directory Services use the following.
    CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -r CharlieMurphy -v

    Vendor Status:
    The vendor has released a fix : <http://www.apple.com/support/downloads/>
    2005-007

    Disclosure Timeline:
    05/25/2005 reported to apple.
    05/26/2005 followup to auto ticketing system #9116351
    08/03/2005 AppleSeeds!
    08/17/2005 Security Update 2005-007 v1.1

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:kf_lists@digitalmunition.com> Kevin Finisterre.
    The original article can be found at:
    <http://www.digitalmunition.com/DMA[2005-0818a].txt>
    http://www.digitalmunition.com/DMA[2005-0818a].txt,
     <http://www.suresec.org/advisories/adv5.pdf>
    http://www.suresec.org/advisories/adv5.pdf

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] Ventrilo Denial of Service"

    Relevant Pages

    • [NT] Blank Administrator Password on OEM Windows XP Installation
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Use of this account will allow anyone with physical ... * DELL Laptops with pre installed Microsoft Windows XP Professional SP2 ... is prompted to create a regular user account for general use. ...
      (Securiteam)
    • [UNIX] Benchmark Designs WHM Autopilot Backdoor Allows Plaintext Credential Leakage
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... manages CPanel and WHM accounts, including account creation, maintenance, ... Due to a bug in client login code and the builtin login backdoor it is ...
      (Securiteam)
    • [UNIX] WHM AutoPilot Privileges Escalation
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WHM AutoPilot does not validate user account rights, ... cancel any web hosting account, regardless of the web account owner. ... A vulnerability leading to unauthorized cancellation requests has been ...
      (Securiteam)
    • [NEWS] Scottrader Unchecked Password Field
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Scottrade, ... obtain elevated access to a customer's private account. ... realize that Scottrade identifies all customers with an 8 digit number. ...
      (Securiteam)