Apple recently released security update 2005-007 that fixed many serious vulnerabilities.
Detailed information about some of the vulnerabilities were now released on full-disclosure.
Suresec released a short paper that describes the buffer overflows in ping and traceroute and the tool dsidentity that allows any user to add or delete accounts.
Kevin Finisterre how also reported the issue with dsidentity to apple has some more information on this:
DMA[2005-0818a] – ‘Apple OSX dsidentity privilege abuse’
Author: Kevin Finisterre
Vendor: http://www.apple.com/bluetooth/
Product: ‘Mac OSX 10.4’
References:
http://www.digitalmunition.com/DMA[2005-0818a].txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2508
http://www.suresec.org/advisories/adv5.pdf
Description:
After roughly one hour of beating on the freshly released OSX 10.4 I found that /usr/sbin/dsidentity allows any user on the system to add accounts to Directory Services. Passwords can easily be set at the time of account creation, and the newly created account can be used to login to the OSX gui. Due to the lack of shell the account is limited in nature, however once you have logged into the gui accessing a shell is trivial.
To add an account simply use the following command line and then you can now login as RickJames with the password isapimp.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a RickJames -s isapimp -v
After logging in as RickJames open Safari and type file:///bin in the address bar. Double click on bash. Ignore the warning about not being authorized, and then click cancel when asked to close the application. Voila Now you have a working bash shell as RickJames.
To remove an account from Directory Services use the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -r CharlieMurphy -v
If you rally want to piss off someone’s Directory Services try the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a `perl -e ‘print “A” x 29000’`
(lather, rinse, repeat)
Work Around:
Install 2005-007 update or just rm -rf /usr/sbin/dsidentity
http://www.apple.com/support/downloads/
Sidenote:
Neil Archibald of Suresec LTD also reported this issue to apple at the same time I did.
http://www.suresec.org/advisories/adv5.pdf outlines extra detail about this issue with
regard to the use of getenv() calls.
Timeline associated with this bug:
05/25/2005 reported to apple.
05/26/2005 followup to auto ticketing system #9116351
08/03/2005 AppleSeeds!
08/17/2005 Security Update 2005-007 v1.1
Further the was a XSS vulnerability in Mac OSX 10.4.0 Weblog Server.
A good comment on Apple’s patch policy can be found a the drunkenblog.
