SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Nidump Vendors:   Apple Computer
(Apple Issues Fix) Mac OS X Nidump Network Information Utility Discloses Password File to Any Local User
SecurityTracker Alert ID:  1008047
SecurityTracker URL:  http://securitytracker.com/id/1008047
CVE Reference:   CVE-2001-1412   (Links to External Site)
Date:  Oct 30 2003
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability has been reported in the Nidump network information utility for Max OS X. The security hole allows local users to obtain the contents of the password file.

It is reported that the default installation of the nidump Mac OS X data extraction program allows local users to read the Mac OS X password file with the following command: /usr/bin/nidump passwd .

A local user can reportedly obtain read access to another file that may contain account information (/var/backups/local.nidump).

The nidump vulnerability allows local users that are not authorized to access the password file to access the password file. By itself, this does not give the local user unencrypted passwords, but it does allow the user to attempt to perform password cracking on all user accounts, including the root account.
Impact:   Any local user can obtain the contents of the password file.
Solution:   The vendor has released a fixed version of Mac OS X (10.3). More information on Mac

OS X 10.3 is available at:

http://www.apple.com/macosx/
Vendor URL:  www.apple.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:   UNIX (OS X)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 8 2001 Mac OS X Nidump Network Information Utility Discloses Password File to Any Local User


 Source Message Contents
Date:  Tue, 28 Oct 2003 09:46:35 -0800
Subject:  APPLE-SA-2003-10-28 Mac OS X 10.3 Panther


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2003-10-28 Mac OS X 10.3 Panther

Mac OS X 10.3 Panther has been released, and it contains the following
security enhancements:

Finder: Fixes CAN-2003-0876 where folder permissions may not be
   preserved when copying a folder from a mounted volume such as a
   disk image.  Credit to Dave G. from @stake, Inc. for finding this
   issue.

Kernel: Fixes CAN-2003-0877 where if a system is running with core
   files enabled, a user with interactive shell access can overwrite
   arbitrary files, and read core files created by root-owned
   processes.  This may result in sensitive information such as
   authentication credentials being compromised. Core file creation is
   disabled by default on Mac OS X. Credit to Dave G. from @stake,
   Inc. for finding this issue.

slpd:  Fixes CAN-2003-0878 when Personal File Sharing is enabled, the
   slpd daemon may create a root-owned file in the /tmp directory.
   This could overwrite an existing file and allow a user to gain
   elevated privileges. Personal File Sharing is off by default in Mac
   OS X.  Credit to Dave G. from @stake, Inc. for finding this issue.

Kernel: Fixes CAN-2003-0895 where it may be possible for a local user
   to cause the Mac OS X kernel to crash by specifying a long command
   line argument. The machine will reboot on its own after several
   minutes. Credit to Dave G. from @stake, Inc. for finding this
   issue.

ktrace: Fixes CVE-2002-0701 a theoretical exploit when ktrace is
   enabled through the KTRACE kernel option, a local user might be
   able to obtain sensitive information.  No specific utility is
   currently known to be vulnerable to this particular problem.

nfs: Fixes CVE-2002-0830 for the Network File System where a remote
   user may be able to send RPC messages that cause the system to lock
   up.

zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS
   X that used the vulnerable gzprintf() function, the underlying
   issue in zlib has been fixed.

gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4
   utility. No setuid root programs relied on gm4 and this fix is a
   preventative measure against a possible future exploit.

OpenSSH: Fixes CAN-2003-0386 where "from=" and "user@hosts"
   restrictions are potentially spoofable via reverse DNS for
   numerically specified IP addresses. Mac OS X 10.3 also incorporates
   prior fixes released for OpenSSH, and the version of OpenSSH as
   obtained via the "ssh -V" command is:
   OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
   0x0090702f

nidump:  Fixes CAN-2001-1412 where the nidump utility provides access
   to the crypted passwords used to authenticate logins.

System Preferences:  Fixes CAN-2003-0883 where after authenticating
   with an administrator password, the system will continue to allow
   access to secure Preference Panes for a short period of time.  This
   could allow a local user to access Preference Panes that they would
   not normally be able to use.  In Mac OS X 10.3 Security
   preferences, there is now a choice to "Require password to unlock
   each secure system preference". Credit to Anthony Holder for
   reporting this issue.

TCP timestamp: Fixes CAN-2003-0882 where the TCP timestamp is
   initialized with a constant number. This could allow a person to
   discover how long the system has been up based upon the ID in TCP
   packets.  In Mac OS X 10.3, the TCP timestamp is now initialized
   with a random number. Credit to Aaron Linville for reporting this
   issue and submitting a fix via the Darwin open source program.

Mail:  Fixes CAN-2003-0881 in the Mac OS X Mail application, if an
   account is configured to use MD5 Challenge Response, it will
   attempt to login using CRAM-MD5 but will silently fall back to
   plain-text if the hashed login fails. Credit to Chris Adams for
   reporting this issue.

Dock: Fixes CAN-2003-0880 when Full Keyboard Access is turned on via
   the Keyboard pane in System Preferences, Dock functions can be
   accessed blindly from behind Screen Effects.
   
Other security features:  Mac OS X 10.3 contains a number of other
   security features which may be found at:
   http://www.apple.com/macosx/features/security/
    
================================================

Further information on Mac OS X 10.3 may be obtained from:
http://www.apple.com/macosx/
    
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQEVAwUBP56rFXeI0z6bzFr0AQIvKAgAg781rk+PU4rGZAo4/5z6OCD6f8cdy7ra
cyP9Ojg8u58g4UisHF4cF9gvVq99TT5WXhMEHZHE+/TFetUj08xyY6q5FJa9VtNg
YcO66fwHGKjB7AlXJmux/nwV0r2x8hqyx2Q0PHCgPMo9MWtO3/tUM6Gpc8kA/JeH
Rd0Csw3ejm4zBIP/t5C5QY/20KZJ9i5S48Nw6neLmJf/mBAfjvMkZM1R+pPN/58A
BwSiuILg8qxE2kf4roMJUTSOf8ToFGTD8X5sp/p15YBzjvknVV5ls7XHCwlkz+iF
W04E3CFbeX9ixTtrHPzStPKAtiRwai1oqx0LRd2mApnYTvbl9lMCOw==
=PJi8
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC