(Apple Issues Fix) Mac OS X Nidump Network Information Utility Discloses Password File to Any Local User
SecurityTracker Alert ID: 1008047
SecurityTracker URL: http://securitytracker.com/id/1008047
Date: Oct 30 2003
Impact: Disclosure of system information
Fix Available: Yes   Vendor Confirmed: Yes
A vulnerability has been reported in the nidump NetInfo data extraction utility for Mac OS X. The security hole allows any local user to obtain the contents of the password file, including the password hashes.
It is reported that on a default installation of Mac OS X (releases prior to 10.3) the nidump data extraction program allows any local user to read the Mac OS X password file with the following command: /usr/bin/nidump passwd . (the trailing "." names the local NetInfo domain). The output is in passwd(5) format, and the second field of each line carries the crypt(3) password hash for that account rather than a placeholder.
A local user can reportedly also read /var/backups/local.nidump, a backup dump of the local NetInfo database that may contain the same account information.
The vulnerability gives local users who are not authorized to read the password file access to its full contents. By itself this does not reveal any cleartext password, but it hands the user the hashes of every account, including the root account, for offline password cracking; any weak or dictionary password can then be recovered without further interaction with the system.
Any local user can obtain the contents of the password file.
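The following shell script is an added example and is not part of the SecurityTracker entry or of Apple's advisory. It shows the check an administrator (or, equally, an attacker) would run against the output of /usr/bin/nidump passwd . on a pre-10.3 system: parse the passwd-format lines and report every account whose password field holds a usable crypt hash, plus any account with an empty password field. The nidump output embedded in the script is constructed for illustration; the hashes are made-up strings, not real credentials.

```shell
#!/bin/sh
# Added example, not from the advisory. Audits passwd(5)-format output such
# as that of "nidump passwd ." on Mac OS X 10.2 and earlier, where the second
# field contains the real crypt(3) hash for every account.
#
# NetInfo passwd field layout:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample of nidump output (hashes are invented, not real).
SAMPLE_NIDUMP='nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:Xm9pQ1qRzL3tk:0:0::0:0:System Administrator:/var/root:/bin/tcsh
daemon:*:1:1::0:0:System Services:/var/root:/dev/null
alice:aB7yTf4kLm2nc:501:20::0:0:Alice Example:/Users/alice:/bin/bash
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
bob::502:20::0:0:Bob Example:/Users/bob:/bin/bash'

# exposed_hashes: read passwd-format lines on stdin and print "user:hash"
# for every account whose password field is a real hash. A field that is
# empty or starts with "*" or "!" is a lock/placeholder, not a hash, so it
# gives a cracker nothing to work on.
exposed_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }
        $2 != "" && $2 !~ /^[*!]/ { print $1 ":" $2 }
    '
}

# empty_passwords: accounts whose password field is empty. These are worse
# than an exposed hash, since no cracking is needed at all.
empty_passwords() {
    awk -F: '
        /^#/ || NF < 2 { next }
        $2 == "" { print $1 }
    '
}

# crackable_count: how many accounts in the sample expose a real hash.
crackable_count() {
    printf '%s\n' "$SAMPLE_NIDUMP" | exposed_hashes | wc -l | tr -d ' '
}

# On a vulnerable host the same audit would be:
#   /usr/bin/nidump passwd . | exposed_hashes
# Here the constructed sample stands in for the live output.
if [ "${1:-}" = "--demo" ]; then
    echo "accounts with a crackable hash in the dump:"
    printf '%s\n' "$SAMPLE_NIDUMP" | exposed_hashes
    echo "accounts with an empty password field:"
    printf '%s\n' "$SAMPLE_NIDUMP" | empty_passwords
fi
```

Run it with --demo to see the report. On the sample, root and alice are the two accounts an unprivileged user could take offline to a cracker, and bob needs no cracking at all; system accounts whose field is "*" are correctly ignored. The same filter is what a cracking tool applies before it starts, which is why any hash reachable by nidump should be treated as exposed.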
The vendor has released a fixed version of Mac OS X (10.3). More information on Mac OS X 10.3 is available at:
Vendor URL: www.apple.com/
Cause: Access control error
Underlying OS: UNIX (OS X)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 28 Oct 2003 09:46:35 -0800
Subject: APPLE-SA-2003-10-28 Mac OS X 10.3 Panther
-----BEGIN PGP SIGNED MESSAGE-----
APPLE-SA-2003-10-28 Mac OS X 10.3 Panther
Mac OS X 10.3 Panther has been released, and it contains the following
Finder: Fixes CAN-2003-0876 where folder permissions may not be
preserved when copying a folder from a mounted volume such as a
disk image. Credit to Dave G. from @stake, Inc. for finding this
Kernel: Fixes CAN-2003-0877 where if a system is running with core
files enabled, a user with interactive shell access can overwrite
arbitrary files, and read core files created by root-owned
processes. This may result in sensitive information such as
authentication credentials being compromised. Core file creation is
disabled by default on Mac OS X. Credit to Dave G. from @stake,
Inc. for finding this issue.
slpd: Fixes CAN-2003-0878 when Personal File Sharing is enabled, the
slpd daemon may create a root-owned file in the /tmp directory.
This could overwrite an existing file and allow a user to gain
elevated privileges. Personal File Sharing is off by default in Mac
OS X. Credit to Dave G. from @stake, Inc. for finding this issue.
Kernel: Fixes CAN-2003-0895 where it may be possible for a local user
to cause the Mac OS X kernel to crash by specifying a long command
line argument. The machine will reboot on its own after several
minutes. Credit to Dave G. from @stake, Inc. for finding this
ktrace: Fixes CVE-2002-0701, a theoretical exploit where, when ktrace is
enabled through the KTRACE kernel option, a local user might be
able to obtain sensitive information. No specific utility is
currently known to be vulnerable to this particular problem.
nfs: Fixes CVE-2002-0830 for the Network File System where a remote
user may be able to send RPC messages that cause the system to lock
zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS
X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed.
gm4: Fixes CAN-2001-1411, a format string vulnerability in the gm4
utility. No setuid root programs relied on gm4 and this fix is a
preventative measure against a possible future exploit.
OpenSSH: Fixes CAN-2003-0386 where "from=" and "user@hosts"
restrictions are potentially spoofable via reverse DNS for
numerically specified IP addresses. Mac OS X 10.3 also incorporates
prior fixes released for OpenSSH, and the version of OpenSSH as
obtained via the "ssh -V" command is:
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
nidump: Fixes CAN-2001-1412 where the nidump utility provides access
to the crypted passwords used to authenticate logins.
System Preferences: Fixes CAN-2003-0883 where after authenticating
with an administrator password, the system will continue to allow
access to secure Preference Panes for a short period of time. This
could allow a local user to access Preference Panes that they would
not normally be able to use. In Mac OS X 10.3 Security
preferences, there is now a choice to "Require password to unlock
each secure system preference". Credit to Anthony Holder for
reporting this issue.
TCP timestamp: Fixes CAN-2003-0882 where the TCP timestamp is
initialized with a constant number. This could allow a person to
discover how long the system has been up based upon the ID in TCP
packets. In Mac OS X 10.3, the TCP timestamp is now initialized
with a random number. Credit to Aaron Linville for reporting this
issue and submitting a fix via the Darwin open source program.
Mail: Fixes CAN-2003-0881 in the Mac OS X Mail application, if an
account is configured to use MD5 Challenge Response, it will
attempt to login using CRAM-MD5 but will silently fall back to
plain-text if the hashed login fails. Credit to Chris Adams for
reporting this issue.
Dock: Fixes CAN-2003-0880 when Full Keyboard Access is turned on via
the Keyboard pane in System Preferences, Dock functions can be
accessed blindly from behind Screen Effects.
Other security features: Mac OS X 10.3 contains a number of other
security features which may be found at:
Further information on Mac OS X 10.3 may be obtained from:
This message is signed with Apple's Product Security PGP key, and
details are available at:
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
-----END PGP SIGNATURE-----
security-announce mailing list
Do not post admin requests to the list. They will be ignored.