SecurityTracker: (Vendor Describes Workaround) Mac OS X Trust of DHCP-Provided Directory Servers Lets Remote Users Login With Root Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: OS (UNIX) > Mac OS X

Vendors: Apple Computer

(Vendor Describes Workaround) Mac OS X Trust of DHCP-Provided Directory Servers Lets Remote Users Login With Root Privileges

SecurityTracker Alert ID: 1008353

SecurityTracker URL: http://securitytracker.com/id/1008353

CVE Reference: CAN-2003-1009 (Links to External Site)

Updated: Dec 20 2003

Original Entry Date: Dec 2 2003

Impact: Root access via network

Vendor Confirmed: Yes

Version(s): OS X 10.2, 10.3, 10.3.1

Description: A vulnerability was reported in the default configuration of Mac OS X DHCP-related authentication services. A remote user can gain root access on the target system.

William Carrel reported that, by default, Mac OS X is configured with DHCP enabled and will attempt to connect to any LDAP or NetInfo servers specified by a DHCP response. The report indicates that the operating system will explicitly trust the LDAP or NetInfo server and will permit a remote user that is defined in the LDAP or NetInfo server as having uid 0 permissions to access the target system with an arbitrary user name.

If the target system is rebooted (restarting the 'netinfod' process), the remote directory server will reportedly be added to the authentication source list on the target system and then trusted by the target system. A remote user can then login to any authentication-enabled service (e.g., ssh) that is running on the target server.

The vendor was reportedly notified on October 9, 2003.

The original advisory is available at:

http://www.carrel.org/dhcp-vuln.html

Impact: A remote user can access the system with root privileges.

Solution: Apple has described how to disable DHCP as a workaround:

http://docs.info.apple.com/article.html?artnum=32478

Vendor URL: docs.info.apple.com/article.html?artnum=32478 (Links to External Site)

Cause: Authentication error, Configuration error

Underlying OS:

Message History: This archive entry is a follow-up to the message listed below.

Mac OS X Trust of DHCP-Provided Directory Servers Lets Remote Users Login With Root Privileges

Source Message Contents

Date: Mon, 01 Dec 2003 07:20:23 -0500
Subject: http://docs.info.apple.com/article.html?artnum=32478


http://docs.info.apple.com/article.html?artnum=32478

 > Mac OS X: Directory Access Configuration In the Presence of a Malicious DHCP Response

Apple has described a workaround of disabling DHCP on the target system.

Thanks to UgmNetworks for reporting this Apple support document to us.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC