(Apple Issues Fix) Mac OS X Trust of DHCP-Provided Directory Servers Lets Remote Users Login With Root Privileges
|
|
SecurityTracker Alert ID: 1008534 |
|
SecurityTracker URL: http://securitytracker.com/id/1008534
|
|
CVE Reference:
CAN-2003-1009
(Links to External Site)
|
Date: Dec 20 2003
|
Impact:
Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): OS X 10.2, 10.3, 10.3.1
|
Description:
A vulnerability was reported in the default configuration of Mac OS X DHCP-related authentication services. A remote user can gain root access on the target system.
William Carrel reported that, by default, Mac OS X is configured with DHCP enabled and will attempt to connect to any LDAP or NetInfo servers specified by a DHCP response. The report indicates that the operating system will explicitly trust the LDAP or NetInfo server and will permit a remote user that is defined in the LDAP or NetInfo server as having uid 0 permissions to access the target system with an arbitrary user name.
If the target system is rebooted (restarting the 'netinfod' process), the remote directory server will reportedly be added to the authentication source list on the target system and then trusted by the target system. A remote user can then login to any authentication-enabled service (e.g., ssh) that is running on the target server.
The vendor was reportedly notified on October 9, 2003.
The original advisory is available at:
http://www.carrel.org/dhcp-vuln.html
|
Impact:
A remote user can access the system with root privileges.
|
Solution:
Apple has released a fix for Panther and Jaguar.
Security Update 2003-12-19 for Panther is available at:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120292
The download file is named: "SecurityUpd2003-12-19.dmg"
Its SHA-1 digest is: 112674677572232f640d03122b25527d84fbbbf8
Security Update 2003-12-19 for Jaguar is available at:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120291
The download file is named: "SecurityUpd2003-12-19Jag.dmg"
Its SHA-1 digest is: b0c5d1ef54020db7580798fddd7a1e132e653896
|
Vendor URL: www.apple.com/ (Links to External Site)
|
Cause:
Authentication error, Configuration error
|
Underlying OS:
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Sat, 20 Dec 2003 07:50:25 -0800
Subject: APPLE-SA-2003-12-19 Security Update for Panther
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2003-12-19 Security Update 2003-12-19 for Panther
Security Update 2003-12-19 for Panther is available for
Mac OS X 10.3.2 and Mac OS X Server 10.3.2.
It contains security enhancements for the following:
AppleFileServer: Fixes CAN-2003-1007 to improve the handling of
malformed requests.
ASN.1 Decoding for PKI: Fixes CAN-2003-1005 which could cause a
potential denial of service when receiving malformed ASN.1
sequences. This is related but separate from CAN-2003-0851.
cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in
the filesystem utility cd9660.util.
Credit to KF of Secure Network Operations for reporting this issue.
Directory Services: Fixes CAN-2003-1009. The default settings are
changed to prevent an inadvertent connection in the event of a
malicious DHCP server on the computer's local subnet. Further
information is provided in Apple's Knowledge Base article:
http://docs.info.apple.com/article.html?artnum=32478
Credit to William A. Carrel for reporting this issue.
fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that
improve its stability when receiving malformed messages.
fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to
prevent a local privilege escalation vulnerability. This tool is
used to collect system performance information and requires admin
privileges to run.
Credit to Dave G. of @stake for reporting this issue.
rsync: Fixes CAN-2003-0962 by improving the security of the rsync
server.
Screen Saver: Fixes CAN-2003-1008. When the Screen Saver login
window is present, it is no longer possible to write a text
clipping to the desktop or an application.
Credit to Benjamin Kelly for reporting this issue.
System initialization: Fixes CAN-2003-1011. The system initialization
process has been improved to restrict root access on a system that
uses a USB keyboard.
================================================
Security Update 2003-12-19 for Panther may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120292
The download file is named: "SecurityUpd2003-12-19.dmg"
Its SHA-1 digest is: 112674677572232f640d03122b25527d84fbbbf8
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQEVAwUBP+Rsp3eI0z6bzFr0AQI/MwgAqqUXmeRPg2xLQlbGiK15uDhgrcOuE27V
5fi8IvkiAWMN/qjJofG3y+crtmZwTea0Z8qvcw8EcbMRtuhqzyCu43HFTE8wFJ4w
FqmwihZQANu8IHye9tgl36CiPJvY3bYWPxd3GobAQKZp81/OIhY3H2aB79Oa3N3o
6lBPHInyLmRswlOa9s7v6wSJAK/9MXa7dwSLtaaFsVg7R8kfe4atZ0tAlc8rHAnS
k0sZq1z6hPeiXHRxFIeozwTr6P5QLZB/3YuRYLtgYudojOauV1/X4/ltsOb5Kdk/
HUdrNSZfoECPI78BecWblnsGG91Tgd20GIcTke06o0zWvZa2vXWJDg==
=3ZBF
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.
|
|
