Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:9553
HistoryAug 22, 2005 - 12:00 a.m.

[Full-disclosure] DMA[2005-0818a] - 'Apple OSX dsidentity privilege abuse'

2005-08-2200:00:00
vulners.com
10

0.0004 Low

EPSS

Percentile

0.4%

JSON

DMA[2005-0818a] - 'Apple OSX dsidentity privilege abuse'
Author: Kevin Finisterre
Vendor: http://www.apple.com/bluetooth/
Product: 'Mac OSX 10.4'
References:
http://www.digitalmunition.com/DMA[2005-0818a].txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2508
http://www.suresec.org/advisories/adv5.pdf

Description:
After roughly one hour of beating on the freshly released OSX 10.4 I found that
/usr/sbin/dsidentity
allows any user on the system to add accounts to Directory Services. Passwords can easily be
set at
the time of account creation, and the newly created account can be used to login to the OSX
gui. Due
to the lack of shell the account is limited in nature, however once you have logged into the
gui
accessing a shell is trivial.

To add an account simply use the following command line and then you can now login as
RickJames with the
password isapimp.

CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a RickJames -s isapimp -v

After logging in as RickJames open Safari and type file:///bin in the address bar. Double
click on bash.
Ignore the warning about not being authorized, and then click cancel when asked to close the
application.
Voila Now you have a working bash shell as RickJames.

To remove an account from Directory Services use the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -r CharlieMurphy -v

If you rally want to piss off someone's Directory Services try the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a `perl -e 'print "A" x 29000'`
(lather, rinse, repeat)

Work Around:
Install 2005-007 update or just rm -rf /usr/sbin/dsidentity
http://www.apple.com/support/downloads/

Sidenote:
Neil Archibald of Suresec LTD also reported this issue to apple at the same time I did.

http://www.suresec.org/advisories/adv5.pdf outlines extra detail about this issue with
regard to the use of getenv() calls.

Timeline associated with this bug:
05/25/2005 reported to apple.
05/26/2005 followup to auto ticketing system #9116351
08/03/2005 AppleSeeds!
08/17/2005 Security Update 2005-007 v1.1

Related

cve 1
cvelist 1
nvd 1
nessus 1
cve
cve
CVE-2005-2508
2022-10-03 16:22:47
cvelist
cvelist
CVE-2005-2508
2022-10-03 16:22:47
nvd
nvd
CVE-2005-2508
2005-08-19 04:00:00
nessus
nessus
Mac OS X Multiple Vulnerabilities (Security Update 2005-007)
2005-08-18 00:00:00

0.0004 Low

EPSS

Percentile

0.4%

JSON
Related for SECURITYVULNS:DOC:9553
cve1cvelist1nvd1nessus1