Date: Tue, 22 Aug 2006 17:51:23 -0400
From: "K F (lists)" <kf_lists@...italmunition.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

Propaganda Support wrote:
>
> On Aug 22, 2006, at 3:22 PM, K F wrote:
>
>> the admin users on OS X can NOT become root at any time.
>
> Yes, they can.

Um NO they can't. ANY is a pretty strong word.

>
>> The admin user must first know the admin password before becoming root.
>
> Obviously. An admin user who doesn't know the admin password is not an 
> admin user. He/she is a different user using an admin user's account.
You just validated my point... without the admin password, an admin user 
cannot become root. Thus they cannot 'become root at any time'. A 
person who has access to an admin session may not become root until the 
admin password becomes known.

I am physically sitting at a Mac that I do not know the admin password 
to right now... when I typed 'id' it says I am in the admin group; 
therefore I am an admin, period, regardless of whether I know the password: my 
gid=admin. If you want to get trivial over wording that is fine... 
bottom line: while sitting at someone else's terminal that is logged in 
as admin, you too are an admin as far as the OS is concerned.
>
>> Based on the info below ANYONE that sits down at your pc while it is 
>> logged in can take advantage of the fact that you can take root 
>> WITHOUT a password using the technique outlined below.
>
> Not true. They must provide an admin password to use the Deja Vu pref 
> pane, unless the admin user chose to leave it unlocked. (It's locked 
> by default.)
Well guess what... when you go to add a user account in System 
Preferences it asks you to unlock the panel. When you are done it locks 
it back for you. The next time you open System Preferences it is again 
locked and it wants a password... guess what, Deja Vu does not do that. 
You unlock Deja Vu and it stays unlocked...

Guess what that means.... the first time you sat down to use Deja Vu and 
you clicked the little lock to make your changes... unless you 
explicitly locked it back (which, being accustomed to OS X locking items 
back for you, why would you?) you are now sitting with an unlocked Deja 
Vu panel.

Thanks for helping isolate some of the actual issue:
Deja Vu does not re-lock control panel items unless explicitly told to do so.

>
>> Don't act like you have never let someone use a web browser or log 
>> into instant messenger on your computer before...
>
> I don't have to act like it, because I don't unless I trust the person 
> completely. I have a guest account for anyone else.
>
> If you let people that you don't trust use your logged in admin 
> account, you're asking for all kinds of trouble, whether or not you 
> have Deja Vu installed. They could delete any/all folders within your 
> Home folder, for example.
Does it make a difference if it is someone that I DO trust? I trust my 
girlfriend... that does not mean I want her taking root on my Mac.

I am also curious to know if anyone knows how to spoof the presence of 
the System Preferences window...

I can run the binaries just fine as a normal user; however, there is some 
sort of check for the Preference Pane to actually be running. I wonder 
if a spoof could be used to bypass the need to actually unlock Deja Vu.

k-fs-computer-2:/Library/PreferencePanes/DejaVu.prefPane/Contents/Resources kf$ ./install_scripts

This tool can only be run from within the Deja Vu preference pane.


-KF

