lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200504291848.j3TImI4D086337@mailserver3.hushmail.com>
Date: Fri, 29 Apr 2005 11:48:15 -0700
From: "sonderling" <sonderling@...hmail.com>
To: <bugtraq@...urityfocus.com>
Subject: Mac OS X Cocktail 3.5.4 admin password disclosure


Application: Mac OS X Cocktail
Version: 3.5.4 and probably below
URL: www.macosxcocktail.com
Vulnerability: admin password disclosure

=======================================================

Vendor's description:

"Cocktail is a general purpose utility for Mac OS X. The
application serves up a scrumptious mix of maintenance tools
and interface tweaks, all accessible via a comprehensive
graphical interface and toolset. It is a smooth and powerful
utility that simplifies the use of advanced UNIX functions."

The problem:

Since Cocktail needs administrative privileges the user is
prompted for the admin password upon startup. The actual
maintenance is done by command line utilities that are executed
in an insecure manner: Cocktail creates a new process and
lets /bin/sh pipe the admin password using echo into sudo,
which then will execute the utility, like this:

sh -c echo 'PASSWORD' | sudo -p "" -S sudo update_prebinding -root /

Exploitation:

Knowing Cocktail is waiting for some Unix utility to have finished
its work, just execute "ps ax" on the terminal and search for
the password.

The vendor has been contacted; the new version 3.6 for
Mac OS X "Tiger" should have been fixed. I haven't tested
this version, though.






Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ