Message-ID: <BBE19E34.1633B%timo.schoeler@macfinity.de>
From: timo.schoeler at macfinity.de (Timo Schoeler)
Subject: Vulnerability in Terminal.app

hi,

yes, you gotta have physical access. additionally, it must be in an environment the user (who owns/operates the machine) trusts that much, that (s)he leaves the machine _logged in_ *and* puts it into sleep mode.

don't think it's a big problem. if you don't trust your environment that much (okay, say, you know they won't take away your mac -- even if it's a g5 or so ;), just log off. in this case someone might use the system cd, boot off it and use the 'reset password' function it implements. but after all, if you have _physical access_ to a machine -- you're lost.

imho that 'bug' is like complaining that fort knox does not register every single bill they store in their most secure safe ;)

--
so long,
timo

Jesus loves you... but Satan has candy.

> In order for someone to exploit this wouldn't they need physical
> access? And if they had physical access they could simply just boot into
> single user mode (enabled by default), or off a cd (enabled by default), or
> simply steal the machine.
>
> On 11/19/03 12:27 PM, "hays@...blio.org" <hays@...blio.org> wrote:
>
>>
>>
>> --On Wednesday, November 19, 2003 12:00 PM -0500
>> full-disclosure-request@...ts.netsys.com wrote:
>>
>>>> There is a work-around for this vulnerability of course - actually
>>>> several.
>>>>
>>>> 1. Never use sudo (not particularly practical).
>>>>
>>>> 2. Never put your box to sleep after a sudo unless at least 5 minutes
>>>> (or whatever your interval is set to) have passed.
>>>>
>>>> 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
>>>> putting your box to sleep - make it a habit no matter if you remember
>>>> issuing an ordinary sudo recently or not - 'just in case'.