lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <44EB7C5B.5020801@digitalmunition.com>
Date: Tue, 22 Aug 2006 17:51:23 -0400
From: "K F (lists)" <kf_lists@...italmunition.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO
	TOAST	7 TITANIUM - LOCAL ROOT COMPROMISE ]

Propaganda Support wrote:
>
> On Aug 22, 2006, at 3:22 PM, K F wrote:
>
>> the admin users on OS X can NOT become root at any time.
>
> Yes, they can.

Um NO they can't. ANY is a pretty strong word.

>
>> The admin user must first know the admin password before becomming root.
>
> Obviously. An admin user who doesn't know the admin password is not an 
> admin user. He/she is a different user using an admin user's account.
You just validated my point... without the admin password an admin user 
can not become root. Thus they can not 'become root at any time'. A 
person who has access to an admin session may not become root until the 
admin password becomes known.

I am physically sitting on a mac that I do not know the admin password 
to right now... when I typed 'id' it says I am in the admin group... 
there for I am an admin period regardless of if I know the password my 
gid=admin. If you want to get trivial over wording that is fine... 
bottom lines while sitting at someone elses terminal that is logged in 
as admin you too are an admin as far as the OS is concerned.
>
>> Based on the info below ANYONE that sits down at your pc while it is 
>> logged in can take advantage of the fact that you can take root 
>> WITHOUT a password using the technique outlined below.
>
> Not true. They must provide an admin password to use the Deja Vu pref 
> pane, unless the admin user chose to leave it unlocked. (It's locked 
> by default.)
Well guess what... when you go to add a user account in System 
Preferences it asks you to unlock the panel. When you are done it locks 
it back for you. The next time you open System Preferences it is again 
locked and it wants a password... guess what Deja Vu does not do that. 
You unlock DejaVu it stays unlocked...

Guess what that means.... the first time you sat down to use Dejavu and 
you clicked the little lock to make your changes... unless you 
explicitly locked it back (which being accustomed to OSX locking items 
back for you why would you?) you are now sitting with an unlocked Deja 
Vu panel.

Thanks for helping isolate some of the actual issue.
DejaVu does not re-lock control panel items unless explicitly told to do so

>
>> Don't act like you have never let someone use a web browser or log 
>> into instant messenger on your computer before...
>
> I don't have to act like it, because I don't unless I trust the person 
> completely. I have a guest account for anyone else.
>
> If you let people that you don't trust use your logged in admin 
> account, you're asking for all kinds of trouble, whether or not you 
> have Deja Vu installed. They could delete any/all folders within your 
> Home folder, for example.
Does it make a difference if it is someone that I DO trust? I trust my 
girlfriend... that does not mean I want her taking root on my Mac.

I am also currious to know if anyone knows how to spoof the presence of 
the System Preferences window...

I can run the binaries just fine as a normal user however there is some 
sort of check for the Preference Pane to actually be running. I wonder 
if a spoof could be used to bypass the need to actually unlock DejaVu.

k-fs-computer-2:/Library/PreferencePanes/DejaVu.prefPane/Contents/Resources 
kf$ ./install_scripts

This tool can only be run from within the Deja Vu preference pane.


-KF


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ