[NEWS] Apple OSX dsidentity Privileges Escalation

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Apple OSX dsidentity Privileges Escalation
------------------------------------------------------------------------

SUMMARY

"dsidentity is a setuid tool that allows addition or removal of identity
user accounts in Directory Services."

Lack of proper privileges checking allow attackers to Add and modify users
in Mac OSX using dsidentity.

DETAILS

Vulnerable Systems:
* Mac OSX 10.4

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2508>
CAN-2005-2508

/usr/sbin/dsidentity allows any user on the system to add accounts to
Directory Services. Passwords can easily be set at the time of account
creation, and the newly created account can be used to login to the OSX
gui. Due to the lack of shell the account is limited in nature, however
once you have logged into the gui accessing a shell is trivial.

Proof of Concept:
To add an account simply use the following command line and then you can
now login as RickJames with the password isapimp.

CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a RickJames -s isapimp
-v

After logging in as RickJames open Safari and type file:///bin in the
address bar. Double click on bash.
Ignore the warning about not being authorized, and then click cancel when
asked to close the application.

To remove an account from Directory Services use the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -r CharlieMurphy -v

Vendor Status:
The vendor has released a fix : <http://www.apple.com/support/downloads/>
2005-007

Disclosure Timeline:
05/25/2005 reported to apple.
05/26/2005 followup to auto ticketing system #9116351
08/03/2005 AppleSeeds!
08/17/2005 Security Update 2005-007 v1.1

ADDITIONAL INFORMATION

The information has been provided by
<mailto:kf_lists@digitalmunition.com> Kevin Finisterre.
The original article can be found at:
<http://www.digitalmunition.com/DMA[2005-0818a].txt>
http://www.digitalmunition.com/DMA[2005-0818a].txt,
<http://www.suresec.org/advisories/adv5.pdf>
http://www.suresec.org/advisories/adv5.pdf

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.