Subject: Mac OS 9 Multiple Users Control Panel Password Vulnerability
From: Todd Kirby (kirbytYAHOO.COM)
Date: Fri Dec 29 2000 - 15:53:57 CST


Mac OS 9.04 comes with a 'Multiple Users' Control
Panel that allows an administrator (called 'Owner') to
create user accounts (called 'Normal' users) with
limited access to the computer.

The problem is that the Owner password can be removed
by a Normal user by moving the 'Users & Groups Data
File' and logging back in using the Owner account,
giving full access to the machine.

Exploit:
--------

Log in as a Normal user. Find the file called 'Users &
Groups Data File' in the Preferences Folder and move
it to another location. Log out and back in using the
Owner account.

Result: No password is required to log in as the Owner
user. User now has full access to the computer,
including the ability to make changes in the 'Multiple
Users' control panel.

The previously moved 'Users & Groups Data File' can be
moved back into the Preferences folder to restore the
original Owner password, making detection difficult.

Configuration
-------------

Mac G3 and G4 with OS 9.04.

Solution:
---------

Use ‘Limited’ instead of ‘Normal’ when setting up user
accounts. This will protect the Preferences folder
from being altered.

I attempted to notify Apple but their bug reporter
form requires joining the Apple Developer Connection.

Todd Kirby
Web Applications Developer
Walt Disney Television Animation

=====
"Blinky lights are the essence of technology. Everything
else is fluff."
