A flaw in Mac OS X 10.7 Lion lets you change the user password

The latest operating system, Mac OS X 10.7 Lion, suffers from a serious security bug that allows anyone to change the current user's password without being prompted for authentication. The details of the problem are explained by Defense in Depth, a blog about computer security.

The author, Patrick Dunstan, explains that the user's password can be recovered with a technique already described in the past for cracking Mac OS X 10.6 and earlier. In summary, it involves extracting the password hashes from the user's shadow file, which is stored in a specific location. Shadow files are files whose access is restricted to the user with the highest privileges, in other words the root user. From Tiger onward, each user has their own shadow file, whose data is accessible only by root, or at least it should be.

It seems, however, that a rather important detail went unnoticed in the redesign of Lion's authentication schemes. Although non-root users cannot access the shadow file directly, Lion currently lets them view password hash information by extracting it via Directory Services. The most problematic aspect is that this flaw also makes it possible to change the password of the logged-in user directly, without being prompted for authentication.

In certain situations, this problem could easily become a way to escalate privileges, especially if the victim of the attack is a user with administrator rights. Restricting the standard dscl utility is currently a temporary measure that can contain the problem while waiting for Apple to release a corrective patch.


Posted by: Wasim Javed
