Security issue.
- Subject: Security issue.
- From: "John C. Randolph" <email@hidden>
- Date: Wed, 17 Oct 2001 07:20:19 -0700
On Wednesday, October 17, 2001, at 06:38 AM, MacSuites wrote:
On Wednesday, October 17, 2001, at 08:58 AM, John C. Randolph wrote:
On Wednesday, October 17, 2001, at 05:27 AM, James Bredijk wrote:
Login as a guest user
Launch Terminal
Quit Terminal
Launch NetInfo Manager
Select in the Recent items menu: Terminal
You're root. (I just had a fear while writing this that the account
I used was an admin one, but I just checked and it's not an admin
account)
I have not had the possibility to check what happens if you had not
enabled the root account via NetInfo or sudo passwd root.
I can confirm this. I just tried this, from admin & non-admin logins,
with root disabled in NetInfo Manager - and it makes me root. D'Oh!
Strange. I'm running 10.1, and when I just tried it this bug didn't
show up.
I'm running 10.1 too. I can recreate it every time.
Holy shit! I just created a new user account, and tried it again. It
would appear that there's a rather serious vulnerability here, if an
unprivileged user can run NetInfo Manager in the first place!
Who wants to submit it to bugtraq?
-jcr
"I fear all we have done is to awaken a sleeping giant and fill him with
a terrible resolve." -Admiral Isoroku Yamamoto, Dec 7, 1941.