[18399] in bugtraq
Re: Mac OS 9 Multiple Users Control Panel Password Vulnerability
daemon@ATHENA.MIT.EDU (K. M. Ellis)
Tue Jan 2 18:38:27 2001
Message-Id: <Pine.LNX.4.30.0101021257530.5809-100000@gwyn.tux.org>
Date: Tue, 2 Jan 2001 13:04:25 -0500
Reply-To: "K. M. Ellis" <protozoa@TUX.ORG>
From: "K. M. Ellis" <protozoa@TUX.ORG>
X-To: Todd Kirby <kirbyt@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001229215357.4667.qmail@web9601.mail.yahoo.com>

On Fri, 29 Dec 2000, Todd Kirby wrote:

> Mac OS 9.04 comes with a 'Multiple Users' Control
> Panel that allows an administrator (called 'Owner') to
> create user accounts (called 'Normal' users) with
> limited access to the computer.

I'd like to point out that if your Mac is configured to share out
your system folder with any level of access, you're screwed regardless of
which OS version you're running.

As far back as OS 7.6.1 (and probably earlier) your Users and Groups
preferences file has all user and administrator passwords encoded using
wimpy 40-bit DES encryption. You don't want any users getting into it.

Thanks for taking the time to point this vulnerability out, but I consider
it yet _another_ reason not to share out the system folder.

It should also be stated that this vulnerability probably applies to Mac
9.x systems running AppleShare IP, although I have no way to test this.

Respectfully submitted,
-K

--
Kathleen M. Ellis, P.A.B. -- KB3CWP -- http://www.tux.org/~protozoa
Technology. Politics. Get a clue. http://www.cluebot.com
"Muhammad Ali, one of my very few heroes, once took
the time to explain to me that 'there are no jokes.
The truth is the funniest joke of all.' Ho ho. It
takes a special kind of mindset to believe that and
still have smart people call you Funny. I have never
quite understood it."
Hunter S. Thompson
_Fear and Loathing in America_