Mac OS X DS Tools Discloses Passwords to Local Users
SecurityTracker Alert ID: 1021722
SecurityTracker URL: http://securitytracker.com/id/1021722
Date: Feb 13 2009
Disclosure of authentication information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.4.11, 10.5.6
A vulnerability was reported in Mac OS X DS Tools. A local user can obtain passwords.
The dscl command-line tool requires passwords as arguments. As a result, a local user can view the process list to obtain passwords, including administrator passwords.
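An audit for the pattern described above, as an added example that is not part of the advisory or of Apple's code: it reads command lines (for instance from administration scripts) and reports every dscl invocation that carries a password in its arguments, with the value redacted. The function names are hypothetical, the sample input is constructed, and the `-P`, `-p` and `-passwd` options are taken from the dscl manual page rather than from this page.

```shell
#!/bin/sh
# Added example: find dscl invocations that put a password in argv.
# Input: one command line per line on stdin. Output: "<line no>: <command>"
# with each password value replaced by <redacted>.
# Limitation: tokens are split on whitespace, so quoted values containing
# spaces are redacted only partially.
audit_dscl_args() {
  awk '
  {
    hit = 0; in_dscl = 0
    for (i = 1; i <= NF; i++) {
      tok = $i
      base = tok; sub(/^.*\//, "", base)      # strip any leading path
      if (tok == "|" || tok == ";" || tok == "&&") {
        in_dscl = 0                            # next token starts a new command
      } else if (base == "dscl") {
        in_dscl = 1
      } else if (in_dscl && tok == "-P" && i < NF) {
        $(i + 1) = "<redacted>"; hit = 1       # -P <password>
      } else if (in_dscl && tok == "-passwd") {
        # -passwd <user path> [password ...]: all that follows the path
        for (j = i + 2; j <= NF; j++) { $j = "<redacted>"; hit = 1 }
        break
      }
    }
    if (hit) print NR ": " $0
  }'
}

# Constructed sample input (account names and passwords are made up).
sample_commands() {
  cat <<'EOF'
dscl -u admin -P S3cret . -read /Users/alice
dscl -u admin -p . -passwd /Users/alice
/usr/bin/dscl . -passwd /Users/bob oldpw newpw
ls -P /tmp
EOF
}

sample_commands | audit_dscl_args
```

The second sample line is not reported: it uses `-p` and gives no password after the user path, so dscl prompts for it instead of taking it from the argument list.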
A local user can obtain passwords.
The vendor has issued a fix as part of Security Update 2009-001, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
For Mac OS X v10.5.6
The download file is named: "SecUpd2009-001.dmg"
Its SHA-1 digest is: 08d8e962e2687f01b3cdc4cb386ef4e44992a1e0
For Mac OS X Server 10.5.6
The download file is named: "SecUpdSrvr2009-001.dmg"
Its SHA-1 digest is: b44344f918cbf15266cde2c989c443e455ccd88f
For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2009-001Intel.dmg"
Its SHA-1 digest is: e1e1a09d9543fe1a1acc759c5ed11dde58f84e0e
For Mac OS X v10.4.11 (PPC)
The download file is named: "SecUpd2009-001PPC.dmg"
Its SHA-1 digest is: a9158bed12fa6650634bc8f972a7990cddb765d9
For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2009-001Univ.dmg"
Its SHA-1 digest is: 6b056d47bbf2566cda7908590fc2ccd0ab4b889f
For Mac OS X Server v10.4.11 (PPC)
The download file is named: "SecUpdSrvr2009-001PPC.dmg"
Its SHA-1 digest is: a9f97ba89b8acc6927779859bbec3787d1fb3b2a
The vendor's advisory is available at:
Vendor URL: support.apple.com/kb/HT1222
Access control error
Source Message Contents
Date: Thu, 12 Feb 2009 23:01:57 -0500
Subject: Mac OS X
APPLE-SA-2009-02-12 Security Update 2009-001
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact: Passwords supplied to dscl are exposed to other local users
Description: The dscl command-line tool required that passwords be
passed to it in its arguments, potentially exposing the passwords to
other local users. Passwords exposed include those for users and
administrators. This update makes the password parameter optional,
and dscl will prompt for the password if needed. Credit: Apple.