SecurityTracker.com

Category:   Application (Generic)  >   Timbuktu
Vendors:   Netopia
Netopia's Timbuktu for Mac OS X Allows Local Users to Access the Host Without Logging In
SecurityTracker Alert ID:  1001362
SecurityTracker URL:  http://securitytracker.com/id/1001362
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 19 2001
Impact:   User access via local system
Exploit Included:  Yes  

Description:   It is reported that Netopia's preview of Timbuktu Pro for Mac OS X, a remote administration software package, contains a vulnerability that allows local users to access Mac OS X without authentication.

The login screen of a Mac OS X system with the preview version of Timbuktu for Mac OS X installed reportedly presents a Timbuktu icon in the upper right-hand portion of the screen. Selecting the "About Timbuktu" menu item reportedly gives the local user full access to the Apple menu and System Preferences without requiring that the user log in to OS X.

With access to the System Preferences, a user could change passwords or system settings.

This was reported on http://securemac.com

Impact:   A local user can gain full access to the Apple menu and System Preferences without logging in.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.netopia.com/
Cause:   Access control error
Underlying OS:  Apple (Legacy "classic" Mac)

Message History:   None.


 Source Message Contents

Subject:  Timbuktu vulnerability


Netopia has released Timbuktu Preview for Mac OS X. There
is a 29.95 charge for this software. Timbuktu is remote
administration software which runs on Windows and
Macintosh platforms. We received an E-Mail from Ed noting
a security hole with this product that lets a user @ the
console have access without even having to log in to Mac
OS X. The problem was reported to Netopia and because
this is only a preview version we will look for a fix in the next
release.

Author: ed@hintz.org
Tested: G4 DP 450/Mac OS X w/ update
Software: Netopia Timbuktu Preview for Mac OS X
Method: Console
Risk: 

At the login screen of the freshly updated Mac OS X with
preview version of Timbuktu for Mac OS X we have found a
Timbuktu icon in the upper right hand portion of the screen.
The menu contains all of the goodies (open timbuktu, turn
tcp on/off, about, etc) Timbuktu users have known and loved
from the classic OS. The menu About Timbuktu when
clicked on gives you full control to the apple menu and
system preferences without even being logged into OS X.

Having access to the System Preferences without being
logged in can allow access to the users panel where
someone could change passwords or any system setting. 

Essentially, you've got admin access to the entire system
prefs window and the users panel even shows the hidden
admin/root user. Some say this is something not that large
because you can gain full access through single user mode
also. SM feels that the problem should be addressed by
Netopia ASAP.


Netopia - "Although we welcome your feedback, the
software is sold without warranty"

Reported on http://securemac.com

 
 

