[ SOURCE: http://www.secureroot.com/security/advisories/9786036166.html ]

Mac OS 9.04 comes with a 'Multiple Users' Control

Panel that allows an administrator (called 'Owner') to

create user accounts (called 'Normal' users) with

limited access to the computer.



The problem is that the Owner password can be removed

by a Normal user by moving the 'Users & Groups Data

File and logging back in using the Owner account,

giving full access to the machine.





Exploit:

--------



Log in as a Normal user. Find the file called 'Users &

Groups Data File' in the Preferences Folder and move

it to another location. Log out and back in using the

Owner account.



Result: No password is required to log in as the Owner

user. User now has full access to the computer,

including the ability to make changes in the 'Multiple

Users' control panel.



The previously moved 'Users & Groups Data File' can be

moved back into the Preferences folder to restore the

original Owner password making detection difficult.





Configuration

-------------



Mac G3 and G4 with OS 9.04.





Solution:

---------



Use 'Limited' instead of 'Normal' when setting up user

accounts. This will protect the Preferences folder

from being altered.



I attempted to notify Apple but their bug reporter

form requires joining the Apple Developer Connection.



Todd Kirby

Web Applications Developer

Walt Disney Television Animation





=====

"Blinky lights are the essence of technology. Everything

else is fluff."



__________________________________________________

Do You Yahoo!?

Yahoo! Photos - Share your holiday photos online!

http://photos.yahoo.com/