LDAP
CVE-ID: CAN-2005-1338
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Passwords could initially be stored into LDAP in plain text when using an LDAP server not running on Mac OS X.
Description: When a system is bound to an LDAP server that has "ldap_extended_operation" disabled or not supported, and new accounts are created using the Workgroup Manager, then the initial password can be stored in the clear. If the password is modified using the Inspector, it will be correctly stored in a hashed form. This issue does not occur when using the Apple supplied Open Directory server. For servers not supporting "ldap_extended_operation," this update now stores new passwords in the hashed form.
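A defender-side check for the condition this advisory describes, added here as an example (not Apple's code or part of the advisory): audit an LDIF export of a non-Apple LDAP server for userPassword values stored without an RFC 2307 hash-scheme prefix, which is what an affected account would look like. The LDIF sample, uids and hash values are constructed.

```python
import base64

# Constructed LDIF sample (assumed data, not from the advisory); ldapsearch
# base64-encodes userPassword ("::"), so both encodings are exercised.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword: {SSHA}ZGVhZGJlZWZkZWFkYmVlZmRlYWRiZWVmZGVhZGJlZWY=

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword:: aHVudGVyMg==
"""

# RFC 2307 scheme prefixes that mark a hashed value; anything else is cleartext.
HASHED_SCHEMES = {"{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}"}

def _to_entry(lines):
    entry = {}
    for line in lines:
        attr, _, val = line.partition(":")
        if val.startswith(":"):              # "attr:: <base64 value>"
            val = base64.b64decode(val[1:]).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(val.strip())
    return entry

def parse_ldif(text):
    """Minimal LDIF reader: re-joins folded lines, splits records on blanks."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:     # trailing "" flushes last record
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # folded continuation line
        elif raw:
            lines.append(raw)
        elif lines:
            entries.append(_to_entry(lines))
            lines = []
    return entries

def classify_password(value):
    """Return the hash scheme tag (upper-cased) or 'CLEARTEXT'."""
    tag = value.split("}", 1)[0].upper() + "}" if value.startswith("{") else ""
    return tag if tag in HASHED_SCHEMES else "CLEARTEXT"

def find_cleartext_passwords(ldif_text):
    """uids whose stored userPassword carries no recognised hash scheme."""
    return [e["uid"][0] for e in parse_ldif(ldif_text)
            if any(classify_password(p) == "CLEARTEXT"
                   for p in e.get("userPassword", []))]
```

Run it against a real export with `ldapsearch -LLL ... userPassword` piped to a file; any uid it reports should have its password reset so the server stores the hashed form.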
Several commenters who claim to know the details of the box that was hacked claim the owner CHANGED many of the current components (including having a bootable LINUX partition) and dropped back to some that had not been patched to fix vulnerabilities. They have stated categorically that the Mac Mini was NOT a standard, default installation. I wonder if this app might have been one he dropped back on. The owner of the box, on his website, states:
"It (his Mac Mini) runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP."
From this, I infer that he has replaced Apple's own selected UNIX software with "decent" versions. "Fink" is an app that allows UNIX programs to run under OS X. Just as obviously, the target Mac Mini WAS NOT a default installation as claimed.
This guy claims to have set up an "LDAP server" and then linked it to the Mac's naming and authentication services... but did he run them through Inspector? Where did he get his LDAP (there are some non-Apple versions available for OS X)? Since he has installed (by his own words) a "decent version" of Apache... then it is reasonable to conclude that the LDAP server is the one built into THAT "decent version" of Apache and not the one Apple provided which uses Apple's Workgroup Manager and Apple's Inspector.
There were Kerberos vulnerabilities a couple of years ago that allowed user escalation... and OpenLDAP works with Kerberos... IS this one he dropped back on? Too many questions.

Note the Windows programming books...
People like this just need to be taken out and shot. It's a sick way to get your childish kicks.