Lion + LDAP = Authentication Bypass
Around a month ago, Mac OS X Lion (10.7) was found to have a fairly severe vulnerability when configured to use an LDAP server for authentication. In such a configuration, the system accepts any username or password upon login. This affects not only the graphical login screen but also remote logins such as SSH. This issue does not affect normal Lion users who haven’t set up an LDAP server.
Details of the issue aren’t well known, and as much as I’d like to reproduce the issue, I’m too lazy to set up an LDAP server to do it. My guess is that OS X queries the LDAP server, but a bug in the authentication and authorization code makes it so that the user is granted access regardless of whether a login failure is received from the server. I’ve heard reports that it’s possible to log in using any non-existent username (with some errors about invalid home directories), but then it begs the question: who do you end up logged in as, and what privileges do you have? If you log in with a known username, then you get access in the context of that user. I can’t say for certain, but this vulnerability should not allow a user using an invalid password to gain access to network resources that rely on that user’s authentication credentials, just the local system.
Apple hasn’t yet acknowledged the issue as far as I know, and it’s surprising that no patch was issued with 10.7.1. Perhaps a fix will come in the form of a security update, or the upcoming 10.7.2 update. In the meantime, consider disabling LDAP authentication on Lion systems to prevent unauthorised access.
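The guess above describes a classic fail-open check: the directory bind is performed, but its result never gates the decision. The following is an added illustration of that bug class and its fail-closed counterpart; it is not Apple's code or a reproduction of the Lion issue. The LDAP server is replaced by a constructed in-memory dictionary (FAKE_DIRECTORY), the bind function is a stand-in, and the fail-closed version goes one step beyond the post by also refusing empty passwords, since an LDAP simple bind with a name and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many servers report as success.

```python
"""Fail-open vs fail-closed directory authentication (constructed example).

No network, no real LDAP library and no Apple code: a dict stands in for the
directory server so the control-flow bug can be seen in isolation.
"""
from enum import Enum


class BindResult(Enum):
    """Subset of LDAP resultCode values (RFC 4511)."""
    SUCCESS = 0
    NO_SUCH_OBJECT = 32
    INVALID_CREDENTIALS = 49


# Constructed sample directory: username -> password. Hypothetical data.
FAKE_DIRECTORY = {
    "alice": "correct-horse-battery-staple",
    "bob": "hunter2",
}


def simple_bind(username: str, password: str) -> BindResult:
    """Stand-in for an LDAP simple bind: report how the server would answer."""
    if username not in FAKE_DIRECTORY:
        return BindResult.NO_SUCH_OBJECT
    if password != FAKE_DIRECTORY[username]:
        return BindResult.INVALID_CREDENTIALS
    return BindResult.SUCCESS


def login_fail_open(username: str, password: str) -> bool:
    """Models the suspected bug: the bind happens, but its result is discarded,
    so every username/password pair (even a non-existent user) is accepted."""
    simple_bind(username, password)  # result never inspected
    return True


def login_fail_closed(username: str, password: str) -> bool:
    """Correct behaviour: deny unless the server explicitly reports SUCCESS.

    The empty-password check is the extra caveat: with an empty password a
    simple bind is 'unauthenticated' per RFC 4513 and often returns SUCCESS,
    so it must never be treated as proof of identity.
    """
    if not password:
        return False
    return simple_bind(username, password) is BindResult.SUCCESS


# Constructed probe set a defender might run against an authenticator to
# confirm it fails closed. Each entry: case name -> (username, password).
PROBES = {
    "valid":        ("alice", "correct-horse-battery-staple"),
    "wrong_pw":     ("alice", "wrong"),
    "empty_pw":     ("bob", ""),
    "ghost_user":   ("ghost", "anything"),
}


def audit(login) -> dict:
    """Run every probe through a login function and collect its decisions."""
    return {name: login(user, pw) for name, (user, pw) in PROBES.items()}


if __name__ == "__main__":
    for name, fn in (("fail-open", login_fail_open),
                     ("fail-closed", login_fail_closed)):
        print(name, audit(fn))
```

Only the "valid" probe should ever yield True; the fail-open variant returns True for all four, which is exactly the symptom reported for Lion (any credentials, including a non-existent user, get a session).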
WWDC 2011 Reaction: Lion, iOS 5 and iCloud
I’ve been following Apple for pretty much my whole life, and I like to think that I have a good feel for how the company is going to behave. Every so often they actually manage to surprise me a little, which is always nice, and WWDC 2011 managed to do that. First off, it was nice to see Steve back in action, particularly as all the stuff he announced is essentially what he had been dreaming about and predicted as the future of technology back in WWDC ’97! Secondly, although it may not seem like it, this WWDC was different, and in my opinion is the starting point for something fairly major, both for Apple and the future of the way we use technology in general.
I don’t want this to be a long protracted post about what was announced, but here is a short recap.
Apple Announces Mac OS X Lion (10.7), Invites Security Researchers, and My First Impressions
On Thursday 24th February (Happy Birthday Steve), Apple released long-awaited updates to their MacBook Pro family, as well as a Developer Preview of Mac OS X 10.7, codenamed “Lion”. Now while new hardware is cool, I tend to be far more excited by Apple’s OS releases. I’ve been lucky enough to play with Lion, and while there are a few bugs (I’ve submitted bug reports), the new features and interface tweaks are already looking pretty good.
The interface is now a lot snappier, with a bit less time spent on ‘fading’ animations. I also get the impression that there have been improvements to the networking framework, as network activity seemed a bit faster than on my 10.6 box. Lion also now runs everything, including the kernel, in 64-bit mode by default. This would explain some of the speed improvements.
Hit the jump for key features, and security details.