You are here

T-721:Mac OS X Directory Services Lets Local Users View User Password Hashes

September 20, 2011 - 8:45am

Addthis

PROBLEM:

Mac OS X Directory Services Lets Local Users View User Password Hashes.

PLATFORM:

Mac OS X Lion (10.7)

ABSTRACT:

A local user can view user password hashes.

reference LINKS:

SecurityTracker Alert ID: 1026067
Apple Support Downloads
Apple Security Updates
Apple OS X Lion v10.7.1 Update

IMPACT ASSESSMENT:

Medium

Discussion:

A vulnerability was reported in Mac OS X. A local user can view user password hashes. A local user can invoke the following Directory Services command line command to view the password hash for the target user: dscl localhost -read /Search/Users/[target user] A local user can change their password without entering the current password using the following Directory Services command line command: dscl localhost -passwd /Search/Users/[current user]

Impact:

A local user can view user password hashes.

Solution:

No solution was available at the time of this entry.
Thunderbolt Software Update (OS X Lion)
Mac OS X 10.6.8 Update Combo v1.1

Addthis