OSVDB ID: 19710

Title: Apple Mac OS X SecurityAgent "Switch User..." Arbitrary Account Authentication Bypass

Dates

Disclosure: Sep 20, 2005
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Mac OS X contains a flaw that may allow a malicious user to gain unauthorized access to a locked desktop. The issue is triggered when the "Switch User..." button appears in the screensaver Unlock Dialog, even with Fast User Switching disabled. The flaw may allow the currently logged-in user's desktop to be displayed without a password, resulting in a loss of confidentiality and/or integrity.

Classification

Location: Local Access Required
Attack Type: Authentication Management, Misconfiguration
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch (Security Update 2005-008) to address this vulnerability.

Products

Apple Inc.

Mac OS X

10.4
10.4.1
10.4.2

References

Credit

  • Luke Fowler - Indiana University Global Research Network Operations Center


Direct URL: http://osvdb.org/19710