Title: Apple Mac OS X SecurityAgent "Switch User..." Arbitrary Account Authentication Bypass
Info
Dates
Disclosure: Sep 20, 2005
Discovery: Unknown
Exploit: Unknown
Solution: Unknown
Description
Mac OS X contains a flaw that may allow a malicious user to gain unauthorized access to a locked desktop. The issue is triggered when the "Switch User..." button appears in the screensaver Unlock Dialog, even with Fast User Switching disabled. The flaw may allow the currently logged-in user's desktop to be displayed without a password, resulting in a loss of confidentiality and/or integrity.
Classification
Location: Local Access Required
Attack Type: Authentication Management, Misconfiguration
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
Solution
Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch (Security Update 2005-008) that addresses this vulnerability.