View Full Version : OSX 10.6 exploit?



Deimos
11-03-2011, 11:01 AM
Does anyone know of an exploit in OSX that would allow a non admin user to delete the local accounts on the machine?

Erayd
11-03-2011, 11:21 AM
Yes; a local privilege escalation exploit could easily achieve this.

Deimos
11-03-2011, 11:43 AM
OK, I'm trying to find out how a student could do this without knowing it, such as a virus or something, I'm scanning his hard drive for viruses...

Erayd
11-03-2011, 02:09 PM
Unlikely that it's a virus - I would be looking at either the student, or a semi-technical friend of that student, or a sysadmin who did something stupid.

Can you provide a bit more context?

Deimos
11-03-2011, 02:43 PM
I look after a school campus with a lot of Macs, I use Apple Remote Desktop to look after them, I noticed that a few machines occasionally came up with "Access denied". I eventually traced it back to one particular student (he was the only person who had logged in to all of the affected computers).

We have an active directory back end, all students have an account in AD which the lab machines authenticate off, student accounts only have user level permissions.

There is no firmware password, so potentially anyone with the appropriate knowledge could reset the admin password but it has not been a problem thus far.

The problem with this particular student is, machines that he has used have had the local user accounts deleted (we have 2 local accounts on the machines, one for just in case the network is down, and the other is the admin account).

I have his hard drive at the moment and I'm scanning it for viruses, I suspect that he is full of crap though (that it is happening without his knowledge).

Deimos
11-03-2011, 04:07 PM
Sophos (for Mac) turned up nothing.

8ftmetalhaed
11-03-2011, 04:16 PM
At Rutherford there was one student who used to reinstall Windows XP on some computers, and also got into the server using Linux and changed the school's intranet splashpage to a paint penis, then a smiley face because the server wasn't password protected.

It was hilarious, I watched it happening (f5 f5 f5) and then had a word with him afterwards.
Can't say I condone what he did, but the admin was just such an ass.

But yeah it does happen, students with knowledge either get bored and do it for no reason too, so I'm guessing you're right in that he's being a douche and is either bored or is feeling the restrictions.

Speedy Gonzales
11-03-2011, 05:15 PM
Safari was hacked on 10.6, @ Pwn2Own the other day. So, anything is possible.

icow
11-03-2011, 07:53 PM
By deleting a few XML files you can easily get into the accounts pref pane even if it is locked. I'll try to break into an admin account and post the results.

icow
11-03-2011, 08:09 PM
I was able to create a new admin account without touching the original admin account. This would allow you to have full access to the other accounts and then delete your old account/original admin account.

Deimos
11-03-2011, 10:31 PM
Can you PM me how you did it? I would like to try it at work.