CVE-1999-1193

Source: cve@mitre.org

Severity: HIGH
Base Score: 10.0
Published: May 14, 1991 at 04:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root.

CVSS Metrics

Base Score
10.0
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

NeXTSTEP versions 2.1 and earlier are vulnerable to privilege escalation. The default configuration makes the 'me' user a member of the 'wheel' group, allowing that user to run the su command and gain root access; this compromises the entire system and can lead to complete takeover and data exfiltration.

02 // Vulnerability Mechanism

Step 1 (User Login): The attacker gains access to a NeXTSTEP system as the 'me' user, either through physical access, compromised credentials, or other means.

Step 2 (Privilege Escalation): The attacker executes the su command, typically without providing a password, since the 'me' user is a member of the 'wheel' group.

Step 3 (Root Access Granted): The su command successfully elevates the attacker's privileges to root, granting them full control over the system.

Step 4 (System Compromise): The attacker, now with root privileges, can execute arbitrary commands, modify system files, install malware, and access sensitive data.

03 // Deep Technical Analysis

The vulnerability stems from a flawed default configuration in NeXTSTEP. The 'me' user, typically created during system installation, is automatically made a member of the 'wheel' group, the privileged group conventionally used to grant administrative access. In the default configuration, the su (switch user) command lets a member of 'wheel' elevate to root without requiring a password, so standard authentication is bypassed and the system's most sensitive resources become reachable from an ordinary login. The root cause is therefore twofold: the incorrect assignment of 'me' to 'wheel', and su's default of not requiring a password from wheel group members. There is no code-level flaw such as a buffer overflow or race condition; this is a design flaw in the default security configuration.

04 // Exploitation Status

This vulnerability is a **Discovery Only** scenario. While the vulnerability is well-documented, the NeXTSTEP operating system is obsolete and no longer actively supported. Therefore, there is no active exploitation in modern environments.

05 // Threat Intelligence

This vulnerability is not associated with any specific APT groups or known malware campaigns in modern contexts due to the age of the affected system. CISA KEV status: Not Applicable.

06 // Detection & Hunting

  • Review system logs for su command usage by the 'me' user.

  • Monitor for any unauthorized modifications to system files or configurations.

  • Analyze user account configurations to identify 'me' user membership in the 'wheel' group.

  • Check for any unusual network traffic originating from the system, especially if it involves data exfiltration.

07 // Remediation & Hardening

  • If a NeXTSTEP system is still in use (highly unlikely), remove the 'me' user from the 'wheel' group.

  • Configure su to require a password for all users, regardless of group membership.

  • Implement strong password policies for all user accounts.

  • Regularly audit user account privileges and system configurations.

  • Isolate the system from the network to prevent remote access.
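The audit steps in section 06 and the group-membership fix in section 07, as an added example (not part of this advisory or of NeXTSTEP itself): a POSIX shell script that checks a group file for 'me' in 'wheel', counts su-to-root events by a given user in syslog-style su lines, and emits a corrected wheel record. It assumes classic /etc/group-format records and BSD-style su log messages; the group records and log lines below are constructed sample data.

```shell
#!/bin/sh
# Added example; not from the advisory or NeXTSTEP. Assumes classic /etc/group
# records and BSD-style su syslog lines. All sample data below is constructed.
SAMPLE_GROUP='wheel:*:0:root,me
daemon:*:1:daemon
staff:*:20:me,alice'

SAMPLE_SU_LOG='May 14 04:00:01 next su: me to root on /dev/ttyp0
May 14 04:05:12 next su: alice to root on /dev/ttyp1
May 14 04:07:30 next su: BAD SU alice to root on /dev/ttyp1'

# members_of GROUP CONTENT: print the comma-separated member field of GROUP.
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# user_in_group USER GROUP CONTENT: exit 0 iff USER is listed in GROUP.
user_in_group() {
    members_of "$2" "$3" | tr ',' '\n' | grep -qxF "$1"
}

# su_to_root_by USER LOG: count successful "USER to root" su events
# (the "BAD SU" failure lines do not match this pattern).
su_to_root_by() {
    printf '%s\n' "$2" | grep -c "su: $1 to root" || true
}

# remove_from_group USER GROUP CONTENT: print CONTENT with USER dropped
# from GROUP's member list (the hardening step from section 07).
remove_from_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" 'BEGIN { OFS = ":" }
        $1 == g {
            n = split($4, m, ","); out = ""
            for (i = 1; i <= n; i++)
                if (m[i] != u) out = out (out == "" ? "" : ",") m[i]
            $4 = out
        }
        { print }'
}

# Stand-alone demo: audit the sample and show the hardened wheel record.
if user_in_group me wheel "$SAMPLE_GROUP"; then
    echo "FINDING: 'me' is in wheel; su-to-root events by me: $(su_to_root_by me "$SAMPLE_SU_LOG")"
    echo "hardened: $(remove_from_group me wheel "$SAMPLE_GROUP" | grep '^wheel:')"
fi
```

On a live system the same functions take `$(cat /etc/group)` and the su entries from the system log in place of the constructed samples.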

08 // Affected Products

NeXTSTEP 2.1 and earlier