BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges.
CVE-1999-1198 exposes a critical vulnerability in NeXT systems, allowing local users to escalate privileges to root without authentication. This flaw in the BuildDisk program bypasses the root password prompt, enabling unauthorized modification of system files and complete system compromise. This vulnerability, while old, highlights the importance of proper authentication and privilege separation in operating systems.
Step 1: Local Access: An attacker gains local access to a NeXT system running a vulnerable version of the operating system. This could be through physical access, compromised user accounts, or other local exploits.
Step 2: Program Execution: The attacker executes the BuildDisk program. Because of the vulnerability, the program does not prompt for the root password.
Step 3: Privilege Escalation: The BuildDisk program, running with root privileges, performs actions that modify system files or configurations. This could include creating new accounts with root privileges, modifying system binaries, or installing backdoors.
Step 4: System Compromise: The attacker now has root access and can fully control the compromised system.
The root cause of CVE-1999-1198 lies in the BuildDisk program's failure to properly authenticate users before performing privileged operations. Specifically, the program does not require the root password when invoked, allowing any local user to execute its functions with root privileges. This is a simple privilege escalation vulnerability due to a lack of security checks. The program likely uses system calls or libraries that, when executed without proper authorization, allow for modification of critical system files, ultimately leading to complete system control. The absence of a password prompt is the direct result of a design flaw, not a complex technical issue like a buffer overflow or race condition.