MacOS High Sierra Bug Allows Login As Root With No Password (theregister.co.uk) 237

An anonymous reader quotes a report from The Register: A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug is triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings. If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen. The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended until you can fix the problem. And while obviously this situation is not the end of the world -- it's certainly far from a remote hole or a disk decryption technique -- it's just really, really sad to see megabucks Apple drop the ball like this. Developer Lemi Orhan Ergan was the first to alert the world to the flaw. The Register notes: "If you have a root account enabled and a password for it set, the blank password trick will not work. So, keep the account enabled and set a root password right now..."

  • by x0ra ( 1249540 ) on Tuesday November 28, 2017 @05:17PM (#55639589)
    is "courage" to go beyond the heteronormative system of power and privileges. Why would you require privileges in a progressist society where everybody is equal.

    USER LIVES MATTER!
    • So you're saying this is revolutionary?

    • fwiw, the OS X spell-check was at some point the only major OS-native spell-check which recognized "misandry" as a word. (yeah, i know it's a joke, i just thought it was interesting.)

  • Set the root password to something long and hard to guess (32 chars of mixed-case alphanumeric should do). Do this by running as an administrator:

    sudo passwd -u root

    This should do until Apple releases a real fix.

    Source [twitter.com]

    • ...but make sure you write down that 32 character password since you won't be able to sudo without it!

      Just curious what this will break...

      • sudo uses your user password...
        • by MAXOMENOS ( 9802 )
          Meaning, you can always change the root password if you forget it later. (Or, if you REALLY want, you can keep it in a password manager like KeePass or PasswdSafe.)
          • Well, yes, but I was actually pointing out that you don't need the root password at all. That's the whole point of sudo.
  • Why/how though? (Score:5, Interesting)

    by Xuranova ( 160813 ) on Tuesday November 28, 2017 @05:33PM (#55639727)

    I can understand if it let you in after hitting enter once, because then it's just ignoring something. If it denies entry the first few times and then lets you in, what do the *nix gurus think is happening after the first few denials to have it change its 'mind'?

    • My educated guess from 20 years in computer security:

      The graphical UI it gives up after a few tries, which is reasonable. Unit tests tested that you can login that way and maybe tested that it gives up.

      Separately, on the underlying Unix side they may have tested that part well - if you enter a correct password you get in, an incorrect password doesn't get you in.

      In Integration testing UI designers made sure it WORKS - you can log in that way. They didn't test crazy shit like entering a million-character pas

    • by AmiMoJo ( 196126 )

      My guess would be a flaw in the logic that handles several failures in a row. Maybe they tried to put some rate limiting in or something like that, but accidentally proceeded with logging in at that account instead.

      That would be somewhat similar to their GOTO FAIL bug from a while back. I really hope we get the full story because if it's the same thing again it strongly points to interference.

      I can understand if it let you in after hitting enter once, because then it's just ignoring something. If it denies entry the first few times and then lets you in, what do the *nix gurus think is happening after the first few denials to have it change its 'mind'?

      From my understanding, the first time it denies you access because there is no root account on the box. Once it fails to log you in, the OS is actually creating the root user. The second time it lets you log in with that user, which has no password. I've seen people say that if you do it on the login screen it immediately creates the account and lets you in without the failed password attempt.

  • by Anonymous Coward on Tuesday November 28, 2017 @05:35PM (#55639753)

    https://forums.developer.apple.com/thread/79235

    'course, this post may not have been reported directly to security folks. it was something that they should have found while monitoring the beta forums, though.

    • by Ecuador ( 740021 )

      This is very funny, he actually found the biggest user escalation exploit in recent memory and he just nonchalantly posts it as an answer to a thread about someone who had his admin accounts turned to standard, with his only comment being "Solution 2 worked for me. No idea how or why. Hope this helps.".

      Unless he did not stumble upon it, but read it elsewhere and that is why he is so "business as usual"...

    • by mjwx ( 966435 )

      https://forums.developer.apple.com/thread/79235

      'course, this post may not have been reported directly to security folks. it was something that they should have found while monitoring the beta forums, though.

      This is something that should have been found before even going to beta.

      I mean we don't even expect this kind of dimwittery from Microsoft any more.

      Mac... its more secure than PC (unless you try to test it).

  • I submitted this a couple hours before it was posted on the front page. Why does it say an anonymous reader posted it? https://slashdot.org/submissio... [slashdot.org]
  • Tried it on three different machines, both from admin and non-admin accounts. All running 10.13.2 Beta (17C83a).

    -jcr

  • by 140Mandak262Jamuna ( 970587 ) on Tuesday November 28, 2017 @06:36PM (#55640299) Journal
    ... will a rogue password work?

    Seriously, any one who knows a bit about unix will enable the root account and set a fairly strong password.

    It is only the "Its Apple! Its immune to hacks!! Its got the ultimate security!!!" fanbois who will be affected.

    • It is only the "Its Apple! Its immune to hacks!! Its got the ultimate security!!!" fanbois who will be affected.

      Careful, I recently got into a week long flamewar with phayes by mentioning that such people exist. You don't want to trigger that raving lunatic, trust me.

  • so it's not exactly "far from a remote hole or a disk decryption technique" as the post suggests. If Screen Sharing is turned on, it allows remote login; if you have access physically or via Screen Sharing, you can use it to turn off FileVault. So it's potentially both a remote hole AND a disk decryption technique. "sudo passwd -u root" now if you hadn't already reset the root password!

  • did not enable root and set a hard to guess password?

    I mean, come on, a lawyer, designer, doctor, writer or grandma with a mac, I can understand that is actually BETTER for them to have no root account by default. No disrespect, maybe you Lawyer/designer/writer/doctor/grandma are ultra smart in your field (and perhaps many more). And I am sure you know way more about your field than I'll ever be....

    But Slashdot has a big proportion of programmers, computer scientists, and EETREs (Electrical/Electronic

  • With it not being in the subsequent beta release and no other previous releases, I'm guessing it's a back door intended for Q/A purposes that was accidentally left in the code.

    • Correction?: I see one comment claiming it works in 13.2 and a couple claiming that it only works in 13.1

    • by Lorens ( 597774 )

      It seems as if it's a logic bug when upgrading the password store. The store is upgraded with the password entered. I think the reasoning behind the code may have stemmed from the fact that to upgrade a password hash to a more secure hash, you wait for the user to enter their password so that you can hash it with the new hash function... but that's not a reason to enable accounts that are disabled, or to update the hash if the provided one doesn't match. See https://objective-see.com/blog... [objective-see.com]
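The "verify, then upgrade the password store" logic the comment above describes, modelled as an added example. This is illustration code written for this page, not Apple's opendirectoryd implementation (which the thread only describes second-hand); the Account record, the legacy-SHA-1 and salted-PBKDF2 hash formats, and the iteration count are assumptions of the model. The vulnerable variant writes the caller's password into the record whenever no modern hash exists, and reproduces the sequence commenters report: the first blank-password attempt against root fails, the second succeeds. The hardened variant beside it refuses disabled or credential-less accounts outright and rehashes only after the old hash has verified.

```python
"""Verify-with-upgrade logic modelled two ways: as the thread describes the bug, and hardened.

Added illustration only; the names, hash formats and iteration count are assumptions,
not Apple's opendirectoryd implementation.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, List, Optional

PBKDF2_ITERATIONS = 50_000  # assumption: cost parameter for the 'modern' hash format


@dataclass
class Account:
    name: str
    enabled: bool = False                   # macOS ships root disabled
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    legacy_sha1: Optional[bytes] = None     # old unsalted format awaiting upgrade
    pbkdf2: Optional[bytes] = None          # current salted format; None means no credential


def _modern_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)


def _legacy_matches(acct: Account, password: str) -> bool:
    if acct.legacy_sha1 is None:
        return False
    return hmac.compare_digest(acct.legacy_sha1, hashlib.sha1(password.encode()).digest())


def _modern_matches(acct: Account, password: str) -> bool:
    if acct.pbkdf2 is None:
        return False
    return hmac.compare_digest(acct.pbkdf2, _modern_hash(password, acct.salt))


def verify_vulnerable(acct: Account, password: str) -> bool:
    """Upgrade path that trusts the caller's password whenever no modern hash exists."""
    if acct.pbkdf2 is not None:
        return acct.enabled and _modern_matches(acct, password)
    ok = _legacy_matches(acct, password)
    # BUG 1: the upgrade runs even when there was no legacy hash to check against,
    #        so a credential-less account gets the caller's password written in.
    # BUG 2: it runs even when the legacy check failed, so a wrong guess replaces
    #        the real password.
    # BUG 3: it flips 'enabled' on, re-activating a deliberately disabled account.
    acct.pbkdf2 = _modern_hash(password, acct.salt)
    acct.legacy_sha1 = None
    acct.enabled = True
    return ok


def verify_hardened(acct: Account, password: str) -> bool:
    """Deny disabled or credential-less accounts; rehash only after the old hash verified."""
    if not acct.enabled:
        return False
    if acct.pbkdf2 is not None:
        return _modern_matches(acct, password)
    if acct.legacy_sha1 is None:
        return False                # nothing on record can match; never mint a credential
    if not _legacy_matches(acct, password):
        return False                # wrong password: the record stays untouched
    acct.pbkdf2 = _modern_hash(password, acct.salt)   # upgrade only after success
    acct.legacy_sha1 = None
    return True


def legacy_user(name: str, password: str) -> Account:
    """Constructed sample: an enabled account still carrying the old hash format."""
    acct = Account(name, enabled=True)
    acct.legacy_sha1 = hashlib.sha1(password.encode()).digest()
    return acct


def blank_root_attempts(verify: Callable[[Account, str], bool], tries: int = 2) -> List[bool]:
    """Replay the reported attack: empty password against a disabled, credential-less root."""
    root = Account("root")
    return [verify(root, "") for _ in range(tries)]


if __name__ == "__main__":
    print("vulnerable:", blank_root_attempts(verify_vulnerable))  # [False, True]
    print("hardened:  ", blank_root_attempts(verify_hardened))    # [False, False]
```

The point of the model is that the "fails first, then lets you in" sequence asked about earlier in the thread does not need a rate limiter or a retry counter to explain it: a single write of unverified state on the first attempt is enough, and the second attempt then verifies against the state the attacker just created. The same path also lets a wrong guess against a legacy-format user overwrite that user's real password, which is why the hardened version touches the record only after a successful check.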

  • Who doesn't set a root password on a new computer?

    • by ecbpro ( 919207 )
      I did not and I managed to reproduce the bug. Why should I set a password for an account that does not exist on my machine? That doesn't make any sense. In this case the bug results in the creation of the root user! How is it possible that a normal user on a *NIX machine can create a root user with admin rights? This may actually point to a deeper problem...
    • by nawcom ( 941663 )
      People running OSes that come with the root account disabled. Having the root account disabled is being used as a security feature. Ubuntu follows the similar practice of disabling the root account by default, and there is no password set there either. You can of course enable it if you want but most people don't, as disabling the root account and limiting superuser actions to sudo isn't a bad idea at all. The fact that in 10.13 you're able to re-enable the root account by trying to use it with a blank pass
  • by paulpach ( 798828 ) on Wednesday November 29, 2017 @08:18AM (#55642953)

    I propose we give this bug a name: Superuser Login Absent Password, or SLAP for short.
