Pro tip: You can log into macOS High Sierra as root with no password

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug can be triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff …


  1. Anonymous Coward

    Big Christmas bonus for the person who found the photograph to accompany this article :-)

    1. tfewster
      Facepalm

      Appropriate on another level too: She's saying "It's a UNIX system, I know this!"

      1. William Towle
        Pirate

        "How do you create a really secure password?"

        1. bombastic bob Silver badge
          Devil

          "How do you create a really secure password?"

          Having forked FBSD's userland, it should be possible to create a random root password with command line tools (like 'pw') assuming those tools exist on a mac...

          then you can just do the 'sudo su' trick when you want to do things as 'root' for a while...

    2. el kabong

      Siri found it.

    3. Brewster's Angle Grinder Silver badge

      I think you'll find they're the devs writing the relevant code.

      1. AlbertH

        Tee Hee

        There are kiddies in every Apple store getting Admin rights and typing rm - rf just to see what happens!

    4. Hans 1
      FAIL

      Big Christmas bonus for the person who found the photograph to accompany this article :-)

      Indeed, have an upvote. (I was 100th)

      As for the blunder, this is Windows-like security.

      Cupertino, stop hiring devs from Redmond, they know jack-shit about coding, have never heard of tests, let alone unit tests .... crikey, this vuln is EPIC.

      How Apple get away with this, I dunno !

  2. Grease Monkey Silver badge

    Hang on, where are all the fanbois telling us this isn't really a vulnerability?

    1. Michael B.

      They won't, they will point to Windows and engage in Whataboutery.

    2. Anonymous Coward

      How worse than Single User Mode?

      I'm no fanboi, but usually physical access is enough to set the root password on *nix. Root passwords get forgotten like other passwords, after all.

      Is it exploitable over a remote desktop connection? That would be worse.

      It does raise serious questions about basic quality control, nevertheless.

      1. Anonymous Coward

        Re: How worse than Single User Mode?

        That's why a lot of distros prefer the "sudo" approach. You never actually log in as root, you just temporarily give the account root permissions...just long enough to run that one command, then you go back to a standard user.

        1. Doctor Syntax Silver badge

          Re: How worse than Single User Mode?

          "That's why a lot of distros prefer the "sudo" approach. You never actually log in as root, you just temporarily give the account root permissions...just long enough to run that one command, then you go back to a standard user."

          I'm not an Apple user but from the account it seems as if this is how macOS has been supposed to work. It hasn't turned out well here.

          I'm old fashioned enough never to have been a fan of sudo. It's always struck me as being an additional attack surface. I suppose it's more convenient than having multiple admin IDs with access to restricted subsets of root functionality such as bin to own system S/W & lpadmin to administer printers & the like but convenience and security don't often mix too well.

          1. bombastic bob Silver badge
            Meh

            Re: How worse than Single User Mode?

            "I'm old fashioned enough never to have been a fan of sudo"

            well, if you configure sudo the way a BOFH would, you can lock out anything that's truly "dangerous" and require actually logging in as root for such things.

            but most distros that have sudo simply allow any authenticated user to enter his own password to do "whatever he wants" with root credentials. It's convenient, yeah.

      2. John H Woods Silver badge

        Re: How worse than Single User Mode?

        Physical access to the system is different from "terminal" access. Try getting root access on a well-configured Linux system using just the keyboard and the mouse. If you've got physical access to the box, however, you have everything except the content of encrypted drives.

        Although presumably one could splice a wired KB or Mouse to connect a USB storage device and boot from that?

      3. Anonymous Coward

        Re: How worse than Single User Mode?

        Er, because it bypassed FileVault for all users? You don't get access to an encrypted volume in Linux in single-user mode.

      4. Anonymous Coward

        Re: How worse than Single User Mode?

        "Is it exploitable over a remote desktop connection? That would be worse."

        Check again. It *IS* exploitable over a RDC!

      5. Wensleydale Cheese
        Unhappy

        Re: How worse than Single User Mode?

        "Is it exploitable over a remote desktop connection? That would be worse."

        Yes.

        I am running a headless Mac mini here, connected via Screen Sharing using an unprivileged username/password, and logged into a non-privileged account.

        I didn't test the main login screen, but the exploit using Preferences > Users and Groups > Unlock worked as described in the article.

        1. Wensleydale Cheese

          Re: How worse than Single User Mode?

          "I am running a headless Mac mini here, connected via Screen Sharing using an unprivileged username/password, and logged into a non-privileged account."

          Having said the above, when you enable Remote Desktop access, you can restrict the functions available to the remote user. This is done on the target computer via System Preferences > Sharing > Remote Management > Options

      6. bazza Silver badge

        Re: How worse than Single User Mode?

        Is it exploitable over a remote desktop connection? That would be worse.

        According to the update to the article it can be done on the command line too. So not vulnerable to a remote attack unless the perpetrator can get something run on the computer first (malicious but otherwise innocuous app, etc). Phishing attack might open up the doors for that.

        I have to say that between Apple and Intel we're seeing some stinking cock ups in recent times. It's almost funny. All we need now is for Windows or Linux to join in and we may as well throw every single computer in the planet into the bin. Apart from the ones running Solaris.

        1. 404

          Re: How worse than Single User Mode?

          Don't tempt me, I still have some Solaris x86 install software laying around...

      7. d3vy

        Re: How worse than Single User Mode?

        "Is it exploitable over a remote desktop connection? That would be worse."

        Yes.

        RTFA

      8. dlxMachine

        Re: How worse than Single User Mode?

        Can we login without password on any linux distro from login screen? It is the case here.

        1. Chemist

          Re: How worse than Single User Mode?

          "Can we login without password on any linux distro from login screen? It is the case here."

          Good of you to join to ask that question!

          The answer (for all the ones I use) is NO

      9. bombastic bob Silver badge
        Devil

        Re: How worse than Single User Mode?

        "but usually physical access is enough to set the root password on *nix."

        not entirely true. On FreeBSD, at least, it is possible to require the root password for single-user mode by specifying that the console is 'insecure'. And, Shirley, you COULD also boot a "live CD" (assuming that hasn't been locked out) or "live USB" image, and then mount the hard drive's root partition and do a password reset THAT way (jumping through necessary hoops to do so via the command line) but you can do this in Windows as well.

        Or, if you're really desperate, remove the hard drive and plug it into a different computer that has the correct utilities on it for a password reset.

        (I'd much rather make miscreants go through that last step)

    3. Daniel B.
      Boffin

      OSX user here, and it's a vulnerability. It's probably somewhat mitigated in the sense that setting a password for root plugs the hole, but it's still an embarrassment. Not sure if it's remotely exploitable, which would be bad. If it allows for su - without a password, it's probably bad, but it would still require someone to log in with a valid username/password before exploiting it.

      If someone already has physical access to the system, there are larger issues at hand.

    4. kain preacher

      Would you have root in linux with no password ? Would you have windows account with admin rights but no password ?

      1. handleoclast

        Linux root p/w

        @kain preacher

        Would you have root in linux with no password ?

        Every Linux distro I've installed has asked you to set a root p/w. Never checked if you can leave it blank during install. Even if you can't leave it blank at that stage, it's possible to set a null p/w later. Either way, if you end up with a null p/w for root, it's because you deliberately chose to have it that way. You can't have a null root p/w by accident, or simply by doing nothing as you install the system.

        And no, I wouldn't set a null root p/w deliberately. That would be crazy. I have a somewhat warped mind but I cannot conceive of any circumstance, no matter how bizarre, in which I would legitimately (no criminal intent) want a null root p/w (feel free to prove your mind is more warped than mine by coming up with one).

        I remember the time DEC persuaded me that remote diagnostics were a great idea and that I should have one of those new-fangled modem dooberries. They said I could ensure it would only pick up when I was around to allow them in (which was true). We gave it a try. They told me they couldn't get in with FIELD/SERVICE (those standard superuser accounts had their passwords changed as the very first thing I did on that box) and would I mind changing it back. I gave them a hell of a bollocking over that one. Got a free curry out of it by way of an apology. If they'd suggested I leave the p/w blank on the FIELD account I'd have nuked them from orbit. Null password for superuser accounts? No fucking way.

        1. chuckufarley Silver badge

          Re: Linux root p/w

          Why not just edit /etc/shadow and expire the root account from there? Sudo will still work and no system processes will fall over, but nobody and nothing will be able to log in as root until the expiration field is reset in /etc/shadow.

        2. fedoraman

          Re: Linux root p/w

          I used to be an operator on a DEC system (just a MicroVax II), I was amazed when I found out about the FIELD/SERVICE super user login. There was another one, <googles.....> Ah yes, SYSTEM and MANAGER. Ahh, those days at the Satellite Station!

        3. Anonymous Coward

          Re: Linux root p/w

          Not true, I'm a Linux sysadmin and none of the Ubuntu variants I've installed over the past 10 years have asked. You have to do this manually after install..

          1. handleoclast

            Re: Linux root p/w

            Not true, I'm a Linux sysadmin and none of the Ubuntu variants I've installed over the past 10 years have asked. You have to do this manually after install..

            From what I've read in other responses, root logins are disabled. So you still have to consciously choose to have a passwordless root login.

        4. Anonymous Coward

          Re: Linux root p/w

          If every Linux distribution you've installed has asked you for a root password then you've never installed Ubuntu.

        5. unimaginative

          Re: Linux root p/w

          The Debian installer lets you leave the root password blank, but if you do it disables root login and gives sudo to the non-root user you create during installation.

        6. This post has been deleted by its author

        7. arctic_haze

          Re: Linux root p/w

          I cannot conceive of any circumstance, no matter how bizarre, in which I would legitimately (no criminal intent) want a null root p/w (feel free to prove your mind is more warped than mine by coming up with one).

          The protagonist of the Martian movie could have had a null root password in his abandoned Martian base, at least until he regained some semblance of communication with the Earth.

      2. Doctor Syntax Silver badge

        "Would you have root in linux with no password ?"

        Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days.

        1. chuckufarley Silver badge

          "Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days."

          Is it that it has no password or that the password hash is set to an invalid value? It could be the former but I thought it was the latter.

          1. Anonymous Coward

            The password hash is '!' which is an invalid hash but also means the account is locked (anything starting with '!' means that).
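
The shadow-file states discussed in the comments above (an empty password field, a '!' lock marker, an expired account) can be told apart mechanically. The following is an added example, not part of the thread or the article: a small auditor for shadow(5)-format text, run here on constructed sample entries with placeholder hashes; the function names are hypothetical.

```python
import datetime

# Constructed sample in shadow(5) format; the hash strings are placeholders.
SAMPLE_SHADOW = """\
root:!:17497:0:99999:7:::
alice:$6$examplesalt$PLACEHOLDERHASH:17497:0:99999:7:::
backup:*:17497:0:99999:7:::
kiosk::17497:0:99999:7:::
olduser:$6$examplesalt$PLACEHOLDERHASH:17000:0:99999:7::17100:
"""

def days_since_epoch(day=None):
    """shadow(5) dates are whole days since 1970-01-01."""
    day = day or datetime.date.today()
    return (day - datetime.date(1970, 1, 1)).days

def password_state(field):
    """Classify field 2 of a shadow entry."""
    if field == "":
        return "empty"      # no password required: the state to hunt for
    if field.startswith("!"):
        return "locked"     # password locked; any text after '!' is the old hash
    if field.startswith("*"):
        return "nologin"    # no hash can ever match this value
    return "hash"

def audit(shadow_text, today=None):
    """Return (user, password_state, account_expired) for every entry."""
    today = days_since_epoch() if today is None else today
    report = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        expire = fields[7]  # field 8: account expiry in days since epoch, empty = never
        expired = expire != "" and today >= int(expire)
        report.append((fields[0], password_state(fields[1]), expired))
    return report

def passwordless_logins(shadow_text, today=None):
    """Accounts that have an empty password and are not expired."""
    return [u for u, state, expired in audit(shadow_text, today)
            if state == "empty" and not expired]

if __name__ == "__main__":
    for row in audit(SAMPLE_SHADOW, today=17500):
        print(*row)
    print("passwordless:", passwordless_logins(SAMPLE_SHADOW, today=17500))
```
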

          2. Charles 9

            "Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days."

            Wouldn't they have enough access under similar systems since the group that would include sudo'ers here would likely be the ones with significant group access otherwise? At least with sudo it's like UAC, the high-level access isn't on all the time.

            PS. sudo doesn't have to be root. You can sudo as other users, too, with their own access restrictions. Again, this creates a temporary privilege escalation, but one you can control better.

            PSS. The sudoers file is also how users can be restricted using sudo, even regarding the root privilege. So instead of it being an all-or-nothing thing like su, it can be turned into a tuned ACL.

          3. bombastic bob Silver badge
            Devil

            "Is it that it has no password or that the password hash is set to an invalid value?"

            I think it's assigned a random value, but a truly invalid hash would work the same way.

            'sudo su' works fine in Ubu if you need to log in as 'root'.

        2. Wensleydale Cheese

          "Ubuntu & derivatives."

          With you on that.

          The Debian distro for the Raspberry Pi allows passwordless sudo from the default account.

          1. smot

            "The Debian distro for the Raspberry Pi allows passwordless sudo from the default account."

            But every time you log in while it's set that way you get a reminder that you should change it. Gets quite annoying too, so you end up changing it just to get rid of the message.

    5. Anonymous Coward

      They are busy setting Root passwords...

      BTW a co-worker has just informed me this works on ARD (Apple Remote Desktop) as well, so this is potentially a remote root exploit for anyone with ARD turned on. Might be an issue for other network services, though the SSH default config will probably block that.

      1. Hckr

        Re: They are busy setting Root passwords...

        Oh fcuk...

        Apple is going to crapster. First the scam with faulty MBP, then getting rid of the earphone jack. This is the final step to bankrupcy.

        1. mrdalliard
          Headmaster

          Re: They are busy setting Root passwords...

          >>This is the final step to bankrupcy.

          I should very much doubt this is the final step to bankruptcy. You've seen how much money they have in the bank, right?

        2. Captain Scarlet
          Paris Hilton

          Re: They are busy setting Root passwords...

          "Oh fcuk...Apple is going to crapster. First the scam with faulty MBP, then getting rid of the earphone jack. This is the final step to bankrupcy."

          I assume this is missing a troll icon?

        3. This post has been deleted by its author

          1. Wisteela

            Re: They are busy setting Root passwords...

            Yep, with Apple, crap sells.

          2. Joe Gurman

            Re: They are busy setting Root passwords...

            In the long-ago 1970s, I remember several proud Pinto owners (who couldn't afford to replace them) driving around with "Caution: Flammable" stickers on their rear bumpers.
