Big Christmas bonus for the person who found the photograph to accompany this article :-)
Pro tip: You can log into macOS High Sierra as root with no password
A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug can be triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff …
COMMENTS
-
Thursday 30th November 2017 08:58 GMT bombastic bob
"How do you create a really secure password?"
Having forked FBSD's userland, it should be possible to create a random root password with command line tools (like 'pw') assuming those tools exist on a mac...
then you can just do the 'sudo su' trick when you want to do things as 'root' for a while...
-
Wednesday 29th November 2017 19:16 GMT Hans 1
Big Christmas bonus for the person who found the photograph to accompany this article :-)
Indeed, have an upvote. (I was 100th)
As for the blunder, this is Windows-like security.
Cupertino, stop hiring devs from Redmond, they know jack-shit about coding, have never heard of tests, let alone unit tests .... crikey, this vuln is EPIC.
How Apple get away with this, I dunno !
-
Tuesday 28th November 2017 20:57 GMT Anonymous Coward
How worse than Single User Mode?
I'm no fanboi, but usually physical access is enough to set the root password on *nix. Root passwords get forgotten like other passwords, after all.
Is it exploitable over a remote desktop connection? That would be worse.
It does raise serious questions about basic quality control, nevertheless.
-
Tuesday 28th November 2017 23:00 GMT Doctor Syntax
Re: How worse than Single User Mode?
"That's why a lot of distros prefer the "sudo" approach. You never actually log in as root, you just temporarily give the account root permissions...just long enough to run that one command, then you go back to a standard user."
I'm not an Apple user but from the account it seems as if this is how macOS has been supposed to work. It hasn't turned out well here.
I'm old fashioned enough never to have been a fan of sudo. It's always struck me as being an additional attack surface. I suppose it's more convenient than having multiple admin IDs with access to restricted subsets of root functionality such as bin to own system S/W & lpadmin to administer printers & the like but convenience and security don't often mix too well.
-
Thursday 30th November 2017 09:12 GMT bombastic bob
Re: How worse than Single User Mode?
"I'm old fashioned enough never to have been a fan of sudo"
well, if you configure sudo the way a BOFH would, you can lock out anything that's truly "dangerous" and require actually logging in as root for such things.
but most distros that have sudo simply allow any authenticated user to enter his own password to do "whatever he wants" with root credentials. It's convenient, yeah.
-
Tuesday 28th November 2017 21:07 GMT John H Woods
Re: How worse than Single User Mode?
Physical access to the system is different from "terminal" access. Try getting root access on a well-configured Linux system using just the keyboard and the mouse. If you've got physical access to the box, however, you have everything except the content of encrypted drives.
Although presumably one could splice a wired KB or Mouse to connect a USB storage device and boot from that?
-
Tuesday 28th November 2017 22:53 GMT Wensleydale Cheese
Re: How worse than Single User Mode?
"Is it exploitable over a remote desktop connection? That would be worse."
Yes.
I am running a headless Mac mini here, connected via Screen Sharing using an unprivileged username/password, and logged into a non-privileged account.
I didn't test the main login screen, but the exploit using Preferences > Users and Groups > Unlock worked as described in the article.
-
Tuesday 28th November 2017 23:43 GMT Wensleydale Cheese
Re: How worse than Single User Mode?
"I am running a headless Mac mini here, connected via Screen Sharing using an unprivileged username/password, and logged into a non-privileged account."
Having said the above, when you enable Remote Desktop access, you can restrict the functions available to the remote user. This is done on the target computer via System Preferences > Sharing > Remote Management > Options
-
Wednesday 29th November 2017 07:17 GMT bazza
Re: How worse than Single User Mode?
"Is it exploitable over a remote desktop connection? That would be worse."
According to the update to the article it can be done on the command line too. So not vulnerable to a remote attack unless the perpetrator can get something run on the computer first (malicious but otherwise innocuous app, etc). Phishing attack might open up the doors for that.
I have to say that between Apple and Intel we're seeing some stinking cock ups in recent times. It's almost funny. All we need now is for Windows or Linux to join in and we may as well throw every single computer in the planet into the bin. Apart from the ones running Solaris.
-
Thursday 30th November 2017 09:07 GMT bombastic bob
Re: How worse than Single User Mode?
"but usually physical access is enough to set the root password on *nix."
not entirely true. On FreeBSD, at least, it is possible to require the root password for single-user mode by specifying that the console is 'insecure'. And, Shirley, you COULD also boot a "live CD" (assuming that hasn't been locked out) or "live USB" image, and then mount the hard drive's root partition and do a password reset THAT way (jumping through necessary hoops to do so via the command line) but you can do this in Windows as well.
Or, if you're really desperate, remove the hard drive and plug it into a different computer that has the correct utilities on it for a password reset.
(I'd much rather make miscreants go through that last step)
-
Tuesday 28th November 2017 21:50 GMT Daniel B.
OSX user here, and it's a vulnerability. It's probably somewhat mitigated in the sense that setting a password for root plugs the hole, but it's still an embarrassment. Not sure if it's remotely exploitable, which would be bad. If it allows for su - without a password, it's probably bad, but it would still require someone to log in with a valid username/password before exploiting it.
If someone already has physical access to the system, there are larger issues at hand.
-
Tuesday 28th November 2017 22:35 GMT handleoclast
Linux root p/w
@kain preacher
"Would you have root in linux with no password ?"
Every Linux distro I've installed has asked you to set a root p/w. Never checked if you can leave it blank during install. Even if you can't leave it blank at that stage, it's possible to set a null p/w later. Either way, if you end up with a null p/w for root, it's because you deliberately chose to have it that way. You can't have a null root p/w by accident, or simply by doing nothing as you install the system.
And no, I wouldn't set a null root p/w deliberately. That would be crazy. I have a somewhat warped mind but I cannot conceive of any circumstance, no matter how bizarre, in which I would legitimately (no criminal intent) want a null root p/w (feel free to prove your mind is more warped than mine by coming up with one).
I remember the time DEC persuaded me that remote diagnostics were a great idea and that I should have one of those new-fangled modem dooberries. They said I could ensure it would only pick up when I was around to allow them in (which was true). We gave it a try. They told me they couldn't get in with FIELD/SERVICE (those standard superuser accounts had their passwords changed as the very first thing I did on that box) and would I mind changing it back. I gave them a hell of a bollocking over that one. Got a free curry out of it by way of an apology. If they'd suggested I leave the p/w blank on the FIELD account I'd have nuked them from orbit. Null password for superuser accounts? No fucking way.
-
Wednesday 29th November 2017 14:08 GMT handleoclast
Re: Linux root p/w
"Not true, I'm a Linux sysadmin and none of the Ubuntu variants I've installed over the past 10 years have asked. You have to do this manually after install.."
From what I've read in other responses, root logins are disabled. So you still have to consciously choose to have a passwordless root login.
-
Wednesday 29th November 2017 12:57 GMT arctic_haze
Re: Linux root p/w
"I cannot conceive of any circumstance, no matter how bizarre, in which I would legitimately (no criminal intent) want a null root p/w (feel free to prove your mind is more warped than mine by coming up with one)."
The protagonist of the Martian movie could have had a null root password in his abandoned Martian base, at least until he regained some semblance of communication with the Earth.
-
Tuesday 28th November 2017 23:06 GMT Doctor Syntax
"Would you have root in linux with no password ?"
Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days.
-
Tuesday 28th November 2017 23:23 GMT chuckufarley
"Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days."
Is it that it has no password or that the password hash is set to an invalid value? It could be the former but I thought it was the latter.
-
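The distinction raised in the comment above (no password at all versus a password field that no hash can match), shown as an added example that is not part of any commenter's post: a short Python audit of shadow(5)-format entries. The sample lines, account names and hashes are constructed for illustration.

```python
import sys

# Constructed sample in /etc/shadow layout; names and hashes are made up.
SAMPLE_SHADOW = """\
root:!:17498:0:99999:7:::
toor::17498:0:99999:7:::
daemon:*:17498:0:99999:7:::
alice:$6$c29tZXNhbHQ$Zm9vYmFyZm9vYmFyZm9vYmFy:17498:0:99999:7:::
bob:!$6$c29tZXNhbHQ$Zm9vYmFyZm9vYmFyZm9vYmFy:17498:0:99999:7:::
"""

def classify(pw_field):
    """Map the second field of a shadow(5) line to a login state."""
    if pw_field == "":
        return "EMPTY"             # no password required to authenticate
    if pw_field[0] in "!*":
        # '!' or '*' alone can never match a hash; '!' + hash is a
        # password that existed and was then locked (e.g. passwd -l).
        return "LOCKED_WITH_HASH" if "$" in pw_field else "LOCKED"
    if pw_field.startswith("$"):
        return "HASHED"            # modular crypt hash, password login possible
    return "OTHER"                 # legacy or unrecognised format

def audit(text):
    """Return {account: state} for every well-formed line."""
    states = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue               # skip comments, blanks and malformed lines
        states[fields[0]] = classify(fields[1])
    return states

def empty_password_accounts(text):
    """Accounts that authenticate with no password: the state to alert on."""
    return [user for user, state in audit(text).items() if state == "EMPTY"]

if __name__ == "__main__":
    # With no argument the constructed sample is used; otherwise read the
    # given shadow-format file (reading the real one needs root).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, state in audit(text).items():
        print(f"{user:8} {state}")
    if empty_password_accounts(text):
        sys.exit(1)
```
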
Wednesday 29th November 2017 11:39 GMT Charles 9
"Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days."
Wouldn't they have enough access under similar systems since the group that would include sudo'ers here would likely be the ones with significant group access otherwise? At least with sudo it's like UAC, the high-level access isn't on all the time.
PS. sudo doesn't have to be root. You can sudo as other users, too, with their own access restrictions. Again, this creates a temporary privilege escalation, but one you can control better.
PSS. The sudoers file is also how users can be restricted using sudo, even regarding the root privilege. So instead of it being an all-or-nothing thing like su, it can be turned into a tuned ACL.
-
Tuesday 28th November 2017 22:48 GMT Anonymous Coward
They are busy setting Root passwords...
BTW a co-worker has just informed me this works on ARD (Apple Remote Desktop) as well, so this is potentially a remote root exploit for anyone with ARD turned on. Might be an issue for other network services, though the SSH default config will probably block that.
-