
[UNPATCHED] Major Apple security flaw grants admin access on macOS High Sierra without password

ItsMitch

Easy way to prevent this seems to be to have FileVault turned on. With this guest users can only access Safari. And they can't log in to your real account because you have a password on it with automatic locking. (:

As I see it this is only a problem if someone gets their hands on my computer turned on and logged in. And if I'm logged in someone could access all my stuff anyways.


Or do what Ubuntu is already doing and set the password during installation/setup?

 

Kinda creeps me out that some UNIX-based OSes don't use features Linux takes for granted.


15 hours ago, sof006 said:

Time to head to my nearest Apple store and cause some mischief :ph34r: 

Omg please do not tempt me lol


2 hours ago, Cheezdoodlez said:

Easy way to prevent this seems to be to have FileVault turned on. With this guest users can only access Safari. And they can't log in to your real account because you have a password on it with automatic locking. (:

As I see it this is only a problem if someone gets their hands on my computer turned on and logged in. And if I'm logged in someone could access all my stuff anyways.

Or they could install malicious software like a keylogger and easily get credentials for all your accounts from this forum to your bank.

And you wouldn't ever know. 


17 hours ago, SC2Mitch said:

Apple submitted a response to news outlets reporting the problem and issued the following:

You may want to update the OP. Here's a quick fix to the vulnerability as per CNET's article https://www.cnet.com/how-to/how-to-fix-the-macos-high-sierra-password-bug/ 

  • Click the Apple logo in the menu bar and select System Preferences (or search for it in Spotlight).
  • Click Users & Groups.
  • Click the padlock icon in the lower-left corner.
  • Enter the password for your username.
  • Click Login Options.
  • Click Join or Edit next to Network Account Server.
  • Click Open Directory Utility…
  • Click the padlock icon in the lower-left corner and enter your password once more.
  • In the menu bar, click Edit and select Enable Root User. If root user is already enabled, click Change Root Password…
  • Enter a secure password and enter it a second time to verify.
  • Click OK to finish.

Once you've set a root password, the exploit will no longer work. However, if you disable the root user before Apple issues a patch for High Sierra, it will cause the bug to work again.

Edited by hey_yo_


Just now, hey_yo_ said:

Here's a quick fix to the vulnerability as per CNET's article https://www.cnet.com/how-to/how-to-fix-the-macos-high-sierra-password-bug/ 

  • Click the Apple logo in the menu bar and select System Preferences (or search for it in Spotlight).
  • Click Users & Groups.
  • Click the padlock icon in the lower-left corner.
  • Enter the password for your username.
  • Click Login Options.
  • Click Join or Edit next to Network Account Server.
  • Click Open Directory Utility…
  • Click the padlock icon in the lower-left corner and enter your password once more.
  • In the menu bar, click Edit and select Enable Root User. If root user is already enabled, click Change Root Password…
  • Enter a secure password and enter it a second time to verify.
  • Click OK to finish.

Once you've set a root password, the exploit will no longer work. However, if you disable the root user before Apple issues a patch for High Sierra, it will cause the bug to work again.

Cheers, I'll quote this in the OP. 


Apple has finally released a security patch to resolve this "logic error" at 8 am, this update will be pushed out later today if you didn't get it.

Statement from Apple

Quote

 

Security is a top priority for every Apple product, and regrettably, we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again

 

 


37 minutes ago, SC2Mitch said:

Apple has finally released a security patch to resolve this "logic error" at 8 am, this update will be pushed out later today if you didn't get it.

Statement from Apple

 

A bit exaggerated to say "finally" -- it's been less than a day since people knew about it.  This flaw shouldn't have existed in the first place, but Apple clearly had a very good turnaround time for a fix.


8 hours ago, Trixanity said:

Stupid vulnerability but it seems kinda familiar. Didn't Linux have something similar some months back? Something with repeating a certain action like 17 times giving full access?

Yeah that sounds familiar... I really don't understand how these things happen.  I can only imagine the code xD

for (int tries = 0; tries < 3; tries++) {
	ask_password();
	if (password == true_password) {
		break;
	} else {
		entry_denied();
	}
}
entry_granted();

8 hours ago, Trixanity said:

Although it does seem like in Apple's case it was almost intentional.

I wouldn't say that... where's the evidence?

8 hours ago, Trixanity said:

Also, is the root 'account' always enabled? If I recall on Windows you need to enable it yourself and on Linux you're prompted/supposed to change the root password.

Based on my (admittedly limited) knowledge of Linux, I think it would have to be.  You need it to do anything serious like installing applications, running updates, etc.


3 hours ago, hey_yo_ said:

[...]

Once you've set a root password, the exploit will no longer work. However, if you disable the root user before Apple issues a patch for High Sierra, it will cause the bug to work again.

Wait wait wait... Let's get something completely clear here, what is the nature of this exploit?

My understanding was that, regardless of the password set, you could log in without providing it by clicking the button a few times.

Are you saying that this actually only happens if you don't have a password set?  Because that completely changes things...

If that's the case, the bug isn't that it lets you in after 3 tries, it's that it didn't let you in after the first try xD  It's fairly obvious that if prompted for a password when there is no password/the password is blank, the correct response to clicking "login" would be to do so.

Granted, there's a separate issue here that it should not allow the root password to be blank, at least not without warning you about the possible consequences thoroughly first, but yeah... what is the real story here?  I never got the impression from OP that this only worked if the password was already left blank.  If that is the case, it would also make the first reply from Apple suddenly make sense.

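Added example, not part of any post in this thread and not Apple's code: the imagined loop from the post above beside a fail-closed version that also refuses a disabled account and a blank stored password, the two cases raised in the posts above. The `account` struct, the function names and the sample strings are hypothetical, and the plaintext secret stands in for a stored password hash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical account record for this sketch; not any real OS structure. */
struct account {
    bool enabled;        /* false = account disabled */
    const char *secret;  /* stored password; a real system stores a salted hash */
};

/* Compare without stopping at the first mismatching byte. */
static bool same_secret(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The imagined loop: the grant sits after the loop, so it is reached
   whether the loop ended by break or by running out of tries. */
bool login_fail_open(const struct account *acct, const char *const tries[], int n) {
    for (int i = 0; i < n && i < 3; i++) {
        if (strcmp(tries[i], acct->secret) == 0)
            break;
    }
    return true;
}

/* Fail closed: deny is the default, grant only on an explicit match. */
bool login_fail_closed(const struct account *acct, const char *const tries[], int n) {
    if (acct == NULL || !acct->enabled)
        return false;  /* disabled account never authenticates */
    if (acct->secret == NULL || acct->secret[0] == '\0')
        return false;  /* blank stored password is not a credential */
    for (int i = 0; i < n && i < 3; i++) {
        if (tries[i] != NULL && same_secret(tries[i], acct->secret))
            return true;
    }
    return false;      /* out of tries */
}

int main(void) {
    const char *wrong[] = {"guess1", "guess2", "guess3"};  /* constructed input */
    struct account user = {true, "correct-horse-constructed"};
    printf("fail-open: %d, fail-closed: %d\n",
           login_fail_open(&user, wrong, 3), login_fail_closed(&user, wrong, 3));
    return 0;
}
```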

Well that was a fast patch. 


5 hours ago, Nicnac said:

Oh boy better use my 5 year old backup to revert to Mavericks! :P 

Lol what? It be patched. 


On 11/28/2017 at 9:05 PM, Ryan_Vickers said:

They said insanity was doing the same thing over and over and expecting a different result

They thought wrong xD

 


2 minutes ago, Subtle Corruption said:

 

 

On 11/28/2017 at 2:12 PM, Ryan_Vickers said:

I'm pretty sure that quote predates Far Cry 3 xD

 


3 hours ago, Ryan_Vickers said:

 


for (int tries = 0; tries < 3; tries++) {
	ask_password();
	if (password == true_password) {
		break;
	} else {
		entry_denied();
	}
}
entry_granted();

I wouldn't say that... where's the evidence?

In the video linked previously it seemed like Apple used the exploit on stage to get around the root access prompt. Maybe it was implemented for the stage (to avoid problems with password prompts - a stretch I know) but they forgot to take it out.

 

Of course the most likely answer is it's a very bad bug.


1 minute ago, Trixanity said:

In the video linked previously it seemed like Apple used the exploit on stage to get around the root access prompt. Maybe it was implemented for the stage (to avoid problems with password prompts - a stretch I know) but they forgot to take it out.

 

Of course the most likely answer is it's a very bad bug.

I assumed the video was edited / fake


1 minute ago, Ryan_Vickers said:

I assumed the video was edited / fake

I'm going with they forgot to take it out or didn't realise it could be abused. 


18 minutes ago, SC2Mitch said:

I'm going with they forgot to take it out or didn't realise it could be abused. 

 

22 minutes ago, Trixanity said:

In the video linked previously it seemed like Apple used the exploit on stage to get around the root access prompt. Maybe it was implemented for the stage (to avoid problems with password prompts - a stretch I know) but they forgot to take it out.

 

Of course the most likely answer is it's a very bad bug.

Really guys? xD c'mon...

 


5 hours ago, Ryan_Vickers said:

Are you saying that this actually only happens if you don't have a password set?  Because that completely changes things...

Yes


Just now, hey_yo_ said:

Yes

Oh. :|o.O how is this even news then? 

"Woah, when you don't set a root password, you can log in as root without a password!?  WHAAAT!?"

like... am I missing something here?


Just now, Ryan_Vickers said:

Oh. :|o.O how is this even news then? 

"Woah, when you don't set a root password, you can log in as root without a password!?  WHAAAT!?"

like... am I missing something here?

Most people don't set a root password. Root access is disabled by default on Mac OS X since Snow Leopard (I'm not sure), it appears that root access is enabled by default on macOS High Sierra. Here's Apple's whitepaper for Mac OS X Snow Leopard: https://web.archive.org/web/20110410065128/http://images.apple.com:80/macosx/security/docs/MacOSX_Security_TB.pdf

Quote

User permissions model

 

Mac OS X inherits its permissions model from UNIX. Apple has enhanced this security model by disabling the root account by default. Running code with the minimum necessary level of privileges helps protect the system from inadvertent or deliberate damage.

 

Root. Mac OS X (like most UNIX operating systems) has a superuser, named root, who has full permissions for access to all files on the system. Specifically, root can—with a few limited exceptions—execute any file that has any of its execute permissions turned on and can access, read, modify, or delete any file and any directory. Unlike traditional UNIX systems, Mac OS X disables this powerful account by default. This precaution helps to limit the extent of harmful changes that viruses or unauthorized users could make to the operating system. In addition to user accounts, Mac OS X uses less privileged system accounts for some system services and software that require specialized access to certain system components, but not login access. To prevent unauthorized users from altering the system in an undesirable way, new users do not have administrative privileges unless they are assigned to them by the administrator. As users are added to the system, Mac OS X assigns them nonadministrative user accounts and prompts them to choose a password, providing a means of authentication. Remote access is not allowed for users with no password.

Perhaps Apple accidentally or deliberately enabled root access by default. Good thing Apple just issued a software update today.


Just now, hey_yo_ said:

Most people don't set a root password. Root access is disabled by default on Mac OS X since Snow Leopard (I'm not sure), it appears that root access is enabled by default on macOS High Sierra. Here's Apple's whitepaper for Mac OS X Snow Leopard: https://web.archive.org/web/20110410065128/http://images.apple.com:80/macosx/security/docs/MacOSX_Security_TB.pdf

Perhaps Apple accidentally or deliberately enabled root access by default. Good thing Apple just issued a software update today.

That's really weird that it can even be disabled
