TidBITS: High Sierra Bug Provides Full Root Access

6 messages

TidBITS Articles

This article was just published by TidBITS and sent to you at your request.

High Sierra Bug Provides Full Root Access

By Adam C. Engst
http://tidbits.com/article/17650

You can expect a macOS 10.13 High Sierra update or security update in the next few days. That’s because developer Lemi Orhan Ergin has revealed a huge security vulnerability in High Sierra that anyone can exploit to gain full admin privileges and access to the root account on your Mac. 10.12 Sierra is not vulnerable to this bug, and I doubt earlier versions of OS X are either.


Many people have confirmed Ergin’s discovery, and if you’re running High Sierra, you can check it yourself. Just open System Preferences > Security & Privacy and click the lock button at the bottom of the window. In the User Name field, enter root and leave the password field blank. Press Return or click the Unlock button a few times — I’ve seen it both accept on the first try and require a couple of additional tries. But it will unlock eventually.


That’s not all. If your Mac displays the name and password fields on the login window, instead of a list of users, you can also log into the entire Mac as root, without a password. If you do that, High Sierra promptly sets up a new account called System Administrator and a home folder located in /private/var/root. That is the full Unix root account, which has superuser privileges that enable it to see and modify any file in any account.

Wait, it gets worse. I’ve confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences > Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, the outside world. I did this from a guest account on my MacBook Air and ended up at a login window on my iMac, from which I was able to click the Other button, enter root and no password in the appropriate fields, and create a root user account on my iMac.


The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in better shape, since High Sierra won’t let someone log into the root account at the login window.

The reason this shouldn’t work is that the root user isn’t supposed to be enabled. The workaround is to change the root password, which requires a few steps:

  1. Activate Spotlight by clicking the magnifying glass in the right corner of the menu bar.

  2. Enter Directory Utility and press Return to launch it. (If you want to navigate to it manually, it’s in /System/Library/CoreServices/Applications.)

  3. Click the lock icon in Directory Utility’s window and authenticate. Yes, using root with no password works here too.

  4. Choose Edit > Change Root Password and enter a new, non-trivial password. If Change Root Password is grayed out, you may have to choose Edit > Enable Root User first. In another lapse, Directory Utility lets you set the root password to blank — just leave both fields empty and click OK. Apple should at least prompt here to make sure that’s what you want.

  5. If you don’t need remote access, consider disabling Screen Sharing or Remote Management in the Sharing preference pane as well.

Apple has said it’s working on a fix, so setting a root password should be sufficient protection for now.


TidBITS members can unsubscribe from just-published articles at http://tidbits.com/subscriptions. TidBITS Talk readers will need to create a filter to delete these articles.

Article copyright © 2017 By Adam C. Engst . Reuse governed by Creative Commons License.




____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____
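Adam's article above stops at the Directory Utility steps. As an added example (not code from TidBITS or Apple), here are the same checks and fixes from a shell, which is how an admin would run them across several Macs: is root currently enabled (the sign that the empty-password trick has already been used on this machine), is Screen Sharing or Remote Management listening, and is the build already the one Apple's advisory later in this thread names as fixed, 17B1002. Function and sample names are this example's own, the dscl and netstat samples are constructed rather than captured, and three things are assumptions rather than facts from the page: that a disabled root carries ";DisabledUser;" in its AuthenticationAuthority attribute, that both sharing services listen on TCP 5900 (Remote Management also on 3283), and that every build after 17B1002 includes the fix.

```sh
#!/bin/sh
# Added audit script (not code from TidBITS or Apple).  Each check is a
# function that takes command output as its argument, so the constructed
# samples below exercise the logic on any Unix; the live audit at the end
# only runs on macOS.

# Constructed samples, not captured from a real machine.
SAMPLE_AA_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp6       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.3283                 *.*                    LISTEN
tcp4       0      0  192.0.2.10.49152       198.51.100.7.443       ESTABLISHED
udp4       0      0  *.5353                 *.*'

# root_state AA -> disabled | enabled | unknown
# AA is the output of:  dscl . -read /Users/root AuthenticationAuthority
# Assumption: a disabled root carries the ";DisabledUser;" tag (what
# "dsenableroot -d" writes); the tag vanishing means root has been enabled,
# whether through Directory Utility or through the empty-password trick.
root_state() {
  case "$1" in
    *'AuthenticationAuthority:'*';DisabledUser;'*) echo disabled ;;
    *'AuthenticationAuthority:'*)                  echo enabled ;;
    *)                                             echo unknown ;;
  esac
}

# listen_ports NETSTAT -> TCP ports in LISTEN state, ascending, one per line.
# NETSTAT is "netstat -an" output in the BSD/macOS layout: local address in
# column 4, port after the last dot ("*.5900").
listen_ports() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print a[n] }' |
    sort -un
}

# remote_exposure NETSTAT -> one line per login window reachable over the net.
# Assumption: Screen Sharing and Remote Management both serve VNC on TCP 5900;
# Remote Management also listens on 3283.
remote_exposure() {
  for port in $(listen_ports "$1"); do
    case "$port" in
      5900) echo "tcp/5900 screen sharing or remote management (VNC)" ;;
      3283) echo "tcp/3283 remote management (ARD)" ;;
    esac
  done
}

# build_has_fix BUILD -> true when BUILD is 17B1002 or later.  Apple's advisory
# gives 17B1002 as the patched 10.13.1 build; treating every later build as
# patched is this script's assumption.
build_has_fix() {
  b=$1
  major=${b%%[A-Z]*}; rest=${b#"$major"}
  letter=${rest%%[0-9]*}; num=${rest#"$letter"}
  if [ -z "$major" ] || [ ${#letter} -ne 1 ] || [ -z "$num" ]; then
    return 1                                   # not a build string we understand
  fi
  code=$(printf '%d' "'$letter")               # ASCII code of the build train letter
  if   [ "$major" -ne 17 ]; then [ "$major" -gt 17 ]
  elif [ "$code"  -ne 66 ]; then [ "$code"  -gt 66 ]    # 66 = 'B'
  else                           [ "$num"   -ge 1002 ]
  fi
}

# Remediation from the shell, equivalent to the article's Directory Utility
# steps (Apple's HT204012 covers the same tool).  Run without -p/-r so the
# passwords are prompted for instead of landing in shell history:
#   dsenableroot          # enable root with a real, non-blank password
#   dsenableroot -d       # once 17B1002 or later is installed: disable root again
#   sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

audit_this_mac() {
  build=$(sw_vers -buildVersion)
  if build_has_fix "$build"; then
    echo "build $build: Security Update 2017-001 or later is installed"
  else
    echo "build $build: predates 17B1002, set a root password now"
  fi
  echo "root account: $(root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")"
  exposure=$(remote_exposure "$(netstat -an)")
  if [ -n "$exposure" ]; then
    echo "login window reachable over the network:"; echo "$exposure"
  else
    echo "no screen sharing / remote management listener found"
  fi
}

if [ "$(uname -s)" = Darwin ]; then
  audit_this_mac
else
  # Not macOS: show the parsers working on the constructed samples instead.
  echo "sample root state: $(root_state "$SAMPLE_AA_DISABLED")"
  remote_exposure "$SAMPLE_NETSTAT"
fi
```

Run it as "sh audit-root.sh" on the Mac in question; none of the read-only checks need sudo. The dsenableroot lines are deliberately left as comments because they prompt for an administrator's credentials, and "enabled" from root_state on a Mac where nobody has knowingly enabled root is the finding to follow up on.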

Re: TidBITS: High Sierra Bug Provides Full Root Access

Curtis Wilcox
On Nov 28, 2017, at 6:08 PM, TidBITS Articles <[hidden email]> wrote:

> Wait, it gets worse. I’ve confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences > Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, the outside world.


What about File Sharing, can root mount shares? What about Remote Login (aka ssh)? In Sierra, it looks like the SSH server's default is to permit root login, but not with a password, only with a key; if that's honored, that should prevent Apple's screw-up from being exploited. There's also a "PermitEmptyPasswords no" setting that could stop it.

What about within Terminal? If you enter 'login', can you log in as root? How about 'su', if you don't enter a password, will it make you superuser (aka root) anyway?

> I did this from a guest account on my MacBook Air and ended up at a login window on my iMac, from which I was able to click the Other button, enter root and no password in the appropriate fields, and create a root user account on my iMac.


Most people who have the login window set to List of users don't have the "Other" option; it's there on Macs configured to allow logging in with a network account (e.g. an Active Directory account) or as a by-product of having some software installed, like the JAMF management agent.

> The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in better shape, since High Sierra won’t let someone log into the root account at the login window.


With FileVault enabled, does High Sierra protect you at the login window or at the *boot* login window? I would expect it would only offer protection at the login after the Mac is turned on or restarted, because you're not actually in the macOS yet. If you login as a user then log out, won't using the root login work then?

> 4. Choose Edit > Change Root Password and enter a new, non-trivial password. If Change Root Password is grayed out, you may have to choose Edit > Enable Root User first.


Change Root Password should always be grayed out by default unless the user has chosen to Enable Root User first. My impression of the problem is that in High Sierra that is still the case but the OS is not behaving like root is disabled.

> Apple has said it’s working on a fix, so setting a root password should be sufficient protection for now.


This is a huge black eye for Apple, not only for the security of their products but the reputation of their software quality overall.




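Curtis's sshd question above can be answered from the server's effective configuration instead of by trying the login. The script below is an added example and not code from the thread; it feeds the output of "sudo sshd -T" (OpenSSH's test mode, which prints every option's effective value in lower case) to a check for the two settings he names, PermitRootLogin and PermitEmptyPasswords, plus the password-style authentication methods an empty password would need. Function and sample names are this example's own, the two configurations are constructed rather than captured from a Mac, and the check speaks only to sshd's own settings: what the backend (PAM, opendirectoryd) then does with an empty password is the separate question the thread settles empirically.

```sh
#!/bin/sh
# Added example, not code from the thread.  sshd_root_empty_pw decides from
# "sshd -T" output whether sshd's own settings would let "root" with an empty
# password reach the authentication backend at all.

# Constructed samples, not captured from a real Mac.  The first is the
# defaults as Curtis describes them (root with a key only, empty passwords
# refused); the second is the weak configuration the check must flag.
SAMPLE_DEFAULT='port 22
permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no
usepam yes'
SAMPLE_WEAK='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords yes
usepam yes'

# sshd_opt CONFIG KEY -> value of KEY in "sshd -T" output (last one wins, "" if absent)
sshd_opt() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# sshd_root_empty_pw CONFIG -> prints "blocked: <reason>" and returns 1,
# or prints "open: ..." and returns 0
sshd_root_empty_pw() {
  prl=$(sshd_opt "$1" permitrootlogin)
  pwa=$(sshd_opt "$1" passwordauthentication)
  kbd=$(sshd_opt "$1" kbdinteractiveauthentication)
  # OpenSSH before 8.7 prints the old name of the same option
  [ -n "$kbd" ] || kbd=$(sshd_opt "$1" challengeresponseauthentication)
  pep=$(sshd_opt "$1" permitemptypasswords)

  case "$prl" in
    yes) ;;
    no)  echo "blocked: PermitRootLogin no"; return 1 ;;
    prohibit-password|without-password|forced-commands-only)
         echo "blocked: PermitRootLogin $prl (root must present a key)"; return 1 ;;
    *)   echo "blocked: PermitRootLogin '$prl' not recognised"; return 1 ;;
  esac
  if [ "$pwa" != yes ] && [ "$kbd" != yes ]; then
    echo "blocked: neither password nor keyboard-interactive authentication is on"
    return 1
  fi
  if [ "$pep" != yes ]; then
    echo "blocked: PermitEmptyPasswords ${pep:-no}"
    return 1
  fi
  echo "open: root with an empty password reaches the authentication backend"
  return 0
}

# Hardened lines for /etc/ssh/sshd_config, should the check come back open:
#   PermitRootLogin no
#   PermitEmptyPasswords no
#   PasswordAuthentication no     # keys only, if every user has one

if [ "$(id -u)" = 0 ] && [ -x /usr/sbin/sshd ]; then
  # Live check; needs root because sshd -T reads the host keys.
  live=$(/usr/sbin/sshd -T 2>/dev/null) || live=''
  if [ -n "$live" ]; then sshd_root_empty_pw "$live" || true; fi
else
  echo "defaults: $(sshd_root_empty_pw "$SAMPLE_DEFAULT")"
  echo "weak:     $(sshd_root_empty_pw "$SAMPLE_WEAK")"
fi
```

The check deliberately reads the effective configuration rather than /etc/ssh/sshd_config, because Match blocks and Include files can override what the main file appears to say; "sshd -T" resolves all of that the same way the running daemon does.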

Re: TidBITS: High Sierra Bug Provides Full Root Access

Al Varnell
On Wed, Nov 29, 2017 at 04:45 AM, Curtis Wilcox wrote:
> On Nov 28, 2017, at 6:08 PM, TidBITS Articles <[hidden email]> wrote:
>
>> Wait, it gets worse. I’ve confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences > Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, the outside world.
>>
>
> What about File Sharing, can root mount shares? What about Remote Login (aka ssh)? In Sierra, it looks like the SSH server's default is to permit root login, but not with a password, only with a key; if that's honored, that should prevent Apple's screw-up from being exploited. There's also a "PermitEmptyPasswords no" setting that could stop it.

Others that attempted SSH said they were unable to.

> What about within Terminal? If you enter 'login', can you log in as root? How about 'su', if you don't enter a password, will it make you superuser (aka root) anyway?

Yes, if you know the password and if you are an admin then you can use your admin password with su as you always have been able to.

>> I did this from a guest account on my MacBook Air and ended up at a login window on my iMac, from which I was able to click the Other button, enter root and no password in the appropriate fields, and create a root user account on my iMac.
>>
>
> Most people who have the login window set to List of users don't have the "Other" option, it's there on Macs configure to allow logging with with a network account (e.g. an Active Directory account) or as a by-product of having some software installed, like the JAMF management agent.
>
>> The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in better shape, since High Sierra won’t let someone log into the root account at the login window.
>
> With FileVault enabled, does High Sierra protect you at the login window or at the *boot* login window? I would expect it would only offer protection at the login after the Mac is turned on or restarted, because you're not actually in the macOS yet. If you login as a user then log out, won't using the root login work then?

With FileVault 2 enabled, you only get a boot login window. Not sure what happens if you then logout.

>> • Choose Edit > Change Root Password and enter a new, non-trivial password. If Change Root Password is grayed out, you may have to choose Edit > Enable Root User first.
>
> Change Root Password should always be grayed out by default unless the user has chosen to Enable Root User first. My impression of the problem is that in High Sierra that is still the case but the OS is not behaving like root is disabled.

Once you are able to enter a blank password, root becomes enabled and you are then able to change the password.

>> Apple has said it’s working on a fix, so setting a root password should be sufficient protection for now.
>
> This is a huge black eye for Apple, not only for the security of their products but the reputation of their software quality overall.

=Al-



Re: TidBITS: High Sierra Bug Provides Full Root Access

adamengst
Administrator
In reply to this post by Curtis Wilcox
All good questions! I was working too quickly yesterday to test every possibility...

On Wed, Nov 29, 2017 at 7:45 AM, Curtis Wilcox <[hidden email]> wrote:
> On Nov 28, 2017, at 6:08 PM, TidBITS Articles <[hidden email]> wrote:

>> Wait, it gets worse. I’ve confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences > Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, the outside world.


> What about File Sharing, can root mount shares? What about Remote Login (aka ssh)? In Sierra, it looks like the SSH server's default is to permit root login, but not with a password, only with a key; if that's honored, that should prevent Apple's screw-up from being exploited. There's also a "PermitEmptyPasswords no" setting that could stop it.

Unlike Screen Sharing, File Sharing does not seem to be affected.
 
> What about within Terminal? If you enter 'login', can you log in as root? How about 'su', if you don't enter a password, will it make you superuser (aka root) anyway?

SSH and su in Terminal were unaffected. The problem seems to be only from the GUI. 

>> I did this from a guest account on my MacBook Air and ended up at a login window on my iMac, from which I was able to click the Other button, enter root and no password in the appropriate fields, and create a root user account on my iMac.


> Most people who have the login window set to List of users don't have the "Other" option; it's there on Macs configured to allow logging in with a network account (e.g. an Active Directory account) or as a by-product of having some software installed, like the JAMF management agent.

Oh, interesting. I probably installed Jamf Now at some point long ago on my iMac, even though I don’t use it anymore. I really need to do a clean install of High Sierra… :-) But, regardless, if the user had the login fields instead of a list of users, they’d be vulnerable. 

>> The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in better shape, since High Sierra won’t let someone log into the root account at the login window.

> With FileVault enabled, does High Sierra protect you at the login window or at the *boot* login window? I would expect it would only offer protection at the login after the Mac is turned on or restarted, because you're not actually in the macOS yet. If you login as a user then log out, won't using the root login work then?

I would guess so. I’m not running FileVault on this Mac, so I was relying on reports from Kirk McElhearn and Josh, both of whom weren’t able to get past the boot login. 

>> 4. Choose Edit > Change Root Password and enter a new, non-trivial password. If Change Root Password is grayed out, you may have to choose Edit > Enable Root User first.

> Change Root Password should always be grayed out by default unless the user has chosen to Enable Root User first. My impression of the problem is that in High Sierra that is still the case but the OS is not behaving like root is disabled.

I’ve not enabled root manually before, so my belief is that using the exploit enables root. So a user reading this who has tested will have root enabled, but someone who hasn’t tested won’t. I think.  

>> Apple has said it’s working on a fix, so setting a root password should be sufficient protection for now.

> This is a huge black eye for Apple, not only for the security of their products but the reputation of their software quality overall.

Yeah, you have to figure it was a pretty awful day at Apple for some group yesterday. I assume we’ll see an update very soon.

cheers... -Adam 




Re: TidBITS: High Sierra Bug Provides Full Root Access

Curtis Wilcox
On Nov 29, 2017, at 10:24 AM, Adam Engst <[hidden email]> wrote:

> All good questions! I was working too quickly yesterday to test every possibility...

> On Wed, Nov 29, 2017 at 7:45 AM, Curtis Wilcox <[hidden email]> wrote:

>> Most people who have the login window set to List of users don't have the "Other" option; it's there on Macs configured to allow logging in with a network account (e.g. an Active Directory account) or as a by-product of having some software installed, like the JAMF management agent.

> Oh, interesting. I probably installed Jamf Now at some point long ago on my iMac, even though I don’t use it anymore. I really need to do a clean install of High Sierra… :-) But, regardless, if the user had the login fields instead of a list of users, they’d be vulnerable.


Jamf has a command for removing itself (I'm assuming this is true for Jamf Now as well).
https://www.jamf.com/jamf-nation/articles/153/removing-jamf-components-from-computers

I noticed the appearance of "Other" on the login window after using a package from central IT at work used to install the JAMF agent. In Directory Utility, the Directory Editor, by default, shows all the local user accounts on your Mac; most come built-in and can't be used to login. _jamf may be the first one in your list; I don't know if jamf's self-removal also deletes this account, I suspect it doesn't. I don't recall what properties can make a user account hidden from the login window list and the Users & Groups. The _jamf account's properties are very similar to the built-in account _mbsetupuser (aka Setup User), the two properties _jamf has are Picture and dsAttrTypeName:_writers_passwd.

>>> The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in better shape, since High Sierra won’t let someone log into the root account at the login window.
>> With FileVault enabled, does High Sierra protect you at the login window or at the *boot* login window? I would expect it would only offer protection at the login after the Mac is turned on or restarted, because you're not actually in the macOS yet. If you login as a user then log out, won't using the root login work then?

> I would guess so. I’m not running FileVault on this Mac, so I was relying on reports from Kirk McElhearn and Josh, both of whom weren’t able to get past the boot login.


Given everything else that's vulnerable, the login windows after the FileVault login are probably vulnerable too. 





Re: TidBITS: High Sierra Bug Provides Full Root Access

David Rostenne
… and Apple has issued a security update:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-11-29-1 Security Update 2017-001

Security Update 2017-001 is now available and addresses the
following:

Directory Utility
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator
authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials.
This was addressed with improved credential validation.
CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build
number of macOS will be 17B1002. Learn how to find the macOS version
and build number on your Mac at https://support.apple.com/HT201260.

If you require the root user account on your Mac, see
https://support.apple.com/HT204012 for information on how to enable
the root user and change the root user's password.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
[signature body omitted]
-----END PGP SIGNATURE-----

Cheers,

Dave

> On 29-November-2017, at 11:16 AM, Curtis Wilcox <[hidden email]> wrote:
>
> On Nov 29, 2017, at 10:24 AM, Adam Engst <[hidden email]> wrote:
>>
>> All good questions! I was working too quickly yesterday to test every possibility...
>>
>> On Wed, Nov 29, 2017 at 7:45 AM, Curtis Wilcox <[hidden email]> wrote:
>
>> Most people who have the login window set to List of users don't have the "Other" option, it's there on Macs configure to allow logging with with a network account (e.g. an Active Directory account) or as a by-product of having some software installed, like the JAMF management agent.
>>
>> Oh, interesting. I probably installed Jamf Now at some point long ago on my iMac, even though I don’t use it anymore. I really need to do a clean install of High Sierra… :-) But, regardless, if the user had the login fields instead of a list of users, they’d be vulnerable.
>
>
> Jamf has a command for removing itself (I'm assuming this is true for Jamf Now as well).
> https://www.jamf.com/jamf-nation/articles/153/removing-jamf-components-from-computers
>
> I noticed the appearance of "Other" on the login window after using a package from central IT at work used to install the JAMF agent. In Directory Utility, the Directory Editor, by default, shows all the local user accounts on your Mac; most come built-in and can't be used to login. _jamf may be the first one in your list; I don't know if jamf's self-removal also deletes this account, I suspect it doesn't. I don't recall what properties can make a user account hidden from the login window list and the Users & Groups. The _jamf account's properties are very similar to the built-in account _mbsetupuser (aka Setup User), the two properties _jamf has are Picture and dsAttrTypeName:_writers_passwd.
>
>>> The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in better shape, since High Sierra won’t let someone log into the root account at the login window.
>> With FileVault enabled, does High Sierra protect you at the login window or at the *boot* login window? I would expect it would only offer protection at the login after the Mac is turned on or restarted, because you're not actually in the macOS yet. If you login as a user then log out, won't using the root login work then?
>>
>> I would guess so. I’m not running FileVault on this Mac, so I was relying on reports from Kirk McElhearn and Josh, both of whom weren’t able to get past the boot login.
>
>
> Given everything else that's vulnerable, the login windows after the FileVault login are probably vulnerable too.
>
>