A researcher over on the Defence in Depth blog has outlined a flaw with Apple's Mac OS X 10.7 'Lion' OS that allows passwords to be changed without the user's consent.
An attacker who has access to a logged-in system (either physically or remotely via VNC or SSH) can grab the password hash data through Directory Services and then parse it to recover both the hash and the salt used in hashing the password.
It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.
But if the password is a hard one to crack, then surely the system is safe, right? Wrong! Directory Services in Lion no longer requests authentication for password changes for the current user. So if you can't break the password, you could just change it! Previous versions of Mac OS X required the existing password to authenticate password changes.
Defence in Depth provides a scenario where this attack could be used:
A user with administrative rights is browsing the internet with Safari. The user happens to browse to a website hosting a malicious Java Applet. Unbeknownst to the user, they allow the innocent-looking Java Applet to run. The Applet will proceed to make a connection back to the attacker, providing the attacker with full shell access. Whilst the attacker has access to the system, they are provided only with limited user privileges (they still do not have root access). This would limit what an attacker could accomplish. However, with the vulnerabilities described above the attacker now has an advantage: they can change the password of the current user. Now remember, the current user is an administrator. So now all the attacker has to do is sudo -s to become root. If, let's say, the victim did not have administrative rights, the attacker still has the ability to extract user hashes from the system and attempt to crack them.
So, what can you do to protect your system until Apple patches this? A temporary solution offered is to limit standard users' access to the dscl utility as follows:
$ sudo chmod 100 /usr/bin/dscl
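As an added example (not from the article or the Defence in Depth post), a small POSIX shell audit that reports whether a binary is still executable by other users, which is the state the chmod 100 workaround removes; the helper names and any path other than /usr/bin/dscl are assumptions for illustration.

```shell
# Added example: audit the temporary dscl mitigation described above.
# Relies only on POSIX "ls -ld" output, where columns 8-10 hold the
# permission bits for "other" users (e.g. "r-x" or "---").

# Print the "other" permission triplet of a file or directory.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 if "other" users may execute the file, 1 otherwise.
world_executable() {
    case "$(other_perms "$1")" in
        ??x) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit one binary: prints "exposed" when standard users can still run
# it, "restricted" once the workaround (or an equivalent) is in place.
audit_binary() {
    if world_executable "$1"; then
        echo "exposed"
    else
        echo "restricted"
    fi
}

# Apply the article's workaround to a path and re-audit it.
# Needs root when the target is the real /usr/bin/dscl.
restrict_binary() {
    chmod 100 "$1" && audit_binary "$1"
}

# On a Lion system, run: audit_binary /usr/bin/dscl
```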
This is not the first password bug to plague Lion. Last month a bug surfaced that allowed clients to use any LDAP password for authentication.