
Hardware 2.0

Adrian Kingsley-Hughes

Mac OS X Lion flaw allows unauthorized password changes

By Adrian Kingsley-Hughes | September 20, 2011, 5:57am PDT

Summary: Apple’s redesign of the Mac OS X leaves passwords vulnerable to attack or change.

A researcher on the Defence in Depth blog has outlined a flaw in Apple’s Mac OS X 10.7 ‘Lion’ that allows passwords to be changed without the user’s consent.

A hacker who has access to a logged-in system (either physically or remotely via VNC or SSH) can grab the password hash data using Directory Services and then parse it to recover both the hash and the salt used to hash the password.

It appears that a critical step was overlooked in the redesign of OS X Lion’s authentication scheme. Whilst non-root users are unable to access the shadow files directly, Lion still lets non-root users view password hash data. This is accomplished by extracting the data straight from Directory Services.

But if the password is a hard one to crack, then surely the system is safe, right? Wrong! Directory Services in Lion no longer requests authentication for password changes for the current user. So if you can’t break the password, you could just change it! Previous versions of Mac OS X required the existing password to authenticate password changes.

Defence in Depth provides a scenario where this attack could be used:

A user with administrative rights is browsing the internet with Safari. The user happens to browse to a website hosting a malicious Java Applet. Unbeknownst to the user, they allow the innocent looking Java Applet to run. The Applet will proceed to make a connection back to the attacker, providing the attacker with full shell access. Whilst the attacker has access to the system, they are provided only with limited user privileges (they still do not have root access). This would limit what an attacker could accomplish. However, with the vulnerabilities described above the attacker now has an advantage: they can change the password of the current user. Now remember, the current user is an administrator. So now all the attacker has to do is sudo -s to become root. If lets say the victim did not have administrative rights, the attacker still has the ability to extract user hashes from the system and attempt to crack them.

So, what can you do to protect your system until Apple patches this? A temporary workaround offered is to limit standard users’ access to the dscl utility as follows:

$ sudo chmod 100 /usr/bin/dscl
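A small audit script for the workaround above, added here as an example (it is not from the article or the Defence in Depth post). It assumes GNU or BSD stat is available, treats any group/other permission bit as "standard users can still run dscl", and checks only the mode of that one client binary; root is not restricted by these bits.

```shell
#!/bin/sh
# Added example (not from the article or the Defence in Depth post).
# Audits whether the workaround `sudo chmod 100 /usr/bin/dscl` is in
# effect: once group and other have no permission bits, standard
# (non-root) users can neither run nor read the dscl client. Root is
# not subject to these bits, and only this one client is restricted.

# Pure check on an octal mode string such as "100", "0755" or "4755".
# Returns 0 when group and other have no bits set, 1 otherwise.
# Setuid/setgid/sticky digits are ignored; only the last three count.
dscl_mode_is_locked() {
    padded="000$1"
    prefix=${padded%???}          # everything before the last 3 digits
    perms=${padded#"$prefix"}     # owner, group, other
    group=${perms#?}; group=${group%?}
    other=${perms#??}
    [ "$group" = "0" ] && [ "$other" = "0" ]
}

# Octal permission bits of a file: GNU stat (Linux) first, BSD stat
# (macOS) as fallback. Fails when the file cannot be read.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Reports whether the workaround is applied to the given path.
# Exit status: 0 applied, 1 not applied, 2 file cannot be read.
audit_dscl() {
    path=${1:-/usr/bin/dscl}
    mode=$(file_mode "$path") || return 2
    [ -n "$mode" ] || return 2
    if dscl_mode_is_locked "$mode"; then
        echo "$path mode $mode: workaround applied (standard users cannot run dscl)"
        return 0
    fi
    echo "$path mode $mode: workaround NOT applied (standard users can still run dscl)"
    return 1
}

# Run the audit only when invoked as `sh audit_dscl.sh --run [path]`.
if [ "${1:-}" = "--run" ]; then
    audit_dscl "${2:-/usr/bin/dscl}"
fi
```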

This is not the first password bug to plague Lion. Last month a bug surfaced that allowed clients to use any LDAP password for authentication.

Stay safe!



Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

50 Comments


Sorry, I had to laugh. So much concern about Windows security flaws and it turns out that Lion is a stitched-together mess. It's for sure Apple's Vista. That's why I will stay with Snow Leopard for the time being (a very long time it seems).
0 Votes
Ditto on the gaffaws!
kd5auq 20th Sep
@xpect
wink
0 Votes
No Java by default
wjanoch Updated - 20th Sep
@xpect Currently Windows vs Mac security flaws is night and day different. Windows is getting better, so it's no longer 1,000 to 1, but it's still more than 10 to 1. No system is perfect, but I'll still take a Mac over Windows for security.

The main issue is gaining access to the system. If a Java App can execute this command on the system, that's the real issue, regardless of what the command can do.

That said, most users won't install Java these days IMHO, and Lion doesn't install it by default. Of course there are other third party utilities that might enable the same issues if a user installs them.

I've verified that /usr/bin/dscl does let you change the current user's password without entering the old password. It does require the old password for another user (even non admins) unless you use "sudo dscl . passwd /Users/greg yourNewPassword", so they HAVE TO change the current user's password before doing anything else, and the current user HAS TO BE an admin (default install sets up one user and that's an admin).

To get all users:
dscl localhost -readall /Search/Users > ~/Desktop/allusers.txt

Use a text editor's "Find" feature to find "KerberosKeys". Using that ascii encoded binary data to recover the password is not trivial, but it is possible.
@wjanoch

You are confused, the market share ratio is in the region of 10 to 1 or a bit more probably. In terms of security it is pretty damn clear that Microsoft is well ahead of the game. Lion still falls short of Windows 7 and let's not talk about the upcoming Windows 8 where Microsoft yet again raises the bar considerably higher.

When security is concerned OS X and specifically Swiss cheese Safari are a bad choice; this unbelievable flaw is yet another example of Apple's severe shortcomings in the security area.
@xpect
Yes! Maybe this is why all the FUD about PC's leaving the earth and dying on the vine. Love the propagandaist! LOL!
@xpect

This is the exact reason WHY Apple will never be a player in the corporate world. These guys claim the fame to security but are far from supremacy. MS is still king and will always be king of the desktop/server market. With Windows 8 they'll take the tablet and phone market as well.
0 Votes
Switch to Windows
toddybottom 20th Sep
OS X is terrible.
@toddybottom I'm sure we all owe you a debt of gratitude for such a comprehensive insight into this particular issue.

Keep up the good work.
@toddybottom the NonZealot has spoken... wink
99% of people I know choose Mac over PC due to security and this is what they get in the end ... shame on Apple charging high fees and stating maximum security
@AdnanPirota

We learned a long time ago, that Apple simply doesn't have security. They have Obscurity. Combine that with the smoke and mirrors effect you usually get from Jobs, and there you go. There's your "security".

It took them nearly a month just to admit that Mac Defender was a problem, and some time after that to actually fix it.
0 Votes
Apple simply has security
wjanoch 20th Sep
@Cylon Centurion, You've bought Microsoft's FUD completely. Security isn't something you "have or don't have", it's something that you have a certain level of, and it's never perfect.

Apple's claim to Security fame is having almost everything default to inaccessible, requiring users to turn them on, and Apple makes it simple for them to do so.

Microsoft's downfall is that they still default many, many services to accessible by default so users/admins have to figure out how to turn them off to secure their systems.

And a "secure system" is only "as secure as it can be".
@AdnanPirota
Hey! You know what they say?? an Apple a day keeps the security away! He-he-he!!
Now Ed can pick up where he left off a few months ago.
0 Votes
I always hear that OS X is secure because it's 'Unix'

...how come none of the other flavors of Unix I use have this "feature"?
root it in less than a minute.
0 Votes
Highly, highly doubtful.
UrNotPayingAttention 20th Sep
@baggins_z
@baggins_z I have an ALTOS 1700 with 24 ports running SysV and Real World - wanna take a stab at it ?
@chmod 777 Not doubtful at all, 100% possible with physical access. Look up :"Kon-boot". If it's any consolation, it works on Windows too.
Full disk encryption might be the only way to deter Kon-boot.
@baggins_z

Sure by getting the domain admin drunk.

lol...
Have physical access, or someone has to surf using root / admin privileges.... Nuff said. All these hypothetical scenarios look fine only on paper [ahem blogs]
0 Votes
@browser.
It's not like every family or business locks them up in a vault at night when they're not using them.
@William Farrell

I think if someone's broken into my house to use my computer, I have bigger problems than my passwords being changed.
@msalzberg

I guess you missed the part about a web applet that can be used against a browsing session where the 'user' is browsing after booting up with Admin privileges? And the part where even with merely user permissions a baddy can grab the password hashes? What part of that scenario involves being physically present in your home?
@whatagenda What part of William Farrell's post did you not get. Since that was the post he was replying to I would have thought you would have at least read it.
0 Votes
You are wrong
toddybottom 20th Sep
@browser.
Along with all the apologists who are apologizing for this massive security hole.

"A hacker that has access to a system that is logged in (either physical access or remote via VNC or SSH) "

Physical access is not required. Buy a clue, you obviously weren't born with one.
0 Votes
-10 for reading skills
spdragoo@... 20th Sep
@browser.

Example specifically mentions "user happens to browse to a website hosting a malicious Java Applet." That's *not* talking about requiring physical access... unless you somehow believe that, when you access your webmail, your home PC is physically traveling to where the server is located.

As for the likelihood of running an unknown Java applet...hello! We're talking about the Internet here. Half the websites out there, especially things like online banking/ticket ordering/news sites/etc. *require* Java to run. The average user gets tired of having to always click to allow Java to run, especially if they use the site constantly. Nor will they necessarily know if the *site* is actually running the Java applet, or if it's one of the banner/side ads from a 3rd party that's wanting to run the applet.
@spdragoo@...
I have removed and turned off Java for years now and have never needed it to login anywhere. Still, I hope that Apple fixes this ASAP.
@arminw

That's good. I try to avoid Java whenever possible, but unfortunately I've run across a few sites that don't work so well if it's not enabled.

Needless to say, I try to avoid those sites unless absolutely necessary...
Just goes to show that Apple is no different than any other software maker. Just seems their popularity just finds them more under the microscope these days. Years ago we didn't hear of Apple OS/Software security flaws because no one cared to look.

I am sure they will address this issue accordingly in a future security patch update.
Funny how time goes by and Apple grows how more flaws and security issues creep up...pretty soon it will look like Swiss cheese only bested by IE6
Apple is well known for stuff like this, it is not the first and it will not be the last. They really should get some direction from Microsoft, that company has shown that despite years of neglect in matters of security, you can turn it around by changing your coding procedures and habits.

It really beats me that this went past Apple's QA procedures!
I stopped reading after "A user with administrative rights is browsing the internet with Safari"
0 Votes
Why?
spdragoo@... 20th Sep
@Earthling2

That's the default browser for Apple, right? I would assume that's the most likely browser for Apple users to be utilizing for browsing purposes.

And I would imagine that, with the majority of their users not being techies, the majority of Apple users *will* have administrator rights.
0 Votes
quote "the* surely the system is safe, right?"
I installed Lion on my MacBook Pro and had so many problems with it that I finally reinstalled the not-so-perfect Snow Leopard. But it is much better than Lion. When you discuss this on the Apple Forum the Kool-Aid drinkers are in total denial. I agree with the person who said this is Apple's VISTA moment!
@PeterZ1959
The trashing by Lion of hundreds of dollars' worth of PPC software that worked perfectly fine in Snow Leopard is a big reason why I won't be installing Lion on my Mac in the near future, if ever. This issue revealed here only cements further my decision not to install Lion on my main hard drive. I did install it on an external FW800 drive just to see what all the fuss is about.
@arminw Lion doesn't trash anything. The PPC era ended over half a decade ago, but that doesn't mean you have to abandon it just because Apple is moving into a new era.
This article is a fine example of how as stated by several pc zealots yesterday that ZD Net only posts positives of Apple and does its best to make Windows look bad. Gee, don't you feel dumb, ignorant or like a counterproductive fool yet? Like any operating system I realize flaws and hope for solutions as are necessary on both my Apple and Windows computers. I fail to see that anyone will hand over their Unix box as requested by baggins_z so security issues have yet to be realized by most of the Apple using community.
0 Votes
Logic & clue meters reading zero...
spdragoo@... 20th Sep
@partman1969@...

Unless I'm missing some sarcasm here, wouldn't this article *contradict* any claims that ZDNet was pro-Apple & anti-Microsoft, since it points out a major flaw in an *Apple* product?

And again, this isn't Linux we're talking about here, it's Apple. Their products are geared for the *average* consumer... one who is going to most likely stick with the browser installed with the OS (*cough* Safari *cough*), & will most likely set themselves up as primary *and* administrative user, since it's "their" computer, & who wants to take the time to set up a separate "user account" that will only be used to make administrator-level changes to the OS?
@spdragoo@...
Geeee...what's this sarcasm you speak of?
@partman1969

"Is there air?!? You don't know!"
The only secure computer is a dead computer. I have never "trusted" a company to tell me their products are secure. People who design a "secure" systems are looking at it from one perspective. People trying to hack the system are looking at it from a very different perspective.
I'm sorry, this posted twice. :o)
0 Votes
Lion IS Apple's Vista
xbjllb 20th Sep
No doubt about it now.
0 Votes
@xbjllb

Of the complaints about Vista, lack of security wasn't one of them.

Maybe Lion is Apple's ME (Millennium Edition)?
So, if this is such a major vulnerability then why aren't all Mac OSX Lion users already compromised with computers full of trojans, malware and crud?
@cwmedia This sort of 'vulnerability' is more of a geek curiosity than any real threat. The history of malware on Windows is epic. On the Mac, not so much. Current W7 is much better than previous versions, but still exceeds *NIX OSes like OS X. Respondents here should be eating some of the crow we are hearing, but then it would require a severe beating with a reality stick, something not likely to happen in Mom's basement.
"Stay safe!"
Don't use Mac OS
0 Votes
you have to know about the matter
dkaparunakis@... 21st Sep
@wjanoch really knows. sjaak327... this guys knows s... about the subject.
