Mac OS X Lion flaw allows unauthorized password changes
Summary: Apple's redesign of the Mac OS X leaves passwords vulnerable to attack or change.
A researcher over on the Defence in Depth blog has outlined a flaw with Apple's Mac OS X 10.7 'Lion' OS that allows passwords to be changed without the user's consent.
An attacker with access to a logged-in system (either physical access or remote access via VNC or SSH) can grab the password hash data using Directory Services and then parse that data to recover both the hash and the salt used when hashing the password.
It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.
But if the password is a hard one to crack, then surely the system is safe, right? Wrong! Directory Services in Lion no longer requests authentication for password changes for the current user. So if you can't break the password, you could just change it! Previous versions of Mac OS X required the existing password to authenticate password changes.
Defence in Depth provides a scenario where this attack could be used:
A user with administrative rights is browsing the internet with Safari. The user happens to browse to a website hosting a malicious Java Applet. Unbeknownst to the user, they allow the innocent looking Java Applet to run. The Applet will proceed to make a connection back to the attacker, providing the attacker with full shell access. Whilst the attacker has access to the system, they are provided only with limited user privileges (they still do not have root access). This would limit what an attacker could accomplish. However, with the vulnerabilities described above the attacker now has an advantage: they can change the password of the current user. Now remember, the current user is an administrator. So now all the attacker has to do is sudo -s to become root. If, let's say, the victim did not have administrative rights, the attacker still has the ability to extract user hashes from the system and attempt to crack them.
So, what can you do to protect your system until Apple patches this? A temporary workaround offered is to restrict non-root access to the dscl utility as follows:
$ sudo chmod 100 /usr/bin/dscl
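As an added example (not code from the article or from the Defence in Depth post), a small POSIX shell script that audits whether the chmod 100 workaround above is in place and applies or reverts it on request; the script name, the DSCL_PATH variable and the assumption that the stock mode of dscl is 755 are mine.

```shell
#!/bin/sh
# dscl_guard.sh (hypothetical name): audit/apply the interim workaround of
# removing group and other permission bits from dscl. The path is a
# parameter so the check can be exercised on any file, not only dscl.
DSCL_PATH="${DSCL_PATH:-/usr/bin/dscl}"

# check_mode PATH: succeed (0) only if group and other have no permission
# bits at all, i.e. the file is in the "chmod 100" state recommended above.
check_mode() {
  perms=$(ls -ld "$1" | cut -c1-10)         # e.g. "-rwxr-xr-x"
  rest=$(printf '%s' "$perms" | cut -c5-10) # the six group + other bits
  [ "$rest" = "------" ]
}

# apply_mitigation PATH: owner-execute only; must run as root for dscl.
apply_mitigation() {
  chmod 100 "$1"
}

# revert_mitigation PATH: restore the assumed stock mode (755) once a
# vendor fix is installed; this assumption is mine, not from the article.
revert_mitigation() {
  chmod 755 "$1"
}

# main check|apply|revert: report status, or change the mode as requested.
main() {
  case "$1" in
    apply)  apply_mitigation "$DSCL_PATH" && echo "applied chmod 100 to $DSCL_PATH" ;;
    revert) revert_mitigation "$DSCL_PATH" && echo "restored 755 on $DSCL_PATH" ;;
    check)
      if check_mode "$DSCL_PATH"; then
        echo "ok: $DSCL_PATH is not executable by non-root users"
      else
        echo "warn: $DSCL_PATH is still executable by non-root users"
        return 1
      fi ;;
  esac
}

# Run only when given a subcommand, so sourcing the file has no side effects.
case "${1:-}" in check|apply|revert) main "$1" ;; esac
```

Usage is `sudo sh dscl_guard.sh check` (or `apply` / `revert`); note that while the workaround is in place, non-root tools that rely on dscl will stop working, which is why a revert step is included.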
This is not the first password bug to plague Lion. Last month a bug surfaced that allowed clients to use any LDAP password for authentication.
Stay safe!
Talkback
RE: Mac OS X Lion flaw allows unauthorized password changes
Ditto on the guffaws!
;-)
No Java by default
The main issue is gaining access to the system. If a Java App can execute this command on the system, that's the real issue, regardless of what the command can do.
That said, most users won't install Java these days IMHO, and Lion doesn't install it by default. Of course there are other third party utilities that might enable the same issues if a user installs them.
I've verified that /usr/bin/dscl does let you change the current user's password without entering the old password. It does require the old password for another user (even non admins) unless you use "sudo dscl . passwd /Users/greg yourNewPassword", so they HAVE TO change the current user's password before doing anything else, and the current user HAS TO BE an admin (default install sets up one user and that's an admin).
To get all users:
dscl localhost -readall /Search/Users > ~/Desktop/allusers.txt
Use a text editor's "Find" feature to find "KerberosKeys". Using that ascii encoded binary data to recover the password is not trivial, but it is possible.
RE: Mac OS X Lion flaw allows unauthorized password changes
You are confused, the market share ratio is in the regions of 10 to 1 or a bit more probably. In terms of security it is pretty damn clear that Microsoft is well ahead of the game. Lion still falls short of Windows 7 and let's not talk about the upcoming Windows 8 where Microsoft yet again raises the bar considerably higher.
When security is concerned OS X and specifically Swiss cheese Safari are a bad choice, this unbelievable flaw is yet another example of Apple's severe shortcomings in the security area.
RE: Mac OS X Lion flaw allows unauthorized password changes
Yes! Maybe this is why all the FUD about PCs leaving the earth and dying on the vine. Love the propagandist! LOL!
RE: Mac OS X Lion flaw allows unauthorized password changes
This is the exact reason WHY Apple will never be a player in the corporate world. These guys claim the fame to security but are far from supremacy. MS is still king and will always be king of the Desktop/server market. With Windows 8 they'll take the tablet and phone market as well.
Switch to Windows
RE: Mac OS X Lion flaw allows unauthorized password changes
Keep up the good work.
We learned a long time ago, that Apple simply doesn't have security. They have Obscurity. Combine that with the smoke and mirrors effect you usually get from Jobs, and there you go. There's your "security".
It took them nearly a month just to admit that Mac Defender was a problem, and some time after that to actually fix it.
Apple simply has security
Apple's claim to Security fame is having almost everything default to inaccessible, requiring users to turn them on, and Apple makes it simple for them to do so.
Microsoft's downfall is that they still default many, many services to accessible by default so users/admins have to figure out how to turn them off to secure their systems.
And a "secure system" is only "as secure as it can be".
RE: Mac OS X Lion flaw allows unauthorized password changes
Hey! You know what they say?? an Apple a day keeps the security away! He-he-he!!
RE: Mac OS X Lion flaw allows unauthorized password changes
...how come none of the other flavors of Unix I use have this "feature"?
Give me physical access to your UNIX box and I can
Highly, highly doubtful.
RE: Mac OS X Lion flaw allows unauthorized password changes
Full disk encryption might be the only way to deter Kon-boot.
RE: Mac OS X Lion flaw allows unauthorized password changes
Sure by getting the domain admin drunk.
lol...