Mac OS X Lion flaw allows unauthorized password changes

Summary: Apple's redesign of Mac OS X leaves passwords vulnerable to attack or change.

A researcher over on the Defence in Depth blog has outlined a flaw with Apple's Mac OS X 10.7 'Lion' OS that allows passwords to be changed without the user's consent.

An attacker who has access to a logged-in system (either physically or remotely via VNC or SSH) can read the password hash data through Directory Services and parse it to recover both the hash and the salt that was used when the password was hashed.

It appears that a critical step was overlooked in the redesign of OS X Lion's authentication scheme. Whilst non-root users are unable to access the shadow files directly, Lion still lets non-root users view password hash data, by extracting it straight from Directory Services.

But if the password is a hard one to crack, then surely the system is safe, right? Wrong! Directory Services in Lion no longer requests authentication for password changes for the current user. So if you can't break the password, you could just change it! Previous versions of Mac OS X required the existing password to authenticate a password change.

Defence in Depth provides a scenario where this attack could be used:

A user with administrative rights is browsing the internet with Safari. The user happens to browse to a website hosting a malicious Java Applet. Unbeknownst to the user, they allow the innocent-looking Java Applet to run. The Applet will proceed to make a connection back to the attacker, providing the attacker with full shell access. Whilst the attacker has access to the system, they are provided only with limited user privileges (they still do not have root access). This would limit what an attacker could accomplish. However, with the vulnerabilities described above the attacker now has an advantage: they can change the password of the current user. Now remember, the current user is an administrator. So now all the attacker has to do is sudo -s to become root. If, let's say, the victim did not have administrative rights, the attacker still has the ability to extract user hashes from the system and attempt to crack them.

So, what can you do to protect your system until Apple patches this? A temporary workaround offered is to restrict standard users' access to the dscl utility as follows:

$ sudo chmod 100 /usr/bin/dscl
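As an added illustration (not code from the article or from the Defence in Depth post), the following Python scans constructed process-audit lines for the two behaviours described above, a non-root user invoking dscl to change a password and a non-root user bulk-reading user records from Directory Services, and checks whether a file mode matches the chmod 100 workaround. The audit-line format, user names and command lines are constructed for the example.

```python
import shlex
import stat
from collections import namedtuple

# Constructed sample audit lines in a hypothetical format (not real macOS output):
#   <time> uid=<n> user=<name> cmd=<command line>
SAMPLE_LOG = """\
2011-09-20T10:01:02 uid=501 user=alice cmd=dscl . -read /Users/alice RealName
2011-09-20T10:02:11 uid=501 user=alice cmd=dscl . -passwd /Users/alice Hunter2!
2011-09-20T10:03:45 uid=501 user=alice cmd=dscl localhost -readall /Search/Users
2011-09-20T10:05:00 uid=0 user=root cmd=dscl . -passwd /Users/bob Temp1234
2011-09-20T10:06:30 uid=501 user=alice cmd=ls -la /var/db/dslocal/nodes/Default/users
"""

Finding = namedtuple("Finding", "user reason cmd")

def parse_line(line):
    """Split one audit line into (uid, user, argv); None if malformed."""
    fields = line.split(" ", 3)
    if len(fields) != 4:
        return None
    try:
        uid = int(fields[1].split("=", 1)[1])
        user = fields[2].split("=", 1)[1]
        argv = shlex.split(fields[3].split("=", 1)[1])
    except (IndexError, ValueError):
        return None
    return uid, user, argv

def classify_dscl(uid, user, argv):
    """Flag the two non-root dscl patterns from the advisory; root is ignored."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl" or uid == 0:
        return None
    ops = argv[1:]
    if any(a in ("-passwd", "passwd") for a in ops):
        return Finding(user, "password change via dscl by non-root user", " ".join(argv))
    if "-readall" in ops and any(a.startswith("/") and "Users" in a for a in ops):
        return Finding(user, "bulk read of user records by non-root user", " ".join(argv))
    return None

def scan(log_text):
    """Run the classifier over every parseable line and collect findings."""
    parsed = (parse_line(ln) for ln in log_text.splitlines())
    findings = (classify_dscl(*p) for p in parsed if p)
    return [f for f in findings if f]

def mitigation_applied(st_mode):
    """True when no group/other bits are set, i.e. the chmod 100 workaround is in place."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

Feed `os.stat("/usr/bin/dscl").st_mode` to `mitigation_applied` on a Lion system to confirm the workaround, and point `scan` at whatever process-execution logging you actually collect.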

This is not the first password bug to plague Lion. Last month a bug surfaced that allowed clients to use any LDAP password for authentication.

Stay safe!

Talkback

50 comments
  • RE: Mac OS X Lion flaw allows unauthorized password changes

    Sorry, I had to laugh. So much concern about Windows security flaws and it turns out that Lion is a stitched-together mess. It's for sure Apple's Vista. That's why I will stay with Snow Leopard for the time being (a very long time, it seems).
    xpect
    • Ditto on the guffaws!

      @xpect
      ;-)
      kd5auq
    • No Java by default

      @xpect Currently Windows vs Mac security flaws is night and day different. Windows is getting better, so it's no longer 1,000 to 1, but it's still more than 10 to 1. No system is perfect, but I'll still take a Mac over Windows for security.

      The main issue is gaining access to the system. If a Java App can execute this command on the system, that's the real issue, regardless of what the command can do.

      That said, most users won't install Java these days IMHO, and Lion doesn't install it by default. Of course there are other third party utilities that might enable the same issues if a user installs them.

      I've verified that /usr/bin/dscl does let you change the current user's password without entering the old password. It does require the old password for another user (even non admins) unless you use "sudo dscl . passwd /Users/greg yourNewPassword", so they HAVE TO change the current user's password before doing anything else, and the current user HAS TO BE an admin (default install sets up one user and that's an admin).

      To get all users:
      dscl localhost -readall /Search/Users > ~/Desktop/allusers.txt

      Use a text editor's "Find" feature to find "KerberosKeys". Using that ascii encoded binary data to recover the password is not trivial, but it is possible.
      wjanoch
      • RE: Mac OS X Lion flaw allows unauthorized password changes

        @wjanoch

        You are confused; the market share ratio is in the region of 10 to 1 or a bit more, probably. In terms of security it is pretty damn clear that Microsoft is well ahead of the game. Lion still falls short of Windows 7, and let's not talk about the upcoming Windows 8, where Microsoft yet again raises the bar considerably higher.

        Where security is concerned, OS X and specifically Swiss-cheese Safari are a bad choice; this unbelievable flaw is yet another example of Apple's severe shortcomings in the security area.
        sjaak327
    • RE: Mac OS X Lion flaw allows unauthorized password changes

      @xpect
      Yes! Maybe this is why all the FUD about PCs leaving the earth and dying on the vine. Love the propagandist! LOL!
      eargasm
    • RE: Mac OS X Lion flaw allows unauthorized password changes

      @xpect

      This is the exact reason WHY Apple will never be a player in the corporate world. These guys claim the fame to security but are far from supremacy. MS is still king and will always be king of the desktop/server market. With Windows 8 they'll take the tablet and phone market as well.
      Rob.sharp
  • Switch to Windows

    OS X is terrible.
    toddybottom
    • RE: Mac OS X Lion flaw allows unauthorized password changes

      @toddybottom I'm sure we all owe you a debt of gratitude for such a comprehensive insight into this particular issue.

      Keep up the good work.
      Simpsoid
    • RE: Mac OS X Lion flaw allows unauthorized password changes

      @toddybottom the NonZealot has spoken... ;)
      ScorpioBlue
  • RE: Mac OS X Lion flaw allows unauthorized password changes

    99% of people I know choose Mac over PC due to security and this is what they get in the end ... shame on Apple charging high fees and stating maximum security
    AdnanPirota
    • RE: Mac OS X Lion flaw allows unauthorized password changes

      @AdnanPirota

      We learned a long time ago that Apple simply doesn't have security. They have obscurity. Combine that with the smoke-and-mirrors effect you usually get from Jobs, and there you go. There's your "security".

      It took them nearly a month just to admit that Mac Defender was a problem, and some time after that to actually fix it.
      The one and only, Cylon Centurion
      • Apple simply has security

        @Cylon Centurion, you've bought Microsoft's FUD completely. Security isn't something you "have or don't have"; it's something that you have a certain level of, and it's never perfect.

        Apple's claim to security fame is having almost everything default to inaccessible, requiring users to turn them on, and Apple makes it simple for them to do so.

        Microsoft's downfall is that they still default many, many services to accessible by default so users/admins have to figure out how to turn them off to secure their systems.

        And a "secure system" is only "as secure as it can be".
        wjanoch
    • RE: Mac OS X Lion flaw allows unauthorized password changes

      @AdnanPirota
      Hey! You know what they say? An Apple a day keeps the security away! He-he-he!!
      eargasm
  • RE: Mac OS X Lion flaw allows unauthorized password changes

    Now Ed can pick up where he left off a few months ago.
    Return_of_the_jedi
  • RE: Mac OS X Lion flaw allows unauthorized password changes

    I always hear that OS X is secure because it's 'Unix'

    ...how come none of the other flavors of Unix I use have this "feature"?
    UrNotPayingAttention
    • Give me physical access to your UNIX box and I can

      root it in less than a minute.
      baggins_z
      • Highly, highly doubtful.

        @baggins_z
        UrNotPayingAttention
      • RE: Mac OS X Lion flaw allows unauthorized password changes

        @baggins_z I have an ALTOS 1700 with 24 ports running SysV and Real World - wanna take a stab at it ?
        dev/null
      • RE: Mac OS X Lion flaw allows unauthorized password changes

        @chmod 777 Not doubtful at all, 100% possible with physical access. Look up "Kon-boot". If it's any consolation, it works on Windows too.
        Full disk encryption might be the only way to deter Kon-boot.
        jgm@...
      • RE: Mac OS X Lion flaw allows unauthorized password changes

        @baggins_z

        Sure by getting the domain admin drunk.

        lol...
        ScorpioBlue