Apple’s macOS High Sierra allows root login with no password
29 November 2017
A developer has posted a screenshot on Twitter and reported that it is possible to obtain root access on Apple’s High Sierra without a password.
Several users have since reproduced the issue on their own systems, including a staffer at IDG. However, as serious as the issue is, the workaround is simple.
The issue was first reported by Lemi Orhan Ergin, a developer in Istanbul, Turkey. In his initial tweet, directed to Apple, he explained the issue fully, which allowed others to confirm the problem on their own systems.
After some testing, the problem was confirmed, including from a standard (non-administrator) user account. Once logged in as root, it was possible to create new administrator accounts, disable the firewall and FileVault, enable sharing and remote logins, and more.
The High Sierra issue is a bad one, but there is a workaround that appears to close it: enable the root user account and give it a strong password.
Apple recommends that the root user be disabled after a password is set, which is solid advice in the long run, especially if the account isn’t needed (hint: it isn’t).
At this point, it is not clear whether High Sierra is the only OS affected. Internal testing here at IDG couldn’t reproduce the issue on anything other than High Sierra.
Now for the really bad news.
High Sierra users need to address this issue urgently: the root password bug is exploitable remotely over Screen Sharing (VNC) and Apple Remote Desktop wherever those services are enabled. Various researchers confirmed this shortly after the public started looking at the bug.
Another important note comes from researchers at Bugcrowd: those who test (that is, exploit) the problem locally open themselves up to remote attack, especially via Screen Sharing.
“By testing this vulnerability on your own computer, you’ll end up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services such as Remote Desktop,” explained Bugcrowd’s Keith Hoodlet, Trust and Security Engineer.
“By testing this vulnerability on your own system, you remove existing safeguards around the root (i.e. God-mode) user—enabling passwordless root access to your system. Given the level of access the root account has, it has many (and wide-ranging) potential security impacts, including remote access through various services. We have internally confirmed that it adversely affects the Screen Sharing service.”
Apple says it is working on a software update to address the issue, and is directing users to a support document explaining how to enable root and set a secure password.
Rob Fuller, also known as Mubix, has some sound advice for those enabling and setting a root password to deal with today’s problem: randomise it, since you will not actually need the account.
While the original command with echo will work for some, others may need the command below. Note that the generated password is handed to dscl as a command-line argument, so it is briefly visible in the process list; the command neither prints nor stores it, and the account is not meant to be used afterwards.
LC_CTYPE=C tr -dc a-zA-Z0-9 </dev/urandom | head -c 60 | xargs -I rootpw sudo dscl . -passwd /Users/root rootpw
There has been some debate since the disclosure. Those in the responsible-disclosure camp object to how the issue was brought to Apple’s attention, namely in a public tweet. However, the root password bug had already been suggested on Apple’s Developer Forums as a helpful tip earlier this month.
Blank password issue
Hours after the Internet first learned about the High Sierra flaw that leaves the root account exposed (Apple has promised a fix), one security researcher discovered that the issue is more serious than a blank password, as the video explains.
In fact, researchers who have been scanning the Internet for affected systems may have accidentally widened the attack surface and left users exposed. So, if anyone is scanning the Internet and trying to authenticate to exposed Apple boxes, stop.
“You are setting the root password to every machine you authenticate to, as a blank password or whatever you choose to put into the password field,” security researcher Tom Ervin explains.
Doing so may make things harder for Apple to address all of these compromised systems.
“How are they going to know the difference between a system somebody has intentionally set the password for, and a system that somebody has exploited this vulnerability on and set the password for that user?” Ervin asked.
Again, it is critical that a password be set for the root user. For the scenario shown in this video, setting a root password appears to address the flaw and prevent remote exploitation. It’s also wise to disable Apple Remote Desktop.
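As an added example (not the article’s, Mubix’s or Apple’s code), the following sh script pulls together Mubix’s randomised-password advice above and the advice here to switch off remote access: it generates a throwaway alphanumeric root password, sets it with dscl, checks that the root record now carries a password hash, and stops Apple Remote Desktop and Screen Sharing. The password generator and validator run on any POSIX system; the macOS steps only run on Darwin and only when invoked with --apply. The ShadowHash check on AuthenticationAuthority and the kickstart and launchctl commands are assumptions about macOS of that era, not anything the article documents.

```shell
#!/bin/sh
# Added example: randomise the root password and stop remote access on a
# High Sierra Mac. Not the article's, Mubix's or Apple's code.

# 60 alphanumeric characters from /dev/urandom. LC_ALL=C keeps tr byte
# oriented (BSD tr otherwise rejects the random bytes as invalid UTF-8).
gen_rootpw() {
    LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 60
}

# Policy check for a generated password: exactly 60 characters, all of them
# alphanumeric. Returns 0 when the password is acceptable.
rootpw_is_valid() {
    pw=$1
    [ "${#pw}" -eq 60 ] || return 1
    case $pw in
        *[!a-zA-Z0-9]*) return 1 ;;
    esac
    return 0
}

# ASSUMPTION: once a password is set, root's AuthenticationAuthority record
# contains a ";ShadowHash;" token; a never-enabled root has no such entry.
# Returns 0 when a hash is present. macOS only (needs dscl).
root_has_password_hash() {
    dscl . -read /Users/root AuthenticationAuthority 2>/dev/null \
        | grep -q 'ShadowHash'
}

# Set the throwaway password, verify it took, then stop remote services.
harden_root() {
    case $(uname -s) in
        Darwin) ;;
        *) echo "not macOS; nothing to do" >&2; return 2 ;;
    esac
    pw=$(gen_rootpw)
    rootpw_is_valid "$pw" || return 1
    # dscl takes the password as an argument, so it is briefly visible in
    # `ps`. It is never printed or stored; the account is not meant to be used.
    sudo dscl . -passwd /Users/root "$pw" || return 1
    unset pw
    root_has_password_hash || { echo "root still has no password hash" >&2; return 1; }
    # ASSUMPTION: standard commands to turn off Apple Remote Desktop and
    # Screen Sharing until Apple's fix ships.
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
        -deactivate -configure -access -off
    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
}

# Only act when explicitly asked; sourcing or dry-running defines functions only.
if [ "${1:-}" = "--apply" ]; then
    harden_root
fi
```

Run it as `sh harden_root.sh --apply` on the affected Mac; it exits non-zero if the password did not take or if run on a non-Darwin system, and it never echoes the password.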
Ervin is continuing to research other attack surfaces, and we’ll update as his work progresses.
IDG News Service