Aussie Researcher Cracks OS X Lion Passwords
daria42 writes "Thought your Mac was secure running Apple's latest operating system? Think again. Turns out that in some respects Lion is actually less secure than previous versions of Mac OS X, due to some permission-tweaking by Apple that has opened up a way for an attacker to crack your password on your Lion box. The flaw was discovered by an Australian researcher who has previously published a guide to cracking Mac OS X passwords. Sounds like Apple had better get a patch out for this."
He's not really cracking the passwords. He's just found a way to read the hash and salt from each user's shadow file without root privileges. It's fairly serious, but the hashes still need to be brute-forced.
http://www.techgineering.org/2011/09/22/2489/a-new-exploit-in-os-x-lion-allows-unauthorized-access-to-users-to-change-password/ - A New Exploit in OS X Lion Allows Unauthorized Access To Users to Change Password
So looking at it, basically what it comes down to is you can effectively get at the shadow file as any user. That does indeed mean you can get the hashes to attempt to crack passwords. This isn't a good situation, and isn't how it should be. On any UNIX you should have to be root to get at the shadow file, on Windows you must be an administrator (and running elevated, if UAC is on) to get at the SAM file.
However, do note that it is just a set of hashes. So you still have to crack the password. So long as the passwords are good, this really doesn't get you anywhere. If you've ever messed with this you find that things quickly get impossible so long as passwords are reasonably long. As such, if you have good passwords, this isn't a huge problem.
That said, I think we'll want to send out a warning to our Mac types today since they seem to think Macs make them immune to security issues and as such are prone to bad passwords. Perhaps this can help convince them to adopt better password standards since, really, that is one of the big keys to good security these days.
Unlike Snow Leopard
I was expecting to read one of the normal fear-mongering stories that we often see on /. (e.g. "Drop Box sends passwords in plain text!!") but actually this is one of the most serious OS level holes I've seen in years. Not only can you retrieve the password for any user on the system but you can also reset their password without having to know what it was.
People have posted "they're still hashes so you still have to break them" which is of course true, but if you keep reading down he shows you how to reset the other user's password without ever having to know them.
The only complaints would be from people incited by you deliberately trying to troll.
Could those with mod points wipe this jerk down to -1?
I suspect that a lot of people are sticking with Snow Leopard at the minute, for a variety of reasons.
Here is a bit from TFA-
"This means, according to the researcher, that it might be possible for an attacker to crack a user's Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible."
It's not exactly a 1-2-3 step action. Also, the article never said he actually cracked any passwords, though he claims-
"Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so. "
Little bit more backup would be a good thing, here.
Vote monkeys into Congress. They are cheaper and more trustworthy.
Ok, now it's time for a bunch of people to complain about how snide and awful Mac users are, how they think that they're immune to security problems. We'll get a string of posts about how some study indicated that OSX was less secure than Windows, maybe some anecdotal evidence that some slashdotter knew a guy who was a Mac user, and he was an asshole and said something stupid about computers once.
When we've gotten enough of those, we'll see a backlash of posts rehashing old complaints about Windows and Linux, defending Macs.
You can change the password for any user on a Windows box without ANY credentials, provided you have physical access. Seems we have forgotten this while everyone is fear-mongering about what someone can do over the 'net.
It's OK Bender, there's no such thing as 2.
Some of us never left.
It's interesting how when OSX has a security hole, everyone downplays it as "not that serious, no big deal". In contrast, if this same issue happened with XP/Vista/7, then the entire /. crowd would be jumping on the bandwagon of Microsoft bashing, "OMG another MS security hole! See people, Windows is crap!". It's funny how people will defend their preference and bash their competitors, even though the root issue can be the same for both. Anyhoo, just an observation.
L0phtcrack can nab a SAM file from a running system. I am not sure how it goes about doing that, but it works. I presume it dumps the in-memory copy.
However, as I said, you have to be an administrator to do it and on UAC enabled systems, you must escalate. As such it is fairly hard to get at.
Like being on a Hackintosh and being concerned that the original version of Final Cut Studio and Adobe CS3 will work and also the trouble of making the OS X drivers work with your hardware.
That would be one reason, yes. Using programs that require any PPC code would be another (and for some reason quite a few programs still use(d) PPC installers and plug-ins even if the actual program was all Intel. That either has or will change quickly, of course). Not liking the way Lion forces an inflexible revision system onto you is another. Personally I just don't really see the need to move from Snow Leopard.
Anyway, this is all a bit off-topic, except that Snow Leopard at least doesn't have this vulnerability, even if it does have a couple of others.
The blog post has the patch. Lower the privs:
sudo chmod 100 /usr/bin/dscl
It's trivial to break the password on a Windows machine, in fact a hell of a lot easier on a Windows machine, if you have physical access. I'll happily do it, and have done it, in about 10 seconds with a boot USB or CD if the machine is too old for USB. A friend assures me a Linux box isn't that much harder. I use Linux, OSX and Windows in one form or another for my given needs but I feel that the REAL issue here shouldn't be "it's easier to do this on Windows, it's all anti-Apple FUD", but rather "we shouldn't be fanboys to any company/brand/make/type, there is no excuse for bad QA and security auditing in any OS". Ultimately though, physical access is the death of any OS.
This sounds like a typical PEBKAC coding error. The dscl is probably (not much of a mac user here) running as root for indexing and such, but of course you do not need to be root to run it. Reminds me of when locate used to return / index all files, including ones that you did not have permission to, and of course now we have slocate. This is the kind of error that crops up in Microsoft vulnerabilities all the time. It's like they just didn't think it through from the black hat perspective at all.
"Decent white southern democrats "
Contradiction in terms. Nice try though!
Agreed; and what most here have totally missed is the fact that there is no "existing password" challenge if you use dscl localhost... as TFA says right at the end, almost as an afterthought.
Either it's already been patched, as I'm running the developer builds of 10.7.2, or there's an issue in his particular setup vs. a normal install that's allowing this to happen.
Stepping through the information on his own blog at: http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html
When performing his "dscl localhost -read /Search/Users/" I do NOT get the dsAttrTypeNative:ShadowHashData result UNLESS I have root privileges through sudo. Not even for my own user.
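Two checks that follow from the thread (the chmod 100 workaround posted above and the test of whether an unprivileged "dscl localhost -read /Search/Users/<name>" shows dsAttrTypeNative:ShadowHashData). This is an added example, not code from the thread or from the researcher's blog; the sample dscl output is constructed, and the hash value in it is a placeholder.

```shell
#!/bin/sh
# Added audit helpers for the Lion dscl issue discussed in the thread.

# Returns 0 when the file is executable only by its owner (the state
# "chmod 100 /usr/bin/dscl" leaves it in), 1 when group or other still
# have execute, and 2 when the path does not exist.
# ls -l is parsed instead of stat because stat's flags differ between
# the BSD userland on OS X and GNU coreutils.
dscl_mode_restricted() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(ls -ld "$f" | cut -c1-10)       # e.g. ---x------ or -rwxr-xr-x
    grp=$(printf '%s' "$mode" | cut -c7)   # group execute bit
    oth=$(printf '%s' "$mode" | cut -c10)  # other execute bit
    [ "$grp" = "-" ] && [ "$oth" = "-" ] && return 0
    return 1
}

# Reads a dscl -read transcript (file argument or stdin) and returns 0 if
# the ShadowHashData attribute appears in it, i.e. the caller was handed the
# hash and salt material; returns 1 when the attribute is absent.
shadow_hash_exposed() {
    grep -q 'dsAttrTypeNative:ShadowHashData' "${1:-/dev/stdin}"
}

# Constructed transcripts for offline use. The first is what a leaking
# system would show to a normal user; the second is the expected clean
# output. "PLACEHOLDER_HEX_BLOB" stands in for the real binary plist hex.
SAMPLE_LEAK='RecordName: alice
UniqueID: 501
dsAttrTypeNative:ShadowHashData:
 PLACEHOLDER_HEX_BLOB'
SAMPLE_CLEAN='RecordName: alice
UniqueID: 501'

# Live audit on a Lion box: run as the unprivileged user, not via sudo.
if [ "${1:-}" = "--audit" ]; then
    dscl_mode_restricted /usr/bin/dscl \
        && echo "dscl: group/other execute removed" \
        || echo "dscl: still executable by non-root users"
    if dscl localhost -read "/Search/Users/$(id -un)" 2>/dev/null | shadow_hash_exposed; then
        echo "ShadowHashData readable without root"
    else
        echo "ShadowHashData not exposed to this user"
    fi
fi
```

Run it with `--audit` on the machine under test; without arguments it only defines the functions so it can be sourced from other scripts.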
...through an unsuspecting update or upgrade?
Lion is the Vista of OS X, I think Apple took a huge step back from Snow Leopard and I have yet to find a good reason why they needed to cripple Lion when Snow Leopard was so stable and secure.
It's like Apple decided iCloud was the only feature that matters and dropped quality and reliability of almost every aspect of OS X in order to hit a fall target date for iCloud integration. Problem is I think iCloud is going to be a huge disaster for Apple if Lion's lack of quality is any indication of how Apple has been handling their software development over the last few years.
Bottom line is I am waiting for at least 5 or 6 service packs before I touch Lion again, my first foray into a Lion server update found it unusable and lacking, just like Vista.
You call this a tabloid? think again.
FTA: "The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible."
Face it Apple Sux. It is a FACT you buy more expensive stuff and it is just as insecure as the avg. Joe product. Plus they control you more. WHY WOULD ANYONE DO THAT?
ImaPC.
Mod parent up. This is perhaps the one constructive comment in this thread, though I can't test it - but others seem to report it to work.
Get real. How many crackers are going to look at something as weird as /etc/password, in a terminal, looking through all of the shine and gloss that comes before it?
10002$ dscl localhost -passwd /Search/Users/konohitowa
New Password:
Permission denied. Please enter user's old password:
And in other news, OSX is as insecure as it's always been: http://securitytracker.com/archives/underlyingos/1432.html
Could get the 'hash' and the 'salt'. Then you add the pepper, and your goose is cooked.
Holy lion's loins, batman!!! They've gotten to its privates!
Yeah, whatever!!!
Could do all the "Pro-*NIX" FUD spreading around here. 1 that can't handle he made the wrong decision and opted for learning a dying family of Operating Systems is why. After all: If HBGary could figure out how that's done to get "jump on the bandwagon" attempts at "consensus majority opinion" view, so can the FUD spreading trolls on this website or any other.