Aussie Researcher Cracks OS X Lion Passwords

daria42 writes "Thought your Mac was secure running Apple's latest operating system? Think again. Turns out that in some respects Lion is actually less secure than previous version of Mac OS X, due to some permission-tweaking by Apple that has opened up a way for an attacker to crack your password on your Lion box. The flaw was discovered by an Australian researcher who has previously published a guide to cracking Mac OS X passwords. Sounds like Apple had better get a patch out for this."

Not really cracking the passwords.

He's not really cracking the passwords. He's just found a way to read the hash and salt from each users shadow file without root privileges. It's fairly serious, but the hashes still need to be brute-forced.

Re:Not really cracking the passwords.

for this to work, a particular java app must be installed and run on a website which is run on the Mac OS X computer. .

No, that's just one attack vector suggested in the article to illustrate how this could be abused.

This is all possible, but basically FUD

ANY application which runs with a regular user permission CAN access the hashes for ALL the user passwords on the system.
That's not FUD. Also, the method described is not just possible, that's exactly how many infections occur these days.

Here's the full details.

[Core+Condor]

http://www.techgineering.org/2011/09/22/2489/a-new-exploit-in-os-x-lion-allows-unauthorized-access-to-users-to-change-password/ - A New Exploit in OS X Lion Allows Unauthorized Access To Users to Change Password

Re:Here's the full details.

[spydir31]

Even better is the researchers' own blog post

Not good, but not a panic situation

[Sycraft-fu]

So looking at it, basically what it comes down to is you can effectively get at the shadow file as any user. That does indeed mean you can get the hashes to attempt to crack passwords. This isn't a good situation, and isn't how it should be. On any UNIX you should have to be root to get at the shadow file, on Windows you must be an administrator (and running elevated, if UAC is on) to get at the SAM file.

However, do note that it is just a set of hashes. So you still have to crack the password. So long as the passwords are good, this really doesn't get you anywhere. If you've ever messed with this you find that things quickly get impossible so long as passwords are reasonably long. As such, if you have good passwords, this isn't a huge problem.

That said, I think we'll want to send out a warning to our Mac types today since they seem to think Macs make them immune to security issues and as such are prone to bad passwords. Perhaps this can help convince them to adopt better password standards since, really, that is one of the big keys to good security these days.

Re:Not good, but not a panic situation

[Manip]

The SAM file on Windows is impossible to retrieve while the Windows kernel is running. The kernel has an exclusive read/write lock on the file and any attempt to access it will be denied. It is possible to read an NTFS file-system outside of the OS even while the OS is running but we're talking about deep-file system inspection.

Does sound kind of serious, maybe

[bryan1945]

Here is a bit from TFA-
"This means, according to the researcher, that it might be possible for an attacker to crack a users’ Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible."

It's not exactly a 1-2-3 step action. Also, the article never said he actually cracked any passwords, though he claims-

"Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so. "

Little bit more backup would be a good thing, here.

Re:Extremely Serious

[teridon]

Not only can you retrieve the password for any user on the system but you can also reset their password without having to know what it was.

According to the FTFA, you can only reset passwords for the currently logged in user. It doesn't say anything about resetting other user's passwords:

It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user [emphasis mine]

Still not good, but not nearly as bad as you suggest. Now, all that said, I don't have a Lion system on which to test resetting another using password using dscl. I can only hope it doesn't work.