MacOS High Sierra Bug Allows Login As Root With No Password (theregister.co.uk)
An anonymous reader quotes a report from The Register: A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug is triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings. If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen. The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended until you can fix the problem. And while obviously this situation is not the end of the world -- it's certainly far from a remote hole or a disk decryption technique -- it's just really, really sad to see megabucks Apple drop the ball like this. Developer Lemi Orhan Ergan was the first to alert the world to the flaw. The Register notes: "If you have a root account enabled and a password for it set, the black password trick will not work. So, keep the account enabled and set a root password right now..."
So, logging as root without password works on High Sierra if there's a root account without password?
Tim Cook, please leave. Give us back a decent OS. Give us back good laptops/computers. Go sell shoes back again.
What a joke. Great enterprise level software. But hey, animojis are cool.
John C. Randolph (aka jcr), can you please comment on this issue?
Maybe I'm mistaken, but I've heard that you worked at Apple in the past. I've also seen some of your comments here, and I know you're a man of integrity.
Can you please tell us what's actually going on here? Can you help us distill the facts from the stew of information that's surrounding this issue?
Is it as big of an issue as it's being portrayed as?
If it did happen, what factors do you think contributed to a bug like this being introduced and making it past whatever QA processes Apple has?
What could be done to prevent bugs like this?
We need you to help us understand this matter. Any background and information you could give us would be greatly appreciated.
Thank you, sir.
So now macos is using systemd ?
https://github.com/systemd/systemd/issues/6237
is "courage" to go beyond the heteronormative system of power and privileges. Why would you require privileges in a progressist society where everybody is equal.
USER LIVES MATTERS !
And no, not my SE/30 that runs NetBSD.
My co-workers are trying to reproduce this on their Macs running High Sierra but it just keeps denying them access.
Is there a particular config that's affected?
There is no "enter" key on a macOS (unless you include the fine print on later models - disgusting!). One of the identifying marks of a Dark Side Convert is their use of the phrase "hit enter". Cheers
Set the root password to something long and hard to guess (32 chars of mixed-case alphanumeric should do). Do this by running as an administrator:
sudo passwd -u root
This should do until Apple releases a real fix.
Source
Finding God in a Dog
Please link to a factual article that isn't full of malware ads, clickbait crap, twitter bullshit, or garbage fanboy commentary and actually shows how to fix it. There are plenty out there already - but Slashdot links to a crap brit fag website like the register.
Fucking slashdot editors are such scumbags.
But how did it get onto Linux, running in MAC?
Apple drops the ball constantly. Sometimes they don't pick it back up, either. They routinely leave known, reported bugs in versions of the OS that are still in common use (in fact, they force them to be in common use by not letting some perfectly capable machines, even high end, expensive ones, upgrade to a later OS.) Then there are major screwups like "app nap" they stab us with, and the constant churn of "feature in, feature out" (like displays in the menu bar), abandonment of applications they sold (Aperture), the aforementioned OS abandonment of relatively recent (and certainly still very fast and very functional) computers, the constant annoyance of how they "notify" upgrades (you'll either do the upgrade, or go look at it... those are your two choices. There's no simple "no.") Some incredibly basic amenities still haven't found their way into the OS (like audio mixing and EQing, or even a basic bluetooth profile so your phone can send audio to the computer.)
Sometimes I think they're trying to be annoying.
As for High Sierra, it wasn't ready for the public when they shipped it. I really don't get why a company with that much cash in the bank can't manage to field a decent OS test protocol system (not to mention manage to continue to support hardware that is still very shiny.)
But hey, what do I know. I'm just a lowly developer and user. I'm sure I'm just not... courageous... enough.
I've fallen off your lawn, and I can't get up.
I can understand if it let you in after hitting enter once, because then it's just ignoring something. If it denies entry the first few times and then lets you in, what do the *nix gurus think is happening after the first few denials to have it change its 'mind'?
"There is no real right or wrong, just what the majority accepts at the time."
https://forums.developer.apple.com/thread/79235
'course, this post may not have been reported directly to security folks. it was something that they should have found while monitoring the beta forums, though.
The correct response, as always, is for people to chime in with Mine Works Fine/I've Never Had A Problem posts.
Seems like a pointless thing to show up and say, but tradition is as tradition does.
This isn't an apple-exclusive phenomenon, but they are the masters of it.
I know it's probably a typo, but someone over at The Register is either probably racist or gay.
Boot holding Command-S and you are in single user mode. In the past you could mount the drives and set a password for the root account. Not sure if they have locked it down now.
Linux also has a single user mode. If you can get to the grub command line, add "single" and you'll get there. On some systems it will ask for the root password, but apparently not all.
I have heard that you can do similar things along the lines with disk encryption, also on previous versions.. This "feature" has been around for a while..
My educated guess from 20 years in computer security:
The graphical UI gives up after a few tries, which is reasonable. Unit tests tested that you can login that way and maybe tested that it gives up.
Separately, on the underlying Unix side they may have tested that part well - if you enter a correct password you get in, an incorrect password doesn't get you in.
In Integration testing UI designers made sure it WORKS - you can log in that way. They didn't test crazy shit like entering a million-character password, entering no password over and over, etc. Who would do that anyway? Besides, "garbage in, garbage out", right?
No! "Garbage in, garbage out" is not okay for anything related to security, or really anything connected to the web. Security stuff has to expect garbage input of all kinds - megabytes of input when only a few bytes are expected, passwords with line feeds, empty input, etc. It has to be "garbage in, denied". Which normally means checking for whitelisted sane input first, and denying if the input is anything other than what you expected. Applications exposed on the internet are similar - you have to expect you'll be attacked a thousand times a day.
Therefore it's not enough to test that it works. You have to think about all the ways it could fail, ways it could not work, and test those.
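The testing approach this comment describes, sketched as an added example (not part of the original post and not Apple's code): a toy, read-only password verifier plus a negative-input suite that repeats each garbage input several times and checks that nothing is ever accepted and that failed attempts leave the account store unchanged. The account names, `MAX_LEN`, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 128  # assumed upper bound for usernames and passwords


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store():
    """Constructed sample accounts; 'root' exists but has no password set."""
    salt = os.urandom(16)
    return {
        "alice": {"salt": salt, "hash": _hash("correct horse battery", salt)},
        "root": {"salt": None, "hash": None},  # disabled: nothing may match
    }


def sane(value) -> bool:
    """Allowlist check: non-empty str, bounded length, printable characters only."""
    return (isinstance(value, str) and 0 < len(value) <= MAX_LEN
            and value.isprintable())


def verify(store, username, password) -> bool:
    """Read-only check. Never creates, enables or updates an account."""
    if not (sane(username) and sane(password)):
        return False  # garbage in, denied
    account = store.get(username)
    if account is None or account["hash"] is None:
        return False  # unknown account, or account with no password set
    return hmac.compare_digest(_hash(password, account["salt"]), account["hash"])


GARBAGE = [  # constructed negative inputs
    ("root", ""), ("root", " "), ("root", None), ("", ""),
    ("alice", ""), ("alice", "x" * 1_000_000), ("alice", "pw\nline2"),
    ("alice", "correct horse battery\x00"), ("nobody", "whatever"),
    (None, None), ("root", b"bytes"),
]


def run_negative_suite(store, repeats=5):
    """Try every garbage input `repeats` times.

    Returns (accepted, unchanged): the inputs that were wrongly accepted on
    any attempt, and whether the store is identical to its starting state.
    """
    before = {user: dict(acct) for user, acct in store.items()}
    accepted = []
    for _ in range(repeats):
        for user, pw in GARBAGE:
            if verify(store, user, pw):
                accepted.append((user, pw))
    return accepted, store == before


if __name__ == "__main__":
    accepted, unchanged = run_negative_suite(make_store())
    print("wrongly accepted:", accepted, "| store unchanged:", unchanged)
```

Repeating each input matters here because the behaviour reported in the story only appeared after several attempts; a suite that tries each bad input once would not notice a failure path that changes state.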
I don't know anybody named "root" so I shouldn't have to worry, right?
-Mac fan since 1984
"If you can't log in with your new password after restarting your Mac, take these additional steps:
Restart again, then immediately hold down Command-R or one of the other macOS Recovery key combinations until you see the Apple logo or a spinning globe.
When you see the macOS Utilities window, choose Utilities > Terminal from the menu bar.
In the Terminal window, type resetpassword, then press Return to open the Reset Password assistant pictured above.
Select “My password doesn't work when logging in,” then click Next and follow the onscreen instructions for your user account."
Straight from apple. Anyone with physical access to your mac can get in and muck it up, it's been this way since forever.
It takes a lot of #courage to ship root without a password...
I submitted this a couple hours before it was posted on the front page. Why does it say an anonymous reader posted it? https://slashdot.org/submissio...
Tried it on three different machines, both from admin and non-admin accounts. All running 10.13.2 Beta (17C83a).
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Seriously, any one who knows a bit about unix will enable the root account and set a fairly strong password.
It is only the "It's Apple! It's immune to hacks!! It's got the ultimate security!!!" fanbois who will be affected.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
#flamebait #noobs
so it's not exactly "far from a remote hole or a disk decryption technique" as the post suggests. If Screen Sharing is turned on, it allows remote login; if you have access physically or via Screen Sharing, you can use it to turn off FileVault. So it's potentially both a remote hole AND a disk decryption technique. "sudo passwd -u root" now if you hadn't already reset the root password!
I've tried to reproduce it on three different machines, all on the latest beta, and it's not happening for me. From what I've seen, it doesn't appear to be remotely exploitable, so it's only an issue if an attacker has physical access to your machine.
So, I'd say it's serious but not catastrophic.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
worked for me first try, went into Users & Groups.. hit the lock button, typed in root with no password, it shook like I entered a bad password then it unlocked for me.. High Sierra 10.13.1
Right.
I got my first computer in Feb, 1978 -- TRS-80.
Discuss.
It little behooves the best of us to comment on the rest of us.
Recorded how stupid this bug is: https://youtu.be/pMTPn7Tyrb4
did not enable root and set a hard to guess password?
I mean, come on, a lawyer, designer, doctor, writer or grandma with a mac, I can understand that is actually BETTER for them to have no root account by default. No disrespect, maybe you Lawyer/designer/writer/doctor/gramma are ultra smart in your field (and perhaps many more). And I am sure you know way more about your field than I'll ever be....
But Slashdot has a big proportion of programmers, computer scientists, and EETREs (Electrical/Electronics/Telecoms/Robotics Engineers) readers.
Who of that slashdotian demographic in their right mind did _not_ enable root and set a strong password for it on their mac?
I know I did. As is the first thing I do every time I bring a new mac home.
BTW, for those who did not read TFA, the workaround for the problem is to enable root account and set a strong PWD.
*** Good luck to everyone and have a nice day!
Happens when my nephew goes on vacation over @ Apple - he never lets shit like this happen & he controls ALL the builds of their OS' there (MacOS X + iOS - more on the phone side & that got some alleged 'bugs' too in his absence).
* He should be getting back soon & this will all be fixed, 'lickety split, no shit' I am sure upon his return...
APK
P.S.=> It's a "high-turnover " dept. he works in & you have to know "everything going on" - NOT AN "EASY JOB" & TAKES TIME to "know it all" on it - & when new hires come in, THAT is when you see this type of thing (they're still 'green' on all the dependencies in their "OS forge" there is my guess - I've seen similar things in my career over decades - it happens, & I'd wager his absence + 'noobz' (not dumb - you don't get in there being 'dumb'/unskilled) are the root cause on a guess (educated one)... apk
> Tried it on three different machines, both from admin and non-admin accounts. All running 10.13.2 Beta (17C83a). -jcr
The bug is against 10.13.1, and is notably not in 10.13.2 beta. So of course you can't reproduce it on the beta version: it doesn't exist there.
It DOES exist in the publicly deployed "stable" version. You know, the one that most users are using. People have also confirmed you can exploit it remotely.
Unusual to find out about a security flaw like this, while it's still out in the wild, complete with directions on how to reproduce. Did the person who found this report it to Apple and give them time to correct? Or did they tell him to fuck off?
With it not being in the subsequent beta release and no other previous releases, I'm guessing it's a back door intended for Q/A purposes that was accidentally left in the code.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Who doesn't set a root password on a new computer?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Why the quotes around exploit?
The quotes allow for de-escalation synonym transposition that helps to stabilize the reality distortion field that protects the mac psyche... without it Apple would surely implode.
From what I gather so far, you're missing software freedom. Whether this is creation of an unprivileged account named "root" or granting admin privileges to anyone patient enough to "click on unlock a few times" (as the story intro claims), something is wrong. Are MacOS users still being denied the permission to inspect what's really going on in the source code, fix the problem, and distribute fixed code to others?
In the referenced twitter.com thread, Apple wants to "take a closer look at what's happening together" in an unpublished discussion ("Send us a DM that includes your Mac model along with your macOS version. We'll meet up with you there."). There are plenty of skilled programmers willing to help but without software freedom, this makes Apple look even worse than their lame attempt at seeing the problem which it's entirely possible only they have the privilege to really study, understand, and fix.
Digital Citizen
.....It 'Just works!"
Are you a psychic, man! See his reply below. You are correct, it's the typical apple worshippers' denial; but still; Bang on prediction.
October 1979, spend half an hour trying to figure out how to answer "Memory Size?", as it was (IIRC) not in the instruction manual(s). Went Mac in 1985, after a short side-trip through CoCo land to play with 6809 code.
I smugly know that I'm not vulnerable to this because I normally run 10.9. The highest I have is a Mac Mini that came with 10.12 installed, and once I "jail broke" that one, there was no reason to downgrade. I wish companies would quit trying to "re-imagine" operating systems all the time. And quit trying to make "pro" hardware "thin" (or round) for no good reason.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
My thoughts exactly. It's too perfect... We don't even have root anymore because it's too insecure! Except that it's trivial to create a root account with this one simple trick!
MacOS is still a better UNIX desktop than Linux, but under Tim Cook's watch software quality is dropping fast. Holy shit, the way iMessage in iOS lags when you go to type so all my texts start with white space is pissing me the fuck off. Might have to put a sim in one of these god awful Android devices laying around for development if it gets much worse.
So, I just tried it on a completely fresh install, and I was able to reproduce the bug. No idea why it didn't manifest on any of my existing installations.
I would expect that the relevant teams at Apple will push an update to fix this in a day or two at the most. In the meantime, you can work around this from any administrator account by setting a password on the root account (open a terminal window, enter "sudo passwd root", and follow the prompts).
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
As it turns out, I did just reproduce it on a fresh install that I updated to today's beta.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Clearly you haven't seen the internal names etc in use at Redmond...
> Right. I got my first computer in Feb, 1978 -- TRS-80. Discuss.
"Fuck, you're old."
husshhh, let the sheeple drink their kool-aid. Apple is the best, with best hardware and quality OS. They can't insert backdoor on these iDevices! /s
He doesn't know how to read TFA, and can't produce it on his first run due to being dumb
They are not an enterprise company.
and they will tell you this, ad nauseam...any time you have an issue they can't fix.
I believe the problem here stems from the fact that some time ago, Apple decided it would be a peachy idea, (pun definitely intended) to do away with a root user, and just let the regular user do privileged things by sudo-ing them, locking the high-privilege stuff with the user password. The sad part is that that makes it so they could have the root account HAVE no password. BAD PROGRAMMING, Apple. BAD. SUCKY. PATHETIC.
Also, on another note... COME ON, APPLE! JESUS HOLY M.F.'ing CHRIST! Don't you even test the beta software you're pushing out as if it were production-ready?!? You guys are getting to be as bad as MICROSOFT!!! This is amateurish, Microsoftish crap, shipping something with this big of a hole in it. This is worse than Kryptonite's 'open-with-a-BIC-pen' locks. At least with THEM, you needed to have a BIC PEN!
Just because you don't call it beta does NOT mean it's not beta quality. Or sub-beta quality.
I swear one of these days I'm going to put GNU/LINUX on all my Macs and wash my hands of iMac-OS-X (or whatever they're calling their buggy, un-secure garbage OSes this week,) once and for all!
TIRED of Apple's CRAP! TIRED of it!
Our reign has gone on long enough. Indeed. Summon the meteors.
Discuss. OK. Well, I know that you old timers have trouble keeping up with the lingo "the youth" use these days and all their newfangled technology, but, clearly, this is flamebait and you are trolling. As it turns out, The Oxford English Dictionary places the origin of the term "Troll" in 1990 on Usenet in which veteran users would "Troll for newbies", or "noobs" and yank their chains a bit. So, I think you may have misunderstood my second hashtag (and hashtags in general). One clue was the pluralization of "noobs" - as you would (hypothetically) be a single noob this would not apply to you. Secondly, hashtags go at the end of a twitter post, and this was meant as a comical appendix to your comment, implying it would be you (the self-proclaimed old-timer) calling everyone else "noobs" for responding to your flamebait comment. In this way, I use sarcasm to call out and shame you for your flamebaiting. Clearly, all Operating systems have bugs and always will. Claiming one is better than another is just trying to start a flame-war. Frankly all OSes suck. Just differently.
Late 50s or early 60s ... kids gone, health still good, mortgage paid, new trophy wife, retirement approaching ... best time to be alive!!!
If you have the root account enabled and have set a root password then it will not work. If you have a machine that you aren't using for anything, try doing a fresh install then trying it.
apple deserve to have the eternal piss taken out of them forever and ever.
especially with all of their pretentious wanking over system integrity protection when holes like this are present.
I propose we give this bug a name: Superuser Login Absent Password, or SLAP for short.
But I can just use another OS to access the hard disk. Or is the data on there encrypted?
The private user data too?
.
.
I didn't think so.
Well according to the BBC article (http://www.bbc.com/news/technology-42161823), they've known about this particular oopsie for 2 weeks +. I guess it takes time to figure out how to set a root password, and add the Administrator user to wheel with sudo access.
Curious question: Can this be done via ssh / shell (via sudo or su)? Or is it only via GUI / Cocoa authentication mechanisms?
White versus black passwords?
The fix was just posted.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Details here.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Whistler? Vail? Your attempt at funny needed to include the funny.
Or we could just call it the "I Am Root" bug.