MacOS High Sierra Bug Allows Login As Root With No Password

An anonymous reader quotes a report from The Register: A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug is triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings. If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen. The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended until you can fix the problem. And while obviously this situation is not the end of the world -- it's certainly far from a remote hole or a disk decryption technique -- it's just really, really sad to see megabucks Apple drop the ball like this. Developer Lemi Orhan Ergan was the first to alert the world to the flaw. The Register notes: "If you have a root account enabled and a password for it set, the black password trick will not work. So, keep the account enabled and set a root password right now..."

Re:Am i missing something here?

By default, there's no root account. Attempting to log in as root with no password multiple times creates a root account with no password.

Why/how though?

[Xuranova]

I can understand if it let you in after hitting enter once, because then it's just ignoring something. If it denies entry the first few times and then lets you in, what do the *nix gurus think is happening after the first few denials to have it change its 'mind?

User chethan177 was actually first to report

https://forums.developer.apple.com/thread/79235

'course, this post may not have been reported directly to security folks. it was something that they should have found while monitoring the beta forums, though.

Re:Can Anyone Here Reproduce This?

[anegg]

I just reproduced it.

I have a MacBook Pro that I upgraded to High Sierra (10.13.1) over Thanksgiving. My login screen is set to only offer the pre-defined user accounts. I logged into a non-privileged account that I keep around for testing purposes. Went to the top-level of the file system; did a "Get Info" on a folder I didn't have access to; asked it to show me "Sharing and Permissions"; clicked the lock icon to unlock them; got a username/password dialog box; entered "root" as the username with a blank password once; the dialog box shook and cleared; entered "root" with a blank password again, and the action completed with the lock unlocked. Now when I go to the login screen, I have an "Other" account showing; if I click "Other" I get a username and password dialog box; if I enter "root" as the username with a blank password Bob's your uncle. Logs right in, shows the username in the upper left of the screen as "System Administrator." The account has root access to the machine.

This is probably exercisable remotely if remote logins are enabled (screen sharing, anyway); I don't think anything I did would not be doable through a remote login (but I have not the means to test at the moment). Seems like there might be some blood on the floor over this one, at least at some organizations. I don't envy sys admins in large academic environments either.

Re:Calling John C. Randolph (jcr)! We need your in

[jcr]

So, I just tried it on a completely fresh install, and I was able to reproduce the bug. No idea why it didn't manifest on any of my existing installations.

I would expect that the relevant teams at Apple will push an update to fix this in a day or two at the most. In the meantime, you can work around this from any administrator account by setting a password on the root account ( open a terminal window, enter "sudo passwd root", and follow the prompts.)

-jcr