Rixstep

Got Lion? Get OWNED?

10.7 has a massive security hole, says researcher.


CUPERTINO (Rixstep) — There's a reason that seasoned security experts don't play with fire. That seems to be something Apple engineers never learn. Michael Evsteen of New South Wales claims that Apple's password security in 10.7 Lion is wide open for root escalation.

Here's the command line for testing.

$ dscl localhost -passwd /Search/Users/<YOU>

Substitute your account name for '<YOU>' of course.

What's so great about that? Try the ordinary command line passwd first if you don't remember.

$ passwd
Changing password for <YOU>.
Old Password:


So now try this - from your default (admin) account on 10.7 Lion.

$ dscl localhost -passwd /Search/Users/<YOU>

You won't get prompted for your old password. You just set the account password to anything you want just like that. This according to Michael Evsteen.

Now if that is true, then for those a bit slow on the uptake:

  1. Take time to download WTF.app. You've been putting it off - so do it now.
  2. Run WTF.app - or any app starting tomorrow when the black hats and pranksters get ahold of this.
  3. WTF.app starts a rogue background (unseen) process to reset your admin password.
  4. WTF.app's rogue process now escalates to root using the password it just set.

And your Mac is burnt to a crisp.

It remains to be seen whether this affects all 10.7 systems. Tests show it at least does not affect earlier OS X systems.
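From a defender's side, the useful thing to know is whether anyone has been resetting passwords through the dscl path, and in particular whether an account reset a password for a record other than its own. The script below is an added example, not code from Rixstep or from Evsteen: it scans command-audit lines for `dscl ... -passwd <record>` invocations and flags cross-account resets by non-root users. The log line format (`<timestamp> user=<invoker> cmd=<argv>`) and all sample lines are constructed for the example; adapt `LINE_RE` to whatever your own auditing actually records.

```python
import re
from collections import namedtuple

# Constructed sample audit lines (hypothetical format, not a real macOS log).
SAMPLE_LOG = """\
2011-07-22T10:01:03 user=alice cmd=passwd
2011-07-22T10:02:17 user=alice cmd=dscl localhost -passwd /Search/Users/alice
2011-07-22T10:05:44 user=alice cmd=dscl localhost -passwd /Search/Users/admin
2011-07-22T10:06:01 user=bob cmd=dscl localhost -read /Search/Users/bob
2011-07-22T10:07:30 user=root cmd=dscl . -passwd /Users/carol
"""

# One audit line: timestamp, invoking user, and the command line that was run.
LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$')

# dscl <datasource> -passwd <record path> [new password]
# The record path may be /Search/Users/<name> or /Users/<name>; the account
# name is always its last component.
PASSWD_RE = re.compile(r'^dscl\s+\S+\s+-passwd\s+(?P<path>\S+)')

Event = namedtuple('Event', 'ts invoker target')


def parse_line(line):
    """Return an Event for a dscl -passwd invocation, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PASSWD_RE.match(m.group('cmd'))
    if not p:
        return None
    target = p.group('path').rstrip('/').split('/')[-1]
    return Event(m.group('ts'), m.group('user'), target)


def find_passwd_resets(log_text):
    """All dscl -passwd invocations found in the log, in order."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev is not None]


def suspicious_resets(events):
    """Resets where a non-root user set the password of some other account.

    root is excluded because root never needs the old password anyway;
    the bug the article describes is an ordinary account skipping that check.
    """
    return [ev for ev in events
            if ev.invoker != 'root' and ev.invoker != ev.target]


def report(log_text):
    """Human-readable summary; returns the list of suspicious events."""
    events = find_passwd_resets(log_text)
    flagged = suspicious_resets(events)
    for ev in events:
        tag = 'SUSPICIOUS' if ev in flagged else 'ok'
        print(f'{ev.ts} {ev.invoker} -> {ev.target}: {tag}')
    return flagged


if __name__ == '__main__':
    report(SAMPLE_LOG)
```

Run on the constructed sample, the script lists three dscl password resets and flags exactly one: `alice` setting the password on the `admin` record. A self-reset (`alice` on `alice`) and a root-driven reset are reported but not flagged; `passwd` and `dscl -read` lines are ignored entirely.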

PostScript: Brace Yourselves for 'Works as Designed'

Apple may very well pull the old 'behaves correctly' / 'works as designed' on this one if Evsteen's model holds up to scrutiny. The dscl manpage seems to have a promiscuous command line switch for password prompting. dscl will always prompt for a new password first - and then and only then demand an old password if it's needed. Evsteen seems to claim there's no second prompt on 10.7 Lion.

dscl(1)                   BSD General Commands Manual                  dscl(1)

NAME
     dscl -- Directory Service command line utility

SYNOPSIS
     dscl [options] [datasource [command]]

          options:
                -p           prompt for password

'Frankly I'm speechless', writes Sean Collins of CoreITPro. 'I keep telling myself that there must be some mistake, there's something I'm missing.'

'This is bad.'

Update II: Something Missing?

The commenters who can't get Evsteen's claim to work on their Lion boxen now outnumber the others by at least 2 to 1. The claim that inaccessible data is suddenly accessible through 10.7's Directory Services remains.

Update III: '10.7 is Toast? This Sucks!'

Two separate corroborations of the password exploit have arrived. The hack definitely seems to be real. Curiously the most seen comment by those who've heard of it and those who've tested it is 'this sucks'. So err on the side of caution - don't run any new software on Lion. For now.

See Also
Defence in Depth: Cracking OS X Lion Passwords

Copyright © Rixstep. All rights reserved.