macOS High Sierra: Anyone can login as “root” with empty password | Better HN

macOS High Sierra: Anyone can login as “root” with empty password | Better HN

1056 comments

abritishguy8y ago

Just in case it is relevant for anyone here this is what our security team have established thus far:

- Can be mitigated by enabling the root user with a strong password

- Can be detected with `osquery` using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;";`

- You can see what time the root account was enabled using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" WHERE key = "accountPolicyData";` then base 64 decoding that into a file and then running `plutil -convert xml1` and looking at the `passwordLastSetTime` field.

Note: osquery needs to be running with `sudo` but if you have it deployed across a fleet of macs as a daemon then it will be running with `sudo` anyway.

RJIb8RBYxzAMX9u8y ago

osquery is not a built-in tool. You can get the same info with plutil(1):

  $ sudo plutil -p /private/var/db/dslocal/nodes/Default/users/root.plist

If I understand OP correctly, if passwd is a lone asterisk, then you haven't been exploited.

Edit: trying a little harder to dump accountPolicyData:

  $ sudo defaults read /private/var/db/dslocal/nodes/Default/users/root.plist accountPolicyData | grep -oE '[[:xdigit:]]+' | xxd -r -p

nothrabannosir8y ago

Wait, isn't the point of having root you can erase your traces? Are these logs immutable, even to root? That sounds pretty next level.. and how do I trust the tools?

As far as I know, possibility of root = root = pwn, game over, time to format.

> Can be mitigated by enabling the root user with a strong password

Instructions from Apple: https://support.apple.com/en-us/HT204012

You can also get the password last set time with:

    sudo dscl . -readpl "/Users/dan.koepke" accountPolicyData passwordLastSetTime

Excellent! Thanks for sharing

krock8y ago

apple have a security update out now: https://support.apple.com/en-au/HT208315

teddyh8y ago

I see a lot of comments here wondering why Apple seems to not care about software quality anymore. I don’t know if that’s true, but there’s a perfectly obvious answer: They don’t have to.

Software quality in macOS was important back when they were trying to get people to switch from Windows-based PCs to Macs. Nowadays, most people who were going to switch have already switched, so Apple has no incentive to keep up the same level of software quality anymore. They just have to keep people locked into their ecosystem (with iPhone etc.) enough that the barrier to switch out again is high enough.

There is no reason for Apple to improve macOS, since doing so won’t make anyone switch to Macs who hasn’t already switched, and not improving macOS won’t make anyone upset enough to switch back. Ergo, Apple leaves macOS to stagnate, and they will keep macOS at this bad-but-not-horrible-enough-to-switch level for the foreseeable future.

That’s my theory, anyway.

angrygoat8y ago

These days, where is the lock-in?

The core applications that I use (Firefox, Docker, VSCode, vim, ...) all work just as well on Linux, MacOS and Windows.

I have a Mac, because it's (at least previously) been pretty secure by default, doesn't require me to invest a lot of time sysadmining my own box, and lets me dip into a healthy ecosystem of commercial software useful to my hobbies (like photography.)

The software has definitely declined in quality, but not enough to massively annoy me.

If there is lock-in, it's on the hardware side. I've got an early 2013 MBP, still going strong, a bit dented but it's been around the world with me a few times, so that's understandable.

My workplace uses Dell XPS hardware, and that's good, but it still doesn't feel as solid to me. It's good, but it's not as good.

I think the hardware is the laurel Apple has really been resting on.

I could meet my main use cases on Linux quite happily, and dual-boot Windows for the rest. Right now the premium on Mac hardware, which only happily runs an increasingly decrepit operating system, isn't looking worth it. Previously, it was.

14 more replies

While your theory is interesting, if deeply cynical, the thing I find most interesting is that it's the top comment on an 800+ comment discussion when it was less than a minute old. Do new comments start at the top? I've never noticed that before.

Edit: By the way, regarding the vulnerability, ANY password you use when you first attempt to login as root BECOMES root's new password. (Blank is a red herring.)

So if you're going to test this, maybe use something non-obvious. In a terminal, setting a strong password for root with "sudo passwd" is the quickest mitigation.

Ill-advised, but in a pinch, you can apparently 'secure' a machine you don't otherwise have access to by attempting to log in as root with a long random password you fail to remember. An admin on that machine can later change root's password with a "sudo passwd".

Also, it appears the "dseneableroot -d" command suggested elsewhere here fails in preventing root login.

zelos8y ago

I really hope that's not true and this is just some extended blip.

That said, between this, the disk encryption bug, not being able to type "I" on an iphone you have to wonder what is going on. I recently upgrade my MacBook Pro to High Sierra and it's been plagued with problems (Weird red flash when displaying menus, hangs/crashes with external monitors etc.)

Then I look at switching away, and I lose all the OSX software I own, all the easy iOS integration, all those Pages documents etc.

Maybe I just need to build a cheap but upgradable Linux box and start trying to switch.

yoz-y8y ago

Maybe. But this particular bug happened precisely because Apple has changed _something_ in macOS. Also this something was probably quite profound since it has impacted a part of software that, at least from the outside, haven't changed much since a long time.

A lot of macOS users would actually prefer Apple to do less with it than what they are currently doing.

nathanvanfleet8y ago

I kind of love how you frame it as "everyone who has switched has switched" as if the job is done. As if there would be no market to capture. Which isn't true. And doesn't even consider the reality that there are young computer buyers who they need to capture because existing users don't buy new machines or won't last in the long run (people die).

klmr8y ago

> not improving macOS won’t make anyone upset enough to switch back

I’m not so sure about this — although it may be due more to the hardware side of their business: after the recent, disappointing iteration of their MacBook Pros I’ve heard a lot of people considering to switch (and actually switching).

Taken together with software quality issues, I wouldn’t be surprised if at least a subgroup of users are leaving Apple gradually. That subgroup being professional users, of course: Apple is still unassailed as a status symbol, and casual (+ mobile) users seem more than happy.

cmrdporcupine8y ago

I think it's more that desktop machines make them a fraction of the money that their iOS devices do. Development goes towards the profit centre.

Remember that back when Apple made only computers, right before the iPod, they were on the verge of bankruptcy and barely profitable.

Since then their laptops have taken off, of course, and I have no idea how much money they make off them. But compared to the huge torrent of cash Apple makes off iPhones I can't imagine the beancounters see a huge amount of value in investing heavily in the parts of OS X that aren't shared with iOS.

elysian_eunoia8y ago

Whether or not most potential apple users have already switched, security is surely vital to keeping their customers with them.

Much like the importance of feeling safe in our own house, if the computer that houses our information suddenly makes us feel unsafe or exposed, we'll naturally seek other options unless the issue is, shall I say, swiftly fixed or easily fixable.

reubenswartz8y ago

Not to excuse the bug, but I think it has more to do with the annual upgrade cycle for the iPhone. Everything else Apple does has to tie into this, which is a pretty tight cycle for an OS with new "regular" OS features, plus the integrations with iOS.

They can't afford to wait 2 years (or whatever) to update the phones, and Mac OS gets pulled along for the ride.

toadkicker8y ago

Their QA department has been in a downward spiral since 2014. I would love to name some people who were doing a fantastic job running the place until then, but I'll spare the embarrassment. This really isn't about some mega company not caring as much as one of their cornerstone departments being unable to function effectively.

martijn_himself8y ago

I really don't think that to be the case. Quality on OS X was a priority in its own right and fundamental to everything at Apple, not just a by-product of a strategy to get people to move from Windows.

Of course all that changed when its only priority became to shift more iPhones, and everything became secondary to that.

ryanmclovin8y ago

Surely they havent used up the pool of people that might/want switch to macOS. How can anyone make even such statement?

I do see people switching to Linux for this reason, Apple the new MS, Ubuntu the new Apple?

While I think there's a chance you might be right, I don't think it's logical in the long run. I think changes in perception like this are accumulated over time and will in the end hurt the product.

For some examples, look at the impression of Microsoft and Windows when it comes to quality. It is only now starting to improve, with gigantic efforts from Microsofts side. Another example is Linux and usability, which have constantly gotten better (maybe still not good enough, but that's better left for another thread) but still many see Linux as "advanced" and only for power users. These are not perfect examples, of course.

What I mean is that I think it's bad strategy on Apple's part (if they're doing this deliberately), especially considering the resources they have at their hands. I wouldn't be surprised if Apple could increase it's desktop market share further by positioning themselves as high quality. However, it's a reputation they are losing fast.

_sdegutis8y ago

But customer retention is still important.

I've heard of a lot of people switching away from Macs to Linux and Windows, especially with Windows building up their own official Linux subsystem now.

PC hardware is cheaper than Apple's, and hardware (even the "good stuff") becomes obsolete after 5 years anyway. Besides, most software is cross platform these days.

The only real good retention plan Apple has is that we can't release iOS apps without owning Apple hardware; there's a few Mac-specific software titles that certain professionals rely on; and a little bit of "it's overall higher quality than PCs" mindshare that some people still have either from the 80s and early 2000s, but that can't last long if Apple keeps this up.

SZJX8y ago

Nah. At this rate people will simply abandon the ship sooner or later. There's definitely some deterioration going on instead of only a cynical strategy shift.

The new MBP isn't attractive anymore. The software stagnates. The only reason I keep using Mac for usual use cases is just its wonderful collection of dictionaries (I like to constantly learn new languages). I wonder why no publisher ever bothered coming up with a decent dictionary software on Windows/Linux yet instead of making do with crappy online versions. If they did I'd happily just use a Windows + Linux dual boot machine.

juanmirocks8y ago

Surely they should care about the security of their _own_ developers, who surely program in macOS. I believe we are being too harsh on Apple unnecessarily.

hellofunk8y ago

> There is no reason for Apple to improve macOS, since doing so won’t make anyone switch to Macs who hasn’t already switched, and not improving macOS won’t make anyone upset enough to switch back.

I wouldn't be so sure about that. There are a lot of "about to switch" people out there, in both directions, who are just waiting for either the extra nudge or the extra reason to not switch.

frik8y ago

It reminds me of the Windows 95/98 login.

At the logon screen, just pressing ESC got you to the desktop.

Video: https://www.youtube.com/watch?v=CAH2j9mRgUM

_ea1k8y ago

Saying that you only care about existing users via lockin and don't expect switchers is a sure path to doom in the long run. Surely that cannot really be it.

Incompetence seems to be a more likely fit here than that.

fergie8y ago

There are probably a lot of people like me on HN who _need_ a unix box to do their work, and the various Macs are still far and away the best general purpose unix boxes available (best chassis, best peripheral compatibility, best (o|O)ffice software compatibility).

Now that Google Docs and Office 365 are "good enough" for most things, I would probably be happy to go back to Linux if there was a Linux machine that had comparable build quality yet was a bit cheaper than a Mac.

dtf8y ago

Amazingly, this was disclosed offhand on the Apple developer forums, two weeks ago (see final comment by chethan177):

https://forums.developer.apple.com/thread/79235

(spotted by https://twitter.com/fristle/status/935670476214378496)

chmars8y ago

… as a _workaround_ for an administrator account-related bug.

I should have known that updating to a new MacOS versions before 6 to 9 months have passed is a mistake. High Sierra is in my experience the buggiest MacOS release so far, not only security-wise. The system is not very stable and APFS reduced drive performance … :(

galobtter8y ago

"If you're able to log in (hurray, you're the admin now)" Personally not very hurray

dvhh8y ago

So not so much a 0day vulnerability anymore (+ 13 days ) ?

That’s absolutely terrible. Does Apple not monitor those forums at all?

raydev8y ago

I've been a developer for a long time. I understand bugs happen, even bugs with terrible consequences. A lot of bugs seem understandable, like I can see the chain of ifs/thens required to end up at some hilarious broken state.

But I'm breaking my brain trying to figure out how in the hell a login attempt for "root" will enable it if it's disabled. Why is this is a possibility, to just enable root, no questions asked?

Seems to be something related to a backwards-compatibility code path for upgraded systems. According to multiple posts on this thread it only affects systems upgraded to High Sierra, not fresh installs. See https://news.ycombinator.com/item?id=15802622 for example. Adding extra layers for compatibility complicates testing and debugging. With this many eyes on it hopefully someone will be able to deduce exactly what's going on.

zach438y ago

Maybe something like this was added to make debugging/testing of the OS easier? maybe they just forgot to remove it before shipping the new macOS

dec0dedab0de8y ago

I'm having a hard time understanding how this could happen too.

It would have to be that looking up the root account enabled it, maybe users go dormant or something, and this was a way to readd them? then once it was enabled it defaulted to a blank password, but you would think that it needs sudo to enable root in the first place.

kobayashi8y ago

This seems to be why: https://objective-see.com/blog/blog_0x24.html

e12e8y ago

I'm reminded of: "Solaris Telnet 0-day vulnerability", 2007: https://m.slashdot.org/story/80056

But this does indeed seem to be an extra level of user-friendly stupid.

martin-adams8y ago

Like an illusionist hiding the truth, this bug too will have a logical explanation that will leave us in wonder for as long as we aren't told how it happened.

emmelaich8y ago

Identity management is complex and boring.

Apples user management is even more complex than most Unixes.

x0x08y ago

OSX user management is weird. At least on prev versions, they don't show a root account in the Users & Groups ui.

A guess: there's a code path in the UI that is only tested on "mac" accounts, not the root account that the system requires to exist. Something about the non-macness of the root account interacts badly with the UI that expects to be run on a mac users account.

Another user suggested it may have to do with Apple’s new file system: https://news.ycombinator.com/item?id=15801643

migueh8y ago

Exactly, how can this happens and no one asks.

I hope a judge will order Apple to make all source code of macOS to be readable by everyone. This does not necessarily mean open source: you will not be allowed to modify and re-release it.

jcoby8y ago

Be careful testing this! It appears that you're creating a "root" superuser with no password. Be sure to clean up that user afterwords.

https://twitter.com/a_hailes/status/935601901839806464

rwc8y ago

It's worse than that. You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user.

psychometry8y ago

You're not creating it, but rather enabling it. When the bug is triggered, the root user is enabled (per Directory Utility).

This support article explains how to disable the root user: https://support.apple.com/en-us/HT204012

thought_alarm8y ago

Until this is fixed it's probably better to use Directory Utility to enable root with a strong password.

/System/Library/CoreServices/Applications/Directory Utility.app

Edit > Change Root Password

mschuster918y ago

The "root" superuser is always there, I'm not sure if it's possible to actually delete it.

ringaroundthetx8y ago

oh my god

_gjrn8y ago

Apple uses the slogan for High Sierra: "Your Mac. Elevated."

Kind of ironic that you can easily get elevated privileges with it.

Can this be used remotely? Edit: Yes, after turning on Remote Management on my second mac I was able to log into it using Remote Desktop, account root and no pw. It only works after getting physical access once.

swozey8y ago

Yes, I just had a coworker test it after I enabled remote management and they used screensharing.app. I didn't even get notified a user remoted in.. never used screen share, that seems awful. Had to look over and ask if he was in.

edit: I should say, I did test this locally first so I don't know if a fresh machine that hasn't done it will do the same thing and let a remote account enable root.. Would like to hear if anyone tested it remotely WITHOUT doing it locally first.

CGamesPlay8y ago

You can get undetectble remote access on most machines given "physical access once", so I don't think this qualifies as "remotely exploitable".

pilif8y ago

It only works after getting physical access once to enable the root user by gibing any password UI the root user with no password (which will enable the local root account, which is also why it fails the first time around)

I tested this by logging in as root at a preference pane then attempting to connect via ssh and screen sharing (both enabled) using root with no password. It did not work.

Not sure if you'd get different results after logging in as root at the login screen...

rcruzeiro8y ago

Been wondering that myself since it seems that this also happens with the login screen.

runesoerensen8y ago

"Perhaps nobody noticed two weeks ago when the root login vulnerability in macOS High Sierra was shared as a helpful tip on Apple’s own Developer forums. https://forums.developer.apple.com/thread/79235 "

https://twitter.com/fristle/status/935670476214378496

tomduncalf8y ago

I wonder what is going on with software quality and testing at Apple. It feels like recently there have been quite a few issues like this (the FileVault password bug, numerous issues with iOS 11, the issue that totally broke iOS Safari a couple of years ago) which should have been fairly easily caught, especially given the limited range of devices their software runs on.

I know testing is hard, but a company with Apple’s resources shouldn’t be making slip ups like this. It suggests some real issues such as lack of unit/automated tests and/or sufficient release testing, which pretty urgently need addressing.

Anyone got any inside scoop?

bangonkeyboard8y ago

macOS and iOS updates at Apple are now inextricably tied to new iPhone releases. There is a strict yearly deadline that the teams sprint toward, a timeline imposed by marketing rather than readiness. This affects prioritization of which features are pursued, where they lie in the stack, and how polished they get.

Insufficient testing at today's Apple is not limited to software. They bragged about their extensive input testing lab [0] when the new line of Magic accessories was released, but the Magic Keyboard with Numeric Keypad launched last summer had all of its inventory pulled from the channel last month because users discovered that the model was so thin that its midsection bowed over time.

[0]: https://medium.com/backchannel/what-i-saw-inside-apple-s-top...

Take this for the anecdata that it is. I interviewed at Apple, referred by old Microsoft friends that worked there. As I was trying to get a feel for things before the interview, I asked about the software testing. I was told, "don't expect what you're used to at Microsoft". The reference there is from when Microsoft often had more testers on a team than devs (ah, the good ol' days). The summary of what I was told by friends, and the questions I asked during the interview, is that testers at Apple aren't the testers that Microsoft used to have. Microsoft had testers working in MS Research, researching ways to better test software. Apple, from the impressions I got, is doing good to have testers than can write "hello, world". This was from the app side of things, not OS; I don't know if it's any different on the OS side.

But since I don't work there, I have no good inside info. But just from gut feel, I don't think my anecdata is too far off the mark. Based just on the bugs made public, I just don't get the impression that there are testers at Apple whose sole reason for being there is to tear into a piece of software and break it. There was a bug a few weeks ago posted to HN that I commented on. I don't have a link without digging through my comments, but it was something along the lines of "how could a tester not find this in five minutes of exploratory testing?" This bug is similar. It would take more than five minutes, but were this my area to test I'd pick at it once in a while when I had a few minutes. As I pick at it, I wouldn't expect to find anything, but I've got a minute between builds, so instead of randomly clicking Facebook I'll randomly click this dialog. What did the dev forget? What weird state was not accounted for? Some kind of state overflow if I click the button enough times? Shove some Unicode in there, that didn't find anything; meh, maybe I ought to move o...hey, wait a minute. Did that thing just log me in as root?

But my gut says that Apple doesn't employ a lot of testers like that.

zaidf8y ago

Unrelated to Mac OS but I used to wonder all the time why iTunes connect was so shoddy. I got my answer when I learned Apple had outsourced a ton of backend work including iTunes Connect, App Store backend to Infosys in India.

They’re now retreating from that strategy: https://factordaily.com/apple-to-pull-back-development-work-...

2trill2spill8y ago

It seems apple's software has been trending down in quality since Snow Leopard.

wonderous8y ago

Apple has always had QA issues, the difference now is that they’re increasingly tested by the users, hackers, etc.

spamizbad8y ago

The loss of people like Avie Tevanian and Bertrand Serlet took its toll.

Are there any "(tech) household name" engineers doing system-level work on iOS/macOS these days? It seems like Google and Facebook have a slew of them.

adamio8y ago

Repressive collusion to fix salaries and restrict industry movement, doesn't really inspire your employees to try their best

mholt8y ago

> Anyone got any inside scoop?

I have a feeling that anyone who does would get fired for commenting here about it.

cm21878y ago

iTunes had QA problems for more than 10 years, only the early versions were really solid. I am not sure that it is a recent problem.

socalnate18y ago

A [?] don't know what you are talking about.

rogaha8y ago

I've experienced lots of issues wiht IOS and High Sierra as well. Apple definitely reduced their software quality since IOS 11.

k3a8y ago

And seeing this I am wondering why people still trust closed-source software. My long term dream is using 100% free software on a HW with minimum binary blobs.

umanwizard8y ago

Anecdotal but I started noticing a decline in quality after Steve Jobs died.

thesephist8y ago

Encouraging users to "try it" is dangerous here. Recreating the bug enables root user across the system, and most users won't know how to disable it.

TechCrunch, if you're reading this... please discourage people from reproducing the bug.

hw8y ago

There’s no need to do this yourself to verify it. Doing so creates a “root” account that others may be able to take advantage of if you don’t disable it.

That should be much higher up in the article.

CrendKing8y ago

This bug exists regardless of user reproducing it or not. If there is anything good, reproducing it actually brings awareness to the user (make them change the password maybe). Hacker will "enable" the root user anyway.

What should be done is that Apple releases fix to this problem.

thomastjeffery8y ago

It can already be activated remotely:

https://gfycat.com/gifs/detail/sentimentalnaiveantelopegroun...

devindotcom8y ago

I was wondering about that. I'm going to change this.

Yes, but the most secure thing to do at this point _is_ to recreate the bug and then set a password for the root user.

Otherwise the hole is still there for others to exploit.

Can you talk about how to correctly disable the root account if someone did try it?

AdamJacobMuller8y ago

Enables root access in what way?

TonnyGaric8y ago

Apple released the following statement regarding this bug:

"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section."

sanbor8y ago

Thank you! I was looking for a workaround to avoid leaving my system vulnerable until the patch lands in App Store.

_jomo8y ago

Current workaround / fix:

1) open Directory Utility app (via Spotlight or other) 2) Click lock to make changes, log in with admin account 2) Click Edit -> Enable Root User 3) Click Edit -> Change Root Password… 4) Set a password 5) Do NOT disable root user!

If you disable the root user, the admin prompt will create it again with an empty password.

saagarjha8y ago

Once the fix for this issue is out, you should disable the root user.

Shank8y ago

With user switching enabled as a username + password combo, I was able to login to the root account from the login screen with no password on 10.13.1. It's not just a UI bug, it's a full on authentication bypass.

coreymayo8y ago

I'm able to do this as well, login as root with no password from the login screen.

quicklime8y ago

Anyone else think it was a bad idea to disclose this so publicly over Twitter? I thought that the usual practice was to let the development team know first.

SAI_Peregrinus8y ago

Letting the development team know first is nice to the development team, but not so nice to the users (especially not-nice if there's a workaround, which there is in this case.)

My personal policy: If there's a workaround or mitigation, then full disclosure is more responsible. If there isn't then report to developers and CERT or similar. Never report only to developers, always have a deadline for full disclosure, and always have a third-party (CERT, Project Zero, etc) to disclose if you come under legal fire.

5ilv3r8y ago

Time and time again we have been shown that the way to a company's heart is through it's PR department. This is a dev complaining to Apple like a lunchgoer would complain to Mc D's about a bad burger. Expect more of it.

Quarrelsome8y ago

its such a braindead problem that its plausible that the person who disclosed it over twitter didn't know what responsible disclosure is. Usually exploits are hard to exploit meaning that those who find them likely know of responsible disclosure. In this case though anyone who has ever installed Linux is capable of stumbling upon this.

If the vulnerability required scripting or special tools to be written, yes, it should be disclosed in private. But anyone can happen upon this, and I imagine the reaction for most is "Huh! That's funny! My friends and followers would get a kick out of this!" He was just being social about a problem he found with his new computer, which is something most people would do upon finding a something you can laugh about.

Nah, Apple really needs to realize that they need to step up their game. This might hurt some users, but it sets a much needed fire under Apple's ass.

ianmcgowan8y ago

Confirming this works, both from preferences, as well as from the main login screen

It seems like root has no password by default. Setting one is enough to close the hole. This is unbelievable!

Curious to see what's in /var/db/dslocal/nodes/Default/users/root.plist before trying this.

These are the contents of the file, after converting them from binary plist to plain xml: https://gist.github.com/shoghicp/2b529b54b9d70daf192b68e3564...

Looks like changing root’s password blocks the exploit but if you disable the root user, it re-enables the exploit.

Protect yourself by changing root’s password: ⌘ (Command) + Space, Directory Utility, click the lock and enter your password, Edit -> Change Root Password…, then do NOT disable Root User.

Or open a terminal and do:

    sudo passwd

AdamJacobMuller8y ago

> click the lock and enter your password

or just enter root with no password

davidkclark8y ago

Disabling the root user again with

  dsenableroot -d

does not re-enable the exploit

thomastjeffery8y ago

    sudo passwd

Does that change the password for the current user without authentication, or does it change the password for root without authentication?

I think it would be best to recommend an unambiguous

    sudo passwd root

sizzzzlerz8y ago

Fortunately, I'm OK. The latest OS upgrade failed to install and bricked my computer so that no one could log in, let alone root. I was able to restore it using Time Machine but I don't think I'll go through that exercise again for a while yet.

Piskvorrr8y ago

That probably takes some major doublethink: convincing yourself that a bricked machine is less broken than a vulnerable one.

you might be able to fix that. I had that too, had to manually update the preboot. Details are somewhere in here https://forums.developer.apple.com/thread/80174

dailyvijeos8y ago

Apple along with a decline in product utility, reliability and quality, their software has been getting buggier every year post-Jobs. The QA people should be fired and replaced with a team whom insists on perfection. Otherwise, these embarrassing incidents will repeat, errode their brand and encourage customers to seek other platforms.

2trill2spill8y ago

Apple has a serious software quality problem. Last night I was helping a friend with their computer. Safari couldn't even render apples website correctly. Nor could Safari connect to any site with HTTPS. Installed FireFox and HTTPS sites worked and apples's site renders. But the submit button on their developer site is broken[1]. Mail on my Mom's fully updated laptop crashes every time it's opened. Once I reported a bug in ptrace like 4 years ago and no response yet. Also the archive utility fails often to extract tar files that the tar command has no problem extracting at all. Quicktime can't play most videos, etc, etc. And now shipping an operating system with a root account with no password by default.

Come on Apple you have a quarter trillion dollars in the bank why don't you spend some on improving your software.

[1]: https://forums.developer.apple.com/thread/60763

> Safari couldn't even render apples website correctly. Nor could Safari connect to any site with HTTPS.

Sounds like something's wrong with your friend's computer, because neither of those issues are reasonable to expect no matter what your opinion of Apple's software is.

> But the submit button on their developer site is broken

Given the number of people who've successfully gone through that form, I'm willing to bet it's a content blocker extension that's blocking some dependency the form needs.

> And now shipping an operating system with a root account with no password by default.

The OS actually ships with root disabled. The bug isn't that there's no password (after all, a factory-set password isn't any more secure), the bug is that the login form is somehow re-enabling the root user when it's not supposed to be able to do so.

markdog128y ago

Paid $3,000 for an iMac. Can't even watch any video or have the kids FaceTime their grandparents because video freezes constantly. Rebooting fixes it...for 2 minutes.

minusSeven8y ago

Its not just Apple though. Microsoft had the similar problems in the past. Edge did not support silverlight causing people to move to other browser. It was strange to see Microsoft's own software not supported by Microsoft.

Seems as though this tweet is not the first time it came up in public. Nov 13, 2017 12:48 PM

https://forums.developer.apple.com/thread/79235

Screenshot. http://oi67.tinypic.com/2h6embp.jpg

mygo8y ago

My computer automatically downloaded high sierra without me wanting it to. Whether I was tricked into clicking something I don’t know. And then I heard about the disk utility password bug and decided I should wait a while before installing this OS— it seems as though Apple wants me to do their QA for them. And now I hear about this. And I see that dumb ugly notch on the iPhone X (seriously who approved that design decision?). And the 2015 MacBook Pro is more pro than the 2016 model? Apple is officially a tribute band, riding on the fame of its previous self. And I say this as someone who owns a MacBook Pro, MacBook Air, iPad Pro, iPhone, and Apple Watch. This comes from a place of love. You’re trendy now, but don’t you forget that trendy people will leave you for the next shiny thing in an instant. Please fire everyone who is just there to milk the profits, actually put some focus back into QA, and remember who your base was.

milesokeefe8y ago

Have you used an iPhone X? The notch actually makes a lot of sense once you've used the gestures associated with it, same with how it integrates into apps. I'll agree that they've made a lot of mistakes in their product lines recently but the iPhone X was not one of them.

Well, sparing software. I've had intermittent phantom screen input using the latest betas on the X, making it infuriatingly unusable at times.

nathancahill8y ago

Fix this by setting a password for root (or disable).

Instructions here: https://support.apple.com/en-us/HT204012

Doesn't help to disable it, you have to change the password. UPDATE: if you disable the account after setting a password, a login without a password is possible again ..

buryat8y ago

AWS ReInvent 2017 is going right now in Las Vegas, the number of attendees is about 40000, and I'm wondering how many laptops can be attacked using this technique. The `root` user stays in the system, so one just need to create it and open SSH quickly, and later they can do whatever they please.

joshuaturner8y ago

This reminds me of the jailbreaking scene a few years back. I was at an event centered around jailbreaking, and you were able to ssh into 80% of users iOS devices by using the default root password, alpine.

Washuu8y ago

Unlikely any AWS imaged employee MacBooks at least. AWS IT back in the beginning of October forbade employees to not upgrade to High Sierra.

I really hope there's an extra zero in your 40000.

For those who can't make it happen, it requires that the root account is disabled, which is the default. If you already enabled the root account for some other reason (which apparently I had on one of my Macs, although I don't know why) then that prevents it from working.

It seems like the best mitigation for the moment might be to enable the root user and set a password for it.

Once you disable the root account you can log in without a password again :/

This is comical at this point. I have no idea how such vulnerable software makes it to production.

It is really ironic that a company, making billions of dollars and branding itself as the leaders of quality, stability and so on, to have this kind of vulnerability.

I have truly lost faith in Apple.

Agreed.

iOS 11 was the tipping point for me (can't delete photos using trash icon, wrong orientation when unlocking phone, random lag/freezes etc).

Apple just doesn't care any more.

rimliu8y ago

   > and branding itself as the leaders of quality, stability
   > and so on

The days of Mac vs. PC guy are long over. Apple usualy compares their products only to their other products now (best iPhone ever, not best smartphone ever, etc.) Alas if you look around such vulnerable software makes it to production now and again, there is nothing new. Hindsight is 20/20.

i am not saying something like this will always happen, but it can happen. No matter what kind of testing and QA you employ (and i bet it's gigantic in Apples case), not having critical bugs in something as complex as an OS every few years is kind of impossible.

Should it happen ? Obviously not. But even popular open source software used by millions and developed by hundreds is not free of issues like this, like Heartbleed showed.

ag_478y ago

FWIW, as a mostly Android user, the latest Oreo update was pretty terrible as well. Its all about adding new "features" just for new features sake isnt it.

myth_buster8y ago

Is social media the goto for reporting security vulnerabilities in 2017?

If I remember correctly, one is supposed to make it public once patched or in event of no response, no?

Edit: What is "Responsible Disclosure"[0]?

[0] https://en.wikipedia.org/wiki/Responsible_disclosure

Someone notices that they can log in as root with no password. In 2017, reflexively tweeting about it seems pretty unsurprising.

donatj8y ago

I think the difference is if the problem is discovered by Joe Schmoe or a security researcher.

FireBeyond8y ago

Where is Joe Random's obligation to responsibly disclose?

To whom does he owe that obligation? Apple? The public? Both? Why?

cotillion8y ago

This is one of those cases where responsible disclosure just means you're doing the job one of apples automated tests should be doing.

Full disclosure is also a form of responsible disclosure.

DonHopkins8y ago

Twitter's also the goto for banning trans people from military service, attacking freedom of the press, threatening to declare nuclear war, and all kinds of other things too.

There have been some really horrible bugs at Apple lately. I'm still waiting on them to patch the camera bug in iOS 11 where if you try to use the camera in a web app pinned to the home screen, it shows the camera UI on a black screen. This dates back to June. How can it be that hard to patch such a glaring and embarrassing problem?

milesokeefe8y ago

How many people are using the camera in pinned web apps? What's the app you use? I'd imagine most camera-related functions are already best served by native apps.

zaro8y ago

Wow. This is fun. I remember my Windows98 had the same feature. You just use Administrator with empty password and you're in. Apple is finally catching up.

ksk8y ago

AFAIK, its not really a security bug. Windows 98 didn't really have any concept of user security. With the default install you could always cancel out of the login dialog and use the guest account. Every account was an 'administrator'. The user name / pwd was mainly to store the OS customization settings like UI colors and such.

I believe hitting "cancel" was enough. https://www.youtube.com/watch?v=DE5PRW-AR7Q

Also reminds me of https://youtu.be/BVL8_ne4WZo?t=19s

pkaye8y ago

Did Windows98 even have administrator role? I mean FAT file systems don't even have file ownership right?

romanovcode8y ago

Exactly my thoughts. I remember this, I think even early versions of WinXP had this feature.

yread8y ago

it was a feature not a bug. something related to not DoSing yourself by forgetting your password /s

thought_alarm8y ago

This will be a fun fix.

They'll not only have to patch the vulnerability but they'll also have to disable all of the root accounts that were inadvertently enabled. What a mess.

perfectstorm8y ago

What's going on with Apple's QA team ? Here's another serious bug that I came across:

I've two factor authentication on my Apple account and now every time I use a new browser (or after clearing the Cache) and try to log into one of the Apple developer sites it sends me the authentication code to the same machine that I'm using. How is that two factor ?

I've an iPhone which is connected to the same account but it's not my primary phone so it's most likely not ON when I do this. I guess Apple tries to send the code to my phone and when it fails sends to the next online device which happens to be the same machine I'm using to log in. So all I have to do is click Allow and enter the 6 digit code which is displayed in a different app.

rgrove8y ago

> I've two factor authentication on my Apple account and now every time I use a new browser (or after clearing the Cache) and try to log into one of the Apple developer sites it sends me the authentication code to the same machine that I'm using. How is that two factor?

Your password is something you know. Your computer (which is associated with your Apple ID) is something you have.

If someone tries to log in using your password from another computer, your account is safe. If someone steals your computer but doesn't know your password, your account is safe. You're only in trouble if someone steals your computer _and_ knows your password.

dyavuz8y ago

In the meantime, if you'd like to protect your mac, you can set a password for root by going to:

System Preferences > Users & Groups > Login Options > Join > Open Directory Utility > Edit > Change Root Password

cyberferret8y ago

Standalone iMac here - the 'Join' button is disabled. So is this vulnerability only for Macs on a network?

EDIT: My bad - editing was locked on that screen. Got it now...

EDIT2: Root user is disabled on mine. Is that enough, given that this bug seems to create a new root user each time? Should I enable root user and set a password rather than leave it disabled?

Alternatively, there's `sudo passwd`.

mcintyre19948y ago

I'm sure many of us can often see how some kinds of bugs managed to slip through testing/QA, but this is crazy to me given it works on the login screen if it's happening for everyone on whatever version: is "user cannot log in as root when root account is disabled" not a test case? That seems.. insane?

Xeoncross8y ago

There are thousands of ways you could test this. Like most tests, having them isn't the same as having good ones.

abritishguy8y ago

If you have `osquery` deployed to your fleet you can detect compromise with this query:

SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;

sounds8y ago

That only detects enabled root users, which is a start but may include innocent people who have set a root password to protect their machines.

codeisawesome8y ago

What does this say about the state of iOS security? I don’t know how to hope that my phone isn’t 0wned already. I’m not saying this from my high horse - more as a disappointed user who invested a lot of money in my Apple phone.

qualitytime8y ago

Top 10 software blunders of all time:

1) (Apple) 1 + 2 + 3 = 24 https://news.ycombinator.com/item?id=15538666

2) (Apple) Blank root password https://news.ycombinator.com/item?id=15800676

3) ...

manmal8y ago

0) Therac 25: https://hackaday.com/2015/10/26/killed-by-a-machine-the-ther...

There ARE areas more safety critical than desktop computing, you know.

isoprophlex8y ago

Sort of related:

- it is almost 2018 and copy pasting on an ipad/iphone is still a horrible, non-deterministic nightmare

Well I remember when the Ubuntu installer left your root password in a clear text file that was world readable on your FS.[1]

I would really like to see a top 10 list of software blunders, I think everyone on HN would.

1. https://launchpad.net/ubuntu/+source/shadow/+bug/34606

0xnotsohex8y ago

0)(Apple) If macOS High Sierra shows your password instead of the password hint https://news.ycombinator.com/item?id=15410953

https://en.wikipedia.org/wiki/Ariane_5

josho8y ago

Confirmed that root with no password unlocks the preferences pane. But, changing the require password after screen saver setting doesn't take effect. So, it seems to be a bug in the UI not an actual vulnerability.

edit: I stand corrected. The 'require password' setting under Security Preferences didn't change, but other settings do. Yikes

vladikoffOP8y ago

I have "Guest User" disabled normally. This allowed me to switch Guest User on, log out, login as `root` into OS X. lol

jameskilton8y ago

Oh this is a real vulnerability. It's possible to switch your user to System Administrator using "root" and no password.

nsnick8y ago

10.13.1 can't make it happen

Went to the next Apple store. Tried it out. It works. Can't believe it. Thousands of Macs are vulnerable. I'm wondering how fast all of these devices will be patched. Even if there is an update next week: How many devices won't get updated for quite some time. Unbelievable.

cmurf8y ago

I can't reproduce this on a clean 10.13.1 (17B48) system, either at the login window or an authentication dialog.

Update: And even after attempting it, checking Directory Utility the root user is still disabled. So I wonder if something 3rd party has enabled the root user and left it passwordless.

tim3338y ago

Temporary workaround (pasted from http://www.bbc.com/news/technology-42161823)

While Apple works on its fix, it offered a workaround for users concerned about the bug.

“Setting a root password prevents unauthorized access to your Mac,” the company explained.

"To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012.

---

Edit - for me those Apple instructions didn't work. This seemed to:

Search for 'Directory Utility' in Spotlight and click it.

Click the lock to make changes

Select 'Enable root user' from 'Edit' on the main menu and set a password.

senko8y ago

Am I missing something or does this require the attacker to have access to an unlocked computer? In which case all bets are off anyways.

It requires the attacker to be able to type a few characters into a logged in session. If the session is not an administrative one, it's not fair to say all bets were off.

If I give you a Mac logged in with an unprivileged account and you can use only the keyboard and mouse to gain root access, the security has failed.

I think you've conflated this with the attacker having (full) physical access to the machine, which conventionally means access to its ports and perhaps a screwdriver. This is not that.

valine8y ago

It works remotely if remote login is enable.

edit: Screen sharing is is vulnerable not ssh. Either way its bad.

devindotcom8y ago

nope. you can log in at the login screen, it creates a new root admin user

woodrowbarlow8y ago

an unlocked computer, or:

* a computer with remote login enabled

* a computer with the main login screen set to "username and password" mode

* a computer with a guest account

code_duck8y ago

The 'attacker' could be someone like your 12 year old son or an employee, who already has access to the computer but not necessarily everything on it at all times.

This would have been a pain for me when i was using parental restrictions to lock a 12 year old out of 18 hour a day Minecraft.

>In which case all bets are off anyways

How are all bets off if they don't have access to a root user? This isn't Windows we're talking about.

What if it's a stolen laptop with an encrypted hard drive?

pilif8y ago

A quick mitigation workaround: If you follow the steps here https://support.apple.com/en-us/HT204012 to disable the root account until the point where you open and authenticate the Directory Utility, in the Edit menu there's a "Change Root Password" option.

Set a good password there and disable the root account again.

Now people making use of this vulnerability will still be able to re-enable the root account (that's why it fail the first time - root is default off, but this bug enables it), but now there will at least be a useful password set.

if you disable the root account you can log in again without a password, even when you set one.

valine8y ago

This is deeply troubling. How does this even happen?

andrewstuart28y ago

All too easily. There's so much to keep track of in modern systems engineering. We should all have a healthy dose of awareness that we could be/create that weakest link even on our best days.

I'm on Sierra and haven't been able to reproduce. But does anyone know if it respects pam.d "nullok" and I could just delete that option?

    /etc/pam.d$ grep -RI nullok /etc/pam.d
    /etc/pam.d/authorization:auth       required       pam_opendirectory.so use_first_pass nullok
    /etc/pam.d/checkpw:auth       required       pam_opendirectory.so use_first_pass nullok
    /etc/pam.d/screensaver:auth       required       pam_opendirectory.so use_first_pass nullok

Tested it in the terminal with "su - root". Doesn't help. Or does one need to reboot after it? UPDATE: No effect after rebooting.

mrkd8y ago

Title should be changed to 'macOS'

I initially saw this thinking it didn't affect Sierra or High Sierra.

davidkuhta8y ago

Now you have me confused, is it just High Sierra or Sierra as well?

It seems to activate the root user with an empty password if you try, as an admin user, to use "root"/"" as credentials in a System Preferences authentication prompt.

It does not work if you are not admin. It does not work if your root user is enabled and has a password set. If you tried the vuln, you should set a password for the root user ("sudo passwd root").

romanovcode8y ago

Who needs security when we have animoji!

brucepucci8y ago

To fix this with a workaround open Terminal.app and run the command "sudo passwd" to set a password. Can't believe this is happening.

2trill2spill8y ago

Besides for APFS what user visible killer features has Apple made to Mac OS since 10.6.8? I'm sure they have made internal non user visible improvements to their kernel and userland. But it seems most of the "changes" to Mac OS is just churning code, or at least it seems that way from the outside.

To me personally 10.6.8 + Security Updates + APFS is extremely close to the ideal operating system.

There's the new poop emoji!! (unicode 10 emojis via 10.13.1 update)

Real answer, APFS (which changes the Filevault encryption model to no longer be full-disk-encryption...) and Metal2 graphics (which has brought a variety of new gfx bugs into play, even for 1st party applications) are the big technical draws

For a full list of changes, review the marketing page or the developer release docs

- https://www.apple.com/macos/high-sierra/

- https://developer.apple.com/library/content/releasenotes/Mac...

(yes Apple can't be bothered to update their dev docs with the point releases. Documentation quality has fallen off dramatically since the 10.6 days)

Given the stream of bug reports on various apple sites, I have not upgraded any of my personal machines, and my employer has stated they will not be upgrading our machines in the near term.

saagarjha8y ago

APFS is not an example of something I would consider "user visible"–for the average user there's no difference between HFS+ and APFS.

theoutlander8y ago

Kudos for reporting this publicly! We need this kind of stuff exposed publicly so that companies fix the issue and force an update. At the same time, consumers should be made aware of what security holes look like and what the risks are. Apple has been getting away with this stuff for a while now.

Do you think a hacker with ill-intent would have reported this issue at all?

philliphaydon8y ago

No one else has mentioned it seems, digging through the twitter comments I found a tweet which states this was already known by Apple, and posted on the forums in the form of a solution...

https://forums.developer.apple.com/thread/79235#277225

LeoNatan258y ago

Mentioned many times actually. And the forum is users self help. It is not monitored by Apple.

tbarbugli8y ago

So far the best mitigation I could find out is to enable the root account and set a strong password for it. Hopefully we'll get a security update quickly so that I disable root access again. While checking on this I also realized I was running 10.13 instead of 10.13.1 which fixes another major security flaw (key chain saves in plain text)

butterisgood8y ago

Doesn't work for me on a freshly installed MacOS High Sierra, but does work on an upgraded laptop to High Sierra.

Interesting...

Also the UX is different. Typing root on the fresh installed one fails, then resets the user text box to my name, and if I type root again it doesn't let me it.

On the upgraded laptop, if I type root, it sticks and clicking unlock twice gets me in.

nkrisc8y ago

I don't know much about OS development but isn't this just the sort of thing you'd automate testing for?

runesoerensen8y ago

Apple suggests the workaround also discussed in this thread until the issue is fixed:

"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section."

https://techcrunch.com/2017/11/28/astonishing-os-x-bug-lets-...

sccxy8y ago

I wouldn't have thought that NSA backdoors are so simple

DonHopkins8y ago

I wonder if you can also defeat Face ID by wearing a white face mask?

https://images-na.ssl-images-amazon.com/images/I/51I4nsyt9AL...

tolien8y ago

Fix has been released: https://www.macrumors.com/2017/11/29/apple-fixes-root-passwo...

k4ch0w8y ago

I just have no words, it seems intentional. They may want to review their build pipeline to check someone didn't manipulate the source code before it was signed. I haven't seen an easy root priv-esc like this in a long while.

alpb8y ago

[meta] I think this thread is currently being downvoted, or dragged down by the mods somehow. It should be in the #1 right now. I suspect people are flagging/downvoting because there is no responsible disclosure in this case.

mratzloff8y ago

Wow. As if I needed another reason to never "upgrade" to High Sierra...

Apple software quality has got very sloppy (again). I recall it was particularly bad around 2014, but then seemed to have improved. Seems the sloppiness is back again. It would seem Apple is no unique in the regard that its success has made it fat and lazy. My particular favourite one at the moment is that in iOS 11.1.2 navigation transition animations eventually break if the device is running long enough (a few days). Restarting the device fixes this. The fun part is trying to work out why on earth this would be? Transition animations are cached?

steeleduncan8y ago

To workaround this before Apple have had a chance to patch it(thanks @lemiorhan), it seems you can:

- Open Directory Utility (/System/Library/CoreServices/Applications/Directory Utility.app)

- Authenticate with the lock icon

- From the Edit menu you can enable the root user and set a proper password (it would already be enabled if you had tried out the exploit)

Having that root user enabled isn't great overall, so it would be best to set a reminder to disable it using the same Directory Utility app once the security hole is patched.

I mean, I only tried 15 times, I don't know if that counts as "several" but this doesn't work for me.

It looks to me like my root user is disabled.

When I type "root" into the username field and click unlock (in System Preferences > Users & Groups) "root" is replaced with my username and the dialog shakes... I have to type root in each time, but it never unlocks. 10.13.1

Edit: trying it after logging out keeps "root" in the username field, but never logs me in... tried 20+ times

rderewianko8y ago

Myself and others blogged about solutions: https://www.rderewianko.com/10-13-root-password-oh-my/ https://derflounder.wordpress.com/2017/11/28/blocking-logins...

This is very, very bad.

donatj8y ago

I can't seem to reproduce it locally. 10.13.1… Anyone else having issues?

I've upgraded a through a couple versions of OS X on this machine - maybe that makes a difference?

equivocates8y ago

So — if you log out and log in as root without a password (EEK!), you can set your own password as root. Once you do, Mac os will no longer bypass the password.

corecoder8y ago

How come nobody has picked a name for this vulnerability?

mackey8y ago

https://support.apple.com/en-us/HT208315

Fixed.

wat. confirmed on 10.13.1 (17B48). I was even able to add another super user.

Edit: changing the login method to "Name and password" under login options, then logout and login with "root" with empty password also works.

Fortunately, it doesn't work on cold boot with FileVault enabled, at least it doesn't appear so. `sudo su root` also doesn't work with an empty password.

abdullahi18y ago

This is hilarious. I wonder why it took so long for this bug to be discovered, I mean, wasn't High Sierra released back in September?

Works with "su - root" too in a Terminal.

mcintyre19948y ago

I guess Apple aren't the kind of company that would do it, but I'd love to read a frank post mortem about how this happened.

joe_hills8y ago

I just tested this on a Sierra (10.12.6) machine, and verified this bug isn't present in that earlier OSX version.

DonHopkins8y ago

They could have at least used "rms" instead of a blank password.

https://www.reddit.com/r/linux/comments/7hj6v/i_use_my_login...

Does this work from single user mode?

bennyg8y ago

Reminds me of an exploit back in 10.7 where you could create a new admin privileged user from a non-admin account using some bash commands. Used that to add Xcode to my work computer at college so I could fool around with learning how to code when I was at work.

oh-kumudo8y ago

LOL. Can we call this...front door?

mirekrusin8y ago

Maybe NSA asked for an easy access. Apple is generally good at making things simple for users.

j-pb8y ago

Oh god, seriously what happened to apple? They are the richest company in the world and the quality of their software has kept declining every year. Right now there is no computer system that I can wholeheartedly recommend to non technical people... :(

willyt8y ago

Security update just came out. Installed it and can no longer reproduce. Can anyone confirm?

jmuguy8y ago

Time to install Afterdark on all the computers in the Apple store. Confirmed here, 10.13.1.

I guess we finally figured out what the "insanely" great products was all about.

This is near Windows-95 levels of bad - at the very least you need to already be logged in

How can one of the most wealthy companies on the planet, that every single software engineer would kill to work for, manage to have a bug like this?

Maybe they need to re-think their hiring process, because clearly something is not working as it should.

1. Ensure you always have FileVault enabled (you should regardless) and shutdown after work until the bug is fixed.

2. Add a complex root passphrase and clean this up after the fix is released.

3. Reflect on how irresponsibly this serious security bug was ‘reported’, he didn’t just potentially miss out on $200,000, he put an enormous number of people at risk of local intrusions when instead if it was properly reported there’s a good chance Apple would have released a bug fix for this quicker thus reducing the potential impact and spread of misinformation.

https://en.m.wikipedia.org/wiki/Responsible_disclosure

https://support.apple.com/en-au/HT201220 (See ‘Security and privacy researchers’)

cm21878y ago

It really feels like the only thing that made Apple to be less prone to hacking and malware (and therefore more secure) than other OS is the lack of scrutiny by hackers and malware authors. This is a front door open kind of problem.

mk898y ago

Apple proves they still care about UX: finally, I found a way to login without typing.

w0m8y ago

The TC GIF is hilarious.

https://tctechcrunch2011.files.wordpress.com/2017/11/ooooooh...

stmw8y ago

Imagine what Steve Jobs would've said in a meeting today at Apple HQ to discuss this incident.

"Can someone here explain to me what is the login dialog supposed to do? ... Ok. Then why the !@#% doesn't it do that???"

mthoodlum8y ago

Press "command" and the "space" keys at the same time.

In the Spotlight Search type "Terminal" and press enter.

At the terminal type "passwd" and press enter.

The terminal will prompt you to change the password for "root".

You can just type root in the login window to get System administrator access.

uean8y ago

I haven't seen anyone mention this critical part of the flaw - if you disable the root account, then log out and log back in, the root account is active again.

Password change is the only protection until it is patched.

It seems as though buying a new apple product or upgrading one to new software implicitly signs you up to be a beta tester. It's pretty surprising from the world's most valuable company, no?

quotha8y ago

I tried it anyway and it does not work! I'm running version 10.13.1

anachronicnomad8y ago

I was able to successfully fix this by using the

``` dsenableroot ```

utility; by first enabling the root user with a strong password, then disabling it with the

``` dsenableroot -d ```

option. It's heavily recommended to not leave the root user enabled.

alexwebb28y ago

I asked this in the other thread, but... does anyone know how big of a bounty the guy missed by not disclosing this responsibly?

I'm guessing it probably would've been a fairly big chunk of change.

estevaovix8y ago

The solution for now is to set a passwd for root... this is ridiculous

pmoriarty8y ago

Has no one been running password crackers against OSX this whole time?

I didn't think the BSD's allowed a blank root password.

migueh8y ago

If I could just use Mavericks and develop apps for last iOS release, that will be great. But I should update to High Sierra. I hate this.

High Sierra seems to be focused in Emojis. Urghh

Confirmed on 10.13.1. As a workaround, once you login as "root", you can change the password to something else, and the empty password will stop working.

temporary576578y ago

The only current solution is to leave root enabled and change the password to something strong until this is patched by Apple.

Disabling root re-enables the blank password to root.

lolc8y ago

Reminds me of the time Mac OS X would trust any NIS server in the local net to authenticate local root. Can't find the story though. Did that even happen?

myrandomcomment8y ago

https://support.apple.com/en-us/HT204012

How to set root password.

danra8y ago

These bugs are getting ridiculous. With Apple's budget, finding such bugs in a security architecture review or just in QA should be as easy as 1+2+3.

eevilspock8y ago

Patched: https://support.apple.com/kb/HT208315

aezell8y ago

Should I leave my Mac unattended until this is resolved?

afiler8y ago

Even on El Capitan, I was able to unlock with "root" on my first try. From there, I could add a new admin user. This seems... not good.

Exuma8y ago

I wonder when/what Apple's response will be

knodi8y ago

High Sierra has been one of the worst OSX upgrade.

thanatropism8y ago

Anyone in a position to short AAPL? It's apparently 6bps up in after hours trading but that's very low liquidity.

https://finance.yahoo.com/quote/AAPL?p=AAPL

A higher risk, higher leverage bet: buy some put options the milisecond markets open:

http://www.nasdaq.com/symbol/aapl/option-chain

I would say I'm surprised such a serious bug made it out, but after the A � thing who knows what's going on at Apple

gkanai8y ago

This is indeed a bad black mark on Apple. With all the money they have, it's terrible that they let this one slip by.

I'm still on 10.12 Sierra. Long ago I stopped major updating when those releases were new. I learned to wait months or many months for bugs to be dealt with and for older software to be updated to be compatible with the new release. High Sierra provides nothing critical that Sierra does not provide, and thus, I am happy in my position as late adopter.

While this true, please keep in mind that rebooting your Mac into single user mode also allows anybody to login as root

kylehotchkiss8y ago

Does this bypass filesystem encryption?

On my system, the trick doesn't work. But then, I did explicitly set a non-empty root password.

Stephen-E8y ago

While reading this, my mac just prompted me to Upgrade to High Sierra. I think I'll hold off...

srathi8y ago

Confirmed on 10.13. I was even able to add a user as an administrator after unlocking with root.

sallyfour8y ago

I'm unsurprised, loginwindow is a piece of shit nobody wants to work on. Poor dude.

#whyidontupgrade

Until Apple forces me to with a required xCode update for the newest iOS SDK...>.>

MagerValp8y ago

To block this, set a random password for root:

sudo dscl . -passwd /Users/root $(uuidgen)

lanius8y ago

Good thing I haven't updated yet. I wonder how many machines are vulnerable?

cortesoft8y ago

Does this effect people who already have a root user with a password set up?

senthilnayagam8y ago

patch has been released in record time, I have update my mac

https://support.apple.com/en-in/HT208315

martins_irbe8y ago

This clearly is a feature!

if someone has discovered a way to wipe anyones paypal account, should he disclose it privately or let it trend on social media? and lets say the fix will take about a day at the earliest.

Excuse my language, but this was a dick move to post this publicly, especially on Twitter. Go through private bug channels properly for something as serious as this. Of course doing it that way doesn't give you your 15 minutes of interweb fame.

spsful8y ago

workaround: ENABLE ROOT USER AS FAST AS POSSIBLE

https://support.apple.com/en-us/HT204012

VeejayRampay8y ago

Doesn't matter, Apple gets an automatic pass.

AdamJacobMuller8y ago

Wow, setting a root password seems to fix this...

mfrw8y ago

I may not be an apple fanboy, but I admit, I really miss Jobs, and his commitment to quality. Apple has just been minting money and forgot all about its core values.

ghaydarov8y ago

Wow. Can't believe it. It's true.

fiatpandas8y ago

Worked for me on the second try (10.13.1)

TrueSelfDao8y ago

Serious 0-day on Twitter. How exciting!

There's no way this wasn't being used prior to being publicized on twitter. I'm sure the FBI/etc was on this day one.

In what version did the issue appear?

jason_slack8y ago

There is also now a patch available.

qubex8y ago

This is why I use disk encryption.

ddmma8y ago

Apple is the new Internet Explorer

therealmarv8y ago

Is this also in 10.13.2 beta?

cm21878y ago

Does it affect MacOS Server?

Confirmed here on 10.13

sugavaneshb8y ago

*macOS High Sierra

mrkstu8y ago

verified on latest build of 10.13.1 (17B48).

api8y ago

But there are new emojis, and emoji karaoke works!

TonnyGaric8y ago

Not cool to disclose this kind of bug on Twitter.

I miss Snow Leopard.

:/

1

DonHopkins8y ago

Pyramid's OSx version of Unix (a dual-universe Unix supporting both 4.xBSD and System V) [1] had a bug in the "passwd" program, such that if somebody edited /etc/passwd with a text editor and introduced a blank line (say at the end of the file, or anywhere), the next person who changed their password with the setuid root passwd program would cause the blank line to be replaced by "::0:0:::" (empty user name, empty password, uid 0, gid 0), which then let you get a root shell with 'su ""', and log in as root by pressing the return key to the Login: prompt. (Well it wasn't quite that simple. The email explains.)

https://en.wikipedia.org/wiki/Pyramid_Technology

Here's the email in which I reported it to the staff mailing list.

    Date: Tue, 30 Sep 86 03:53:12 EDT
    From: Don Hopkins <don@brillig.umd.edu>
    Message-Id: <8609300753.AA22574@brillig.umd.edu>
    To: chris@mimsy.umd.edu, staff@mimsy.umd.edu,
            Pete "Gymble Roulette" Cottrell <pete@mimsy.umd.edu>
    In-Reply-To: Chris Torek's message of Mon, 29 Sep 86 22:57:57 EDT
    Subject: stranger and stranger and stranger and stranger and stranger

       Date: Mon, 29 Sep 86 22:57:57 EDT
       From: Chris Torek <chris@mimsy.umd.edu>

       Gymble has been `upgraded'.

       Pyramid's new login program requires that every account have a
       password.

       The remote login system works by having special, password-less
       accounts.

       Fun.

    Pyramid's has obviously put a WHOLE lot of thought into their nifty
    security measures in the new release. 

    Is it only half installed, or what? I can't find much in the way of
    sources. /usr/src (on the ucb side of the universe at lease) is quite
    sparse. 

    On gymble, if there is a stray newline at the end of /etc/passwd, the
    next time passwd is run, a nasty little "::0:0:::" entry gets added on
    that line! [Ye Olde Standard Unix "passwd" Bug That MUST Have Been Put
    There On Purpose.] So I tacked a newline onto the end with vipw to see
    how much fun I could have with this....

    One effect is that I got a root shell by typing:

    % su ""

    But that's not nearly as bad as the effect of typing:

    % rlogin gymble -l ""

    All I typed after that was <cr>:

    you don't hasword: New passhoose one new
    word: <cr>
    se a lonNew passger password.
    word: <cr>
    se a lonNew password:ger password.
    <cr>
    Please use a longer password.
    Password: <cr>
    Retype new password: <cr>
    Connection closed

    Yes, it was quite garbled for me, too: you're not seeing things, or on
    ttyh4. I tried it several times, and it was still garbled. But I'm not
    EVEN going to complain about it being garbled, though, for three
    reasons: 1) It's the effect of a brand new Pyramid "feature", and
    being used to their software releases, it seems only trivial cosmetic,
    comparitivly.  2) I want to be able to get to sleep tonight, so I'm
    just going to pretend it didn't happen. 3) There are PLEANTY of things
    to complain about that are much much much worse. [My guess, though,
    would be that something is writing to /dev/tty one way, and something
    else isn't.]  Except for this sentence, I will also completely ignore
    the fact that it closed the connection after setting the password, in
    a generous fit of compassion for overworked programmers with
    ridiculous deadlines.

    So then there was an entry in /etc/passwd where the ::0:0::: had been:

    :7h37OHz9Ww/oY:0:0:::

    i.e., it let me insist upon a password it thought was too short by
    repeating it. (A somewhat undocumented feature of the passwd program.)
    ("That's not a bug, it's a feature!")

    Then instead of recognizing an empty string as meaning no password,
    and clearing out the field like it should, it encrypted the null
    string and stuck it there. PRETTY CHEEZY, PYRAMID!!!! That means
    grepping for entries in /etc/passwd that have null strings in the
    password field will NOT necessarily find all accounts with no
    password. 

    So just because I was enjoying myself so much, I once again did:

    % rlogin gymble -l ""

    Password: <cr>
    [ message of the day et all ]
    #

    Wham, bam, thank you man! Instead of letting me in without prompting
    for a password [like it should, according to everyone but pyramid], or
    not allowing a null password and insisting I change it [like it
    shouldn't, according to everyone but pyramid], it asked for a
    password. I hit return, and sure enough the encrypted null string
    matched what was in the passwd entry. It was quite difficult to resist
    the temptation of deleting everyone's files and trashing the root
    partition.

        -Don

    P.S.: First one to forward this to Pyramid is a turd.

P.P.S.: The origin story of Pete's "Gymble Roulette" nick-name is here: http://art.net/~hopkins/Don/text/gymble-roulette.html The postscript comment was an oblique reference to the fact that I'd previously gotten in trouble for forwarding Pete's hilarious "Gymble Roulette" email to a mailing list and somehow it found its was back to Pyramid. In my defense, he did say "Tell your friends and loved ones.")

patcheudor8y ago

Apple makes it pretty easy to report vulnerabilities to:

product-security@apple.com

They also respond to security@apple.com but prefer the product-security address.

Further, there are any number of legit bug bounty programs out there like ZDI that would pay for a bug like this then immediately disclose to Apple for it to be fixed.

Disclosing an 0Day root authentication bypass vulnerability on Twitter isn't cool, even if it is local: think of the impact to shared iMacs on university campuses.

32 more replies

rilex18y ago

kk

lgxz8y ago

the MOST STUPID OS bug FOREVER?

llamataboot8y ago

That twitter thread and lots of the comments are missing the point. MANY people don't know about what the ethics of reporting vulnerabilities are, they just want to say something and get it fixed. yes, it probably would have been better if this person had gone through proper channels, but there's no evidence they did it for the lulz/fame.

In this case the bug is so bad and egregious, that publicizing it with the fix might have been the best thing to do -- no telling how many people have already discovered this or how long it would take Apple to fix.

Yes, let's educate each other about what responsible disclosure WITH A DEADLINE TO FIX looks like, but don't assume this person just wanted internet points. And now that the report and a workaround are out there, at least it can be mitigated personally.

Though I imagine there will be some SERIOUS hijinks that result from this until Apple fixes it because it is so easy to do. :(

jeffisabelle8y ago

I still can't believe more people complain about this being publicly disclosed than this being possible in the first place. No one is obligated to know the procedures on InfoSec 0-days and follow those steps.

michaelmcmillan8y ago

Are we really ready for self-driving cars? https://www.youtube.com/watch?v=4G1Boh-URIM

10 more replies

Why is this so far down the front page? Are people flagging it for some reason?

mholt8y ago

The HN title is wrong. This reportedly affects High Sierra, not Sierra.

bsaul8y ago

I wonder who they're going to ask to write a public letter of apology this time.

This isn't just a snarky comment. They have just released the most awfull iOS upgrade for a long time, and now this. Something's messed up, and they better fix it soon.

I've think i've read somewhere they merged the iOS and macOS teams, i suppose the wrong people were promoted during the operation.

Can't reproduce on multiple High Sierra machines.

sillysaurus38y ago

This is the first time I've felt happy I rarely upgrade.

The new Apple is the old Microsoft, and the new Microsoft is the old Apple.

After 8 months of living hell using their overpriced MacBook Pro, I'm moving to Surface Pro (running Xubuntu, though).

danjoc8y ago

The person who found this is at greatest risk. Public disclosure keeps him safe.

"Oh, good boy. Thanks for the responsible disclosure. You're sure you haven't told ANYONE else about this? Great! Keep it that way and we'll send you a big check real soon. Promise!"

Coordinates acquired.

Boom.

Keep in mind, Apple was caught working directly with NSA in Snowden disclosures. The US government will drone strike people outside the US without trial or charges. Apple illegally SWATed a Gizmodo reporter over a leaked iPhone prototype.

I don't blame this Turkish national, not one bit.

realworldstuff8y ago

People going on about responsible disclosure when this is such a gross violation of CUSSE: https://web.archive.org/web/20170712120031/http://www.cusse....

Dope

When you're too busy as a company making sure the corners of your products are sufficiently rounded, you get things like this.

gaius8y ago

But someone at Apple got their bonus for shipping the animated poop icon in time for this release.

zaro8y ago

Classical click and bait title. First promises that you'll become a hacker, and then when you actually click the tweet is deleted.

singularity20018y ago

Is http://hckrnews.com/ buckling from the tremendous traffic this issue generates?

I guess they were more focused in introducing bugs and less performant filesystem than security in High Sierra.

FiveSquared8y ago

Oh my goodness. I have a High Sierra MBP. I am scared right now BADLY

tekacs8y ago

Now that this is public, it's likely worth passing this message on to non-technical folks too (e.g. share this or write a similar post - this is my only public post):

https://www.facebook.com/amar.sood/posts/10209545863036116

KyeRussell8y ago

This post reminded me of why Twitter is a pretty awful place.

The replies to this tweets are all everyones snarky comments to the @AppleSupport account or their edgy 'hot takes' on the issue. @AppleSupport responded promptly - albeit obviously out of their depth, and a bunch of people couldn't help but make fun of this fact. It's almost like tweeting to Apple's customer support account is not the best way to report a vulnerability?

Responsible disclosure has a proven history of working. When the vulnerability is appropriately patched and disclosed to the public, there is still a lot of backlash. You only need to look at the recent responsibly disclosed vulnerabilities for proof of this. Instead, we have a bunch of armchair analysts—who don't at all seem to be driven by past occurrences / existing data in any way—claiming that it didn't work.

tombrossman8y ago

Fellow Linux users, please keep the snark in this thread to a minimum. Here's just one recent example why, there are more: http://www.omgubuntu.co.uk/2017/05/ubuntu-guest-sessions-log...

j / k navigate · click thread line to collapse