Giveaway: Bracketron Case If outdoor adventures are in your future this summer, enter to win a Bracketron Sport Case with Mount Strap from MacNN and keep that iPhone, iPod or other electronic device safe from the elements.      
toggle

AAPL Stock: 454.74 ( + 1.77 )

http://www.macnn.com/articles/11/09/19/works.without.root.access/

Lion security hole lets hackers change account passwords

updated 04:30 pm EDT, Mon September 19, 2011

 

Works without root access


OS X Lion has a serious security vulnerability allowing hackers to alter the password of any user account, writes security blog Defence in Depth. The OS reportedly allows non-root users the ability to view password hash data. As a consequence, an attacker can potentially use a basic Python script to glean a person's password.

Aggravating the situation is that Lion doesn't require a password to change a current user's login. Entering the command "dscl localhost -passwd /Search/Users/______," with the blank substituted by a person's account name, will therefore prompt for a new password. Keeping the threat under control at the moment is that an attacker needs local access to a Mac, as well as Directory Service access.

Several extra safeguards are suggested. These include disabling automatic logins, turning on sleep and/or screensaver passwords, and finally shutting off guest accounts. Except for the guest accounts, the tips are common Mac security measures.


by MacNN Staff

Post tools:

TAGS :

 security, Mac OS X, Lion

Related Articles

Recent Articles

toggle

Comments

  1. Eldernorm

    Fresh-Faced Recruit

    Joined: Sep 2007

    +13
    09/19, 04:46pm | report spam | (1 reply) Reply |

    So, you are saying

    That if someone breaks in late at nite, they can hack my computer....

    Of course, if they steal it, they get to keep the computer too... Hmmmmm!!!

    This does mean that its possible to do ID theft by stealing the computer. But usually break in people are not looking for ID theft.

    Just a thought,
    en

  1. facebook_Francis

    Via Facebook

    Joined: Sep 2011

    +3
    09/19, 04:54pm | report spam | (3 replies) Reply |

    Why would you post this

    While I understand that you at MacNN mean to inform us about it, giving us the code to use is ridiculously stupid. How do you know that I'm not a hacker who has physical access to a high-profile Lion computer?

    I'd recommend removing that bit of code there.

  1. facebook_Collin

    Via Facebook

    Joined: Sep 2011

    +9
    09/19, 05:11pm | report spam | Reply |

    Almost News

    Let me know if someone manages to exploit this in the wild without physical access to the machine before Apple patches this. Then I will be alarmed, afraid, impressed etc...

  1. facebook_Newton

    Via Facebook

    Joined: Sep 2011

    +14
    09/19, 05:19pm | report spam | (2 replies) Reply |

    I don't think the author actually tried this

    In order to change a user's password with the directory services command line tool you're prompted for the user's existing password. Otherwise, the command fails.

    MacBookPro:$ dscl localhost -passwd /Search/Users/test
    New Password:
    Permission denied. Please enter user's old password:
    passwd: DS error: eDSAuthFailed
    DS Error: -14090 (eDSAuthFailed)

  1. lkrupp

    Junior Member

    Joined: May 2001

    -5
    09/19, 05:25pm | report spam | Reply |

    Kinda hard to excuse...

    I'm a bit amazed that this got by the beta testers and I agree that that physical access to any computer leaves it wide open. But it's also true that Apple critics/detractors will run around waving this in front of everyone they can find. The haters love this sort of thing and will try to make the biggest mountain out of it they can so I would expect to see a Lion security update relatively soon.

  1. burnin

    Fresh-Faced Recruit

    Joined: Sep 2011

    -3
    09/19, 05:53pm | report spam | Reply |

    it worked 8l

    now you cant even open an app that you havent previously used..because you dont know if you can trust it... it may run this code, then enable SSH, then have full access to your computer and files..
    Enable Firewall !

  1. imNat-imadouche

    Fresh-Faced Recruit

    Joined: Apr 2011

    -17
    09/19, 06:10pm | report spam | (1 reply) Reply |

    Mac is another windows

    :)

  1. bjojade

    Fresh-Faced Recruit

    Joined: Jun 2007

    +13
    09/19, 07:03pm | report spam | Reply |

    Physical Access Required

    You need physical access to the machine to run this. You do realize that with a boot CD, you can change account passwords as well. You can also boot to single user mode, without a CD and create a new admin account for the machine. Big deal.

  1. ggirton

    Fresh-Faced Recruit

    Joined: Nov 1999

    +5
    09/19, 07:07pm | report spam | Reply |

    not shakin'

    After what I've read here, let's just say I'm not shakin' and I'm not quakin'. Because it looks like if you're at my house, and you know my password, you can change it with a program.

    Perhaps it was news of this serious "security hole" that caused AAPL stock to go up 11 points today while the rest of the market was tanking.

  1. thomasoniii

    Fresh-Faced Recruit

    Joined: Apr 2010

    0
    09/19, 09:02pm | report spam | Reply |

    comment title

    Physical access? Sure. But is there anything stopping a trojan app downloaded from somewhere from shelling out to the command, changing the password, then emailing out connection info to a black hat to ssh into your box.

    Yeah, yeah, if the user's behind firewalls and SSH is closed off and whatever (my home box only allows public key authentication), you're safe(r), but that's still requiring the end user to have their machine configured properly. That fails the mom test - if my mom can't figure out how to do it on her own w/o a prompt from me, it's not a reasonable request.

    This needs to be patched ASAP.

    In the meantime, since I'm overly paranoid, I did do this:

    sudo chmod go-x /usr/bin/dscl

    that removes execute permission from anyone except the file owner (which is root, in this case), with the end effect of requiring authorization. Note that I don't know if disabling execute for everyone else will cause problems or not, so take that paranoia with a grain of salt.

Show More Comments

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

HTC One

It is hard to understate just how critically important the HTC One is to the Taiwanese company’s fortunes. Despite its alarming declin ...

Samsung Galaxy S 4

Samsung's new flagship Android smartphone, the Galaxy S 4, faces even stiffer competition than its popular predecessor. With a five-in ...

HighPoint RocketU 1144CM USB 3.0 PCI-E card

Apple was one of the first -- if not the first -- major computer manufacturers to provide then-fledgling USB support at the expense of ...

toggle

Most Commented

 

Popular News