Thread: Article: Lion Security Flaws Let Anyone Change Passwords on Your System (Mac News forum, General Apple/Mac section)
  1. #1 Phillip Swanson (MMi Staff Writer)

    Lion Security Flaw Lets Anyone Change Passwords on Your System


    Apparently OS X Lion does a pretty lousy job securing passwords. So much for the whole “king of the jungle, protecting the pride" metaphor.

    In earlier versions OS X encrypted passwords and stored them in “shadow files” placed in a secure location on the user’s hard disk. The files—while still editable—can only be changed by the user or an Admin with proper authentication. However, it has come to light that in OS X Lion these security features are missing.

    The security structure in OS X Lion allows any user on the system to modify their passwords or the passwords of other local accounts without too much effort. The shadow files discussed earlier usually require users to have direct access to view them; however, this is bypassed “because the system holds the password hashes in the system's directory services.” The problem? Every user has access to the directory services.

    Even worse, those with the most basic understanding of Terminal (i.e. know how to launch it) can directly change any user’s password, including admins, with the simple command line “dscl localhost -passwd /Search/Users/USERNAME.” When run, an error will appear, but if you enter the same newly minted password at all password prompts it will work. Obviously this is huge as someone could change the Admin’s password and gain full access to any system.

    There are a few limitations for this exploit, most notably being local access to the system. The person trying to change the passwords must have physical access to the computer and its accounts. It could be done remotely via SSH, but the hacker would need to know usernames and passwords beforehand to do this.

    Second, the hacker needs to have directory service access. Even if the hacker can log into a system they’ll be dead in the water without access to the directory setup and be unable to change account information. Below are a few steps CNET recommends users take until Apple releases a security update:

    1. Disable automatic log-in
      OS X has the option to automatically log in to a system. While this is convenient, it is also a security risk (especially for administrator accounts). By disabling automatic log-in in Lion you can prevent your account from being accessed merely by restarting it, and thereby prevent access to the Terminal and other utilities that can allow access to the directory services. Note that if you have FileVault 2 enabled, then automatic log-in will not be enabled.
    2. Enable sleep and screensaver passwords
      Since this problem can be taken advantage of by anyone with physical access to an unlocked account, if you leave your system in a public area then someone can sit down at your account and invoke this hack. Therefore, enable a password both for waking from sleep and for when the screensaver starts, to prevent unauthorized access if you step away.
    3. Disable Guest accounts
      If you have the Guest account enabled on your system, disable it in the Users & Groups section of System Preferences. Furthermore, only keep accounts active that are regularly used by people you know, and delete those that are no longer in use.
    4. Manage users on the system
      It may seem easy to just set up all accounts with administrative privileges, but this setup is not a secure way to run the system, especially given this latest security issue. In OS X you can set up one admin user and then set all other users to be managed accounts. This will allow you to govern whether they have access to tools that could modify the directory services. For instance, since the Terminal allows for this you can disable access to that program for all accounts on the system except for the Admin account. If you enable the "Limit Applications" feature for an account in the system's Parental Controls, the Terminal and other similar utilities will be disabled by default for that user.
    Source: CNET
    Last edited by Phillip Swanson; 09-21-2011 at 02:37 PM.

  2. #2 WaLLy3K

    This is an extremely long way around to an "issue" that's been present in pretty much all versions of OSX. There is a way through single user mode that anyone, with the right command, can reset the admin password on any given account.

  3. #3 andypropaganda

    There seem to be some definite mistakes that Apple has made in Lion and needs to correct ASAP if they are going to be touting themselves as the most advanced operating system in the world.

  4. #4 i.Annie (Super Penguin Mod)

    I agree with the above comment, it's not just Lion. In previous versions of OS X there are other ways around it. Something as simple as resetting the administration username will allow a reset of the password without a restore disc. Simply boot up, get into Terminal, put in a few commands and you get the original welcome screen as if you just restored the computer. It goes through for you to enter language, username, password, etc. And it still keeps all your files and settings intact afterwards. Sooo that's another security issue, I could just steal someone's MacBook and do just that, then access all their stuff. Meh, I plan on just not letting anyone use my MBP.

  5. #5 io41

    Allow only root / admins to do these queries and you've got the issue avoided for the most part. Run this to apply this fix:
    Code:
    sudo chmod 100 /usr/bin/dscl
    Quote Originally Posted by WaLLy3K:
    This is an extremely long way around to an "issue" that's been present in pretty much all versions of OSX. There is a way through single user mode that anyone, with the right command, can reset the admin password on any given account.
    No, it's more than that. If a user unknowingly allows a java applet to run, it could change the password without the user knowing, and then use "sudo" to gain system privileges, if that user is an admin on the machine. That's pretty bad if you ask me.
    Last edited by io41; 09-21-2011 at 03:55 PM.

  6. #6 DaMan05

    Big woop. You can hold command-something (I think it's R, if I remember) when rebooting and reset any Lion's password from there. And that's a feature, not a security flaw.

  7. #7 Cer0 (Super Moderator)

    Quote Originally Posted by DaMan05:
    Big woop. You can hold command-something (I think it's R, if I remember) when rebooting and reset any Lion's password from there. And that's a feature, not a security flaw.
    You can change the password for that too to block it. But nobody does.

    Same goes for Windows XP; always got people that forgot their password. Just boot into safe mode and go into admin and remove the user password. Most users don't go and add a password to the admin account in XP.

  8. #8 Imahottguy

    Slightly misleading title for this article. At first glance, one would think that some 13 year old 1000's of miles away would be able to somehow get in your system and then hack your passwords. Truth is that if you leave your Mac in a public setting and also have autologon and no password resume enabled, you are asking to get screwed with.

  9. #9 (poster name not shown)

    You're all missing the point. Anyone with physical access to any machine can get at and change any part of it unless disk encryption is used. But that's not the point. That's not why this flaw is so bad.

    This flaw means someone who manages to execute something on your system from anywhere in the world, (i.e. through a java applet running in your browser -- because you went to a website with this on it) they can now, by very simple means, get full system access.

  10. #10 WaLLy3K

    Quote Originally Posted by Phillip Swanson:
    There are a few limitations for this exploit, most notably being local access to the system. The person trying to change the passwords must have physical access the computer and its accounts. It could be done remotely via SSH, but the hacker would need to know usernames and passwords beforehand to do this.
    Yep.

  11. #11 io41

    No. You CAN change the password without having the original password. Local access doesn't mean physical. SSH access is only one way. It could be via a java applet, an email attachment or anything else, where usernames/passwords are not required. Yes, this still requires you to trick the user, but once done, you no longer need the user's password to get root access due to this flaw.

    This allows you to change the current users password, without having it.

    Code:
    dscl localhost -passwd /Search/Users/$USER
    After that, you know the password and can use sudo to gain full system access, which would allow you to change the user's password back to the original, using the hash and salt, thereby leaving the user clueless that you now have full system access.

    Like I said earlier, you can fix this problem on your local system using:
    Code:
    sudo chmod 100 /usr/bin/dscl
    Last edited by io41; 09-22-2011 at 08:01 AM.

  12. #12 szr

    Quote Originally Posted by io41:
    No. You CAN change the password without having the original password. Local access doesn't mean physical. SSH access is only one way. It could be via a java applet, an email attachment or anything else, where usernames/passwords are not required. Yes, this still requires you to trick the user, but once done, you no longer need the user's password to get root access due to this flaw.

    This allows you to change the current users password, without having it.

    Code:
    dscl localhost -passwd /Search/Users/$USER
    After that, you know the password and can use sudo to gain full system access, which would allow you to change the user's password back to the original, using the hash and salt, thereby leaving the user clueless that you now have full system access.

    Like I said earlier, you can fix this problem on your local system using:
    Code:
    sudo chmod 100 /usr/bin/dscl
    And make sure it is owned by root.
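As an added example that is not from any poster in this thread: a small POSIX sh audit helper that checks whether a binary is in the state the `sudo chmod 100 /usr/bin/dscl` workaround and the ownership note above aim for (owned by root, no group/other bits). The function names, the path parameter and the 0/1 return convention are my own; `check_dscl` defaults to `/usr/bin/dscl` but takes any path so it can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example (not the thread's own code). Assumes a POSIX sh with ls(1),
# cut(1) and awk(1); works on both macOS and Linux ls output.

# Print the 9-character permission string (rwxrwxrwx form) of a file.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Print the owner of a file (third field of ls -l output).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Return 0 if no group/other permission bit is set, else 1.
# "chmod 100" leaves exactly the owner-execute bit: --x------
is_owner_only() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Full check: the file must be owner-only AND owned by root, otherwise any
# local account (or code running as one, e.g. a tricked user's applet) can
# invoke it. Returns 0 when hardened, 1 when not, 2 when the file is absent.
check_dscl() {
    f="${1:-/usr/bin/dscl}"
    if [ ! -e "$f" ]; then echo "$f: not found"; return 2; fi
    if [ "$(owner_of "$f")" != root ]; then
        echo "$f: owned by $(owner_of "$f"), expected root"; return 1
    fi
    if ! is_owner_only "$f"; then
        echo "$f: mode $(perm_string "$f") lets any local user run it"; return 1
    fi
    echo "$f: root-only ($(perm_string "$f"))"; return 0
}

# Apply the thread's workaround (needs an admin password for sudo).
harden_dscl() {
    f="${1:-/usr/bin/dscl}"
    sudo chown root "$f" && sudo chmod 100 "$f"
}
```

Worth re-running `check_dscl` after OS updates, which can replace the binary with its default permissions.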
