09-21-2011, 02:30 PM #1
Lion Security Flaw Lets Anyone Change Passwords on Your System
Apparently OS X Lion does a pretty lousy job securing passwords. So much for the whole “king of the jungle, protecting the pride" metaphor.
In earlier versions OS X encrypted passwords and stored them in “shadow files” placed in a secure location on the user’s hard disk. The files—while still editable—can only be changed by the user or an Admin with proper authentication. However, it has come to light that in OS X Lion these security features are missing.
The security structure in OS X Lion allows any user on the system to modify their passwords or the passwords of other local accounts without too much effort. The shadow files discussed earlier usually require users to have direct access to view; however, this is bypassed “because the system holds the password hashes in the systems directory services.” The problem? Every user has access to the directory services.
Even worse, those with the most basic understanding of Terminal (i.e. know how to launch it) can directly change any user’s password, including admins, with the simple command line “dscl localhost -passwd /Search/Users/USERNAME.” When run, an error will appear, but if you enter the same newly minted password at all password prompts it will work. Obviously this is huge, as someone could change the Admin’s password and gain full access to any system.
There are a few limitations for this exploit, most notably the need for local access to the system. The person trying to change the passwords must have physical access to the computer and its accounts. It could be done remotely via SSH, but the hacker would need to know usernames and passwords beforehand to do this.
Second, the hacker needs to have directory service access. Even if the hacker can log into a system they’ll be dead in the water without access to the directory setup and be unable to change account information. Below are a few steps CNET recommends users take until Apple releases a security update:
- Disable automatic log-in
OS X has the option to automatically log in to a system. While this is convenient, it is also a security risk (especially for administrator accounts). By disabling automatic log-in in Lion you can prevent your account from being accessed merely by restarting it, and thereby prevent access to the Terminal and other utilities that can allow access to the directory services. Note that if you have FileVault 2 enabled, then automatic log-in will not be enabled.
- Enable sleep and screensaver passwords
Since this problem can be taken advantage of by anyone with physical access to an unlocked account, if you leave your system in a public area then someone can sit down at your account and invoke this hack. Therefore, enable a password both for waking from sleep and for when the screensaver starts, to prevent unauthorized access if you step away.
- Disable Guest accounts
If you have the Guest account enabled on your system, disable it in the Users & Groups section of System Preferences. Furthermore, only keep accounts active that are regularly used by people you know, and delete those that are no longer in use.
- Manage users on the system
It may seem easy to just set up all accounts with administrative privileges, but this setup is not a secure way to run the system, especially given this latest security issue. In OS X you can set up one admin user and then set all other users to be managed accounts. This will allow you to govern whether they have access to tools that could modify the directory services. For instance, since the Terminal allows for this you can disable access to that program for all accounts on the system except for the Admin account. If you enable the "Limit Applications" feature for an account in the system's Parental Controls, the Terminal and other similar utilities will be disabled by default for that user.
Last edited by Phillip Swanson; 09-21-2011 at 02:37 PM.
09-21-2011, 03:00 PM #2
This is an extremely long way around to an "issue" that's been present in pretty much all versions of OSX. There is a way, through single user mode, for anyone with the right command to reset the admin password on any given account.
09-21-2011, 03:28 PM #3
There seem to be some definite mistakes that Apple has made in Lion and needs to correct ASAP if they are going to be touting themselves as the most advanced operating system in the world.
09-21-2011, 03:40 PM #4
I agree with the above comment, it's not just Lion. In previous versions of OS X there are other ways around it. Something as simple as resetting the administration username will allow a reset of the password without a restore disc. Simply boot up, get into Terminal, put in a few commands and you get the original welcome screen as if you just restored the computer. It goes through for you to enter language, username, password, etc. And it still keeps all your files and settings intact afterwards. Sooo that's another security issue, I could just steal someone's MacBook and do just that, then access all their stuff. Meh, I plan on just not letting anyone use my MBP.
09-21-2011, 03:49 PM #5
Allow only root / admins to do these queries and you've got the issue avoided for the most part. Run this to apply this fix:
sudo chmod 100 /usr/bin/dscl
Last edited by io41; 09-21-2011 at 03:55 PM.
09-21-2011, 07:28 PM #6
Big woop. You can hold command-something (I think it's R, if I remember) when rebooting and reset any Lion's password from there. And that's a feature, not a security flaw.
09-21-2011, 08:49 PM #7
Same goes for Windows XP; always got people that forgot their password. Just boot into safe mode and go into admin and remove the user password. Most users don't go and add a password to the admin account in XP.
09-21-2011, 11:27 PM #8
Slightly misleading title for this article. At first glance, one would think that some 13 year old 1000's of miles away would be able to somehow get in your system and then hack your passwords. Truth is that if you leave your Mac in a public setting and also have autologon and no password resume enabled, you are asking to get screwed with.
09-22-2011, 03:19 AM #9
You're all missing the point. Anyone with physical access to any machine can get at and change any part of it unless disk encryption is used. But that's not the point. That's not why this flaw is so bad.
This flaw means someone who manages to execute something on your system from anywhere in the world (i.e. through a Java applet running in your browser, because you went to a website with this on it) can now, by very simple means, get full system access.
09-22-2011, 06:14 AM #10
09-22-2011, 07:58 AM #11
No. You CAN change the password without having the original password. Local access doesn't mean physical. SSH access is only one way. It could be via a Java applet, an email attachment or anything else, where usernames/passwords are not required. Yes, this still requires you to trick the user, but once done, you no longer need the user's password to get root access due to this flaw.
This allows you to change the current user's password, without having it.
dscl localhost -passwd /Search/Users/$USER
Like I said earlier, you can fix this problem on your local system using:
sudo chmod 100 /usr/bin/dscl
Last edited by io41; 09-22-2011 at 08:01 AM.
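A shell audit, added here as an example and not written by anyone in this thread, that checks the four CNET settings from the first post and io41's dscl permission fix. The `defaults` keys and the BSD `stat` format are my assumptions about OS X rather than values from the thread; each check takes the observed value as an argument so the logic runs anywhere, and audit_mac() only gathers live values when `defaults` is present.

```shell
#!/bin/sh
# Audit for the hardening advice in this thread: CNET's four steps plus
# io41's "chmod 100 /usr/bin/dscl". Checks return 0 (ok) or 1 (weak).
# The `defaults` keys and `stat -f` format are assumptions, not from the thread.

# Execute bit must be off for group and other (io41's fix leaves mode 0100).
perm_mode_ok() {
  mode=$1
  last3=${mode#"${mode%???}"}          # keep the last three octal digits
  g=${last3%?}; g=${g#?}               # group digit
  o=${last3#??}                        # other digit
  [ $(( g & 1 )) -eq 0 ] && [ $(( o & 1 )) -eq 0 ]
}

# autoLoginUser is unset (empty output) when automatic log-in is disabled.
autologin_ok() { [ -z "$1" ]; }

# askForPassword=1 means a password is required after sleep/screensaver.
screensaver_pw_ok() { [ "$1" = "1" ]; }

# GuestEnabled=0 means the Guest account is switched off.
guest_ok() { [ "$1" = "0" ]; }

report() {  # $1 label, $2 status (0 ok / 1 weak)
  if [ "$2" -eq 0 ]; then echo "OK    $1"; else echo "WEAK  $1"; fi
}

# Gather live values on a Mac; elsewhere just skip. Returns the weak count.
audit_mac() {
  command -v defaults >/dev/null 2>&1 || { echo "not OS X, skipping live audit"; return 0; }
  weak=0
  mode=$(stat -f '%Lp' /usr/bin/dscl)                 # BSD stat: permission bits only
  perm_mode_ok "$mode" && s=0 || s=1
  report "dscl mode $mode" $s; weak=$((weak + s))
  u=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)
  autologin_ok "$u" && s=0 || s=1
  report "automatic log-in disabled" $s; weak=$((weak + s))
  p=$(defaults read com.apple.screensaver askForPassword 2>/dev/null)
  screensaver_pw_ok "$p" && s=0 || s=1
  report "screensaver/sleep password" $s; weak=$((weak + s))
  ge=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)
  guest_ok "$ge" && s=0 || s=1
  report "guest account disabled" $s; weak=$((weak + s))
  return $weak
}

audit_mac
```

Note that locking dscl down this way only blocks the command-line path; it does not put the password hashes back behind proper authentication, so it is a stopgap until Apple ships a fix.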
09-22-2011, 09:43 AM #12