Go | New | Find | Notify | Tools | Reply |
Security Sage |
https://www.google.com/amp/s/w...ug-admin-access/amp/ Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated] Nov 28, 2017 12:33 pm PST by Juli Clover There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check. The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac. To replicate, follow these steps from any kind of Mac account, admin or guest: 1. Open System Preferences 2. Choose Users & Groups 3. Click the lock to make changes 4. Type "root" in the username field 5. Move the mouse to the Password field and click there, but leave it blank 6. Click unlock, and it should allow you full access to add a new administrator account. At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password. This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer. It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address. Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here. Update: An Apple spokesperson told MacRumors that a fix is in the works: "We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section." RB Cancer fighter (Non-Hodgkins Lymphoma) since 2009, now fighting Diffuse Large B-Cell Lymphoma. | ||
|
Member |
Yeah, that was a big screw up on someone’s part. Thankfully it’s not a remotely exploitable one. -- I always prefer reality when I can figure out what it is. JALLEN 10/18/18 https://sigforum.com/eve/forum...610094844#7610094844 | |||
|
Drill Here, Drill Now |
Thanks for posting. I followed the temp fix. WTF is wrong with Apple? It's like they hired bunch of Microsoft people and have to release non-stop updates to fix OSX and iOS security flaws. Ego is the anesthesia that deadens the pain of stupidity DISCLAIMER: These are the author's own personal views and do not represent the views of the author's employer. | |||
|
Member |
This is why I just got around to upgrading my main system to El Capitan. Demand not that events should happen as you wish; but wish them to happen as they do happen, and you will go on well. -Epictetus | |||
|
Member |
Does this mean + a new User? _________________________ | |||
|
goodheart |
If I understand this correctly, a bad guy would have to find my Mac unlocked AND know the login password in order to unlock the users group section. Am I wrong? I had to enter the login password (which is NOT an easy one) to try to create a root user, and even then Apple’s instructions were not sufficient, at least for me. _________________________ “ What all the wise men promised has not happened, and what all the damned fools said would happen has come to pass.”— Lord Melbourne | |||
|
Member |
me neither... _________________________ | |||
|
Member |
Apple has been really slipping as of late under Cook, really wish they would get rid of him. "Hold my beer.....Watch this". | |||
|
Free radical scavenger |
You are not wrong. ETA: I've always enabled the root account with a password, so this issue does not apply to me. | |||
|
Optimistic Cynic |
Cannot replicate this here. Recent install of 10.13.1. | |||
|
Free radical scavenger |
Upon further brief review, it may be possible for a non-administrative account to create a root administrative account. That seems to be the proposed bug. If so, you would still need to have access to an unlocked Mac to do so. As stated, I've always had a root account with a password and cannot duplicate this alleged bug. | |||
|
Free radical scavenger |
Continuing with this breaking news, even if this unlikely situation occurs, the root account cannot do much harm unless "System Integrity Protection" has been disabled. This is something which should and will be fixed, but it should be no cause of alarm. This is just computer people reporting Apple's bugs. | |||
|
Free radical scavenger |
Continuing further, neutered root privileges (SIP is enabled) are available to my "rh" account. The "God" account only has guest privileges. After entering the passphrase to even access my encrypted Macs, the God account could enable a neutered root account, except that the root account already exists on my Macs and has a different passphrase. Even if the God account could crack my passphrase, the God account could not do much other than access my encrypted files. This alert is not a big deal unless you share your Mac with others and have disabled SIP. | |||
|
Baroque Bloke |
I agree about Cook. Things like this didn't happen while Jobs was in charge. I never install an OS release until it's been out for awhile. Serious about crackers | |||
|
Member |
The patch (security update) is already out. It should auto update but you might want to ck. I just did my Macbook. https://support.apple.com/en-us/HT208315 Collecting dust. | |||
|
Free radical scavenger |
As usual, it is a good idea to backup your system before applying the security update. From what I have read, a patch was released earlier today, but it was soon retracted. Corrections and clarifications: With SIP enabled (by default), the root account cannot alter mac OS, but the root account can alter and read all user files on the system, so you do not want an intruder to have root access. Physical access to your machine is not necessary if you have remote logins enabled. ETA: The "God" account that I found which did not have administrative privileges was an security artifact of mine which preceded Apple's SIP. No disrespect intended, that's just me being me. Backup complete, I'm applying the patch now. | |||
|
Free radical scavenger |
Patch was installed. A reboot was not forced for some reason. I rebooted anyway. A sequence of setup menus appeared, and I was asked for my Apple ID. My Mac seems to work. | |||
|
Stop Talking, Start Doing |
Say what? _______________ Mind. Over. Matter. | |||
|
אַרְיֵה |
I really don't think that Mr. Cook (nor Mr. Jobs, when he was alive) did much coding, nor hands-on system testing. הרחפת שלי מלאה בצלופחים | |||
|
Free radical scavenger |
Steve Jobs used the products that he designed and was known to be quite temperamental (i.e., "not likeable") about silly mistakes such as this. He would have been even more furious about the Mac OS Sierra bug where the password hint revealed the actual password. Apple is more of an iPhone company now, with Macs being de-emphasized. Their goal is to have create an OS unifying iPhones, Macs, and iPads. Apple is clearly cutting costs on talent in Mac OS's evolution, relying upon beta testers and such to find their bugs. | |||
|
Powered by Social Strata | Page 1 2 |
Please Wait. Your request is being processed... |