Major macOS High Sierra Bug Allows Full Admin Access without Password

Megalith

On Macs running the latest version of High Sierra, it appears that anyone can log in just by putting “root” in the user name field in a certain place. This is a huge, huge problem. Do not leave your Mac unattended until this is resolved.

At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password. This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.
 
It works. Tested on the Mac at work from different coworkers.
Just root as a username can even install software.
 
The bigger question is if this is exploitable remotely, or if it only works with local access. Still a huge security flaw if local only, but you may have bigger problems if someone has local access to your machine that would use this.

Also, it isn't exactly intuitive to enable the root account on OSX, or at least it wasn't in 10.11. You can do pretty much anything you need to do for daily use without root enabled, only if you want to tinker under the hood, or are doing network sysadmin style work on the computer, so this probably won't affect a lot of people. Again, still a huge security flaw that needs fixed.
 
To any of the fanbois out there feel free to send me any of you'all's shamed and worthless Apple stock. I'll be sure to put it all down gently.. up state.. at grandpa's farm. Totes.
 
It works. Tested on the Mac at work from different coworkers.
Just root as a username can even install software.

It doesn't work on my High Sierra macOS 10.13.2. All it does is open a new login window.
 
Tested on a few machines at our office, but not working so far. Checking their build version now.
 
Oh this is a fun one! Anyone up to date recently forget their password? Now is your chance to recover it.
 
High Sierra on mac OSX (patch from September) has root account disabled and set with no password. Logging into root with no password enables it.
Problem 1) Anyone who tries this enables the root account which means people could potentially exploit it remotely.
Problem 2) You can't disable the root user, you can keep doing the trick to re-enable it.
The only solution that appears to work at the moment is to enable the root user and change the password on it.
 
Wouldn't sudo /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false in terminal disable root and prevent it from being logged in via shell/terminal and the GUI?
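
A defender-side check for the state discussed in the two posts above, as an added example that is not part of the thread: it classifies the root record printed by dscl, and shows that a changed UserShell is reported separately from whether a password hash exists. The function names, the constructed sample records, and the record shapes (a never-enabled root showing `Password: *` with no `;ShadowHash;` entry) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the root record printed by:
#   dscl . -read /Users/root Password AuthenticationAuthority UserShell
# Assumption: a never-enabled root has "Password: *" and no ShadowHash entry;
# once root is enabled (deliberately or not) a ";ShadowHash;" entry appears.

# Constructed sample records, shaped like dscl output.
SAMPLE_DISABLED='No such key: AuthenticationAuthority
Password: *
UserShell: /bin/sh'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: ********
UserShell: /bin/sh'
SAMPLE_SHELL_CHANGED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: ********
UserShell: /usr/bin/false'

# root_state RECORD_TEXT -> prints "<state> shell=<path>"
#   enabled  : a password hash is attached to root
#   disabled : placeholder password and no hash
#   unknown  : record did not match either shape
root_state() {
    rec=$1
    pw=$(printf '%s\n' "$rec" | sed -n 's/^Password: *//p' | head -n 1)
    sh=$(printf '%s\n' "$rec" | sed -n 's/^UserShell: *//p' | head -n 1)
    case $rec in
        *';ShadowHash;'*) state=enabled ;;
        *) if [ "$pw" = "*" ]; then state=disabled; else state=unknown; fi ;;
    esac
    # The shell is reported on its own: changing it does not remove the hash.
    printf '%s shell=%s\n' "$state" "${sh:-?}"
}

# Live check; only runs where dscl exists (macOS).
audit_root_live() {
    command -v dscl >/dev/null 2>&1 || return 2
    root_state "$(dscl . -read /Users/root Password AuthenticationAuthority UserShell 2>&1)"
}

if command -v dscl >/dev/null 2>&1; then
    audit_root_live
fi
```

An "enabled" result on a machine where nobody deliberately enabled root is the case to follow up on. The record cannot tell a blank password from a chosen one, so the password still has to be set explicitly.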
 
Can't replicate it here and I'm running 10.13.2 Beta (17C83a). I assume it's fixed. Good thing my MacBook never leaves my house tho.
 
Try it a few times. Sometimes it takes a few login attempts.
I went to update 5 yesterday and today I could replicate the problem. Took two repeated attempts.

But hey, High Sierra is a public beta. It's not like Windows that's perpetual beta :D
 
To be fair, Mac OS is such a security hole-riddled mess, it's hard to keep track of all the issues...
 
I used this on a co-worker's Mac just to see his reaction since I work in information security.
 