Major macOS High Sierra Bug Allows Full Admin Access without Password

Discussion in 'HardForum Tech News' started by Megalith, Nov 28, 2017.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Messages:
    13,004
    Joined:
    Aug 20, 2006
    On Macs running the latest version of High Sierra, it appears that anyone can log in just by putting “root” in the user name field in a certain place. This is a huge, huge problem. Do not leave your Mac unattended until this is resolved.

    At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password. This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.
     
  2. Ultima99

    Ultima99 [H]ardness Supreme

    Messages:
    4,891
    Joined:
    Jul 31, 2004
    Insert random excuse and comment about Mac superiority here.
     
  3. Spidey329

    Spidey329 [H]ardForum Junkie

    Messages:
    8,677
    Joined:
    Dec 15, 2003
    That's not a bug, that's a bloody feature!
     
    mynamehere likes this.
  4. Tiberian

    Tiberian DILLIGAFuck

    Messages:
    5,725
    Joined:
    Feb 12, 2012
    "And once again Apple simplifies the experience for the end user, making it almost idiot-proof to log in as Administrator and get things done..." :D
     
  5. TheBuzzer

    TheBuzzer HACK THE WORLD!

    Messages:
    12,482
    Joined:
    Aug 15, 2005
    it works. tested on the mac at work from different coworkers.
    just root as a username can even install software
     
  6. jardows

    jardows [H]ard|Gawd

    Messages:
    1,656
    Joined:
    Jun 10, 2015
    The bigger question, is if this exploitable remotely, or if it only works with local access. Still a huge security flaw if local only, but you may have bigger problems if someone has local access to your machine that would use this.

    Also, it isn't exactly intuitive to enable the root account on OSX, or at least it wasn't in 10.11. You can do pretty much anything you need to do for daily use without root enabled, only if you want to tinker under the hood, or are doing network sysadmin style work on the computer, so this probably won't affect a lot of people. Again, still a huge security flaw that needs fixed.
     
  7. gunbust3r

    gunbust3r Gawd

    Messages:
    900
    Joined:
    Dec 12, 2004
  8. modi123

    modi123 [H]ardness Supreme

    Messages:
    5,413
    Joined:
    Sep 6, 2006
    To any of the fanbois out there feel free to send me any of you'all's shamed and worthless Apple stock. I'll be sure to put it all down gently.. up state.. at grandpa's farm. Totes.
     
  9. B00nie

    B00nie [H]ardness Supreme

    Messages:
    7,913
    Joined:
    Nov 1, 2012
    It doesn't work on my High Sierra macOS 10.13.2. All it does is open a new login window.
     
    StryderxX likes this.
  10. J3RK

    J3RK [H]ardForum Junkie

    Messages:
    9,176
    Joined:
    Jun 25, 2004
    Hauling around a computer with no root password is actually pretty courageous. Assuming you know about it I suppose. :D
     
    ruffbytes likes this.
  11. bucket

    bucket [H]ard|Gawd

    Messages:
    1,070
    Joined:
    Nov 1, 2004
    10.13.2 is a dev build. Confirmed and repeatable on current public release 10.12.6 (October 31st, 2017).
     
  12. viper1152012

    viper1152012 [H]ard|Gawd

    Messages:
    1,025
    Joined:
    Jun 20, 2012
    Its a feature .... In case you forget yur password
     
    mynamehere likes this.
  13. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,223
    Joined:
    Nov 16, 2009
    Tested on a few machines at our office, but not working so far. Checking their build version now.
     
  14. Jovian

    Jovian Limp Gawd

    Messages:
    363
    Joined:
    Jun 8, 2004
    Oh this is a fun one! Anyone up to date recently forget their password? Now is your chance to recover it.
     
  15. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,223
    Joined:
    Nov 16, 2009
    High Sierra on mac OSX (patch from September) has root account disabled and set with no password. Logging into root with no password enables it.
    Problem 1) Anyone who tries this enables the root account which means people could potentially exploit it remotely.
    Problem 2) You can't disable the root user, you can keep doing the trick to re-enable it.
    The only solution that appears to work at the moment is to enable the root user and change the password on it.
     
  16. StryderxX

    StryderxX [H]ard|Gawd

    Messages:
    1,135
    Joined:
    Jun 22, 2006
    I'm running the same build and this issue isn't present.
     
  17. missalaire

    missalaire Gawd

    Messages:
    641
    Joined:
    Jul 22, 2012
    Wouldn't sudo /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false in terminal disable root and prevent it from being logged in via shell/terminal and the GUI?
     
  18. AltTabbins

    AltTabbins [H]ard as it Gets

    Messages:
    19,104
    Joined:
    Jul 29, 2005
    Try it a few times. Sometimes it takes a few login attempts.
     
  19. rhexis

    rhexis [H]ard|Gawd

    Messages:
    1,075
    Joined:
    Jul 25, 2005
    can't replicate it here and im running 10.13.2 Beta (17C83a) I assume its fixed. good thing my MacBook never leaves my house tho.
     
  20. B00nie

    B00nie [H]ardness Supreme

    Messages:
    7,913
    Joined:
    Nov 1, 2012
    I went to update 5 yesterday and today I could replicate the problem. Took two repeated attempts.

    But hey, High Sierra is a public beta. It's not like Windows that's perpetual beta :D
     
  21. focbde

    focbde Gawd

    Messages:
    546
    Joined:
    Jan 31, 2008
    To be fair, Mac OS is such a security hole-riddled mess, it's hard to keep track of all the issues...
     
  22. BHenry

    BHenry Limp Gawd

    Messages:
    353
    Joined:
    Oct 8, 2008
    I used this on a co-workers Mac just to see his reaction since I work in information security.
     
    Meeho likes this.