And It Just Roots: New MacOS Security Flaw Emerges

Posted on November 28, 2017 by Mehedi Hassan in Hardware with 53 Comments

Update: Apple has issued a fix for this. –Paul

A major new macOS vulnerability has just been discovered, and it’s also been disclosed publicly…on Twitter. The bug gives anyone unauthorized administration access to a Mac using a very simple trick: logging in as root.

When trying to login to a macOS device running High Sierra, you will simply need to use the username “root”, leave the password field empty, and then hit the login button a couple of times to get access to the device. This will only work if you actually try authenticating as “root” from an account that’s already logged in, and then the root user will be enabled on your device, allowing you to login as “root”. The vulnerability affects all latest versions of the operating system, but it only seems to affect devices running macOS High Sierra and can’t be reproduced on older versions of the OS.

Using the same trick, you can add new users (even as admins) to a device, remove other users, reset their passwords, decrypt disks encrypted by FileVault, or change almost every other setting that requires admin access. It’s pretty ridiculous:

Apple has acknowledged the security flaw on macOS, and a software update is now available for the issue:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Disabling the root user won’t help, by the way. The security flaw isn’t too much of a big deal, though, as one would need physical access to your device in order to get unauthorized administrative access to your device.

Still, flaws like this really undermine the level of security you get from Apple’s premium devices, even though such issues are rarely discovered.

Editor’s note: The article has been updated to include Apple’s statement regarding the issue. The article was initially incorrect about the steps to reproduce the issue, however, we have now updated the article to correct that. 

Tagged with , ,

Join the discussion!

BECOME A THURROTT MEMBER:

Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Register
Comments (53)

53 responses to “And It Just Roots: New MacOS Security Flaw Emerges”

  1. wunderbar

    This is hilarious, but before anyone goes too far into the "lolol apple" remember that Microsoft OS's have bugs too.

    • nbates66

      In reply to wunderbar:

      "Look over there! Nothing to see here!!"



      I'm curious about how serious this one is... Have found various comments that the exploit can be used via remote accesses and at least one case via a terminal.

    • SRLRacing

      In reply to wunderbar:

      You are of course correct but if this was Windows the internet would be aflame with "lol Windows sux" so let us sit back, open a bottle of fine craft beer, and type "lol Apple sux" as often as we can to really soak the moment in.

    • warren

      In reply to wunderbar:


      Yeah, no, you know what, -- given all the noxious yammering we've been hearing for years from Apple-heads about IT'S UNIX, IT'S SO MUCH MORE SECURE THAN WINDOWS, I say we spent the next five years throwing this right back at them.


      Over and over and over.



      • hrlngrv

        In reply to warren:

        This doesn't happen in most Linux distributions or BSD versions. Never installed a true Unix system, but I figure the installation script required a nontrivial root password.

        This problem appears limited to Apple. Unlike Linux, Apple's macOS is perfectly happy to login as root when root lacks a password.

    • evox81

      In reply to wunderbar:

      It's true, Windows does have security vulnerabilities as well. It's the type of vulnerabilities we've been seeing lately that I find interesting. Most Windows exploits found today are obscure vulnerabilities that are complicated, or at least cumbersome, to exploit. This is type a word, press enter, repeat and you successfully have full root access to the device.

  2. seapea

    I didn't realize the new macOS was an IoT operating system.


    seriously though, doesn't W10 do the same thing with the builtin Administrator account?

    • Stooks

      In reply to seapea:

      Yes it does.


      Walk up to a Windows 10 PC logged in by a user with Administrative privileges and you can create new accounts with admin privileges, take ownership of any files, delete users etc. All of this can be done with no challenges as in prompting to for user/password. This is the default behavior on Windows.


      You can make changes to require a user/pass (UAC cranked way up) and then it acts like Unix/Linux/macOS by requiring a user/pass.

      • seapea

        In reply to Stooks:

        Your paragraph starting "Walk up" contradicts the initial sentence of "Yes it does."

        W10 has a built in Admin account, is it accessible by a person? If so, then I don't think the macOS root issue is unique to Apple.


  3. Dan1986ist

    If one does a web search, one will find this exact issue was posted in an Apple Developer forum post on the 13th of this month. A full two weeks before this security issue was made known to apple via twitter.

  4. Brazbit

    "The security flaw isn’t too much of a big deal, though, as one would need physical access to your device in order to get unauthorized administrative access to your device."


    Such as regularly found in schools, libraries, store demo systems, kiosks, hotel lobbies, etc... It may be minor for individuals and irritating in an office setting, but for those with publicly accessible systems, and often little to no dedicated IT staff, it could quickly become a big deal.

  5. Waethorn

    Um, ok.


    So you have to have physical access to a system that's already logged on as an admin in order to do this.


    Microsoft doesn't patch these kinds of problems, labelling them as "low-risk" and would say "don't allow unauthorized users physical access to the computer" as the fix. Why is this getting news just because it's Apple, when it affects such a minor amount of the populace?

  6. Stooks

    So walk up to any Windows 10 PC logged with a Admin account and you can do ANYTHING you want with the computer, no extra login required. Basically macOS is just like Windows 10....right now.


    Once this is fixed and back to normal macOS behavior it will once again be more secure than Windows.

    • Greg Green

      In reply to Stooks:

      Not quite. Any logged in account would've allowed you access to root when you have access to the computer. You don't have to be logged in to root to do this, so your admin log in example isn't quite the same.

    • hrlngrv

      In reply to Stooks:

      Picky: there's a lot the built-in Administrator account can't do in Windows until taking ownership of various files or directories and giving itself full control permission.

      • Stooks

        In reply to hrlngrv:

        Is that a serious reply?


        Does taking ownership require you to put in a password on Windows? Nope, so the built in Administrator can simply click apply.


        macOS and Linux would require and admin user/pass to do this. HUGE difference.

        • hrlngrv

          In reply to Stooks:

          Yes, serious reply whether you could appreciate as such or not.

          No, the built-in Administrator account can't just clock away. Taking ownership isn't so easy either. File Explorer tends to miss files in folders, so running takeown at the command line is the most robust way to do so. It can be done without entering a password, but it is an extra step.

  7. Bob Shutts

    Exploit patched a few hours ago as of this post. Still, not a good thing, Apple. Management has relegated the Mac to the back seat behind the phone, the pad, and the watch.

  8. UbelhorJ

    This reminds me of using the Help dialog to bypass the login screen in Windows 98. Pretty epic levels of fail.

  9. markbyrn

    and today Apple issued an update to fix

  10. bls

    After far too many years and operating systems, it's clear that every OS sucks. They just suck differently.

  11. hrlngrv

    root is root. If you can login in as root, you can do anything the OS can do.

    FWIW, most Linux GUI login systems don't allow logging in as root. Also, out of the box, as it were, one can't log in as root. It's necessary to run sudo passwd to set a password for root.

  12. TEAMSWITCHER

    If somebody has Physical access to your computer and you are not present to monitor them ... face it ... you don't have ANY security.

  13. nbplopes

    Yup, bad. Hours later, patched, good.

  14. dontbe evil

    but but mac are secure /s ... apple is the best /s ... ROTFL


  15. Stooks

    Sure this is a bug.


    However this..."When trying to login to a macOS device running High Sierra, you will simply need to use the username “root”, leave the password field empty, and then hit the login button a couple of times to get access to the device."


    You can't change the user name at the login screen. You can only choose from the list of users (usually just one) on the login screen. In the case of having just one user then you are prompted for the password automatically, no ability to choose another user.


    That said if the Mac is logged in then you can use this via the System Preferences panel. So you need a Mac that is logged in and it has to be on the Mac...not from across a network.


    Also Apple has responded.


    "We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."





  16. PincasX

    That is a pretty big miss on the part of Apple.


    Also this is an inaccurate description of the issue:

    When trying to login to a macOS device running High Sierra, you will simply need to use the username “root”, leave the password field empty, and then hit the login button a couple of times to get access to the device. “


    People can’t log into the machine as root using this exploit or at least not initially. To get it to work you have to be logged in already and use the exploit to enable the root user (disabled by default) in system preferences. Once you have done that then you can log out and log back in as root without a password. So for so one to use this exploit they would need to have physical accesss to the machine while a user is logged in.


    Still incredibly sloppy on Apple’s part.


      • PincasX

        In reply to MikeGalos:

        Nope, try reading the article. They go through system preferences like Mehedi does and the person that found it did. This process enables the root user and does so without a password. Just booting the machine and trying doesn’t work as 1. The root user is not enabled and can’t log in 2. MacOS has no option to type in a user by default. Getting that option is done by a user logging in and changing the login screen preferences.



        I’m not saying all of this makes the bug a nonissue, it’s a huge issue. That said, it being a substantial issues doesn’t excuse poor reporting. Given that you completely invent demos of products to promote your conspiracies that last part may be lost on you.



        • Mehedi Hassan

          In reply to PincasX:


          You are right. I have updated the story, thanks!

          • James Wilson

            In reply to Mehedi:

            Just checked and remote connectivity to High Sierra doesn't work using SSH. Seems to be a privilege escalation issue.


            So you have to physically have the mac, be logged in as a non-root user and then you escalate rights to root. Still - pretty bad but I don't think people are going to lose data over this.

        • MikeGalos

          In reply to PincasX:

          Apple disagrees and tells you to enable root access in order to set a password on the root account. You wouldn't need to do that if it didn't work with root disabled.

          • PincasX

            In reply to MikeGalos:

            Again, no. Apple acknowleged there is a bug that can compromise a root account that is inactive or was made active with no password. They then explain how to secure the root account so that it won’t be vulnerable to the exploit.


            What you don’t really get is how the exploit works. The exploit allows you to enable the root user with no password but to get to that point you have to already be logged in already. Once it is active you could log in at the log in screen or remotely (in specific cases) as the root user. Apple’s suggestion is that you enable root user and give it a password. That keeps someone else from enabling root and giving a password because it would already be enabled and have a password.


            Again, I know this hard for you but you don’t get to make things up because they are what you would like to believe.

    • Stooks

      In reply to PincasX:

      You are correct. You CANT change the user name at the login screen, only choose from the list of users.

      • Brazbit

        In reply to Stooks:

        Of course you can. At the List of Users (login screen) press the down arrow. This will highlight the default choice. Press Option+Enter (Alt+Enter if using a PC keyboard) this will switch it from List of Users to Name and Password. You can now enter the login name for hidden accounts.


        It would be kind of hard to make use of the Root account, for its intended uses, if this ability to switch login modes at the login screen did not exist.

        • Stooks

          In reply to Brazbit:

          So yes, you can do that (if you know all of that) but if the root user is disabled (default) then you cant use it from the login screen. You will only be able to use the valid/enabled users on the Mac.


          The root user would be a choice if it was enabled via this bug. But to do that you would have to have physical access to a already logged in Mac that has not set a root user password. (most would not have a password).


          A lot of "if's" and requirements. However if you have physical access to a bug free Windows 10 computer that is already logged in via a Admin account you can own it 8 days a week.

  17. brettscoast

    Thanks Mehedi for the heads up this really isn't good enough from Apple who constantly rave on about how good their security is on their devices well this is an epic fail and i would have thought there would be some urgency to issue a security patch immediately. By the way welcome to thurrott.com looking forward to more of your articles going forward.

  18. neumarke

    There are reports of people getting this to work remotely, no physical access required. So, a very big deal.


  19. rameshthanikodi

    this is extremely embarrassing and with the slow adoption of iOS 11, it seems like it's amatuer hour at Apple's software group.

  20. MikeGalos

    Apple is now confirming that this security vulnerabilty exists matching Paul's statement and that the temporary fix is to enable the root account and set a password.


    Here's their statement:


    We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012 . If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.


  21. jimchamplin

    I'm not incredibly surprised. High Sierra is garbage.

Leave a Reply