FacebookTwitterLinkedIn

Critical Root Access Flaw on macOS

Karolis Liucveikis Written by on

Apple has recently patched a serious root access flaw found macOS High Sierra. The flaw allows for the authentication to bypass making the system exceptional vulnerable to exploitation. The flaw would enable a potential attacker to gain root access to the vulnerable system. Apple has described the vulnerability as a logic flaw, and in a recently released statement confirmed that “An attacker may be able to bypass administrator authentication without supplying the administrator’s password,”

The flaw appears to be first mentioned on an Apple Developer forum on November 13 by a user who had been trying to help others solve a macOS issue related to all their admin accounts being turned into regular accounts after updating to High Sierra. Apple only became aware of the problem on Tuesday of this week when a Turkish developer sent a tweet to Apple Support and the media started covering the issue. Apple did respond in record time. Within 24 hours a patch was released for the vulnerability labeled CVE-2017-13872. It is hoped that the speedy response by Apple has mitigated any future damage that could come from the flaw being exploited. macOS users are advised to ensure that security update for High Sierra 10.13.1 has been downloaded and installed on their systems.

According to Apple, the vulnerability does not affect macOS Sierra 10.12.6 and earlier versions of the operating system. The flaw can be regarded as serious as CVE-2017-13872 can be easily exploited. On an unpatched system, this flaw can be exploited by accessing “System Preferences” from the Apple menu and click on any of the categories that require administrator privileges in order to make changes (e.g. Security & Privacy, Users & Groups, Parental Controls). All that is then required is then to click on the lock icon in the bottom left corner of the window and enter the username “root” with any password when prompted. The Enter key or the Unlock button must be hit twice.

Initially, it was believed, that the exploit worked by entering the username “root” with a blank password. Researcher Tom Ervin clarified that the attack works with any password. Essentially the password entered becomes the root password if the field is left blank then no password gets assigned to the root account. The attack can only be pulled off in such a manner if the root account has not been enabled and a password has not been set for it. To further prevent this be exploited by potential hackers Apple has deactivated the root account by default.

critical root access flaw macos

While it initially appeared that the flaw could only be exploited by having physical access to the targeted machine. Patrick Wardle, an experienced macOS hacker, managed to exploit the flaw remotely. This could be done if the sharing services are enabled on the device. Some researchers have warned that malicious actors could be scanning the Web for remotely accessible computers that they can attack using this security hole. Given that certain hacking groups, such as Cobalt, are quickly jumping on vulnerabilities to exploit such a statement is not based on myth.

Second flaw affecting passwords in two months

At the start of October, a Brazilian developer noticed that macOS High Sierra 10.13 after installation began leaking passwords for encrypted Apple File System (APFS) volumes via the password hint. APFS is a new system introduced with High Sierra. When installed on a system with a Solid State Drive (SSD), the startup volume is automatically converted to APFS and users cannot opt out of the transition. APFS was promoted as a tool for strong encryption, fast directory sizing, space sharing, and improved file system fundamentals.
Matheus Mariano discovered the password leakage after he used the Disk Utility in High Sierra to add a new encrypted APFS volume to the container. When users add a new volume, they are asked to enter a password or write a hint for it. As soon as the new volume is mounted the user is asked to enter their chosen password. Mariano noticed that if the “Show Hint” button is pressed, the hint that is displayed is actually the password set by the user. If you entered no hint then nothing would be displayed, however, Apple recommends users use the hint function. Apple has released a patch for this issue. If the user wishes they can also correct the problem by using the diskutil command line to change the hint.

The vulnerabilities continue

In September, Patrick Wardle discovered that unsigned applications can steal data from the operating system’s Keychain password management system on High Sierra. In order to demonstrate this, the expert made a video showing how an unsigned application can programmatically dump and exfiltrate sensitive data from the Keychain, including plaintext passwords, without needing the master password. If an attacker wished to exploit this it would require the targeted user to download and execute a malicious application and ignore the warnings displayed when a program from an unidentified developer is being launched. However, it would not need any root permissions. At the time of discovery Wardle informed Apple and until a patch was released did not release any details to the public for fear of being exploited by malicious actors.

Of late researchers and experts have been asking questions as to the frequency of vulnerabilities that have appeared since High Sierra was launched. Wardle seems to have made a habit of discovering vulnerabilities on the latest macOS version. In August, he demonstrated how attackers can bypass the new Secure Kernel Extension Loading (SKEL) security feature introduced in the latest version of macOS. It has not just been High Sierra that has made headlines for flaws, over the past several years researchers found ways to bypass the Gatekeeper security system, abuse legitimate apps to spy on users and conduct DLL hijacking attacks.

One of the reasons for this is the pressure felt by the tech giants to constantly release not only new products but also software updates. In order to be seen as leading the pack so to speak ensuring solid and safe updates is secondary to how quickly you can put out new tools and applications.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog