Mac flaw allows full admin rights without a password

By on
Mac flaw allows full admin rights without a password

Apple had not set a password for the root superuser in its macOS High Sierra desktop operating system, a flaw that grants full access to all parts of a Mac computer.

The company quickly pushed out a patch to the fix the flaw, which only affected macOS High Sierra 10.13.1.

The issue was made public by software developer Lemi Orhan Ergin, who demonstrated the flaw and reported it to Apple's tech support account.

CRN's sister title, iTnews, was able to replicate the flaw and access a Mac without a password as the root superuser from the main log in screen.

Even when it was not possible to enter a user name at the main macOS login screen, the flaw could be exploited via the system preferences settings.

An attacker could for instance enter root as the username in the users and groups preferences setting, leaving the password field blank, and clicking on the unlock button.

After that, it was possible for an attacker to add new accounts with full administrative rights.

Attackers with root privileges could turn off macOS security features such as FileVault disk encryption, install malware, and copy and delete data.

Security researcher Patrick Wardle noted the flaw could also be exploited remotely if the target macOS system had resource sharing services enabled.

Attempting to log in created the root account with a blank password, Wardle said. If the root account was disabled, logging in remotely re-enabled it.

Despite suggestions that the flaw could be mitigated by disabling the computer's guest account, this would not work - it simply restarted the computer with Safari the only application running.

It was possible to mitigate against the flaw, however, by adding a password for the root user in the users and groups preferences pane.

Users could click on the login options button, then select the join network account server option.

In the dialog that popped up, users could click on open directory utility, and from the tool's menubar, select the edit item, and then change root password.

Disabling the root account in the open directory utility tool did not work, as the root account became re-enabled when entered into the user name field on login.

Story updated 7.20am on 30 November after Apple released its patch.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?