Mac OS X flaw allows dodgy password resets

The latest version of Apple's OS allows anyone to change passwords

20 Sep 2011

A flaw in Mac OS X 10.7 could let attackers reset passwords without knowing the existing one.

A researcher writing on the Defence in Depth blog revealed a pair of permissions problems in the latest Apple OS.

First, the system gives easy access to users' shadow files, which should be readable only by high-privilege (root) users. Those files hold hashed passwords, which can be brute-forced offline to recover the original password.

"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," researcher Patrick Dunstan said. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services."

While Dunstan said major cracking tools don't yet support OS X 10.7 hashes, you don't actually need to crack them: thanks to the second permissions problem, you can simply change the password.

"Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user," he wrote.

"You will be prompted to enter a new password without the need to authenticate," Dunstan wrote.

Dangerous flaw

According to Sophos' Chester Wisniewski, the flaw is "particularly dangerous" for anyone using Apple's FileVault 2 disk encryption.

"If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data," he said in a blog post.

Wisniewski has checked with people testing OS X 10.7.2, and said the flaw still exists in test builds.
