A researcher at the Defense in Depth blog has discovered a flaw in Apple’s recently released operating system, OS X 10.7 (Lion), which allows a logged-in user’s password to be changed without knowledge of the existing password.
The flaw appears related to Apple’s move towards a local directory service whose permissions are set insecurely.
An attacker with access to a logged-in Mac (locally, or remotely over VNC, RDC, SSH, etc.) is able to change the currently logged-in user’s password without knowing the existing password, as would normally be required:
testmac:~ TestUser$ dscl localhost -passwd /Search/Users/TestUser
New Password:
Historically (in Snow Leopard) you would have needed to enter your existing password first to verify that you in fact are the account holder:
testmac:~ TestUser$ passwd
Changing password for TestUser.
Old Password: -OldPass-
New Password: -NewPass-
Retype New Password: -NewPass-
Not only can a logged-in user change their password without knowledge of the existing password, but you can read any other user’s password hash and attempt to brute force it.
Defense in Depth showed how you can parse the hash from openly readable directory information and recover both the hash and the salt used when hashing the password.
This is another great reason to be sure you have secured your Mac properly until Apple makes a fix available. Taking the following steps will help ensure you are protected:
- Use a secure password to prevent brute force attacks against your account using stolen hashes.
- Enable the screensaver and set it to prompt you for your password.
- Disable automatic logon.
- Never leave your Mac logged in and unattended. Use a “Hot Corner” or the Keychain lock to lock your screen.
The Keychain Access preferences window on OS X 10.7 allows a status bar icon to be shown for locking the screen.
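As an added example (not code from the article or from Apple), the POSIX shell posture check below turns the mitigation list above into settings checks. It assumes 10.7.2 is the fixed release and uses the standard `sw_vers` and `defaults` commands when run on a Mac; anywhere else it falls back to constructed sample values.

```shell
# Posture check for the Lion dscl password flaw described above.
# Assumption (not from the article): 10.7.2 is the fixed release, so
# 10.7 and 10.7.1 are treated as affected.

# True (exit 0) when the product version is a Lion build before 10.7.2.
lion_version_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ -z "$patch" ] && patch=0
    [ "$major" -eq 10 ] && [ "$minor" -eq 7 ] && [ "$patch" -lt 2 ]
}

# Applies the article's mitigations to already-collected settings, so the
# logic runs anywhere. Arguments:
#   $1  product version            (sw_vers -productVersion)
#   $2  screensaver askForPassword (1 = prompt for password on wake)
#   $3  loginwindow autoLoginUser  (empty = automatic login disabled)
# Prints one WARN line per finding and a final FINDINGS count; exits 0.
assess_lion_posture() {
    findings=0
    if lion_version_affected "$1"; then
        echo "WARN: OS X $1 is affected; update to 10.7.2 or later"
        findings=$((findings + 1))
    fi
    if [ "$2" != "1" ]; then
        echo "WARN: screensaver does not require a password to unlock"
        findings=$((findings + 1))
    fi
    if [ -n "$3" ]; then
        echo "WARN: automatic login is enabled for '$3'"
        findings=$((findings + 1))
    fi
    echo "FINDINGS: $findings"
}

# Reads live values on a Mac; elsewhere uses constructed sample values
# (an unpatched Lion with both mitigations missing).
run_check() {
    if command -v sw_vers >/dev/null 2>&1; then
        ver=$(sw_vers -productVersion)
        ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null)
        auto=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)
    else
        ver="10.7.1"; ask="0"; auto="TestUser"
    fi
    assess_lion_posture "$ver" "$ask" "$auto"
}
run_check
```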
For more tips on securing your Mac check out our three part series on top tips for Mac OS X security.
This is particularly dangerous if you are using Apple’s new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data.
Cnet had reported that you can also change other users’ passwords, but I was unable to replicate their findings.
Hopefully Apple will release an update soon; I was able to confirm with testers of OS X 10.7.2 that the flaw still exists in test builds.
Creative Commons photo of lions courtesy of fortherock’s Flickr photostream.
Thanks for this info. I just got a security update from Apple, wonder if that fixed this issue. On another, related note, I was given an Apple G4 Desktop system earlier this year and unfortunately the person who gave it to me couldn’t remember the password they used. So, in order to reset it I had to do the following (which worked like a champ):
1. Reboot into single user mode (at boot, when you see the grey screen, hit Command-s)
2. At the prompt, type the following:
fsck -fy
mount -uw /
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
3. Next you need the user name of the id you want to change the password for. Don’t know it? Use ‘ls /Users’ to find it.
4. Execute the following:
dscl . -passwd /Users/
5. Reboot
That’s it. On OS X 10.4/10.5 that would work, and you didn’t even need the OS X disc. I haven’t tried it yet on Lion to see if it would work or not, but it is definitely scary that you don’t need the disc to do that.
Regards,
Jeff
Thanks Chet! In all my years of using Macs, I’ve never bothered to look into Keychain Access.app’s preferences. I’ve been writing quick hacks to do what that menu item does for years!
Also, everyone using a Mac may want to mouse on over to the third preferences tab: Certificates. With all the excitement regarding DigiNotar recently, our readers may find it interesting that OCSP and CRL are disabled by default.
For the vast majority of Mac OS X users who use their Macs at home, this means absolutely nothing.
If your wireless network is properly secured, this security hole isn't accessible to anyone unless they break into your house and steal your Mac.
If you're on a wired network at home, then it's impossible for anyone to gain access.
Let me know when a drive-by virus for Mac OS X is in the wild and infecting Macs. Then I'll take notice.
Just confirmed that the bug is patched in 10.7.2. release.