A researcher at the Defense in Depth blog has discovered a flaw in Apple’s recently released operating system, OS X 10.7 (Lion), which allows passwords to be changed without knowledge of the logged in user’s password.
The flaw appears related to Apple’s move towards a local directory service which has permissions set in an insecure manner.
An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user’s password without knowing the existing password as would normally be required:
testmac:~ TestUser$ dscl localhost -passwd /Search/Users/TestUser
Historically (in Snow Leopard) you would have needed to enter your existing password first to verify that you in fact are the account holder:
testmac:~ TestUser$ passwd
Changing password for TestUser.
Old Password: -OldPass-
New Password: -NewPass-
Retype New Password: -NewPass-
Not only can a logged in user change their password without knowledge of the existing password, but you can read any other users password hash and make attempts at brute forcing it.
Defense in Depth showed how you can parse the hash from openly readable directory information and recover both the hash and the salt used to encrypt the password.
This is another great reason to be sure you have secured your Mac properly until Apple makes a fix available. Taking the following steps will help ensure you are protected:
- Use a secure password to prevent brute force attacks against your account using stolen hashes.
- Enable the screensaver and set it to prompt you for your password.
- Disable automatic logon.
- Never leave your Mac logged in and unattended. Use a “Hot Corner” or the Keychain lock to lock your screen.
Keychain preferences windows on OS X 10.7 allows for status bar icon for locking.
For more tips on securing your Mac check out our three part series on top tips for Mac OS X security.
This is particularly dangerous if you are using Apple’s new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data.
Cnet had reported that you can also change other users passwords, but I was unable to replicate their findings.
Hopefully Apple will release an update soon, I was able to confirm with testers of OS X 10.7.2 that the flaw still exists in test builds.
Creative Commons photo of lions courtesy of fortherock’s Flickr photostream.