Apple Macs have gaping root hole – here’s a superquick way to check and fix it

By | 4:21 PM

What’s the maddest, baddest, craziest, can-you-believe-it, how-did-that-happen security blunder of recent memory?

Companies contending for the top three spots in the past quarter surely include:

Well, Apple just did it again, and this one is even worse than before – so Cupertino may well be back in first place.

The default root login password is…

In High Sierra, the latest version of MacOS (currently at 10.13.1), you can easily guess the password for root, the all-powerful system administration account.

The average number of guesses you need is…

…ONE.

In fact, strictly speaking you need ZERO guesses, because you almost certainly know the password already.

Just login as root with the password “”, by which we mean no password at all – just hit [Enter].

We’re guessing that Apple didn’t bother to set a password for root because you don’t usually log in or authenticate as root.

Instead, you specify that one or more regular accounts have Administrator powers, and can perform root-like activities one-at-a-time, as needed, by putting in their own passwords.

In theory, this is good for security because: you aren’t logged in as an administrator all the time; you don’t need to share a single root password amongst multiple administrators; and there’s accountability because admin activities are tied back to the user who initiated them.

In practice, of course, you do need to have a password on the root account if it’s active, and ideally it should be randomly set when you configure the system, so no one knows it. (It’s much easier to stop someone using a password by mistake, or against policy, if they CAN’T use it!)

In other words, if you have no login password on the root account, you also need to configure the account so it can’t be used to log in, no matter how many different sneaky ways an attacker finds to get at a login prompt.

This is an epic fail by Apple, and all the world knows about it now, because it was disclosed publicly on Twitter rather than privately to Apple.

What to do?

You can easily set a strong root password of your own, so no one else knows it or can guess it.

The good news is that there’s an easy and safe way to check and fix this problem.

Open a Terminal window and enter the command passwd root, which is how you set the root password in the first place.

Don’t worry – you can’t set a new password this way unless you already know the old one, so just hit [Enter] three times:

$ passwd root
Old Password: [just hit enter to assume that it's blank]
New Password: [hit enter again to leave it blank if it already is]
Retype New Password: [hit enter a third time]

Note that if the old password isn’t blank, you don’t get an error message until the end, so if you see an error like this…

passwd: authentication token failure

…then you don’t have a blank root password and you may stand down from high alert.

However, if you don’t see any message at all, then your password was, and still is, blank, so you need to change it.

Run the same command again, but this time put in [Enter] as the old password and choose a proper password for root:

$ passwd root
Old Password: [just hit enter]
New Password: **************
Retype New Password: ***************
$

Job done.

Technically, you don’t even need to keep a record of the password you typed in (though you can’t just type random garbage because you need to put the same password in twice).

You’ll still administer your Mac with your regular Administrator-enabled account by typing in your regular password when needed, just like before.

Instead, or as well, you can disable the root account so that it can’t be used for logging in or authenticating against.

So, if your regular account has administrator powers, you can do this:

$ dsenableroot -d
username = [your username will appear here]
user password: [enter your own password]

dsenableroot:: ***Successfully disabled root user.
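If you look after more than one Mac, you will want a scriptable version of the check above rather than typing passwd root on each machine. The script below is an added example, not from the article or from Apple: it assumes (not stated in the article) that macOS Directory Services exposes the root record through dscl, and that a root account disabled with dsenableroot -d has no AuthenticationAuthority attribute, so reading it fails with “No such key”. The classification is split from the live query so the logic can be exercised offline on constructed sample output.

```sh
#!/bin/sh
# Host check for an enabled root account on macOS (High Sierra era).
# Assumption (not from the article): `dscl . -read /Users/root
# AuthenticationAuthority` reports "No such key" / eDSAttributeNotFound
# when root is disabled, and prints the attribute when root is enabled.
# This tells you whether root is usable, not whether its password is
# blank; the article's `passwd root` test covers the blank-password case.

# Classify raw dscl output into DISABLED / ENABLED / UNKNOWN.
classify_root_status() {
    case "$1" in
        *"No such key"*|*eDSAttributeNotFound*) echo "DISABLED" ;;
        *"AuthenticationAuthority:"*)            echo "ENABLED" ;;
        *)                                       echo "UNKNOWN" ;;
    esac
}

# Live query; only meaningful on macOS, where dscl exists.
query_root_authority() {
    dscl . -read /Users/root AuthenticationAuthority 2>&1
}

# Constructed sample outputs (not captured from a real machine) so the
# classifier can be demonstrated and tested on any platform.
SAMPLE_DISABLED='<dscl_cmd> DS Error: -14136 (eDSAttributeNotFound)
No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

main() {
    if [ "$(uname)" = "Darwin" ]; then
        status=$(classify_root_status "$(query_root_authority)")
    else
        echo "Not macOS: classifying the constructed DISABLED sample" >&2
        status=$(classify_root_status "$SAMPLE_DISABLED")
    fi
    echo "root account: $status"
    if [ "$status" = "ENABLED" ]; then
        echo "Remediate: run 'dsenableroot -d', or set a strong password with 'passwd root'"
        return 1
    fi
    return 0
}

main "$@"
```

A non-zero exit from main lets an MDM or config-management run flag the host; run it as a regular administrator account, exactly as the article does for dsenableroot.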

Check your Mac, and fix this now!

Note. We think that the default setup of macOS prevents you using this trick remotely. You must have physical access to the computer. Also, if FileVault (full disk encryption) is turned on and the Mac is shut down rather than logged off or locked, you have to enter the disk password before you can get at a login prompt at all.



from Naked Security http://ift.tt/2hZejV3
