http://neworder.box.sk/showme.php3?id=4401

Summary
There is a constant battle between user-friendliness and security.
Apple has known about this vulnerability for some time now; back in the
days of OpenStep, a patch for that OS was released to fix this problem.
Now is the era of Mac OS X, and even though that old OpenStep patch won't
work for OS X, Apple could still easily release a similar patch, or better
yet, a permanent fix that is installed by default.
It is argued that Single User Mode should grant full root privileges so
that forgetful users can change their password. The average Mac user might
forget his or her password, but they probably wouldn't want to go into the
command line interface of Single User Mode. Rather, they'd boot from the
Install CD and reset their password from within the nice, eye-pleasing
Aqua GUI. Besides, the sysadmins and power users (who might like the CLI
more than the average user does) probably won't forget their passwords and
would also prefer the security advantage of not having root left open this
way. So the ability to reset the password in Single User Mode without
knowing the password to begin with is an unnecessary risk, and is
unnecessary in general.
Moreover, the current granting of root privileges in Single User Mode
gives the user the direct ability not only to change the password, but to
dump the password hash and crack it. Somebody could easily obtain the
administrative password that way, thereby gaining administrative
privileges without generating anything that would alert the sysadmins to
a breach. Whereas if somebody were forced to reset the password to gain
root privileges (as the Install CD requires), the fact that the
administrative password was changed would tip off the sysadmins that
somebody had breached their system.
In conclusion, Apple should work something out to make Single User Mode
require the root or administrative password before granting root access.
Furthermore, the Install CD should be the only method of resetting the
passwords without knowing them to begin with.


Details
Situation:
Somebody is at a Mac running Mac OS X, and they have completely forgotten
their user and/or administrative account password (or, even worse, they
never had an account to begin with and are trying to hack the system), so
they can't just log in at the login screen. If the machine has a keyboard
attached and those keys can be pressed, here's how someone can get root
access with just a couple of taps on the keyboard and maybe the scribble
of a pen.

Vulnerability:
Single User Mode under Mac OS X gives root access privileges without
requiring the root password. (Note: Single User Mode itself is not the
vulnerability here; the vulnerability is the fact that root access is
given without having to enter any password whatsoever.)

Exploit:
Step 1) Restart the computer (or turn it on if it's off) while holding
down the command and s keys at the same time. (If the computer is running
the Mac OS X Public Beta, just press the s key.) At this point they
already have root privileges, but now it's time to take advantage of
them.

Step 1.5) Type "/sbin/fsck -y". (Type this without the quotes, of course.)
(This step really isn't necessary at all, but it just takes a second, and
they might as well just do a quick check of the hard disk before mounting
it.)

Step 2) Type "/sbin/mount -wu /" (This mounts the volume "/" with
read/write access.)

Step 3) Type "/sbin/SystemStarter". (This starts the network services,
which is necessary to gain access to NetInfo.)

Step 4) Here, one could now just type "passwd root" and overwrite the
existing root password with one of their own, or worse yet, someone could
obtain the current root password (and/or the administrative user account
password) so that the administrators of that computer never learn that
their security has been compromised. One of the easiest ways to do this
is to type "nidump passwd ." and write down the root account's password
hash. (The hash is the text that looks like a garbled mess of
alphanumeric characters between two colons.)

Step 5) Now one can type up what they wrote down into a plain text file
like the following example: "root:rQkFQ37SYveHw:0:0::0:0:System
Administrator:/var/root:/bin/tcsh".

Step 6) Finally, they'll use a cracking program like John the Ripper for
the PC, or the Meltino, a Classic Macintosh application, to crack the
password hash.


Solution:
A good makeshift fix for this can be found at
http://users.ez-net.com/~jasonb/secureit.html (Version 1.05 of SecureIt
has been verified to work under Mac OS X Build 4K78).

Step 1) Download the file: http://users.ez-net.com/~jasonb/secureit.tar.gz

Step 2) Open a terminal window, type "su", and type in the root password
when prompted.

Step 3) Go to the directory where you downloaded the secureit.tar.gz
file, and type "tar xvzf secureit.tar.gz".

Step 4) Type "cd secureit1_05" and then type "./install".

Step 5) You should now be prompted for the password that will be required
to boot into single user mode. This password does not have to be the same
as your root password or any other password you might have, so you can
choose a completely new one.
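After applying a fix like the one above, an administrator wants a way to
verify the machine's state rather than trusting that the install ran. The
following audit helper is an added example; it is not part of this advisory
and is not the SecureIt tool, and it does not claim to be how SecureIt
works. It assumes the BSD init(8) convention, which Mac OS X of this era
inherits: the "console" entry in /etc/ttys carries a "secure" or "insecure"
flag, and init only asks for the root password before starting a
single-user shell when the console is marked "insecure". The two ttys
files it inspects are constructed inline so the script runs offline; on a
real system you would point it at /etc/ttys.

```shell
#!/bin/sh
# Added audit helper; not from the advisory and not part of SecureIt.
# Assumption: as with BSD init(8), the "console" entry in /etc/ttys carries a
# "secure" or "insecure" flag, and init only prompts for the root password
# before a single-user shell when the console is marked "insecure".

# console_flag FILE: print "secure", "insecure", or "none" for the active
# (uncommented) console entry in a ttys-style file. The getty command field
# is quoted and may contain spaces, so the flag is located by scanning every
# whitespace-separated token rather than by fixed column.
console_flag() {
    awk '
        $1 == "console" {
            for (i = 2; i <= NF; i++)
                if ($i == "secure" || $i == "insecure") { print $i; found = 1; exit }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# single_user_protected FILE: succeed (exit 0) only if, according to FILE,
# single-user mode would prompt for the root password.
single_user_protected() {
    [ "$(console_flag "$1")" = "insecure" ]
}

# report FILE: one-line verdict suitable for an audit log.
report() {
    flag=$(console_flag "$1")
    if single_user_protected "$1"; then
        echo "$1: console is '$flag'; single-user mode requires the root password"
    else
        echo "$1: console is '$flag'; single-user mode grants root WITHOUT a password"
    fi
}

# Constructed sample ttys files (not copied from any real system): the first
# reflects the default, unprotected state; the second the hardened state.
weak_ttys=$(mktemp)
fixed_ttys=$(mktemp)
printf '%s\n' \
    '# name  getty  type  status  comments' \
    'console "/usr/libexec/getty std.9600" vt100 on secure' \
    'ttyp0   none   network' > "$weak_ttys"
printf '%s\n' \
    '# name  getty  type  status  comments' \
    'console "/usr/libexec/getty std.9600" vt100 on insecure' \
    'ttyp0   none   network' > "$fixed_ttys"

report "$weak_ttys"
report "$fixed_ttys"
rm -f "$weak_ttys" "$fixed_ttys"
```

Run it against the real file with `report /etc/ttys`; a "secure" verdict
means the machine is still in the state this advisory describes, and a
"none" verdict means the console line is missing or commented out and
should be inspected by hand.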