Old and Known

Here is a very old and known issue with the Mac: too many ways to bypass authentication and too few fixes.

A week ago, a person emailed us (SecuriTeam) about another bypassing issue in Mac OS X Tiger (10.4 family).

The person told us that he was able to change the root password (because he couldn’t remember it) using the NetInfo program.

Sounds ok… on any *nix I can change the root password. All I need is to become a sudoer, or become root some other way, without necessarily knowing the root password.

But here, the person did not have any special privileges, as far as I could understand, and still he was able to change the ROOT password.

I don’t have a Mac to test this issue on :( so searching SecuriTeam and using Google I was able to find that this issue was known even before Mac OS X. That is, Mac users could bypass user access restrictions. There was an unofficial patch to fix this issue, and theoretically, Apple fixed this for Tiger as well.

But this person claims that his system is up to date, and that he can still bypass any root-based authentication in order to change the password.

There is no reason to publish this as news in SecuriTeam, because this is a known issue that was reported back in 2001 by us. Repeating the same story where the only change is that it works with newer versions is useless, so I decided to blog it instead.

I really hope that Apple fixes this issue once and for all, but then again, that’s why I prefer open source products. If the vendor does not fix the problem, I can always find a way to fix it, at least for myself…

  • christian

    Well, I am glad to tell you that the issue has either been resolved by Apple, or never existed. I just tried in Tiger (Darwin Kernel Version 8.2.0) and a non-admin user cannot change root’s password or other admin users’ passwords, nor members in the admin group.

    I am saying never existed because users created when installing your Mac are admin users, and surprise surprise, they can change root’s password. I am just getting suspicious when anyone is changing root’s password; there are so many confused Mac users writing about how to enable the root account, when in fact it is enabled, it is just that it does not have a password. Any admin user can use sudo to run commands as root, as configured out of the box by Apple.

    I think setting root’s password is just wrong. To me that is an indication that they can’t differentiate between admin and non-admin accounts to start with.

    Just a thought.

  • http://BeyondSecurity.com ik

    That’s even worse. If the root password is not set by default, then anyone can access the machine as root!

    I think that users should start to better understand the machine they are operating instead of just “using it”.

    BTW, what do you mean by “…and a non-admin user cannot change root’s password or other admin users’ passwords, nor members in the admin group.”? Do you mean that users can change the passwords of other users that are not in the admin group? If so, that’s a very bad situation. And the problem may be even worse than the above.

    I wonder if a user can set him/herself as administrator user on Tiger, but the problem is that I do not have a Mac to test it on :(

  • ph0enix

    Well, it’s still true: when you boot into single user mode, you don’t need a password for root. I guess Apple didn’t fix this because of ‘maintenance reasons’. The only way to avoid this is to set a password in Open Firmware. Also, no one without admin privileges is able to manipulate the NetInfo database.