macOS High Sierra bug allows Admin access without password

Raz0rEdge · Nov 28, 2017

There is a macOS bug that allows anyone with physical access to your machine to gain admin access without the password. The method of access is extremely easy so anyone can do it. Be sure to lock your computers when you are not using it then only you can unlock the machine.

Comments suggest that this might be fixed in the latest betas, so the bug might be short lived.

However, general good security practice is to set your screen lock to engage within a few minutes of inactivity and have it require your password to continue use.

Read more: https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

To fix the issue before the next version of macOS is out, you can set the root password to avoid this problem.

Read here: https://9to5mac.com/2017/11/28/how-to-set-root-password/

pm-r · Nov 28, 2017

There is a macOS bug that allows anyone with physical access to your machine to gain admin access without the password.

Well I don't have to worry with only my wife around in the house, and besides I haven't bothered to install Apple's "latest and greatest" macOS version, but good grief… how did they manage to miss this rather serious security booboo??? Just mind boggling. :-(

And why and how did it take so long to get discovered???

- Patrick
======

KevinJS · Nov 28, 2017

I just came on to post this. Glad to see you guys are on the ball.

ProTruckDriver · Nov 28, 2017

I'm sure glad I haven't upgraded to macOS High Sierra yet.

chscag · Nov 28, 2017

I read that earlier. However, it looks like Apple is aware of the "root" password back door entry and will close it off with 10.13.2.

chscag · Nov 28, 2017

ProTruckDriver said:
I'm sure glad I haven't upgraded to macOS High Sierra yet.

Excuses, excuses, excuses. LOL.

dtravis7 · Nov 28, 2017

Um, on my MBP I have the Beta 4 of 10:13:2 and tried till my hands hurt and root does not log me in. If it was an issue it's fixed and when the .2 update officially comes out the issue will be gone.

I have the iMac still at .1. going to try it there.

ferrarr · Nov 28, 2017

I just tried on my mini, and it didn’t let me log in with root?

macgig · Nov 28, 2017

high sierra serious flaw. wanted to share this.

https://www.komando.com/happening-n...macos-until-this-major-security-flaw-is-fixed

looks like Im too late posting this.

chscag · Nov 28, 2017

@macgig:

Be sure to read if there is already a thread of the same subject before you post. Merged your post together here with this one.

Groovetube · Nov 28, 2017

This sort of thing always makes me glad I never update an OS until at least a few point releases are out!

Lifeisabeach · Nov 28, 2017

MASSIVE security hole uncovered in High Sierra!!!!!

There is a very serious security flaw just uncovered in High Sierra that lets a user enable root by simply entering "root" as the user name and hitting the "enter" key with no password entered until it takes. If you have remote access enabled, you risk being remotely hacked. Malicious app that knows this trick? Hacked. Someone sitting in front of your Mac that wants in? Hacked. The flaw can be sidestepped by enabling the root user yourself and setting a password up. I've always done this in the past, but completely forgot about it the last time I did a clean install (which was Sierra). Only High Sierra is affected. Read the details in the article below.

macOS bug lets you log in as admin with no password required

chscag · Nov 28, 2017

This is the second time we had to move a post to a thread that already exists. Please guys and gals.... let's pay attention to what has already been posted. Also, this is the correct forum as it refers to macOS security.

Thanks.

Rod · Nov 29, 2017

I have set my login preferences to display as a list of users rather than requiring me to enter my user name. Consequently I can only choose Guest or my user icon. So as there is no option to enter "root" as a user name that would seem to eliminate the problem. Or am I wrong?

dtravis7 · Nov 29, 2017

Rod, you are correct as that would prevent someone sitting in front of your system from using that hack, BUT I still with 10.13.1 on my Quad Core iMac can not get root to log me in and I have never set up a root account. I have now tried it 100's of times and it keeps failing and wanting a password.

Cr00zng · Nov 29, 2017

It did work on my macOS 10.13.1 on the second try...

That's not a bug, it's a feature in case I forgot my password and locked myself out of the system... :Cool:

While the adage of "if you have physical access to the device, it's game over" is true, still.

Come on Apple, how could you overlook this bug? It's sloppy development and Q&A for sure. There are signs that Apple's software quality isn't as good as used to be and this bug does not help...

cwa107 · Nov 29, 2017

Cr00zng said:
Come on Apple, how could you overlook this bug? It's sloppy development and Q&A for sure. There are signs that Apple's software quality isn't as good as used to be and this bug does not help...

It's yet another sign that MacOS (and likely the entire Mac lineup) is an afterthought at Apple today. It is frankly mind-boggling that such a simple flaw made it through what is presumably a mature QA process. Apple lost a lot of credibility on this one.

I changed my root password this morning after having no trouble replicating the flaw. The funny thing is that you have to "enable" root before you can even change the password, and then in-turn, disable it. More information here:

https://support.apple.com/en-us/HT204012

I am also stunned that Apple didn't have a fix deployed within hours of the discovery. If we had such a severe security flaw in the wild at my company, developers wouldn't be leaving their cubicles until it was patched. This whole situation is very troubling for Apple.

cwa107 · Nov 29, 2017

Also, we have a tendency to dismiss flaws like this by saying "...but it requires local access". Actually, in this case, it doesn't... all I need to do is develop a compelling trojan that gets the user to execute. From there, I can make my malware run in the context of root and completely own the system. If a crafty hacker hasn't taken advantage of this yet (it's been at least 12-14 hours since this hit mass media), I'd be amazed.

Why hasn't Apple released an immediate patch that sets the root password (at the very least)? Their lack of action indicates a severe cultural problem at Apple surrounding security.

Cr00zng · Nov 29, 2017

cwa107 said:
It's yet another sign that MacOS (and likely the entire Mac lineup) is an afterthought at Apple today. It is frankly mind-boggling that such a simple flaw made it through what is presumably a mature QA process. Apple lost a lot of credibility on this one.

I changed my root password this morning after having no trouble replicating the flaw. The funny thing is that you have to "enable" root before you can even change the password, and then in-turn, disable it. More information here:

https://support.apple.com/en-us/HT204012

I am also stunned that Apple didn't have a fix deployed within hours of the discovery. If we had such a severe security flaw in the wild at my company, developers wouldn't be leaving their cubicles until it was patched. This whole situation is very troubling for Apple.

This bug seems really bad...

Once you assign a password to the root account, it is seemingly a workaround for this bug. But, if you follow the recommendation of disabling the root account afterward, you might be in for a surprise.

Go ahead and try changing system settings, after the password is set and the root account disabled:

Type in root and no password for admin credentials in the authentication window and press enter
do the same again and voila, you have root access

At the first time, the system will enable the root account and sets the password to blank. At the second try, it'll just log you in, just like it worked initially. I've seen a lot of serious bugs before, but this one is the worst ever!

Leaving the root account enabled, not recommended by Apple, seemingly prevents this bug to resurface. The side effect is that, if you look in the logs there is a failed authorization and then it succeeds in spite of that. Awesome Apple, one of the system process relies on the root account without password. Are you !@#$ serious!!

Cr00zng · Nov 29, 2017

cwa107 said:
Also, we have a tendency to dismiss flaws like this by saying "...but it requires local access*". Actually, in this case, it doesn't... all I need to do is develop a compelling trojan that gets the user to execute. From there, I can make my malware run in the context of root and completely own the system. If a crafty hacker hasn't taken advantage of this yet (it's been at least 12-14 hours since this hit mass media), I'd be amazed.

Why hasn't Apple released an immediate patch that sets the root password (at the very least)? Their lack of action indicates a severe cultural problem at Apple surrounding security.

*-Emphasis mine...

Stand corrected... My excuse, old habits die hard...

If you have remote management or screen sharing enabled, this bug works remotely as well. Argh!!!

macOS High Sierra bug allows Admin access without password

Raz0rEdge

Well-known member

pm-r

KevinJS

ProTruckDriver

chscag

Well-known member

chscag

Well-known member

dtravis7

ferrarr

macgig

chscag

Well-known member

Groovetube

Lifeisabeach

chscag

Well-known member

Rod

dtravis7

Cr00zng

cwa107

cwa107

Cr00zng

Cr00zng

Shop Amazon