Aghaster

OSX Insecurity

16 posts in this topic

Okay, please tell me I'm wrong or something.

I found this while I was exploring my first Mac OS X box last week. I wanted to set the root account, so I opened a Terminal and did:

$ passwd root

Changing password for root.

password for aghaster:

New password:

Retype new password:

And that's it, I put a password on the root account, as it had none by default. So basically, everything that you need in order to get root access in a Mac OS X box where the root account wasn't set is a user account. I just disillusioned one of my mac fanatic friends who thought macs were very secure. Mac systems used by semi-competent admins surely have a password set for root (which would cause you to have to enter the old root password), but I guess there are tons of home computers like my friends' who don't have the root account set up yet.

This just looks like the default Administrator account in Windows, which parents often forget to set in their home computer.


I find a lot of mac fanboys (aka the ones that just love Steve Jobs a bit too much) are very arrogant when it comes to that.

Normal users are fine, fanboys are too much.


> I find a lot of mac fanboys (aka the ones that just love Steve Jobs a bit too much) are very arrogant when it comes to that.
>
> Normal users are fine, fanboys are too much.

yeah, fanboys are too much. Look at this:

http://www.sxemacs.org/

In their faq:

What SXEmacs has that XEmacs doesn't (yet)

# Win32

SXEmacs does not support the Win32 platform and it never will. Yes, we consider this a feature.

When it comes to that...


> Okay, please tell me I'm wrong or something.
>
> I found this while I was exploring my first Mac OS X box last week. I wanted to set the root account, so I opened a Terminal and did:
>
> $ passwd root
>
> Changing password for root.
>
> password for aghaster:
>
> New password:
>
> Retype new password:
>
> And that's it, I put a password on the root account, as it had none by default. So basically, everything that you need in order to get root access in a Mac OS X box where the root account wasn't set is a user account. I just disillusioned one of my mac fanatic friends who thought macs were very secure. Mac systems used by semi-competent admins surely have a password set for root (which would cause you to have to enter the old root password), but I guess there are tons of home computers like my friends' who don't have the root account set up yet.
>
> This just looks like the default Administrator account in Windows, which parents often forget to set in their home computer.

Doesn't work for me. Sure you weren't already logged in as admin? If you are, it works but not from a regular account.

Narcissus:/Users/larsrohdin $ passwd root

Changing password for root.

password for aoeu:

New password:

Retype new password:

Sorry

The root account is disabled from scratch and you use the sudo command for administration. It's not as bad as the default admin in win, because you can only change/enable root account from the account with sudo rights.

So happy macing, from the Fanboy! :D


Hum... on my iBook I'm administrator, so no surprise here.

But my mac friend told me he wasn't administrator on his mac, only his dad was. I'll have to verify that...


I'm no Mac fan boy, but I've got to tell you that this has nothing to do with insecurity. OS X has no root account by default (which is probably a good thing), and the main (first created) user is a sudoer. This is no different from what is done in GNU/Linux distros like Ubuntu.

Edited by snow

Only recently converted to the Mac cause (not a fanboy atm). Basically what I found is that if your account is set to be an admin you can do a lot of things root can. The first account (like with windows) has too many rights. The good news is that it's way easier to downgrade your account and still do everything without too much bother. Any installs you do after not being an admin will ask for you to give the credentials of an admin account.

I just fired up the shell and SU'ed to my admin account. And that can indeed change the root password without too much bother. My main (downgraded) account can't do it though. Neither can it su to root. It can only su to my admin account.


> I'm no Mac fan boy, but I've got to tell you that this has nothing to do with insecurity. OS X has no root account by default (which is probably a good thing), and the main (first created) user is a sudoer. This is no different from what is done in GNU/Linux distros like Ubuntu.

Exactly what I was trying to say, only shorter :)


It's much like what's done in Ubuntu, as said above.

If you are an ADMIN (not a regular user), this command will do it:

macbook:/ nwbell$ sudo passwd root

password for nwbell:

Changing password for root.

New password:

Retype new password:

Regular users cannot sudo, and thus can't get root.

If you have physical access to the Mac, just reboot in single-user mode (Command-S while booting) and you'll get a root shell without any challenge if the root account is not enabled (and sometimes even if root IS enabled and has a password, but I don't recall what version it was that I saw that happen on). This is a bigger problem than the former, IMO.


That isn't really a security hole because the root account is disabled by default, it isn't just set to have no password. If you know the password for an administrative account on the computer you should also presumably be trusted to have root access. Setting a root password with a command such as sudo passwd automatically enables the account.


Trust me it gets much worse. I can gain root on any osx box within under 5 minutes, assuming I have physical access. (not modifying the password)

Edited by livinded

> Trust me it gets much worse. I can gain root on any osx box within under 5 minutes, assuming I have physical access. (not modifying the password)

Using which technique?


> > Trust me it gets much worse. I can gain root on any osx box within under 5 minutes, assuming I have physical access. (not modifying the password)
>
> Using which technique?

Booting into single user mode. Unless disabled from openfirmware/efi

And what you did can more easily be done via the netinfo manager in the Utilities folder. You authenticate (i.e. admin name and password) then you can enable root (meaning you can login with root, not just sudo su into root) and change root password.

And the OS x Admin account is similar to the Windows admin account except... the os x admin account can do whatever they want, but only after sudoing/authenticating. The windows admin is more like root. No prompting for safety. Just like any other *nix distro.


I should state flat out that I'm a huge fan of OSX 10.4, BUT like any unix distribution, it is, as has been pointed out, only as secure as the person running it. I think proper precautions taken, mac osx can be astoundingly secure. Personally, I just try and rely on the idea that anyone who touches my computer will meet my fist at high velocity wearing riot gloves.

It's possible, though, that that particular security hole has been patched. Apple releases an astonishing number of patches a month, and updates osx frequently. If you've done this method of attack and not had success, it could be the version of osx.

However, there are some really hysterical holes in dashboard. I was at an apple store and poking around, so I decided that since I wanted to jump into the irc, I'd load terminal. In the apple store, terminal.app is locked, and can't be accessed. Without having to root the box, you merely have to click on the dashboard icon, click the "+" sign icon to open options, go to "manage widgets" and when the control panel loads click the "more widgets..." button.

From there, you can select either networking and security or developer tools or whatever category you like and you're likely to find a handful of tiny well coded xterm applets that can be installed on dashboard through the apple website, run and open terminal. Kapow. You now have term access.

In addition, you can download a host of bluetooth utilities, crypto crackers, network watchers and wifi stumbler utilities. This allows you to essentially create your own shell over the desktop. If you just need certain features, this is a great way to get around pesky imaging security.

- alienbinary

> Okay, please tell me I'm wrong or something.
>
> I found this while I was exploring my first Mac OS X box last week. I wanted to set the root account, so I opened a Terminal and did:
>
> $ passwd root
>
> Changing password for root.
>
> password for aghaster:
>
> New password:
>
> Retype new password:
>
> And that's it, I put a password on the root account, as it had none by default. So basically, everything that you need in order to get root access in a Mac OS X box where the root account wasn't set is a user account. I just disillusioned one of my mac fanatic friends who thought macs were very secure. Mac systems used by semi-competent admins surely have a password set for root (which would cause you to have to enter the old root password), but I guess there are tons of home computers like my friends' who don't have the root account set up yet.
>
> This just looks like the default Administrator account in Windows, which parents often forget to set in their home computer.

What you did effectively created a security problem.

You enabled the root account...


ummm guys. so the deal is this. the root account exists, but the password in /etc/shadow or netinfo is set to something that nothing can ever hash to it. therefore you can never login as root directly. they prefer sudo. and your user that you created is automatically in the wheel group, thereby having sudo access. what you did was change the root password to something that you _can_ login to.

there is no security flaw here. everything is working the way it should.

-v
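
The distinction drawn in the post above, between an account with no password at all and one whose password field can never match any input, shown as an added example that is not part of the thread. It assumes colon-separated shadow-style records (the post mentions /etc/shadow or netinfo); the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of shadow-style records.
# Assumed record layout: name:password_field:... (as in /etc/shadow).

classify_field() {
    # $1 = password field of one record
    case "$1" in
        "")        echo "empty" ;;   # no password: login needs no secret
        '*'*|'!'*) echo "locked" ;;  # not a valid hash: nothing can match it
        *)         echo "set" ;;     # a real hash: a password was chosen
    esac
}

audit_shadow() {
    # $1 = path to a shadow-format file; prints "name status" per record
    while IFS=: read -r name field _rest; do
        [ -z "$name" ] && continue
        case "$name" in '#'*) continue ;; esac
        printf '%s %s\n' "$name" "$(classify_field "$field")"
    done < "$1"
}

# Constructed sample records (not taken from any real system).
sample_shadow() {
    cat <<'EOF'
root:*:0:0:::::
admin:$6$constructedsalt$constructedhashvalue:0:0:::::
guest::0:0:::::
daemon:!:0:0:::::
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_shadow > "$tmp"
    audit_shadow "$tmp"
    rm -f "$tmp"
}

demo
```

A "locked" root is the default state the post describes; a root entry that reports "set" means someone has enabled direct root login, and "empty" is the case the original poster assumed but did not actually have.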
