Stories
Slash Boxes
Comments

SoylentNews is people

Breaking News
posted by martyb on Thursday November 30 2017, @07:56AM   Printer-friendly
from the Security?-We-don't-need-no-steenkin-security! dept.

You can log in as root on the latest version of MacOS by pressing enter on the login prompt a few times. Just type in root as the user and press enter. There you go no password required.

Not sure what else to say; is this the stupidest massive security hole ever?

From Extreme Tech:

Reproing the bug is simple (at least until Apple fixes it): Type the login "root," then move the cursor into the password field and hit enter several times. It also apparently works if you simply hit the "login" button several times rather than using the keyboard, though a few tries may be necessary.

This was also reported at Ars Technica. Beware that the behavior seems to be that if you do not already have a root account with a (preferably strong) password, this bug essentially creates a root account with an empty password. Attempting this on your own system should be followed up by ensuring that any root a count has a strong password.

There is a patch that has just been made available; again according to Ars Technica:

Yesterday we learned that Apple had made a serious security error in macOS—a bug that, under certain conditions, allowed anyone to log in as a system administrator on a Mac running High Sierra by simply typing in "root" as the username and leaving the password field blank. Apple says that vulnerability has now been fixed with a security update that became available for download this morning on the Mac App Store. Further, the update will automatically be applied to Macs running High Sierra 10.13.1 later today.

Apple's brief notes for this security update (Security Update 2017-001) explain the bug by saying, "A logic error existed in the validation of credentials," and claims the problem has been addressed "with improved credential validation."


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2, Interesting) by Anonymous Coward on Thursday November 30 2017, @08:08AM (3 children)

    by Anonymous Coward on Thursday November 30 2017, @08:08AM (#603366)

    That sounds like a backdoor.

    • (Score: 3, Insightful) by aristarchus on Thursday November 30 2017, @08:41AM

      by aristarchus (2645) on Thursday November 30 2017, @08:41AM (#603368) Journal

      No, sounds like a Front door. Heads, roll, Apple, will. I am master of all I survey, or log in as root.

    • (Score: 1) by ElizabethGreene on Thursday November 30 2017, @08:36PM (1 child)

      by ElizabethGreene (6748) Subscriber Badge on Thursday November 30 2017, @08:36PM (#603632) Journal

      Can we blame it on systemd?

      • (Score: 2) by Thexalon on Thursday November 30 2017, @08:54PM

        by Thexalon (636) on Thursday November 30 2017, @08:54PM (#603644)

        No, because MacOS is based on BSD, not Linux, so it's systemd-free.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 5, Funny) by inertnet on Thursday November 30 2017, @09:51AM (1 child)

    by inertnet (4071) on Thursday November 30 2017, @09:51AM (#603373) Journal

    It's a feature and you're holding it wrong.

    • (Score: 2) by JoeMerchant on Thursday November 30 2017, @01:01PM

      by JoeMerchant (3937) on Thursday November 30 2017, @01:01PM (#603410)

      Absolutely. Also, is this remote exploitable? I suppose it has to be if you do VNC style screen sharing, but... otherwise?

      If this can be accessed via default-open ports on network interfaces, this is MASSIVE. If you have to be sitting at the keyboard... meh, could just pick up the machine and walk away anyway.

      --
      🌻🌻 [google.com]
  • (Score: 5, Informative) by LAV8.ORg on Thursday November 30 2017, @10:07AM (6 children)

    by LAV8.ORg (6653) on Thursday November 30 2017, @10:07AM (#603379)

    is this the stupidest massive security hole ever?

    Perhaps, but the remote root vuln in DD-WRT's httpd server is stiff competition. You know, the one that allows any command to be run just by telling the router to run the command. What really gives it an edge is that it persists to this day, nearly a decade later, ready to pants any user who makes the reasonable choice to use the latest stable release instead of the clearly marked beta firmware. DD-WRT's site happily serves the critically insecure firmware without any warning. https://www.dd-wrt.com/site/support/other-downloads?path=stable/ [dd-wrt.com]

    • (Score: 3, Interesting) by JoeMerchant on Thursday November 30 2017, @01:04PM (4 children)

      by JoeMerchant (3937) on Thursday November 30 2017, @01:04PM (#603411)

      Thanks for the heads-up... have considered dd-wrt many times over the years but never taken the plunge.

      I did discover (a few days ago, after years of installation) that my Linksys router conspired with my PoE camera to have uPnP enabled by default, advertising my camera to the open internet without my knowledge. Figured it out when I found random accesses to the camera from all over the web in my logs - couldn't get them to stop with service blocking on the camera's IP which really concerned me - but then I finally found the uPnP page and the camera was the only thing on it - disabled that and the accesses have stopped.

      --
      🌻🌻 [google.com]
      • (Score: 2) by JoeMerchant on Thursday November 30 2017, @01:10PM

        by JoeMerchant (3937) on Thursday November 30 2017, @01:10PM (#603412)

        Sorry - not Linksys - NETGEAR WNR3500L
        RangeMax Wireless-N Gigabit Router with USB

        wouldn't be shocked if Linksys does it too... for "feature" parity.

        --
        🌻🌻 [google.com]
      • (Score: 3, Insightful) by Knowledge Troll on Thursday November 30 2017, @02:23PM (2 children)

        by Knowledge Troll (5948) on Thursday November 30 2017, @02:23PM (#603427) Homepage Journal

        Your camera used UPnP to open up a port forward on the router all on it's own? Holy shit what a nightmare.

        • (Score: 2, Touché) by Anonymous Coward on Thursday November 30 2017, @03:30PM

          by Anonymous Coward on Thursday November 30 2017, @03:30PM (#603462)

          You can't expect people to deal with technical mumbo-jumbo when they bought a shiny new camera to spy on their pets and kids when they are at work.

        • (Score: 1, Interesting) by Anonymous Coward on Thursday November 30 2017, @05:49PM

          by Anonymous Coward on Thursday November 30 2017, @05:49PM (#603543)

          Yep, and UPnP is the default state for most consumer routers. My parents followed the suggestion they saw online of using a three router setup. They called me when their internet stopped working and "tech support" called and said they wouldn't be reconnected until they fixed something or had one of their techs fix it. My parents balked as they thought it was a scam, but the internet didn't work anymore. Turns out they had an Internet of Insecure Things PoS used UPnP to punch holes through both routers it was connected to expose itself to the Internet on multiple ports. Thankfully, the ISP caught it while scanning their own network and the open ports (http, https, SAMBA, FTP, and something else I'm forgetting) would have been filtered by their firewall so no risk of infection.

    • (Score: 2) by bob_super on Thursday November 30 2017, @07:06PM

      by bob_super (1357) on Thursday November 30 2017, @07:06PM (#603589)

      > > is this the stupidest massive security hole ever?
      > Perhaps, but the remote root vuln in DD-WRT's httpd server is stiff competition.

      People spent a couple decades booting billions of PCs to desktop as root with no password, and therefore Microsoft would like to kindly remind you that their insecurity throne is not up for grabs.

  • (Score: 5, Informative) by rob_on_earth on Thursday November 30 2017, @11:11AM

    by rob_on_earth (5485) on Thursday November 30 2017, @11:11AM (#603384) Homepage

    Before you rush to download the fix beware the official patch breaks file sharing in some circumstances.
    https://www.macrumors.com/2017/11/29/apple-macos-high-sierra-file-sharing-fix/ [macrumors.com]

    Your best bet seems to be to activate the root account and give it a strong password. If you have installed the patch then follow the link above to fix the fix.

  • (Score: 3, Funny) by Bot on Thursday November 30 2017, @11:28AM

    by Bot (3902) on Thursday November 30 2017, @11:28AM (#603386) Journal

    has any systemd dev transitioned to apple recently? my AI wants to know, I am not sure why.

    --
    Account abandoned.
  • (Score: 2, Funny) by Anonymous Coward on Thursday November 30 2017, @11:35AM (2 children)

    by Anonymous Coward on Thursday November 30 2017, @11:35AM (#603388)

    Siri make me a sandwich, make me a sandwich, make me a sandwich..... - Ok.

    • (Score: 0) by Anonymous Coward on Thursday November 30 2017, @04:32PM

      by Anonymous Coward on Thursday November 30 2017, @04:32PM (#603501)

      "Siri make me a shit sandwich, make me a shit sandwich, make me a shit sandwich..... - Ok."

      There, FTFY.

    • (Score: 2) by maxwell demon on Thursday November 30 2017, @08:35PM

      by maxwell demon (1608) on Thursday November 30 2017, @08:35PM (#603629) Journal

      You misspelled sudo.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1, Funny) by Anonymous Coward on Thursday November 30 2017, @11:46AM

    by Anonymous Coward on Thursday November 30 2017, @11:46AM (#603392)

     

  • (Score: 0) by Anonymous Coward on Thursday November 30 2017, @03:23PM (1 child)

    by Anonymous Coward on Thursday November 30 2017, @03:23PM (#603459)

    Typical bullshit cover up excuse. Perhaps they hired someone from Equifux that worked on security.

    • (Score: 0) by Anonymous Coward on Thursday November 30 2017, @03:33PM

      by Anonymous Coward on Thursday November 30 2017, @03:33PM (#603465)

      It's pretty clear. Logic errors give a result opposite of intent.

  • (Score: 3, Touché) by arslan on Thursday November 30 2017, @11:58PM

    by arslan (3462) on Thursday November 30 2017, @11:58PM (#603731)

    Apple PR rep: This is because the user have not completed the installation process! Continue with the process to get in as root and setup a strong password! We will update our install guide.

  • (Score: 0) by Anonymous Coward on Friday December 01 2017, @03:22PM

    by Anonymous Coward on Friday December 01 2017, @03:22PM (#603927)

    "trust me" [topdesignmag.com]

(1)