Mailing Lists: Apple Mailing Lists


Security flaw... kinda!



Hello people, here's something interesting I just found out and I wanted to get some comments from you all before I freak out. It seems to me like a security flaw from a first impression point of view... but well, anybody could claim I'm being paranoid! More than "finding out" all I did was put together some pieces of a puzzle which has been discussed here extensively.

Today I realized I had forgotten root's password in my PowerBook OS X 10.2.5 client install so as I didn't feel like rebooting from CD I fired up John the Ripper to crack it for me. After a long time and a lot of CPU consumed (and after saying "Gee, that must have been a **good** password"!) I started thinking about alternatives and just before reaching the CDs it occurred to me to think in terms of the traditional ways in which UNIX has done things: what defines an "inactive" account? a "*" in the password field of the /etc/passwd file, right? Well, what happens if I replace the password entry in the NetInfo database with a "*"? Will that "deactivate" the account? Indeed!!!

{07:20:23}[juan@PowerBook: run](0)% niutil -read . /users/root
name: root
passwd: fsIDuNvUtuNGM
uid: 0
gid: 0
change: 0
expire: 0
realname: System Administrator
home: /var/root
shell: /bin/bash
_writers_passwd: root

{07:20:27}[juan@PowerBook: run](0)% sudo niutil -createprop . /users/root passwd "*"
Password:

{07:21:18}[juan@PowerBook: run](0)% niutil -read . /users/root
name: root
passwd: *
uid: 0
gid: 0
change: 0
expire: 0
realname: System Administrator
home: /var/root
shell: /bin/bash
_writers_passwd: root

How do you like **that**? Hold on, the beauty doesn't end there! Why did I do this, some of you may ask. The one thing in my mind all the time was "NetInfo Manager.app". Indeed, when I opened it the root account was deactivated, just as if the system were a fresh install, and all it took was to enter my administrator password to enable root and enter a password of my choosing, no previous password knowledge required! How's **that** for security?!!

What this means is that anyone with administrator access in a system with a stock sudoers file can go in and claim ownership of root with that simple hack. What do the wise and knowledgeable people of this forum have to say about that? Should we freak out just now or...? I'll try to hold my breath until I've read some of the opinions I'll, hopefully, get in reply!

Thanks for listening, or rather, reading! Regards,...


Juan.


- What about love...?
- Overrated! Biochemically no different than large quantities of chocolate.
-- Keanu Reeves & Al Pacino, "Devil's Advocate".
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
Do not post admin requests to the list. They will be ignored.
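
A detection-side view of the change described in the message above, added here as an example and not part of the original post: it compares two saved outputs of `niutil -read` for a user record and flags a uid 0 account whose passwd property moved from a hash to "*". The snapshot text, the placeholder hash and the function names are constructed for illustration.

```python
import re

# Traditional crypt(3) DES hashes are 13 characters from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed snapshots in the `niutil -read . /users/root` layout shown above.
# The hash value is a made-up placeholder, not a real credential.
BEFORE = """name: root
passwd: AbCdEfGhIjKlM
uid: 0
gid: 0
shell: /bin/bash
_writers_passwd: root"""
AFTER = BEFORE.replace("AbCdEfGhIjKlM", "*")


def parse_record(text):
    """Parse "key: value" lines into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def passwd_state(record):
    """Classify the passwd property of a parsed record."""
    value = record.get("passwd", "")
    if value == "*":
        return "disabled"
    if DES_CRYPT.match(value):
        return "des-crypt"
    return "empty" if not value else "other"


def audit_change(before_text, after_text):
    """Return findings when a uid 0 record's passwd property changed."""
    before, after = parse_record(before_text), parse_record(after_text)
    if after.get("uid") != "0" or before.get("passwd") == after.get("passwd"):
        return []
    old, new = passwd_state(before), passwd_state(after)
    findings = [f"{after.get('name')}: passwd changed ({old} -> {new})"]
    if old != "disabled" and new == "disabled":
        findings.append("hash replaced by '*': account now reads as disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_change(BEFORE, AFTER):
        print(finding)
```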

