undefined | Better HN

0 pointsAdamJacobMuller8y ago0 comments

Enables root access in what way?

0 comments

Mac OS X doesn't have a real root account, it uses sudo exclusively. This enables a true root user shell.

The root account always exists.

Playing around with disable/enable and the exploit: Root always has a /bin/sh shell "Disable root user" removes the ShadowHashData from the directory services entry for root The bug sets ShadowHashData to the hash of an empty string.

Now, ShadowHashData is a complex DS entry. I've never seen passwords represented this way in other OSX versions. I think this password storage format is new.

I strongly suspect the bug here is one related to OSX attempting to upgrade the password to the new storage format and when it does that, it inadvertently stores the password with a hash of null.

This should be very trivial for Apple to fix that (and thus "disable" the root user) by just removing any ShadowHashData that is solvable by an empty string.

arghwhat8y ago

Your comment suggests that it is related to users with older, pre-High Sierra directory entries. That is, upgraded rather than freshly installed machines that leave older, pre-ShadowHashData intact. Is this correct?

3 more replies

j / k navigate · click thread line to collapse