undefined | Better HN

0 pointsCrendKing8y ago0 comments

This bug exists regardless of user reproducing it or not. If there is anything good, reproducing it actually brings awareness to the user (make them change the password maybe). Hacker will "enable" the root user anyway.

What should be done is that Apple releases fix to this problem.

0 comments

Jedd8y ago

Not the case.

Once you enable root access - by 'testing' this - others can remotely & silently access the system as root.

GP is right - don't encourage people to test this, as there's nothing to gain from it. If you're on a shared machine you need to mitigate. If you're on your own dedicated machine you need to not share it until this is fixed.

thomastjeffery8y ago

> others can remotely & silently access the system as root.

They already can:

https://gfycat.com/gifs/detail/sentimentalnaiveantelopegroun...

sitharus8y ago

This does not work if the root user has not been enabled locally.

Source: Just tried it myself.

tekacs8y ago

Even if you're on a dedicated machine, this vulnerability enables a local user to bypass the authentication prompt on things like System Preferences or other auth checks.

I'm advising folks (incl. non-tech) to set a root password and then re-disable the account (specifically via shell), which prevents this from re-occuring:

https://www.facebook.com/amar.sood/posts/10209545863036116

ztjio8y ago

Uh I tested redisabling the root account and it reenabled the flaw. You have to keep the root account enabled.

1 more reply

biktor_gj8y ago

No, root is root and has always been there. It's the super user account and cannot be removed, I think, from any modern unix like os (well, you can rename it to whatever you want in linux but UID 0 will always be there). The difference might be that if you do log in for the first time you will have lots of stuff on /private/var/root (talking from memory but it was something like that in OSX) and lots of preferences will be set, maybe even a /Users/root folder I hope that the SSH server, which is disabled by default, will also handle root login in a sensible way, but given the size of the f* up, I'm not so sure.

Really bad stuff

ztjio8y ago

Root can absolutely be disabled. OS X normally runs rootless. This vulnerability actually both gives access AND enables that disabled root account in one action. From that point on, root is active with no password regardless of how you authenticate whereas the initial issue is only on password GUI screens.

1 more reply

djrogers8y ago

> Once you enable root access - by 'testing' this - others can remotely & silently access the system as root.

That's not accurate. The user appears to be there either way, but attempting to log in to a machine remotely using 'root' and no password does not work - even after doing the preference pane thing...

Jedd8y ago

I don't have access to a vulnerable machine -- just going by comments in the other HN thread.

root account is 'there' all the time, yes. This process enables the account proper (rather than just sudo). Evidently some remote mechanisms using root work after the account is enabled.

geoelectric8y ago

Wonder if people tried screen share/vnc with that theory. I'd suspect anything gui-driven.

devindotcom8y ago

Yeah that was my thought initially too but there may be invisible ways to leverage an existing root user that we're not aware of. After all, this bug exists...

stingraycharles8y ago

The issue is that the bug leaves a password-less root account available through other means as well. Once you try to reproduce the bug, an attacker could potentially do a remote root login without password.

As such, it's very dangerous for people to try to verify and should be strongly discouraged.

jldugger8y ago

On most systems, root without password isn't available remotely. Is this not true on OSX?

1 more reply

mcintyre19948y ago

If you have remote login enabled does root/no password not work already because of the bug? It apparently does from the login screen if you have username/password mode on, so I wouldn't be surprised if it worked over remote login by default.

2 more replies

arghwhat8y ago

This vulnerability lets users activate the root user without using their password.

Once done, you have opened for root without password globally. That's bad.

What they should do, as responsible disclosure dictates, is report it in secret to apple, and at most publicize a workaround (activate root user, set password) without reporting the details of the vulnerability.

EDIT: It does not appear to be limited to admin users. It appears to be related to disabled root accounts of older origin, such as through upgrades. I cannot reproduce on a fresh High Sierra install, but I reproduced on an upgraded install.

throwaway20488y ago

"responsible disclosure" isn't some morally unassailable high ground, but companies like apple sure want you to believe it is.

arghwhat8y ago

Care to explain the comment about Apple? I can think of a few companies (DJI, for example) that try to screw over security researchers, but big IT companies usually don't go on the list.

1 more reply

jmuguy8y ago

I run as a standard user and was able to reproduce the bug.

arghwhat8y ago

Updated. I was unable to reproduce on another machine as a standard user, but it appears to be related to it being a fresh install of High Sierra, not an upgraded install with old disabled root user entries.

sounds8y ago

I agree that we need more responsible disclosure. But as https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-w... explains, blame the DMCA.

Somebody in Turkey has no expectation that they will be treated with respect. It's much more likely they will be attacked as in "shoot the messenger." (So, please don't attack the person who brought this to our attention.)

I think they made a reasonable decision, due to the critical nature of this bug, and tweeted about it.

arghwhat8y ago

But throwing it on twitter doesn't stop you from using the DMCA, and having the DMCA used against you doesn't stop you from posting it on Twitter as counter-measure (which might make the company retract the use of DMCA to avoid publicity about suing "messengers"). If you're afraid of DMCA, keep your mouth shut and stay away from the US.

The DMCA is a disgusting and absurd set of laws that can always make me angry. Its existence alone proves very much how big companies can rule with money, placing capitalism over democracy.

j / k navigate · click thread line to collapse

0 comments

Jedd8y ago

Not the case.

Once you enable root access - by 'testing' this - others can remotely & silently access the system as root.

thomastjeffery8y ago

> others can remotely & silently access the system as root.

They already can:

https://gfycat.com/gifs/detail/sentimentalnaiveantelopegroun...

sitharus8y ago

This does not work if the root user has not been enabled locally.

Source: Just tried it myself.

tekacs8y ago

Even if you're on a dedicated machine, this vulnerability enables a local user to bypass the authentication prompt on things like System Preferences or other auth checks.

I'm advising folks (incl. non-tech) to set a root password and then re-disable the account (specifically via shell), which prevents this from re-occuring:

https://www.facebook.com/amar.sood/posts/10209545863036116

ztjio8y ago

Uh I tested redisabling the root account and it reenabled the flaw. You have to keep the root account enabled.

1 more reply

biktor_gj8y ago

Really bad stuff

ztjio8y ago

1 more reply

djrogers8y ago

> Once you enable root access - by 'testing' this - others can remotely & silently access the system as root.

That's not accurate. The user appears to be there either way, but attempting to log in to a machine remotely using 'root' and no password does not work - even after doing the preference pane thing...

Jedd8y ago

I don't have access to a vulnerable machine -- just going by comments in the other HN thread.

root account is 'there' all the time, yes. This process enables the account proper (rather than just sudo). Evidently some remote mechanisms using root work after the account is enabled.

geoelectric8y ago

Wonder if people tried screen share/vnc with that theory. I'd suspect anything gui-driven.

devindotcom8y ago

Yeah that was my thought initially too but there may be invisible ways to leverage an existing root user that we're not aware of. After all, this bug exists...

stingraycharles8y ago

As such, it's very dangerous for people to try to verify and should be strongly discouraged.

jldugger8y ago

On most systems, root without password isn't available remotely. Is this not true on OSX?

1 more reply

mcintyre19948y ago

2 more replies

arghwhat8y ago

This vulnerability lets users activate the root user without using their password.

Once done, you have opened for root without password globally. That's bad.

throwaway20488y ago

"responsible disclosure" isn't some morally unassailable high ground, but companies like apple sure want you to believe it is.

arghwhat8y ago

Care to explain the comment about Apple? I can think of a few companies (DJI, for example) that try to screw over security researchers, but big IT companies usually don't go on the list.

1 more reply

jmuguy8y ago

I run as a standard user and was able to reproduce the bug.

arghwhat8y ago

sounds8y ago

I agree that we need more responsible disclosure. But as https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-w... explains, blame the DMCA.

I think they made a reasonable decision, due to the critical nature of this bug, and tweeted about it.

arghwhat8y ago

The DMCA is a disgusting and absurd set of laws that can always make me angry. Its existence alone proves very much how big companies can rule with money, placing capitalism over democracy.

j / k navigate · click thread line to collapse