back to article As Apple fixes macOS root password hole, here's what went wrong

Apple has emitted an emergency software patch to address the trivial to exploit vulnerability in macOS High Sierra, version 10.13.1, that allowed miscreants to log into Macs as administrators without passwords and let any app gain root privileges. The Cupertino iPhone giant kicked out the fix, Security Update 2017-001, today …

  1. djstardust Silver badge
    Joke

    Mistakes happen

    If they put their prices up a bit they may be able to afford a competent in-house OS testing team

    1. Sureo

      Re: Mistakes happen

      Isn't this the industry norm? Let the user do the testing.....

      1. Hans 1 Silver badge

        Re: Mistakes happen

        You have to try several times for the vuln to trigger, once is not enough. This means that this flaw can remain undetected, as it was, for months ...

        Glad to see Apple hasted with the patch.

        This is just a silly code blunder

        Next time I am in the head office, I will bring my laptop to IT, it runs WinDos 10, I will have a service running as System which will upgrade my account to domain and enterprise admin the second they log on ... let's see what they have to say about that ... I wonder, how long will it take for them to realize the feat ?

        I also wonder what will happen to me once they find out ... fun days ;-)

        1. Dan 55 Silver badge

          Re: Mistakes happen

          Twice is enough.

          The first time sets the root password to whatever's in the password box due to the logic fail meaning that a password entry for root is created in the new encryption format (really what this bit of code should be doing is updating a correct password stored in the old encryption format to the new encryption format).

          The second time gets you access as the root password entry now exists in the new encryption format and the password in the box was correct.

          Entering the same password twice for root is enough to do it. A blank password is easiest.

          Apple needs more code review and QA and less shiny and marketing need to back off and realise their yearly fixed deadline means more mistakes like this get through.

          1. CrazyOldCatMan Silver badge

            Re: Mistakes happen

            Twice is enough.

            Interestingly, I couldn't get the flaw to trigger on any of our AD-joined Macs (but could on ones that were not joined to the domain).

            As other people have said, it would be nice if Apple were to spend less time carefully designing more emoticons and more doing basic QA.

        2. Anonymous Coward
          Anonymous Coward

          Re: Mistakes happen

          Hopefully Hans1 they'll fire you for being a ridiculus Apple fanboy and a dick! :))

        3. FuzzyWuzzys Silver badge
          Facepalm

          Re: Mistakes happen

          "This is just a silly code blunder"

          The command "ls" displaying the wrong time is a coding error, allowing root access without authentication on an operating system used by hundreds of thousands of people around the world is career killing cock up of the highest order.

          "So why did you leave your last job?"

          "Oh, erm....I was the coder that maintained the system authentication code for OSX High Sierra. Yeah, not a great time in my life I must admit!"

      2. ps2os2

        Re: Mistakes happen

        I have been a MAC user for about 18 years. I pretty much start at OS9. After converting to OS X, I have been reluctant to say this, but the code quality has *REALLY* gone downhill.The last decent os X was 10.4.11. I have been noticing so many bugs it seems that Apple has finally caught up with Windows as far as bugs. I am on 10.12.6, and it is somewhat stable although there are still many software bugs. The one that costs me four extra hours a day is by MAIL.APP. It does not show emails that have attachments. My conversation with Apple was at first they were interested in it until High Sierra came out and they dropped the bug report and insisted I upgrade to HS before they talk to me. Now, here comes the fun part, since Apple has had *SO MANY* bugs that people are reluctant (except a few Apple fanboys) to upgrade as Apple in their infinite wisdom has made the upgrade dangerous as they force you to upgrade the internal drive to be their new "thing" and makes it very hard to go back without jumping through hoops for an average MAC user. Since I am not an advanced Mac user I will wait six months to a year to upgrade because I do not want to have a chance of losing data, the cure according to Apple is making a few copies of every HD. I have news for Apple we all do not have an empty pocket and simply cannot make all the copies to be safe.

        Color me an Apple person thas jaded eyes after all the bugs that Apple has come up with, Example: in 3 weeks Apple came up with an update each week.

        Bah Humbug.

    2. Mage Silver badge
      Happy

      Re: Mistakes happen

      Just as well you have a Joke Icon. Most people regular here know, but the general public doesn't know that Apple generally has a HUGE profit margin compared to others. At least on phones. But how important are Macs to Apple now? They dropped Computer from the name. The Mac doesn't generate the iTunes revenue that the 70% (??) profit margin iPhone makes.

      1. razorfishsl

        Re: Mistakes happen

        Mostly on those SHITTY BEAT headphones....

    3. David Shaw

      Re: Mistakes happen, part two

      seems (from Apple themselves) that fixing the root password bug introduces a file-sharing fail bug, more specifically a fail-to-ever-authenticate file sharing no-go between High Sierra machines, and sometimes apfs SMB, NAS permissions problems etc

      https://support.apple.com/en-us/HT208317

      SNAFU used to be the appropriate .mil term, how quickly will we get Security Update 2017-001b?

      1. Naselus

        Re: Mistakes happen, part two

        "seems (from Apple themselves) that fixing the root password bug introduces a file-sharing fail bug"

        Wonder how many other core functions in High Sierra are relying on a blank root password to function properly.

    4. Oblamo BinLyen

      Re: Mistakes happen

      Must have been one of their 'diverse' engineers. Celebrate 'diversity' at the cost of reliability and competence.

  2. DougS Silver badge

    Two stupid things happened

    1) Apple should have required a password on the root account or set it to a random password if the user didn't want to set one, not left it blank

    2) the researcher who found this decided to tell the world immediately instead of telling Apple privately and giving them the chance to fix it before it was made public - he's getting castigated in the security world for doing this, and rightly so

    Obviously all the blame belongs with Apple for allowing this to happen, and I hope their ultimate fix is to eliminate root accounts without a password - disabled or not - because if they simply fix this bug there's no guarantee there is another one lurking somewhere that allows the fact root has no password to be exploited. I'm sure hackers are looking for such cases very intently right now. No excuse for such stupidity.

    1. Midnight

      Re: Two stupid things happened

      It was actually found weeks ago and spread around the Apple developer forums. By the time it went big yesterday it was already well known to a large group of people. This wasn't a case of a careless security researcher dropping a zero-day publicly because he didn't feel like reporting it, it was a developer who wasn't aware of the full impact of a bug complaining that Apple had not even acknowledged that it existed let alone discussed the possibility of a fix.

      Was this the best way to handle the issue? Nah, not really. But is it "right" for one of the many people who discussed this issue publicly to be crucified for doing so, as you suggest? No, not that either.

      Also if you read the technical details, the "root account without a password" already was eliminated from the auth DB and should have been completely inaccessible. The root of the problem was that the authentication code wrongly decided that it was time to enable the disabled account by creating it anew, with the (blank) password which had been provided by the user.

      Sadly, things are never quite as simple as they look.

    2. Anonymous Coward
      Anonymous Coward

      Re: Two stupid things happened

      2) the researcher who found this decided to tell the world immediately instead of telling Apple privately and giving them the chance to fix it before it was made public - he's getting castigated in the security world for doing this, and rightly so

      Pretty sure the guy sent a message to Apple straight away. However, given the truly catastrophic and extremely simple nature of the fault (it later emerged than any program could pull off the same trick with command line calls), letting the whole world know was probably better than letting it fester until Apple got round to fixing it. Apple had 2 weeks to fix it before it became newsworthy, and only after all this publicity have they decided to get on with it.

      1. Anonymous Coward
        Anonymous Coward

        "he's getting castigated in the security world for doing this, and rightly so"

        Nope. Apple previously disclosed it into the public domain beforehand, as explained in the earlier post in this thread.

        The PR firm who released that fake statement couldn't do a worse job even if they had Theresa May or one of her Orange ex-friends as their clients.

      2. Aodhhan Bronze badge

        Re: Two stupid things happened

        Don't go around saying someone has upset the INFOSEC community when they haven't. This is just irresponsible nonsense; especially coming from someone who posts anonymously.

    3. Dan 55 Silver badge

      Re: Two stupid things happened

      The problem isn't that the default root password is blank, it isn't. The bug happens with disabled accounts which have no password. The bug sets the password entry for these accounts to whatever password you enter (which is probably blank).

      1. chuckufarley

        Re: Two stupid things happened

        I just wanted to add that any unused account on your system should be expired so that no one and nothing can use it to log in to your computer. In linux and MacOS account expiration is controlled by /etc/shadow. Try man shadow. If you are running linux also read the man page for usermod. On MacOS, I am told that usermod doesn't exist and you need to use a tool called dscl instead.

        One can only hope that part of the fix Apple has put into place was expiring the root account. If not you can do it manually and maybe avoid the next episode of "open mouth, insert root" from Apple.

    4. Gordon JC Pearce

      Re: Two stupid things happened

      How do you set a random password, without that being a huge hole itself?

  3. schafdog

    Bad but...

    It is an embarrassing bug and it will be exploited before all machines has been patched, but IMHO not as as big as the SSL error (GOTO FAIL). Requiring physical access to my machine would require break-in to my apartment.

    Anything that is remotely possible is scary: Browsers allowing remote code to run. My SMTP server having a hole (like exim).

    I have been hacked once due to a FTP bug in 2000. Prob. a script kiddie but still scary as hell.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bad but...

      You don't need physical access, just network access since this can be archived through vnc or even terminal if you're so include (I've tested this against my iMac which functions as a monitor at work over the network and sure enough it can be triggered. )

      Annon because I'm not telling you which network you need to be on.

      1. schafdog

        Re: Bad but...

        That does makes it worse. And yes in a corporate environment with many macs it is huge.

        I was looking at it from my home perspective.

      2. Anonymous Coward
        Anonymous Coward

        Re: Bad but...

        "Annon because I'm not telling you which network you need to be on."

        No good, I know it's your internal network. You need to be more sneaky than that.

        1. Anonymous Coward
          Anonymous Coward

          Re: Bad but...

          We have more than one to use. Still not saying though.

    2. CrazyOldCatMan Silver badge

      Re: Bad but...

      I have been hacked once due to a FTP bug in 2000

      I've only been hacked once (that I know of!) - I set up an account on one of my linux boxes for one of my brothers and he changed his password to be the same as his user name..

      Found someone busily trying (and failing) to install a rootkit the next day. Fortunately, it was a pretty stripped-down box and had a minimal attack surface (apart from squishy-meatbag induced ones).

  4. This post has been deleted by its author

  5. petef
  6. Anonymous Coward
    Anonymous Coward

    That was quick!

    Tell Apple secretly that they have a major hole and they will keep it secret for as long as they can. Tell the world Apple has a major hole and it gets fixed. Now tell me that dev guy did the wrong thing.

    1. Naselus

      Re: That was quick!

      Now that's hardly fair. EVERY vendor will try and keep quiet about a problem like this until it's fixed, because revealing it when no fix exists is a fantastically irresponsible thing to do.

      Of course, this had already been public domain for weeks and Apple weren't making any effort to do anything about it, which is the worst of all worlds. It was being bandied around by people on their own customer forum as a 'fix' for a locked account, and Apple still did not notice. Which isn't a great look.

      1. steelpillow Silver badge

        Re: That was quick!

        "Now that's hardly fair. EVERY vendor will try and keep quiet about a problem like this until it's fixed"

        No, that's hardly fair. There is a very big difference between vendors with a reputation for fixing holes asap and those with a reputation for sitting on them for years on end.

  7. Dr Mantis Toboggan

    allows anyone sitting at a Mac to gain administrator access

    'accessing it remotely via VNC, RDP, screen sharing, and so on"

    Apple protection force out in strength....

  8. stationtostation

    Wouldn't have happened if this were closed source

    ...oh hang on, a disassembler you say? Hmm, not with this EULA

  9. Brian Miller

    Oh good, auditing the process

    Testing code as it's built is a very old concept. They should have had a wakeup call after the SSL bug. There's a number of good C testing frameworks now. Maybe they'll use one instead of just yelling at the developers.

    1. TechnicalBen Silver badge

      Re: Oh good, auditing the process

      I have to laugh at the number of bugs that slip through. Often just pressing a button would have replicated it.

      Granted in this case "I wonder if I can login to root?" Would have to have been followed by hitting enter twice. But still would have been a few seconds every code revision.

      1. CrazyOldCatMan Silver badge

        Re: Oh good, auditing the process

        I have to laugh at the number of bugs that slip through.

        I'm reminded of the old phrase: "The enemy of security is complexity". And modern OS's are very complex indeed..

  10. gerdesj Silver badge
    Stop

    Bit of a pain

    This little number is rather more nasty than every bug (with a funky name) that has been touted for years. This is *root* with no password. This is: I can ssh or RDP into your box with no password.

    I don't have to mess about with anything fancy - your system has absolutely no protection against me: your root account has *****no fucking password *****.

    I suggest you set one yourself. Apple seems to have let you down.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bit of a pain

      "your system has absolutely no protection against me:"

      Well apart from you can't get to it.

  11. PhilipN Silver badge

    Emergency Patch

    Great! Except it has ckufed up my office system!

    I have to restore to the previous iteration of High Sierra.

    Admittedly I am running an ancient Mac Pro but You Hef Bin Varned!

  12. PC Paul

    It's a shame nobody seems to have posted the immediate 'make yourself safe' step which should be to create a root account with a strong password, avoiding the logic flaw completely.

    I don't have a Mac here to test, is there any reason this wouldn't work?

    1. Anonymous Coward
      Anonymous Coward

      No idea why you got a down vote....oh yes him.

      It does mitigate the issue and was Apples immediate response.

    2. Walter Bishop Silver badge
      Linux

      @PC Paul: "It's a shame nobody seems to have posted the immediate 'make yourself safe' step which should be to create a root account with a strong password, avoiding the logic flaw completely. I don't have a Mac here to test, is there any reason this wouldn't work?"

      At least two people here deemed that comment worthy of a down vote. Logging in as root through the GUI is disabled by default here and it does prompt for a root password at installation. Then you sudo or su to get root access, various distros have different restrictions on this.

  13. Tsurotu

    var true = false;

    1. PassiveSmoking

      #define false true // Good luck debugging, suckers!

  14. Anonymous Coward
    Anonymous Coward

    But it has rounded corners...

    ...and looks so pretty.

    Nothing this beautiful could be wrong.

    All hail at the temple of the expensive shiny tat.

  15. Chz

    Enterprise?

    "particularly in the enterprise market Apple is so keen to grab"

    They can't be all that keen, given their support offerings. My director's XPS13 dies at noon and Dell has someone on-site the same day. Another's Macbook Pro dies at roughly the same time and Apple show up 6pm the next day.

    1. trevorde

      Re: Enterprise?

      Apple don't care about backward compatibility, which is essential for enterprises :-(

      1. Naselus

        Re: Enterprise?

        "Apple don't care about backward compatibility, which is essential for enterprises"

        And aren't much interested in compatibility with other vendors, either, which doesn't help much. Honestly have no idea why Cook is trying to push the Enterprise angle, since it's completely at odds with Apple's existing (and undeniably successful) model.

      2. Anonymous Coward
        Anonymous Coward

        Re: Enterprise?

        Apple don't care

        FIFY

  16. Anonymous Coward
    Anonymous Coward

    AT&T UNIX security breach - 30 years on....

    Back in the mid 80's I used to work on AT&T 3B2-300 computers. When you forgot the root password you just hammered 'BREAK' during boot and you were prompted for a firmware password. That password was hard-coded as 'mcp'. I blame the interweb for making these security breaches available to everyone.

    1. GruntyMcPugh Silver badge

      Re: AT&T UNIX security breach - 30 years on....

      Similarly ~25 years ago, I had to hack our own VAXCluster. The star coupler had thrown a fit, and instead of making sure one copy of the system volume was available to at least one node, it crashed horribly and corrupted both.

      So, I called our DEC support people, and our nice engineer Paul, turned up with parts, I restored the OS, and we thought we'd cracked it. Except it turned out that my boss (who was on hols) has changed the SYSTEM account password when I'd been on holiday shortly before, and had forgotten to tell me.

      So, having physical access, I just took the system down again, did a conversational boot, renamed sysuaf.dat, rebooted, logged in as SYSTEM without a password, put sysuaf.dat back, and changed the SYSTEM password. Boom! I was in. (at least that's how I remember it, there was some swearing and multiple attempts to get this right)

  17. Walter Bishop Silver badge
    Terminator

    Security as part of the build/test/deploy process.

    Who is responsible at Apple for testing for basic security glitches such as above. Something like having an automated security testing framework in place that can run as part of the build/test/deploy process.

    1. Frank Gerlach #2

      Not

      The problem exists on the architecture/specification level. How can a sane engineer specify that a LOGIN routine should CREATE A NEW USER ???

      1. Naselus

        Re: Not

        "The problem exists on the architecture/specification level."

        Honestly, the problem exists on a cultural level at Apple. They keep everything secret even internally, so they have the complete opposite of the Open Source 'many eyes' approach. There's a presumption of security by obscurity minimizing problems, which is a really, really bad approach - and leads to having to rush out patches for bugs like this one when they get press attention.

        On top of that, there's a general insistence that they don't need to learn from or follow non-Apple ideas about security, leading to stupid things like the lack of 2FA on iCloud prior to the Fappening (until someone who has learned about these things takes advantage of it, resulting in a sudden acceptance of what everyone else knew was a good idea 20 years previously). These are just plain embarrassing for a major vendor and the kind of thing most of their rivals addressed in the early 2000s, but are sidelined at Apple because they 'damage the user experience'. Presumably, no-one considered how having all her nude photos leaked online would impact Jennifer Lawrence's experience until after the event.

        1. Frank Gerlach #2

          In Apple's Defence

          1.) They have very nice hardware. Not cheap, but that is probably a tautology...

          2.) Apple uses Sandboxing heavily, as far as I have read.

          3.) They picked up the idea for the memory safe Swift language from somebody externally.

  18. Troy Tempest

    Everyone hyping - slow down a little

    I tested the "problem" on my Mac (High Sierra) and .... NO root access using blank password.

    Again, trying to elevate my privileges (as described) from System Preferences - again NO root access.

    Granted Apple has rapidly pushed out a patch means it was a problem but ... not everywhere.

    Not denying it hasn't been witnessed - just not on EVERY machine.

    So relax from RANTING and foaming - please test your sources BEFORE jumping on the gloat / hate wagon.

    1. Frank Gerlach #2

      Re: Everyone hyping - slow down a little

      Even if in many cases the bug does not show (for whatever reason), the algorithm as outlined here sounds very, very dangerous. Create a new user if the requested one does not exist ? WTF ???

      1. The Mole

        Re: Everyone hyping - slow down a little

        This doesn't create a new user if the user doesn't exist. What this code is is migration code.

        First it checks the newest format password database, if the entry isn't there it checks the old password format database, and upgrades the account password to the new database.

        Unfortunately there is a bug that if the password wasn't in the old password database it still does the upgrade with whatever was passed in, which is rather stupid, but isn't the same as creating a new user.

        1. Frank Gerlach #2

          Re: Everyone hyping - slow down a little

          "and upgrades the account password to the new database."

          Scary stuff for LOGIN checking code...

    2. CrazyOldCatMan Silver badge

      Re: Everyone hyping - slow down a little

      Not denying it hasn't been witnessed - just not on EVERY machine.

      As I've posted previously, I can't get it to trigger on Macs joined to an active directory domain. I suspect that those are going to be a small minority though.

      1. KroSha

        Re: Everyone hyping - slow down a little

        I have, partially. I tried on my work iMac (10.13.1) and managed to get the System Prefs to unlock. I couldn't login as root at the login window or via the terminal.

  19. Frank Gerlach #2

    Looks Like Violation of the KISS Principle

    A password-checking routine has absolutely NO business in CREATING a new user on a Unix system. If the user does not exist, fail the login and that is it !

    But the IT sphere is actually plagued with feature-stuffed software, which in practice means bug-stuffed.

    Here are two more KISS Violations: http://altwissenschaft.ddnss.de/ViolationsOfKISSAndConsequences.html

    1. Frank Gerlach #2

      Re: Looks Like Violation of the KISS Principle

      So other commenters say it is "just" migrating one format of user database into another one. "one the fly" while checking credentials.

      Not sure whether this is even more dangerous or just on a similar level.

      If they really want to convert user databases, do it while pushing an upgrade to the computer, not on every login attempt.

    2. CrazyOldCatMan Silver badge

      Re: Looks Like Violation of the KISS Principle

      If the user does not exist, fail the login and that is it

      You seem slightly slow of comprehension so I'll use small words:

      A root user is created on every install but is marked as disabled and has no password. This has been the case for (pretty much) every version of OS X.

      This bug comes about because of a logic flaw that makes the root account active, even if it doesn't have a password. This is unacceptable. But it sure as hell ain't "CREATING" a new user..

  20. Fat-Boy-R-Dee
    Facepalm

    OFFS - it isn't creating a new user, OK?

    All it is doing is adding a password to an existing, disabled user without a password (NULL (UNDEF?) vs "blank" vs zero, fankids), and then enabling the user.

    Yep, serious hole, Apple blew it off until it got user-level publicity (shame on them). Sad part is it's like the gratuitous "hacker" scene in action movies where somebody taps a few keys and magically pwns the system - you know, the ones we all groan at. Well, truth appears to be stranger than fiction, once again.

    But it's NOT creating a new user (possibly with root privileges/sudoer/whatever). That's an entirely different level of stupid.

    1. Naselus

      Re: OFFS - it isn't creating a new user, OK?

      "ad part is it's like the gratuitous "hacker" scene in action movies where somebody taps a few keys and magically pwns the system - you know, the ones we all groan at. "

      Apple kit - so user friendly even hacking it just takers a couple of key presses.

  21. Triumphantape

    Here's what went wrong

    Nothing, it was intentional just as their SSH bug was a few years back.

    It's too hard to believe their coders and their code checking software wouldn't catch this.

  22. ColonelClaw

    That apology is... an actual apology.

    Makes a nice change.

  23. rmstock

    A Glitch by Apple ?

    "Latest release‎: ‎10.13.1 (17B48) (October 31, 2..."

    So hackers or related entrepreneurs had a possible four weeks of fun. Normally I would call this a glitch by Apple. But then again, the timing is interesting, where in other news it was reported that US Marines raided the CIA and the FBI was "neutralized" ...

  24. Sceptic Tank
    Paris Hilton

    That disassembly ... what does rsp = (rsp - 0x10) + 0x10 do?

  25. anthonyhegedus Silver badge

    I'm running a beta version of MacOS (10.13.2) and they obviously don't think it's important enough to release the fix for the beta software. I know it's beta software, but why not make the effort and release the patch for that too, seeing as they know about it.

    1. KroSha

      I think you'll find that it'll be rolled in to the next beta release.

  26. -tim

    Can this be used to set a password?

    Does this mean after a fixed number of tries, the password might be able to be set to something and then if the patch only works if the encrypted password hasn't been set, it means someone could have added a backdoor that won't be detected or fixed?

  27. FuzzyWuzzys Silver badge
    Facepalm

    “Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”

    Read: Some uuterly stupid dev and his manager are getting shitcanned for the utter cock up!

  28. bpfh Bronze badge

    From my aulde C programming days...

    I thought that in C, returning 0 = success, and anything other was an error code that depended on the function, eg: 0 -> OK; 1 -> password invalid; 2 -> user not found...?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019