It doesn't work for me after a dozen tries both in login and Users & Groups, both clicking immediately or waiting for 30 seconds or so. But see my post below.

You need to use the return key, not the Unlock button for the bug to manifest itself. Latest High Sierra beta released today is still vulnerable. Having root disabled/no password is the only other requirement besides hitting return with root:blank once or twice.
 
Ridiculously stupid. Reminds me of how I got into my locked Win98 laptop by clicking help, trying to print the help, choosing a print border, then opening the admin user's desktop to browse for the print border. Except that was in 1998.
 
MacOS is one of the few mature products among Apple’s current offerings. I always considered it rock solid and reliable. When a new OSX version was released, I didn’t hesitate to upgrade. Given the company’s current ambitions and priorities, I postponed upgrading to High Sierra. Despite the public beta program, I don’t have the same faith in Apple's execution and quality control. Seems their software is a constant work-in-progress. One wonders how they managed to deliver an OS without beta testers before—and on discs!

Perhaps OS’s are reaching their limitations. Perhaps no OS or programming schema is capable of being the futuristic multi-tasker that we imagine; perhaps computers are not the Holy Grail after all.
 
MacOS is one of the few mature products among Apple’s current offerings. I always considered it rock solid and reliable. When a new OSX version was released, I didn’t hesitate to upgrade. Given the company’s current ambitions and priorities, I postponed upgrading to High Sierra. Despite the public beta program, I don’t have the same faith in Apple's execution and quality control. Seems their software is a constant work-in-progress. One wonders how they managed to deliver an OS without beta testers before—and on discs!

Perhaps OS’s are reaching their limitations. Perhaps no OS or programming schema is capable of being the futuristic multi-tasker that we imagine; perhaps computers are not the Holy Grail after all.
I never update until either Xcode absolutely stops working on the old OS or there's a serious security bug in the old one. So I'm always on the most mature minor version. Can't trust Apple anymore.
 
Looks like we have a new 'wait at least this long before upgrading' guideline: at least two months.

I fear these occurrences will become even more frequent. IMO, it's from moving toward one OS for all devices. Say, "Apple OS?" The focus is being lost on the core security priorities of the OS. Too much emphasis on bells and whistles. Plus the move to APFS is not helping.
iOS 11 clearly is the worst iOS roll out ever. Again a lack of focus on core requirements due to more bells and whistles. Just look at all who shelled out $1,100-1,500 for Animojis. Hairforce one needs to have a serious gut check. :apple:
 
True, things have changed; however, we need to keep in mind Apple is innovating at a much faster pace than before. New hardware and OSes are released every year. In the past it wasn’t as frequent and I believe this allowed them to really focus on development more thoroughly.
I agree, but when it comes down to Security flaws like this there can not be any excuse. Cybercrime is everywhere, you must be able to trust your machine!
 
Worked for me if I clicked the password field, then the unlock button, but if I tabbed to the password field, and then clicked unlock it didn't work. So a bit wonky.
Does this exploit work if the main drive is encrypted?

Yes, my drive is encrypted and I was able to reproduce.
 
Unfortunately setting a root password can break things, and cause strange issues. Once you do it, it's a reinstall to fix.

The better option is to power off the machine when leaving it. Hello 1991.
 
Unfortunately setting a root password can break things, and cause strange issues. Once you do it, it's a reinstall to fix.

Better solution is just don't leave your mac unlocked. So then they have to get your password to get to the screen to add themselves an account.
 
Oh look, another reason to stay on Sierra! I would love to know why Apple are so desperate to push out new software without even having a bit of breathing space from the last one! Apple's line ‘upgrading to High Sierra is for security and compatibility reasons’ cobblers!
 
I don’t have the same faith in Apple's execution and quality control. Seems their software is a constant work-in-progress. One wonders how they managed to deliver an OS without beta testers before—and on discs!

Perhaps you just didn't realize that there are exploits every year and you were never as safe as you imagined.

10.3 and 10.4 could be rooted with bluetooth
http://tidbits.com/article/8729

10.5 and 10.6 had some nice rootkits
https://www.macrumors.com/2017/07/27/vault-7-wikileaks-older-macs/

10.7 through 10.10 were vulnerable to root pipe
https://www.exploit-db.com/exploits/36692/

10.11 had a SIP flaw
https://thehackernews.com/2016/03/system-integrity-protection.html
 
Better solution is just don't leave your mac unlocked. So then they have to get your password to get to the screen to add themselves an account.
There are shared environments like schools where this isn't an option. But yeah, for a single user, root doesn't mean much. All the real damage can be done on my own user.
 
Doesn't work for me. Can't replicate. Tried numerous times. Keeps asking for my password.

Yeah, I'm not vulnerable either. I may have set a root password many years ago when there was another vulnerability for which doing so was the recommended solution.
 
Better solution is just don't leave your mac unlocked. So then they have to get your password to get to the screen to add themselves an account.

Won't help. All they need to do is to click on "Switch user" in the lock screen, select Other, and input root as the user and leave the password blank.
 
Or open /System/Library/CoreServices/Applications/Directory Utility

Disable the root user in the Edit menu.

Doing a password-less root login after disabling the root user will automatically re-enable them again.

Alternatively, setting a password for the root user, then disabling the root user, and then using a password-less root login will re-enable the root user with no password again.

If you set a password for root user and leave it enabled, it does fix the problem, however now you have an additional possible threat vector into your system by having root active (even if it does have a password).

This is some major ****ery Apple, what the ever living hell.
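
A way to watch for the state change described in the post above, where a disabled root account ends up enabled again (added example, not part of the thread). The `dscl` output format, the sample lines, and the function names `classify_root_state` and `audit_root` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the local root account from the output of
#   dscl . -read /Users/root Password AuthenticationAuthority
# Assumption: a disabled root has no AuthenticationAuthority attribute
# ("No such key") and a Password value of "*".

classify_root_state() {
    # Reads dscl output on stdin, prints: disabled | enabled | unknown
    awk '
        /^AuthenticationAuthority:/ { auth = 1 }
        /^Password:/                { seen = 1; pw = $2 }
        END {
            if (auth)                   print "enabled"
            else if (seen && pw == "*") print "disabled"
            else                        print "unknown"
        }'
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED='Password: *
No such key: AuthenticationAuthority'
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

audit_root() {
    # $1 = state the policy expects, stdin = dscl output
    state=$(classify_root_state)
    if [ "$state" = "$1" ]; then
        echo "OK root is $state"
    else
        echo "ALERT root is $state, expected $1"
    fi
}

printf '%s\n' "$SAMPLE_DISABLED" | audit_root disabled
printf '%s\n' "$SAMPLE_ENABLED"  | audit_root disabled

# On a Mac, feed it live data instead:
#   dscl . -read /Users/root Password AuthenticationAuthority 2>&1 | audit_root disabled
```

The check only reports whether root is enabled; it cannot tell a blank password from a set one, so an unexpected "enabled" result is the signal to investigate.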
 