Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]

[TiggrToo]

Well bummer... I've tried all manner of ways and I can't seem to trigger this, not via the System app or by login.

Tried using the mouse and the return key to 'press' Return. No matter what all I get is the bouncing Dialog box.

High Sierra 10.13.1

What I do wrong (or, what did I do right when I first configured my Mac last year?)

 

[EricBlue]

You can get through the login screen by clicking guest and then open system preferences and unlock with root with blank password (for me "Root" but not "root" worked). When you logout you have a third option to login with username and password. Enter "Root"/"root" and blank and your in.

 

[archvile]

Enabled. I didn't try this myself, but I'm under the impression that disabling the account restores passwordless root.

See my reply above - even if you disable it, it is possible to exploit the bug again which automatically re-enables the account. Leave root enabled with a password.
[doublepost=1511908855][/doublepost]

Well bummer... I've tried all manner of ways and I can't seem to trigger this, not via the System app or by login.

Tried using the mouse and the return key to 'press' Return. No matter what all I get is the bouncing Dialog box.

High Sierra 10.13.1

What I do wrong (or, what did I do right when I first configured my Mac last year?)

Did you type root in the username, then click your mouse cursor into the password field (but not typing anything), and then hitting Unlock via mouse click? I tried it using the enter key and it wouldn't work that way.

 

[TheShadowKnows!]

clarification: you need to select (focus) the password field, but leave it blank

Nope. Does not work for me.

As a matter of background: I am the solo user of my Mac. No one else (not even Guest) Is listed as a user. Is that a pre-requisite? I wonder.

Update: Tried "Root" (as opposed to "root") and that did work.

Update^2: Ooops. Does work with either "Root" or "root" (as the username is always case insensitive).

The pre-requisite, as someone posted, is to click on the empty password, and then click on "UNLOCK".​

Update^3: And to eliminate the pesky "Other Users" from the login screen, when there is none, type from the Terminal window:

sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE​

"HoHoHo" /s

 

[MallardDuck]

Won't help. All they need to do is to click on "Switch user" in the lock screen, select Other, and input root as the user and leave the password blank.

Yep. Powering off completely is the other alternative. The fv2 unlock at boot doesn't appear to be impacted.

 

[kazmac]

Oy.

Also still on Sierra for a variety of reasons.

This what happens when you spread yourselves too thin, rush to get new OSes out each year, obsess on the bells, whistles, spaceship HQ, and $. Between this and iOS 11, I have to wonder what the heck is going on with Craig and his team?

This is a huge trip up and unacceptable. Sad.

 

[TiggrToo]

See my reply above - even if you disable it, it is possible to exploit the bug again which automatically re-enables the account. Leave root enabled with a password.
[doublepost=1511908855][/doublepost]

Did you type root in the username, then click your mouse cursor into the password field (but not typing anything), and then hitting Unlock via mouse click? I tried it using the enter key and it wouldn't work that way.

I did indeed. Got squat. Neither that nor the return key did anything more than bupkis other than bounce my dialog box.
[doublepost=1511909192][/doublepost]

Nope. Does not work for me.

As a matter of background: I am the solo user of my Mac. No one else (not even Guest) is listed as a user. is that a pre-requisite? I wonder.

I have second admin account on mine (wifey) and I can't exploit this either.

 

[Roadstar]

Yep. Powering off completely is the other alternative. The fv2 unlock at boot doesn't appear to be impacted.

Yep, the exploit doesn't seem to be possible before some valid user has decrypted fv2 first.

 

[CanadianGuy]

I suggest this issue be coined "#noGate".

Thanks, I'll be here all week.

 

[SeaFox]

The QA department must still be transitioning to Apple Park. I'm sure once everyone is settled in, attention to detail can resume.

Not sure if being sarcastic or not. If QA's unable to work because they are changing offices, the correct result is work gets delayed and then caught up later, and timelines slip. You don't just keep shipping software and skip steps for whoever is not there because it's inconvenient.

 

[Sedulous]

I just disabled the root superuser in terminal.

 

[project_2501]

How is it that open source community-developed Linux has better security QA than Apple with all its huge resources and wealth?

The only answers I can think of are

1. organisational dysfunction

2. arrogance

could there be another explanation?

 

[TheShadowKnows!]

I did indeed. Got squat. Neither that nor the return key did anything more than bupkis other than bounce my dialog box.
[doublepost=1511909192][/doublepost]

I have second admin account on mine (wifey) and I can't exploit this either.

Try "Root" rather than "root". That did work for me, even with a solo account.

 

[Ishayu]

Got in. Just have to try 4 times. On the 4th time, it lets you in. After that, you can go to the login screen, enter root in the user field, and then leave password blank. After a short wait, your mac will be set up "for the first time" and a few minutes later, you're logged in as "System Administrator". If you open a Terminal, you will be root#.

This is ****ing embarrassing. HOW?! Oh my god...

You don't need "Root" rather than root or anything like that. You have to try logging in 4 times, then it unlocks.

 

[jay47]

If you have only a single administrator account and disable automatic login you will only see the one account at boot . There will be no option to switch users or login as root . The root account is still enabled with no password but if someone has access when the screen is unlocked its game over anyway .

 

[pradeepbabloo]

Bend-gate, Touch-gate, whatever-gate are nothing before this root-gate!!!
Seriously, who is QA head? That person needs to be fired!

 

[Feenician]

How is it that open source community-developed Linux has better security QA than Apple with all its huge resources and wealth?

The only answers I can think of are

1. organisational dysfunction

2. arrogance

could there be another explanation?

Well, what actual facts do you have to back up the assertion that it is more secure?

This local root exploit for Linux was patched in 2016, after being present for 5 years. So much for many eyes making bugs shallow.

https://www.siteground.com/blog/linux-kernel-local-root-exploit-fixed/

People are losing perspective a bit in this thread.

 

[Princess Cake]

Oh no, this is awful! ....oh wait, I use an iMac and I'm the only one living at my house...

 

[nfl46]

Man, I’d love to be a fly on the wall and listen in on these meetings. I know Tim is probably furious with Craig’s team. Maybe the transition has been rough.

 

[TiggrToo]

Try "Root" rather than "root". That did work for me, even with a solo account.

Still can't make this happen, neither as root, nor Root, with mouse or with Enter.... Either I'm an idiot (quite possible) or I did something really smart last year when I set my MBP up...

 

[foxlet]

I'm more surprised you'd still have High Sierra Developer Beta 2 installed on multiple Macs. On my 2012 rMBP those early betas were a mess, but the release builds still start to lag way more than they should with just a few apps open.

Got to be honest, I think I can safely say I've had more issues with High Sierra post-release than with any other MacOS I've used. My 5K iMac is now formatted APFS on a fast PCIe SSD, and when I open up my Dock stacks the image thumbnails load as if I were using a mechanical drive. On MacOS Sierra it was almost instantaneous. Plus the wake from sleep is definitely slower compared to MacOS Sierra. And I sometimes have to restart to get back 30 GB of space on my drive (usually just put my iMac to sleep).

I've kept the installation packages and partitioned disks from multiple betas back when I was testing unsupported Mac functionality.

 

[chrfr]

Unfortunately setting a root password can break things...

This is not true. There's nothing in macOS that depends on having the root password being un-set. Now as far as being logged in as root and damaging things, that's a different story.

 

[Ishayu]

Oh no, this is awful! ....oh wait, I use an iMac and I'm the only one living at my house...

If someone knows the password of a user on your system, or your account is poorly protected, it is perfectly possible to do this remotely. You just have to remote into the macine, start a GUI shell with any user, go to preferences, and do the same steps in the news post. Then you can log in as root in the shell prompt, start a remote session from that, and you're good to go.

Any Mac with internet access and firewalls opened is vulnerable to this.

 

[ersan191]

This one is actually ridiculous, I usually defend Apple when bugs are discovered but this one is just stupid.

I'm also very surprised it took people so long to discover it.

 

[cambookpro]

This... is a pretty shocking bug. I'm not usually one to reminisce about the past (especially Apple's), but deary me, this isn't autocorrect not working, duplicated calendar events or such like.