Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
The market share has hardly changed globally in the last decade.
[doublepost=1511925664][/doublepost]
SIP does nothing to prevent the root user being activated and isn’t intended to AFAIK. Although it’s sometimes referred to as ”rootless” it never prevented a user activating root.
Best comment yet. High Sierra isn't high enough...
Pathetic. I blame these awful annual release cycles that pressure them to release this crap (same goes for iOS). Not everything was perfect under Steve, but I miss OSX releases that came out when the time was right.
Ya luckily Windows and Linux have no exploits.
I just tried this on my Active Directory Domain Joined Macbook Pro 13" on macOS 10.13.1 and this exploit gets worse!
Macbook has FileVault Turned ON
Brought up the lock screen and clicked switch user
Was able to bring up a Blank User ID and Password prompt
Username root
Manually clicked with the trackpad in the password field (left it blank)
Hit Enter key
System let me right in the "System Administrator" account. This so called account does not appear in the users section of the preference pane.
Also I am able to unlock any locked system preference with this root user and no password.
This is insanity. All a person needs is physical access to a machine and you are done. Not as big of a problem for the home but a massive issue for corporations like IBM or Google, both of which have thousands of Macs for their developers.
Macbook has FileVault Turned ON
Brought up the lock screen and clicked switch user
Was able to bring up a Blank User ID and Password prompt
Username root
Manually clicked with the trackpad in the password field (left it blank)
Hit Enter key
System let me right in the "System Administrator" account. This so called account does not appear in the users section of the preference pane.
Also I am able to unlock any locked system preference with this root user and no password.
This is insanity. All a person needs is physical access to a machine and you are done. Not as big of a problem for the home but a massive issue for corporations like IBM or Google, both of which have thousands of Macs for their developers.
WOW! I felt that all the way over here.
[doublepost=1511926696][/doublepost]
But laying off the weed would be strongly advised...
[doublepost=1511926726][/doublepost]
FTW!!!
Last edited by a moderator:
Actually, there’s something to be said for having a Guest account enabled. If the computer is stolen, many thieves would probably try to use the Guest account first (path of least resistance). If they do that and then get online, you’d potentially be able to use Find My Mac to track its location.
Has anyone tried setting a password on the root account?
1. Open terminal app
2. type: sudo su -
3. enter your password
4. You've not entered a REAL root shell (not sudo). be careful.
5. type: passwd
6. enter a new password for the root user
7. repeat it
8. type: exit
9. close the terminal app
After this, try getting elevated rights in settings again.
I'm not on High Sierra so I cannot test - I'd be interested to hear how it goes.
1. Open terminal app
2. type: sudo su -
3. enter your password
4. You've not entered a REAL root shell (not sudo). be careful.
5. type: passwd
6. enter a new password for the root user
7. repeat it
8. type: exit
9. close the terminal app
After this, try getting elevated rights in settings again.
I'm not on High Sierra so I cannot test - I'd be interested to hear how it goes.
Local access to a corporate workstation isn't that big of an issue if everything is locked out with other logins. Plus those developers are probably working on open source projects so any data stored locally is probably not that important. Not a big deal. Apple shouldn't even prioritize fixing this.
Solves the problem for the time being.
Guys correct me if I am wrong but isn't the root account on osx suppose to be disabled by default? Looks like someone left it enabled.
Yes, that’s the recommended course of action for now.
You’re correct. It’s disabled by default. The bug here enables it, blank password and all, when you input the first rejected attempt to use root.
[doublepost=1511928260][/doublepost]
By that token they never invested in any version of OS X, as they all had root escalation exploits, including the much touted Snow Leopard.
Not to take sides on this one, however..... My oldest left a large Fab in Upstate, NY. He was a Senior Engineer. He never complained about the color of peoples skin, or their cultures. But man the communication issues were insurmountable most of the time. Especially difficult when many are there on the H1-B and speak their native language to each other while working an issue. It led to many errors, scrapped wafers, and a toxic work environment with no team philosophy.
So, issues can arise without being a racist.
You’re clearly not a chief security officer or cio. It’s a very big deal.
1. This technically is not a root escalation exploit. This is a wide-open system with root being the same a guest login—no password required.
2. This is new in High Sierra, so trying to compare this unforgivable sloppiness to more sophisticated hacks is a false equivalent. Even Apple”s biggest apologists are hammering them tonight for this.
It”s amazing Apple doesn’t have automated testing suites to catch this stuff. Again, I think it goes back to they are just not focused on that Mac anymore. They had to back peddle on the Mac Pro, no Apple display, the reversed that decision ore-announce the iMac Pro because pros were leaving the platform, etc.
It’s so obvious now. Apple sold 3 year old Macs with outdated technology until it became a story. Then we saw rapid updates, except the mini which is still three years since an update.
If they are doing limited investment in the Mac hardware, why should we expect anything less for MacOS?
Last edited:
Saw some posts somewhere that said this was the worst lack of security in any OS ever. How about no password admin for windows forever. Boot into safe mode on pretty much anybody's machine and log in as admin and remove the users password and reboot and bam into their account. (People that knew better would give the admin a password but many did not.)
Read the article. The login screen can be fooled too. That means, anyone with physical access, have root access.
This level of "hack" requires the IQ of a potato to perform which means this is one of the worst security bugs to pop up in YEARS!
Well, if some stranger attempts this on my Mac Mini that's sitting here in my home, I've probably got larger issues than root access....
Um, yes it is. This is ascending from a non-root, non-admin user to root. By definition it is a root escalation exploit. The root user is not enabled at the outset and becomes enabled. The fact that is done by a trivial GUI operation does not make it otherwise
“Sophisticated hacks” like the one liner “fits in a tweet” rootpipe from a couple of years ago?
https://www.theregister.co.uk/2015/07/22/os_x_root_hole/
I’m not apologizing for Apple, for this issue or for anything else. This is a helluva hole. All I’m saying is that it’s not unique, not even terribly unusual and easily mitigated until it’s patched properly.
[doublepost=1511930412][/doublepost]
The login screen can only be “fooled” if you’ve already had access to an existing account and enabled root. Perhaps you should “read the article”. You cannot walk up to a random locked Mac and log in as root.
WOW....that makes me feel uneasy....Thanks for the Warning and the Bug-Fix-Discription. I was able to do this on my MacPro, however it was not needed on my MacMini Server. It seems if you have a directory Admin set, you also set the root password. But how many people run Mac server right ?
Windows effectively has no local security. If you have physical access you own the box.