Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

High Sierra Bug Provides Full Root Access

[Update: Apple quickly released Security Update 2017-001 to fix this bug. Read our current coverage at “Apple Pushes Updates to Block the Root Vulnerability Bug” (30 November 2017).]

You can expect a macOS 10.13 High Sierra update or security update in the next few days. That’s because developer Lemi Orhan Ergin has revealed a huge security vulnerability in High Sierra that anyone can exploit to gain full admin privileges and access to the root account on your Mac. 10.12 Sierra is not vulnerable to this bug, and I doubt earlier versions of OS X are either.


Many people have confirmed Ergin’s discovery, and if you’re running High Sierra, you can check it yourself. Just open System Preferences > Security & Privacy and click the lock button at the bottom of the window. In the User Name field, enter root and leave the password field blank. Press Return or click the Unlock button a few times — I’ve seen it both accept on the first try and require a couple of additional tries. But it will unlock eventually.


That’s not all. If your Mac displays the name and password fields on the login window, instead of a list of users, you can also log into the entire Mac as root, without a password. If you do that, High Sierra promptly sets up a new account called System Administrator and a home folder located in /private/var/root. That is the full Unix root account, which has superuser privileges that enable it to see and modify any file in any account.

Wait, it gets worse. I’ve confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences > Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, the outside world. I did this from a guest account on my MacBook Air and ended up at a login window on my iMac, from which I was able to click the Other button, enter root and no password in the appropriate fields, and create a root user account on my iMac.


The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in better shape, since High Sierra won’t let someone log into the root account at the login window.

The reason this shouldn’t work is that the root user isn’t supposed to be enabled. The workaround is to change the root password, which requires a few steps:

  1. Activate Spotlight by clicking the magnifying glass in the right corner of the menu bar or pressing Command-Space.

  2. Enter Directory Utility and press Return to launch it. (If you want to navigate to it manually, it’s in /System/Library/CoreServices/Applications.)

  3. Click the lock icon in Directory Utility’s window and authenticate. Yes, using root with no password works here too.


  4. Choose Edit > Change Root Password and enter a new, non-trivial password. If Change Root Password is grayed out, you may have to choose Edit > Enable Root User first. In another lapse, Directory Utility lets you set the root password to blank — just leave both fields empty and click OK. Apple should at least prompt here to make sure that’s what you want.


  5. If you don’t need remote access, consider disabling Screen Sharing or Remote Management in the Sharing preference pane as well.

Apple has said it’s working on a fix, so setting a root password should be sufficient protection for now.

 

Backblaze is unlimited, unthrottled backup for Macs at $5/month.
Web access to files means your data is always available. Restore
by Mail allows you to recover files via a hard drive or USB.
Start your 15-day trial today! <https://www.backblaze.com/tb>
 

Comments about High Sierra Bug Provides Full Root Access

To leave a comment, click Add a Comment and then enter the text, your name, and your email address (which won't be displayed). Your comment will appear after you follow a link in the one-time confirmation message we send to verify that you're a real person.
Receive comments via RSS
This bug was actually first reported on November 13 in a developer forum: https://forums.developer.apple.com/thread/79235 scroll down to the post by Chetan177 dated "Nov 13, 2017 12:48 PM" . Which raises the disturbing question: how is it possible that Apple was not aware of this until some other user tweeted it on November 28? Who knows how far the root access hole has been exploited in the two weeks time.
Reply
Adam Engst  An apple icon for a TidBITS Staffer 2017-11-30 10:54
Apple doesn't necessarily monitor discussion forums at all, so I'm not terribly surprised about that.
Reply