Aussie Researcher Cracks OS X Lion Passwords
daria42 writes "Thought your Mac was secure running Apple's latest operating system? Think again. Turns out that in some respects Lion is actually less secure than previous versions of Mac OS X, due to some permission-tweaking by Apple that has opened up a way for an attacker to crack your password on your Lion box. The flaw was discovered by an Australian researcher who has previously published a guide to cracking Mac OS X passwords. Sounds like Apple had better get a patch out for this."
Not really cracking the passwords. (Score:4, Informative)
Re:Not really cracking the passwords. (Score:5, Interesting)
But your basic point is right...he's figured out a way to capture hash/salt data, which he still should not be able to do. Since Lion uses SHA-256 hashes for its shadow file, that cracking attempt is still going to be quite difficult.
The more important part of this article is that under some circumstances, you can change the password of the logged in user without entering the current password. Now, *that* is a big deal (the degree of which is subject to valid debate).
Re: (Score:2)
Also it does make the brute forcing process many times faster. Generally speaking a system won't let you remotely connect to it and get a password wrong too many times before it locks you out for a bit. Also authentication isn't immediate, so even if it doesn't lock you out, there is a limit to how fast you can test passwords. 1/second would probably be a reasonable upper limit. Get a hash file, and you can do a few orders of magnitude better.
Now for a good password this doesn't matter. It is the difference
Re: (Score:3)
SHA-512, according to the article.
It's definitely an oversight, but should be fixed pretty quickly. The one line fix at the end of the article (restricting permissions on dscl) seems reasonable.
Re: (Score:2)
Re: (Score:2)
Addendum (also, this problem is not just bad because of the password hash exposure):
You could argue that brute forcing passwords is not the most common approach. For example, harvesting a million accounts and walking away with the passwords that can be cracked through an efficient "smart dictionary" attack, and abandoning the other ones, is probably by far the most common harvesting strategy.
It's sort of like putting a club on your car. It's not that they can't steal your car... but there's an easy to
Re: (Score:2)
Re: (Score:2)
The more important part of this article is that under some circumstances, you can change the password of the logged in user without entering the current password.
Could you change it back by replacing the original hash after you've done whatever you wanted to do to their system?
Now, *that* is a big deal (the degree of which is subject to valid debate).
Of epic proportions, I'd say.
Re: (Score:2)
The more important part of this article is that under some circumstances, you can change the password of the logged in user without entering the current password.
Could you change it back by replacing the original hash after you've done whatever you wanted to do to their system?
Why bother? Just install a back door and leave only one sign of tampering rather than fucking with their password. You already HAVE ACCESS TO THEIR ACCOUNT at that stage, you don't need their password to do anything.
Now, *that* is a big deal (the degree of which is subject to valid debate).
Of epic proportions, I'd say.
Again, why? Or by epic do you mean not really a big deal?
If I find an open console, unless I'm trying to teach you a lesson about leaving your console unlocked, the last thing I'm going to do is change your password. Only a moron makes it obvious they've owned the account. You leave the p
Re: (Score:2)
The dscl command might not allow you to change other users' passwords, but if dscl can modify the shadow file without the root password, what prevents something else from doing the same thing but allowing you to change any password?
Re: (Score:2)
Maybe they want root for tradition's sake? I don't know why, but let's just assume that, OK?
So they need to enter the user's password for sudo.
They do not have the user's password but apparently they can read the hashed version AND they can change the user's password without entering it.
So they back up the original password, change it, get root do whatever they want as root, then restore the password, and so it won't be obvious to the user that the machine has been pwned.
Get it now?
Re: (Score:3, Insightful)
Actually, the fact that OSX uses SHA512 makes it easy to crack the password (compared to the alternatives).
OSX uses SHA512(salt+password) to generate its hashes. SHA2 was specifically designed to be highly parallelizable and fast on modern processors, which means brute force attacks are going to proceed very quickly. And as time goes on, and average processor speed increases, that amount of time per CPU (and per $) keeps dropping.
There are four modern password hashing schemes worthy of note: SHA512-Crypt (
anyone with physical access (Score:2)
could get the 'hash' and the 'salt'. then you add the pepper, and your goose is cooked.
Re: (Score:2)
Changing password without any challenge (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
If the user is already running your applet ... oh why do I bother trying to explain basic reality to slashdotters
Re: (Score:2)
Re: (Score:2)
That *is* what password cracking is....
Re: (Score:2)
Re:Not really cracking the passwords. (Score:4, Informative)
for this to work, a particular java app must be installed and run on a website which is run on the Mac OS X computer.
No, that's just one attack vector suggested in the article to illustrate how this could be abused.
This is all possible, but basically FUD
ANY application which runs with a regular user permission CAN access the hashes for ALL the user passwords on the system.
That's not FUD. Also, the method described is not just possible, that's exactly how many infections occur these days.
Re: (Score:2, Redundant)
Yeah, once you get to the point of waving your hands and saying, "And then all that has to be done it to trick the user into running some arbitrary code," the exploit goes from "serious" to "surprised if it didn't work".
Re: (Score:2)
Why exactly did your mother's doctor allow you to be born?
Re: (Score:2)
So, which are you...the first or the second? [slashdot.org]
Re: (Score:2)
I know the Dept. of Homeland Security is serious enough that they damn near reverse engineer their desktop and workstation computers during inspection to make sure that they are as secure as they can be. Some organizations take security very seriously. If they don't, people die. THEIR PEOPLE.
When China hacked Google, they were looking for political dissidents, among other things. I'm pretty sure that both Google and China take data security pretty fucking seriously, too.
Re: (Score:2)
I think it's a safe bet that this guy doesn't work for DHS or Google.
Re: (Score:2)
Re: (Score:2)
That's true until about 15 years old.
Then until 21-25, they do it just to be assholes and show off.
After 25, it's generally about the money.
Here's the full details. (Score:5, Informative)
Re:Here's the full details. (Score:5, Informative)
Even better is the researchers' own blog post [defenceindepth.net]
Re: (Score:2)
Or, you know, instead of better you could go for accurate:
http://mcaf.ee/3h8mg [mcaf.ee]
-dZ.
Not good, but not a panic situation (Score:4, Informative)
So looking at it, basically what it comes down to is you can effectively get at the shadow file as any user. That does indeed mean you can get the hashes to attempt to crack passwords. This isn't a good situation, and isn't how it should be. On any UNIX you should have to be root to get at the shadow file, on Windows you must be an administrator (and running elevated, if UAC is on) to get at the SAM file.
However, do note that it is just a set of hashes. So you still have to crack the password. So long as the passwords are good, this really doesn't get you anywhere. If you've ever messed with this you find that things quickly get impossible so long as passwords are reasonably long. As such, if you have good passwords, this isn't a huge problem.
That said, I think we'll want to send out a warning to our Mac types today since they seem to think Macs make them immune to security issues and as such are prone to bad passwords. Perhaps this can help convince them to adopt better password standards since, really, that is one of the big keys to good security these days.
Re: (Score:3)
If you don't value your job too highly, you could even do a demonstration by deliberately exploiting the exploit to get their hashes, cracking their passwords, and emailing each of them an archive encrypted with their own password. When they unlock it they find a text file saying "CHANGE YOUR PASSWORD YOU MORON". Depending on your bosses you may well get fired for this, but it would help convince people that actually they're not as safe as all that.
Re: (Score:2)
If they have accounts on your local machine, especially if it is a laptop, then just send a note to IT: why do I have a user "jimjones" with password "jimj0nes" with access to my laptop... I basically did this to my IT dept a few years back. They pushed out an update that installed VNC in a hidden mode on all PCs. When I found it on my PC, I cracked the password (very weak rot-13 type of storage mechanism) and emailed one of them a message, "why is vnc installed on my machine with password "hex0515." They
Re: (Score:2)
Re: (Score:2)
Re:Not good, but not a panic situation (Score:4, Informative)
Re:Not good, but not a panic situation (Score:4, Insightful)
The SAM file on Windows is impossible to retrieve while the Windows kernel is running. The kernel has an exclusive read/write lock on the file and any attempt to access it will be denied. It is possible to read an NTFS file-system outside of the OS even while the OS is running but we're talking about deep-file system inspection.
You meant any attempt by a user without admin privileges of course. VSS solved the backup-open-files problems a long time ago.
You can still get at it (Score:2)
L0phtcrack can nab a SAM file from a running system. I am not sure how it goes about doing that, but it works. I presume it dumps the in-memory copy.
However, as I said, you have to be an administrator to do it and on UAC enabled systems, you must escalate. As such it is fairly hard to get at.
Re: (Score:2)
The SAM file on Windows is impossible to retrieve while the Windows kernel is running. The kernel has an exclusive read/write lock on the file and any attempt to access it will be denied. It is possible to read an NTFS file-system outside of the OS even while the OS is running but we're talking about deep-file system inspection.
What the ... ?
What are you smoking?
The ultimate unguessable Apple password (Score:2)
Re: (Score:2)
TFA and TFS of course again destroyed all the important parts of the original work [defenceindepth.net]
The critical part is about half way down. The WTF isn't that the hashes are extractable allowing you to brute force the password at your leisure, it's that there's no challenge to CHANGING the password. There isn't even a need to crack the password in this case and that most definitely IS a panic situation.
at least the Lion firewall is on (Score:1)
Unlike Snow Leopard
Re: (Score:2)
There still isn't one today.
There are a few vulnerabilities, but no malware that exploits them. Yet.
Re: (Score:2)
Brilliant reasoning, I am sure it will never cause any problems for you.
Extremely Serious (Score:5, Insightful)
People have posted "they're still hashes so you still have to break them" which is of course true, but if you keep reading down he shows you how to reset the other user's password without ever having to know them.
Re:Extremely Serious (Score:5, Funny)
Worst?! XP had that flaw that let you install Vista.
Re: (Score:2)
Re: (Score:3, Interesting)
Password reset doesn't work for my OS X installation. . .
$ dscl localhost -passwd
New Password:
Permission denied. Please enter user's old password:
passwd: DS error: eDSAuthFailed
DS Error: -14090 (eDSAuthFailed)
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.7.1
BuildVersion: 11B26
Re: (Score:2)
e.g.
dscl localhost -passwd
Where bob is the current user.
Re:Extremely Serious (Score:4, Informative)
According to the FTFA, you can only reset passwords for the currently logged in user. It doesn't say anything about resetting other users' passwords:
Still not good, but not nearly as bad as you suggest. Now, all that said, I don't have a Lion system on which to test resetting another user's password using dscl. I can only hope it doesn't work.
Re: (Score:2)
Re: (Score:2)
For the typical Mac user (think Hello Kitty stickers covering their MacBook), the proposed attack vector is a non-issue. In order for a Java applet to run, the attacker needs Java installed on the target system. Lion ships without Java. So, beyond getting the user to run the applet, and beyond having to brute force the passwords, the attacker somehow has to install Java on the target Lion system.
1. Wait for user to install your infected Hello Kitty screensaver for Mac.
2. Tell user to install Java (or bundle it, after all if you're installing a virus, why care about Oracle's license agreement).
3. ?????
4. Profit, erm, I mean infection... no wait, I mean profit.
Same old method that has been used on other OS's for decades. No-one has managed to create an effective technological defence for social vectors and likely never will.
Does sound kind of serious, maybe (Score:4, Informative)
Here is a bit from TFA-
"This means, according to the researcher, that it might be possible for an attacker to crack a users’ Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible."
It's not exactly a 1-2-3 step action. Also, the article never said he actually cracked any passwords, though he claims-
"Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so. "
Little bit more backup would be a good thing, here.
Cue the script (Score:2)
Ok, now it's time for a bunch of people to complain about how snide and awful Mac users are, how they think that they're immune to security problems. We'll get a string of posts about how some study indicated that OSX was less secure than Windows, maybe some anecdotal evidence that some slashdotter knew a guy who was a Mac user, and he was an asshole and said something stupid about computers once.
When we've gotten enough of those, we'll see a backlash of posts rehashing old complaints about Windows and Li
Re: (Score:2)
Whilst I am posting this from my Mac, and have administered Linux and BSD boxes for about 15 years+...
To be fair, part of the reason for that is that Linux boxes are more often used to run high-value machines than OS X.
If I hack your workstation (that is likely behind an egress filtering firewall if the admin has a clue), woohoo. However, if I hack a linux (or any unix) box, which is typically well-connected network wise with lots of bandwidth and often has a C compiler installed already, well, thats
So not serious (Score:2)
Re:So not serious (Score:5, Insightful)
You can change the root password on a Mac box without ANY credentials, provided you have physical access. Seems we have forgotten this while everyone is fear-mongering about what someone can do over the 'net.
Sorry for the sarcasm, but basically once someone has physical access to your computer you're basically boned unless you've encrypted your drive. It's Macs I know best, and it's trivial: boot to single user mode (command+S at start), mount in the file system as read/write (it even gives onscreen instructions for doing this) and then change the root password. I imagine something very similar can be done in Linux if there's an easy way to get it into single-user mode. Besides, on any machine to which you have physical access you can always boot a live distro and at the very least access the hashes if not easily take full control of the system.
Re: (Score:2)
Re: (Score:2)
Sorry for the sarcasm, but basically once someone has physical access to your computer you're basically boned unless you've encrypted your drive. It's Macs I know best, ...
If it's Macs you know best, then you also know Lion makes it quite simple to encrypt your hard drive.
It was the first thing I did after I installed Lion, actually.
Re: (Score:2)
Just because it's simple to do doesn't mean everyone will have done it... Maybe this kind of thing will help them wake up and start encrypting everything.
Re: (Score:2)
An old rule: "If you don't have physical security, you don't have security." You can also set a firmware password [apple.com] so people can't use this trick, or Option to choose another boot device, or T to enter target disk mode, etc. They can still pull the drive out, but short of that, you're more covered.
Re: (Score:3)
Re: (Score:2)
I just tested on an Ubuntu LTS release I had handy:
Script started on Tue 27 Sep 2011 13:24:02 BST /etc/shadow /etc/shadow
root@hostname:~# uname -a
Linux hostname 2.6.32-34-generic #77-Ubuntu SMP Tue Sep 13 19:40:53 UTC 2011 i686 GNU/Linux
root@hostname:~# wc -l
42
root@hostname:~# exit
Script done on Tue 27 Sep 2011 13:24:10 BST
So starting in single user mode gave me enough permissions to write to /root (that's where the typescript was saved), and to read /etc/shadow. (I didn't try writing /etc/shadow,
Re: (Score:2)
Yes, I agree - I'd mod you up except I've been involved in this. The original post started talking about physical access and Windows (though he claims he meant for anything) so I added that that scuppers you on a Mac too. And evidently Linux, from what ais523 says just below.
Re: (Score:2)
1 - Compromise system
2 - Replace OS code with some that allows access to said file
OR
1 - Compromise system
2 - Install something like the WinPE layer that allows access to said file
OR
1 - Compromise system
2 - Perform complicated SQL injection and Javascript hack that allows access to said file
Notice how the first step is always 'compromise system'? Whether that involves standing in front of it or breaking RSA... suddenly it's like, "Oh noes, I can see teh
Re: (Score:2)
Local is easy, If the disk isn't encrypted just reinstall the OS - no matter what OS you're using - now you ha
Re: (Score:2)
Actually, that's not true. My laptop has BitLocker applied (required by work, but if you have a TPM you may as well use it). The whole drive, including the credential store, is encrypted. Explain to me how you're going to change the credentials on that, please?
Also, my local Administrator account is password-protected, so Safe Mode isn't going to help you here even if you get that far.
Re: (Score:3)
Just for reference, booting in single user mode to reset a password is not 'hacking'.
Interesting contrast I notice here (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Has anyone discovered a good BeOS or OS/2 hack recently?
No, but I can quickly own any Commodore 64 system I might come across...
Re: (Score:2)
Re: (Score:2)
It's easier in windows for the same reason everything is easier in windows. There is a metric shit ton of hacking tools designed to hack that specific platform. Just off the top of my head I can think of at least three 'password recovery' floppy/CD images for windows that will just boot up and reset or grab the password off a windows machine, and I don't have to know how to do anything more than insert the disk and press the power button. I'm sure disks like this have been or will be made for any OS, but
Re:Interesting contrast I notice here (Score:5, Interesting)
What's interesting is how every time Apple screws something up or does something unpopular, some clever guy pops in to post the requisite "now if this were Microsoft, you'd all be up in arms" post. Never mind the same comment has been posted eleventy billion times before on this blog for more than 10 years.
Case in point: the iCon 'book banning' story [slashdot.org] from 6 1/2 years ago, where publishing house Wiley had their books pulled after they wrote what Jobs obviously viewed as an unflattering biography:
Or:
Never mind the many highly rated comments suggesting Jobs back off [slashdot.org], recounting how Jobs screwed Woz [slashdot.org] over a petty amount of money, or calling Jobs an unbelievable asshole [slashdot.org].
So clever.
Linux and Windows are just as bad. (Score:3, Insightful)
Re: (Score:2)
You'll never get anywhere on Slashdot with that kind of measured attitude.
Re: (Score:2, Insightful)
I quote you. /Search/Users/. I tested it on two Lion installs, and it did not work (well it actually asked for current password, as it should do). At the same time, dscl localhost -read /Search/Users/ | grep ShadowHashData returns 0 bytes, on build 11C62.
It is interesting, though, that not all of us succeed in changing current user's password with dscl localhost -passwd
This somehow makes the anti-Apple FUD theory a lil bit stronger, IMHO. Before blindly quoting what people write on their blog, sometime doi
Re: (Score:2)
e.g.
dscl localhost -passwd
Replace bob with the username of your current logged in user.
Re: (Score:2)
You aren't talking about 'breaking the password'.
You're talking about wiping it out or resetting it, which is far different than cracking it.
Re: (Score:2)
Re: (Score:2)
You're right, any OS by definition has the same problem -- if passwords are stored hashed on the machine and the attacker has physical access, it's game over. But there is a difference here: from what I'm reading, the OS X attacker does not require physical access. So on Linux and Windows, the two ways to get the password hashes is if you are a) the root user, or b) have physical access (boot into a Live CD, etc). On OS X, this exploit can apparently be performed by a non-root user, which means any hacker t
Re: (Score:2)
You're welcome to take a shot at mine. First step: get past the BitLocker drive encryption. Even if you guess the PIN you still can't boot anything but the installed OS - if you want to boot another OS you either have to first log into Windows and suspend the BitLocker protection, enter a ridiculously long recovery key, or have the full hard drive be encrypted. The last case isn't terribly useful for your goal, unless your plan is to wipe the OS entirely and install a new one on there.
Well there's your problem... (Score:2)
Re: (Score:2)
I just checked, dscl is not a daemon and the suid bit is also not set. This issue seems to be at a lower level.
Re: (Score:2)
I just checked, dscl is not a daemon
Correct - as man dscl will tell you, it's the "Directory Service command line utility".
While it's possible... (Score:5, Interesting)
Either it's already been patched, as I'm running the developer builds of 10.7.2, or there's an issue in his particular setup vs. a normal install that's allowing this to happen.
Stepping through the information on his own blog at: http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html [defenceindepth.net]
When performing his "dscl localhost -read /Search/Users/" I do NOT get the dsAttrTypeNative:ShadowHashData result UNLESS I have root privileges through sudo. Not even for my own user.
How many ways can a system be made insecure... (Score:2)
...through an unsuspecting update or upgrade?
Face Palm (Score:2)
I knew some Australian hacked my mac (Score:3)
Re: (Score:2)
when the screen started displaying everything upside down
If only /. supported unicode, I'd have a very witty response, mate.
Doesn't Work (Score:2)
10002$ dscl localhost -passwd /Search/Users/konohitowa
New Password:
Permission denied. Please enter user's old password:
Re: (Score:1)
The only complaints would be from people incited by you deliberately trying to troll.
Could those with mod points wipe this jerk down to -1?
Re: (Score:2)
I suspect that a lot of people are sticking with Snow Leopard at the minute, for a variety of reasons.
Re: (Score:2)
Like being on a Hackintosh and being concerned that the original version of Final Cut Studio and Adobe CS3 will work and also the trouble of making the OS X drivers work with your hardware.
Re: (Score:2)
That would be one reason, yes. Using programs that require any PPC code would be another (and for some reason quite a few programs still use(d) PPC installers and plug-ins even if the actual program was all Intel. That either has or will change quickly, of course). Not liking the way Lion forces an inflexible revision system onto you is another. Personally I just don't really see the need to move from Snow Leopard.
Anyway, this is all a bit off-topic, except that Snow Leopard at least doesn't have this vulne
Re: (Score:2)
The blog post has the patch. Lower the privs:
sudo chmod 100 /usr/bin/dscl
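A way to check that a lock-down like the one above actually took effect, as an added POSIX shell example that is not from the thread or the blog post: it reads the mode column from ls -ld (portable between macOS and Linux, whose stat(1) flags differ) and reports whether group or other still have any permission bits. The demo runs on a constructed temporary file rather than on /usr/bin/dscl; pass real paths as arguments to audit those instead.

```sh
#!/bin/sh
# Added example: verify that a binary is restricted to its owner, as after
# "sudo chmod 100 /usr/bin/dscl". Assumes only ls, cut, chmod and mktemp.

# perm_string PATH: the 10-character mode column from ls -ld, e.g. "-rwxr-xr-x".
# Taking exactly 10 characters drops the "+" or "@" some systems append for ACLs.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# others_can_use PATH: exit 0 when group or other has any of r/w/x set,
# i.e. the file is still usable by someone other than its owner.
others_can_use() {
    case "$(perm_string "$1" | cut -c5-10)" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# audit PATH: print a one-line verdict; exit 0 only when the path exists and
# is locked down to its owner.
audit() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo "$p: missing"
        return 1
    fi
    m="$(perm_string "$p")"
    if others_can_use "$p"; then
        echo "$p: $m (usable by group/other)"
        return 1
    fi
    echo "$p: $m (owner only)"
    return 0
}

if [ $# -gt 0 ]; then
    # Real use: audit the paths given on the command line.
    rc=0
    for p in "$@"; do audit "$p" || rc=1; done
    exit $rc
fi

# Demo on a constructed temporary file: first world-executable, then mode 100.
demo="$(mktemp)"
chmod 755 "$demo"; audit "$demo" || :
chmod 100 "$demo"; audit "$demo" || :
rm -f "$demo"
```

Run as "sh audit.sh /usr/bin/dscl" to check the actual fix; a non-zero exit from the script means at least one path is still reachable by non-owners, which makes it easy to drop into a post-upgrade check since an OS update can restore the shipped permissions.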
Re: (Score:2)
Re: (Score:2)
You call this a tabloid? think again.