SecureMac.com
Mac OS X Single User Mode Root Access - CodeSamurai

Foreword

There's always the constant battle between user-friendliness and security. Apple has known about this vulnerability for some time now; back in the days of OpenStep, a patch for that OS was released to fix the problem. Now is the era of Mac OS X, and even though that old OpenStep patch won't work on OS X, Apple could still easily release a similar patch, or better yet, a permanent fix that is installed by default.

It is argued that Single User Mode should grant full root privileges so that forgetful users can change their password. Yet I believe this really won't happen in practice with OS X. The average Mac user might forget his or her password, but they probably wouldn't like going into the command line interface of Single User Mode. Rather, they'd boot from the Install CD and reset their password from within the nice, eye-pleasing Aqua GUI. Besides, the sysadmins and power users (who might like the CLI more than the average user does) probably won't forget their passwords and would also prefer the security advantage of not having root open like this. So I feel that being able to reset the password in Single User Mode without knowing the password to begin with is an unnecessary risk, and unnecessary in general.

Moreover, the current granting of root privileges in Single User Mode gives the user the direct ability not only to change the password, but to dump the password hash and crack it. Somebody could easily obtain the administrative password that way, gaining administrative privileges without generating anything that would alert the sysadmins to a breach. If instead somebody were forced to reset the password to gain root privileges (as the Install CD does), the fact that the administrative password had changed would be a tip-off to the sysadmins that somebody had breached their system.

In conclusion, Apple should work something out to make the Single User Mode require the root or administrative password before granting access into root. Furthermore, the Install CD should be the only method to reset the passwords without knowing the passwords to begin with.


Situation

Somebody is at a Mac running Mac OS X and has completely forgotten the user and/or administrative account password on it (or, even worse, never had an account to begin with and is trying to hack the system), so they can't just log in at the login screen. If the machine has a keyboard attached and those keys can be pressed, here's how someone can get root access with just a couple of taps of the keyboard and maybe the scribble of a pen.


Vulnerability

Single User Mode under Mac OS X gives root access privileges without requiring the root password. (Note: Single User Mode is not the vulnerability here; the vulnerability is the fact that root access is given without having to enter in any password whatsoever.)


Exploit

Step 1) Restart the computer (or turn it on if it's already off) while holding down the command and s keys at the same time. (If the computer is running Mac OS Public Beta, just press the s key.) They have root privileges at this moment, but now it's time to take advantage of these privileges.

Step 1.5) Type "/sbin/fsck -y". (Type this without the quotes, of course.) (This step really isn't necessary at all, but it only takes a second, and they might as well do a quick check of the hard disk before mounting it.)

Step 2) Type "/sbin/mount -wu /" (This mounts the volume "/" with read/write access.)

Step 3) Type "/sbin/SystemStarter" (This starts the network services, which is necessary to gain access to NetInfo.)

Step 4) Here, one could now just type "passwd root" and override the existing root password with one of their own, or, worse yet, someone could just obtain the current root password (and/or the administrative user account password) so that the administrators of that computer don't know their security has been compromised. One of the easiest ways to do this is to type "nidump passwd ." and write down the root account's password hash. (The hash is the text that looks like a garbled mess of alphanumeric characters between two colons.)

Step 5) Now one can type up what they wrote down into a plain text file like the following example: "root:rQkFQ37SYveHw:0:0::0:0:System Administrator:/var/root:/bin/tcsh".

Step 6) Finally, they'll use a cracking program like John the Ripper for the PC, or Meltino, a Classic Macintosh application, to crack the password hash.

And when it's finally cracked, they've got the password!
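The line in Step 5 is in the ten-field BSD passwd format (name, password hash, UID, GID, class, change, expire, GECOS, home, shell) that nidump emits. The following shell script is an added example, not part of the original article and not SecureIt's code, that an administrator can run over a copy of their own dump to spot the two things the scenario above turns on: extra accounts with UID 0, and 13-character traditional crypt(3) hashes, the weakest format to leave exposed. The sample lines, including every hash value and the "toor" and "admin" accounts, are constructed for illustration and are not real secrets.

```shell
#!/bin/sh
# Added example, not from the SecureMac article: audit a passwd-format dump
# (such as a saved copy of "nidump passwd ." output) for accounts that carry
# root privileges and for weak legacy password hashes.
#
# Field layout of each line (BSD passwd, as shown in the article):
#   name:hash:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample input. The hashes are illustrative, not real secrets.
SAMPLE_PASSWD='root:rQkFQ37SYveHw:0:0::0:0:System Administrator:/var/root:/bin/tcsh
daemon:*:1:1::0:0:System Services:/var/root:/dev/null
admin:$1$saltsalt$aBcDeFgHiJkLmNoPqRsTu1:501:20::0:0:Admin User:/Users/admin:/bin/tcsh
toor:rQkFQ37SYveHw:0:0::0:0:Second Root:/var/root:/bin/sh'

# Print the name of every account whose UID is 0. Any such account is root
# in all but name, so there should normally be exactly one: "root".
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == "0" { print $1 }'
}

# Print "name:class" for each account, classifying the hash field as
#   locked - "*", empty, or starting with "!" (no password login possible)
#   des    - 13-character traditional crypt(3) hash, cheap to crack offline
#   other  - any other scheme (for example a "$1$..." MD5 crypt hash)
classify_hashes() {
    printf '%s\n' "$1" | awk -F: '
        {
            h = $2
            if (h == "" || h == "*" || h ~ /^!/)       c = "locked"
            else if (length(h) == 13 && h !~ /^\$/)    c = "des"
            else                                       c = "other"
            print $1 ":" c
        }'
}

# Print every account that both has UID 0 and still carries a DES hash:
# the combination the dump-and-crack scenario above relies on.
weak_root_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $3 == "0" && length($2) == 13 && $2 !~ /^\$/ { print $1 }'
}

# Stand-alone usage: report on the constructed sample.
echo "UID 0 accounts:"
uid0_accounts "$SAMPLE_PASSWD"
echo "Hash classes:"
classify_hashes "$SAMPLE_PASSWD"
echo "UID 0 accounts with DES hashes:"
weak_root_accounts "$SAMPLE_PASSWD"
```

On the constructed sample the script reports two UID-0 accounts (root and toor) and classifies both of their hashes as DES, which is exactly the finding that should prompt an administrator to remove the extra root account, move to a stronger hash scheme where the system supports one, and put a password on Single User Mode as described in the Solution below.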


Solution

A good makeshift fix for this can be found at http://users.ez-net.com/~jasonb/secureit.html.
(Version 1.05 of SecureIt has been verified to work under Mac OS X Build 4K78)

Step 1) Download the file: http://users.ez-net.com/~jasonb/secureit.tar.gz

Step 2) Open a terminal window, type "su", and type in the root password when prompted.

Step 3) Go to the directory where you downloaded the secureit.tar.gz file, and type "tar xvzf secureit.tar.gz".

Step 4) Type "cd secureit1_05" and then type "./install".

Step 5) You should now be prompted to type in the password that will be required for you to boot up into single user mode. This password does not have to be the same as your root password or any other password you might have, so you can be newly creative for this password.


Links

Information about NetInfo

The SecureIt 1.05 FAQ



All material (c) 2014 SecureMac.com and respected owners