Apple password gaffe revealed by Adelaide Uni researcher

By on
Apple password gaffe revealed by Adelaide Uni researcher

An Adelaide security researcher has blown the lid on an explosive Apple OS Lion flaw that allows passwords to be accessed and changed by anyone.

The flaw exists in the way passwords are stored and accessed as encrypted shadow files.

These files are accessible due to flaws in the file permission structure that is designed to allow only authorised local users and administrators access to the shadow files.

But the oversight allows anyone to skirt the permissions by looking up password hashes for all users that were stored in directory services.

Passwords can then be brute forced, or simply changed.

Security researcher Patrick Dunstan, a senior security information specialist at the University of Adelaide revealed on his Defence in Depth blog that the flaw allows OS X user password hashes and salts to be parsed.

“It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked,” Dunstan said.

“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user… or at least it should be.

“Obtain the user's GeneratedUID and then use that ID to extract hashes from a specific user's shadow file.”

The holes go beyond vulnerabilities revealed by Dunstan in 2009 that allowed passwords to be cracked only via administrative accounts on pre- OS X 10.7 systems.

Dunstan created a Python script to assist in cracking the SHA512 + 4-byte salt OS X Lion hashes.

He said users can mitigate the attacks by limiting standard access to the command line DSCL utility using:

$ sudo chmod 100 /usr/bin/dscl

Sophos senior consultant Chester Wisniewski recommened users change passwords, enable a screensaver password prompt, and disable automatic logon.

He said the capability to change passwords was "particularly dangerous" if Apple's FileVault 2 disk encryption was used.

"If your Mac were left unlocked and someone changed your password, you would no longer be able to boot your computer and potentially would lose access to all of your data."

More information is available on Dunstan's blog.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
apple exploits hacking mac os x passwords security vulnerabilities

Partner Content

Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Kaseya Dattocon APAC 2024 is Back
Kaseya Dattocon APAC 2024 is Back
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
Ingram Micro Ushers in the Age of Ultra
Ingram Micro Ushers in the Age of Ultra

Sponsored Whitepapers

Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
Pulseway Essential Eight Framework
7 Best Practices For Implementing Human Risk Management
7 Best Practices For Implementing Human Risk Management
2025 State of Machine Identity Security Report
2025 State of Machine Identity Security Report

Events

techpartner.news MSP index - Brisbane
techpartner.news MSP index - Brisbane
techpartner.news Channel Leader List / Golf day
techpartner.news Channel Leader List / Golf day
techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025

Most read articles

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services
Vic gov to spend $100m on cyber security

Vic gov to spend $100m on cyber security
MSPs pressed to review ransomware response as new reporting rules commence

MSPs pressed to review ransomware response as new reporting rules commence
Tech Research Asia to present Australian IT M&A report

Tech Research Asia to present Australian IT M&A report

Log in

Email:
Password:
  |  Forgot your password?