Topic: Anyone can unlock your Mac by typing "root"
robcat2075

« on: Nov 28, 2017, 05:09PM »

Unbelievable oversight or most unhidden backdoor ever?

Anyone Can Hack MacOS High Sierra Just by Typing "Root"

Quote
Anyone who hits a prompt in High Sierra asking for a username and password before logging into a machine with multiple users, they can simply type "root" as a username, leave the password field blank, click "unlock" twice, and immediately gain full access.

In other words, the bug allows any rogue user that gets the slightest foothold on a target computer to gain the deepest level of access to a computer, known as "root" privileges.

Quote
...however—and other researchers confirm—that it's possible to block the attack by either setting a password for the root user, or disabling root access altogether. If you've installed High Sierra and haven't set a root password or disabled root access, you should do it now.

Robert Holmén

Hear me as I Play My Horn


Matt K

« Reply #1 on: Nov 28, 2017, 10:30PM »

Interesting. Mac is a UNIX and that's *sort of* the standard for other UNIX machines. Except when you set up those operating systems, normally you are required to set a password for root and cannot continue unless you set one or go through a mildly tedious process to disable the password. I've never even tried to not set a root password on any machine I've set up, but I imagine if you went through the process, you'd end up with a 'null' password, and have the same 'bug' even though it is technically intended in that circumstance.

What's in a name? that which we call a tenor-bass posaune
By any other name would smell as sweet;
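
Added example, not part of any post in this thread: the 'null' password case described in the reply above, shown as an audit of shadow(5)-format entries as used on Linux and other UNIX hosts (macOS keeps account records in its directory service rather than in this file). The sample entries, account names and placeholder hashes are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in shadow(5) format: name:password-field:aging fields...
# The hash values are placeholders, not real hashes.
SAMPLE_SHADOW='root::17498:0:99999:7:::
daemon:*:17498:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17498:0:99999:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17498:0:99999:7:::
svc:!:17498:0:99999:7:::'

# classify_shadow (hypothetical helper): reads shadow-format lines on stdin
# and prints "<account> <state>" for each entry.
classify_shadow() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        NF < 2 { print $1, "malformed"; next }  # no password field at all
        {
            first = substr($2, 1, 1)
            if ($2 == "")                          state = "empty"   # no password required
            else if (first == "!" || first == "*") state = "locked"  # password login disabled
            else if (first == "$")                 state = "hashed"  # crypt(3) hash present
            else                                   state = "other"   # legacy or unknown format
            print $1, state
        }'
}

# empty_password_accounts: names of accounts whose password field is empty.
empty_password_accounts() {
    classify_shadow | awk '$2 == "empty" { print $1 }'
}

# root_is_exposed: exit status 0 when root has an empty password field.
root_is_exposed() {
    empty_password_accounts | grep -qx root
}

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
if printf '%s\n' "$SAMPLE_SHADOW" | root_is_exposed; then
    echo "root has an empty password field: set a password or lock the account"
fi
```

On a real host the same functions can read the live file, for example `sudo cat /etc/shadow | classify_shadow`.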
RabidDolphin
« Reply #2 on: Nov 30, 2017, 02:38PM »

It's already patched.
M.R.Tenor

« Reply #3 on: Dec 02, 2017, 05:49PM »

Quote
It's already patched.

If everyone's done the updates...
Todd Jonz
« Reply #4 on: Dec 03, 2017, 06:16AM »


sudo passwd root

Have you registered at TromboneChat.com yet?
SilverBone
« Reply #5 on: Dec 03, 2017, 10:08PM »

Quote
sudo passwd root

Nooooooooooooo.............

sudo is supposed to be a secret reserved for computer high priests.

 Evil

-Howard

The nastiest fellow I've known
Smashed his trombone and ruined its tone.
There's a simple excuse
For his slush pump abuse:
He was born to be bad to the bone.
Todd Jonz
« Reply #6 on: Dec 04, 2017, 07:59AM »


robcat2075 writes:

> Unbelievable oversight or most unhidden backdoor ever?

Apple reached new heights of sheer sloppiness last week.  I suspect there were some personnel changes in Apple's release management group.  Let's review:

1. A bad macOS release goes out allowing anyone to login as root without a password.

2.  Apple releases a patch without adequate testing and unwisely decides to have Software Update install it on customer devices without user intervention.  The patch fixes the root login problem but breaks File Sharing.  Apple develops and releases yet another patch.

3.  A crash loop reported by numerous iOS 11.1.x users does not appear to affect 11.2 beta testers, so Apple decides to rush 12.2 out the door.  The release notes announce the availability of Apple Pay Cash (person-to-person transfers) but it doesn't work because the backend won't be turned on for another week.

BGuttman
« Reply #7 on: Dec 04, 2017, 08:04AM »

Wonder if this applies to Linux as well...

Bruce Guttman
Solo Trombone, Hollis Town Band
Merrimack Valley Philharmonic Orch. President 2017-2018
Todd Jonz
« Reply #8 on: Dec 04, 2017, 08:30AM »


Bruce writes:

> Wonder if this applies to Linux as well.

No.

