This article originally appeared in TidBITS on 2017-11-28 at 5:52 p.m.
The permanent URL for this article is: http://tidbits.com/article/17650
Include images: Off

High Sierra Bug Provides Full Root Access

by Adam C. Engst

[Update: Apple quickly released Security Update 2017-001 to fix this bug. Read our current coverage at “Apple Pushes Updates to Block the Root Vulnerability Bug [1]” (30 November 2017).]

You can expect a macOS 10.13 High Sierra update or security update in the next few days. That’s because developer Lemi Orhan Ergin has revealed a huge security vulnerability in High Sierra that anyone can exploit to gain full admin privileges and access to the root account on your Mac. 10.12 Sierra is not vulnerable to this bug, and I doubt earlier versions of OS X are either.

[image link] [2]

Many people have confirmed Ergin’s discovery, and if you’re running High Sierra, you can check it yourself. Just open System Preferences > Security & Privacy and click the lock button at the bottom of the window. In the User Name field, enter root and leave the password field blank. Press Return or click the Unlock button a few times — I’ve seen it both accept on the first try and require a couple of additional tries. But it will unlock eventually.

[image link] [3]

That’s not all. If your Mac displays the name and password fields on the login window, instead of a list of users, you can also log into the entire Mac as root, without a password. If you do that, High Sierra promptly sets up a new account called System Administrator and a home folder located in /private/var/root. That is the full Unix root account, which has superuser privileges that enable it to see and modify any file in any account.

Wait, it gets worse. I’ve confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences > Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, the outside world. I did this from a guest account on my MacBook Air and ended up at a login window on my iMac, from which I was able to click the Other button, enter root and no password in the appropriate fields, and create a root user account on my iMac.

[image link] [4]

The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in better shape, since High Sierra won’t let someone log into the root account at the login window.

The reason this shouldn’t work is that the root user isn’t supposed to be enabled. The workaround is to change the root password, which requires a few steps:

  1. Activate Spotlight by clicking the magnifying glass in the right corner of the menu bar or pressing Command-Space.

  2. Enter Directory Utility and press Return to launch it. (If you want to navigate to it manually, it’s in /System/Library/CoreServices/Applications.)

  3. Click the lock icon in Directory Utility’s window and authenticate. Yes, using root with no password works here too.

  4. [image link] [5]

  5. Choose Edit > Change Root Password and enter a new, non-trivial password. If Change Root Password is grayed out, you may have to choose Edit > Enable Root User first. In another lapse, Directory Utility lets you set the root password to blank — just leave both fields empty and click OK. Apple should at least prompt here to make sure that’s what you want.

  6. [image link] [6]

  7. If you don’t need remote access, consider disabling Screen Sharing or Remote Management in the Sharing preference pane as well.

Apple has said it’s working on a fix [7], so setting a root password should be sufficient protection for now.

[1]: http://tidbits.com/article/17655
[2]: http://tidbits.com/resources/2017-11/Root-bug-tweet.png
[3]: http://tidbits.com/resources/2017-11/Root-access-to-Security-prefs.png
[4]: http://tidbits.com/resources/2017-11/Root-access-via-Screen-Sharing.png
[5]: http://tidbits.com/resources/2017-11/Directory-Utility-authenticate.png
[6]: http://tidbits.com/resources/2017-11/Directory-Utility-Change-Root-Password.png
[7]: http://www.loopinsight.com/2017/11/28/apple-working-to-fix-root-password-issue/