
OSX Lion flaw allows unauthorized password changes


Users of Apple's Mac OS X Lion, beware: An apparent flaw in the operating system may allow an unauthorized change of the password - or worse, potentially lock out a legitimate user from his or her account.

Researchers at the Defense in Depth blog said Lion allows "non-root" users (those who do not have special administrative privileges) to extract password data from its Directory Services.

"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services," they said.

The blog noted root privileges are not required to extract the data, allowing all users on the system, regardless of privilege, to access the ShadowHashData attribute from any other user's profile.

Worse, the blog said Lion allows a user to "just change the password directly." "It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user," it said. Entering the command "$ dscl localhost -passwd /Search/Users/(username)" will lead to a prompt to enter a new password, without the need to authenticate.

Computer security firm Sophos said an attacker can change the password if he or she has access to a logged-in Mac "locally, over VNC/RDC, SSH, etc."

"This is particularly dangerous if you are using Apple's new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data," Sophos' Chester Wisniewski said in a blog post.

Wisniewski advised Mac users to take the following steps at least until Apple makes a fix available:

  • Use a secure password to prevent brute force attacks against your account using stolen hashes.
  • Enable the screensaver and set it to prompt you for your password.
  • Disable automatic logon.
  • Never leave your Mac logged in and unattended. Use a "Hot Corner" or the Keychain lock to lock your screen.
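Added here as an example, not part of the article or of Sophos' advice: a POSIX shell check for two of the settings above (screensaver password prompt, automatic login). The live values are read with `defaults` on a Mac; the verdict logic is a separate function so it can be exercised with constructed values. The preference keys `com.apple.screensaver askForPassword` and `com.apple.loginwindow autoLoginUser` are assumed from macOS of that era.

```shell
#!/bin/sh
# Added example, not from the article: audit two Lion hardening settings.
# check_lion_hardening takes the raw preference values so it runs anywhere;
# audit_this_mac reads them with `defaults` on macOS (assumed keys).

# $1: com.apple.screensaver askForPassword ("1" = prompt for password)
# $2: com.apple.loginwindow autoLoginUser (empty = automatic login disabled)
# Returns 0 when both match the advice, 1 if either needs attention.
check_lion_hardening() {
    ask="$1"
    autologin="$2"
    status=0
    if [ "$ask" != "1" ]; then
        echo "WARN: screensaver does not ask for a password (askForPassword=${ask:-unset})"
        status=1
    fi
    if [ -n "$autologin" ]; then
        echo "WARN: automatic login is enabled for user '$autologin'"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: screensaver prompts for password, automatic login disabled"
    return "$status"
}

# Read the live settings on a Mac; an absent key prints nothing (treated as unset).
audit_this_mac() {
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null)
    autologin=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)
    check_lion_hardening "$ask" "$autologin"
}
```

Run `audit_this_mac` on the machine being checked; a non-zero exit means at least one of the two settings still needs to be changed.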
— TJD, GMA News