macOS Zero-Day Allows Root Login With No Password

Updated January 11, 2021 Posted by Arnon Erba in News on November 28, 2017.

Update 11/29/17: Apple has released an urgent security update patching this vulnerability. Please patch immediately through the App Store if you have a Mac with 10.13.1 High Sierra. See this Apple support article for more information about the patch.

A recently disclosed vulnerability, revealed a few hours ago on Twitter, allows anyone with unprivileged login access to gain root privileges on a Mac running MacOS 10.13 High Sierra. The bug does not appear to affect versions of MacOS released before High Sierra (e.g. 10.12 Sierra, 10.11 El Capitan, etc.).

Exploitation

Exploitation of the bug is dangerously simple. Normally, protected system settings in MacOS can only be “unlocked” by clicking on the padlock icon and entering an administrator password, as shown below:

However, if you enter “root” as the username and leave the password field blank, the current build of MacOS High Sierra will eventually unlock the System Preferences window after a few failed login attempts. In testing, it required two to three failed authentication attempts as root to trigger the bug.

Scarily enough, once the exploit has been performed, the root account can be used at the login screen as a normal MacOS account. Simply clicking “Other User” and entering “root” as the username with no password grants a full MacOS session with root privileges that is capable of modifying system settings, removing and installing software, and viewing all files with no restrictions. It also appears that the exploit can be used remotely if remote access is enabled, removing the need for an attacker to be physically present at the affected Mac.

Behind the Scenes

As mentioned on Twitter, it appears that the exploit enables the built-in root user account but does not set a password for it. This enables anyone on the system to use this newly activated account to gain root privileges.

Mitigation

Update (11/29/17)

Apple has released an urgent security update patching this vulnerability. Please patch immediately through the App Store if you have a Mac with 10.13.1 High Sierra. The patch will appear as “Security Update 2017-001”.

Original Response (11/28/17)

Until Apple releases a fix for the bug, the only current solution is to enable the root user yourself and set a password for it. This prevents exploitation of bug since the root user will not be re-enabled once it has already been set up.

To enable the root user and change the password, go to System Preferences > Users & Groups > Login Options and click “Join” next to “Network Account Server”. In the popup that opens, click “Open Directory Utility” and click “Edit” in the menu bar at the top. From the dropdown menu, select “Enable Root User” and then “Change Root Password”. Directory Utility can also be opened directly from Spotlight.

Important: Simply disabling the root user does not fix the bug, since it can be exploited again to re-enable the account with a blank password. Changing the root password is the only mitigation at this point. Ed: see above for the official patch.