macOS Zero-Day Allows Root Login With No Password
Update 11/29/17: Apple has released an urgent security update patching this vulnerability. Please patch immediately through the App Store if you have a Mac with 10.13.1 High Sierra. See this Apple support article for more information about the patch.
A recently disclosed vulnerability, revealed a few hours ago on Twitter, allows anyone with unprivileged login access to gain root privileges on a Mac running macOS 10.13 High Sierra. The bug does not appear to affect versions of macOS released before High Sierra (e.g. 10.12 Sierra, 10.11 El Capitan, etc.).
Exploitation of the bug is dangerously simple. Normally, protected system settings in macOS can only be “unlocked” by clicking on the padlock icon and entering an administrator’s username and password, as shown below:
However, if you enter “root” as the username and leave the password field blank, an unpatched build of macOS High Sierra will eventually unlock the System Preferences pane after a few failed login attempts. In testing, two to three failed authentication attempts as root were enough to trigger the bug.
Scarily enough, once the exploit has been performed, the root account can be used at the login screen like any other macOS account. Simply clicking “Other User” and entering “root” as the username with no password grants a full macOS session with root privileges, capable of modifying system settings, removing and installing software, and viewing all files with no restrictions. It also appears that the exploit can be used remotely if remote access is enabled, removing the need for an attacker to be physically present at the affected Mac.
Behind the Scenes
As mentioned on Twitter, it appears that the failed login attempt enables the built-in root user account but does not set a password for it. Anyone on the system can then use the newly activated, passwordless account to gain root privileges.
Apple has released an urgent security update patching this vulnerability. Please patch immediately through the App Store if you have a Mac with 10.13.1 High Sierra. The patch will appear as “Security Update 2017-001”.
Original Response (11/28/17)
Until Apple releases a fix for the bug, the only current solution is to enable the root user yourself and set a password for it. This prevents exploitation of the bug, since the root user will not be re-enabled with a blank password once it has already been set up with one.
To enable the root user and change the password, go to System Preferences > Users & Groups > Login Options and click “Join” next to “Network Account Server”. In the popup that opens, click “Open Directory Utility” and click “Edit” in the menu bar at the top. From the dropdown menu, select “Enable Root User” and then “Change Root Password”. Directory Utility can also be opened directly from Spotlight.
Important: Simply disabling the root user does not fix the bug, since the account can be enabled again with a blank password by repeating the failed login attempts. Setting a root password is the only mitigation at this point. Ed: see above for the official patch.
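The same mitigation from the command line, as an added example that is not part of the original post and not Apple's own tooling: a script that reports whether the built-in root account is currently enabled and then sets a root password with `dsenableroot`. It assumes the macOS tools `dscl(1)` and `dsenableroot(8)` are available, and it assumes (as observed on High Sierra) that a disabled root account has no `AuthenticationAuthority` attribute while an enabled one carries a `;ShadowHash;` entry; the sample outputs in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a command-line equivalent of
# the Directory Utility steps above, suitable for a management script.
# Assumptions: dscl(1) and dsenableroot(8) are present, and a disabled root
# account has no AuthenticationAuthority attribute (High Sierra behaviour).

# classify_root_state: reads the output of
#   dscl . -read /Users/root AuthenticationAuthority 2>&1
# on stdin and prints "disabled" or "enabled".
classify_root_state() {
  if grep -q 'No such key'; then
    echo disabled
  else
    echo enabled
  fi
}

# root_state: runs the real query on this Mac.
root_state() {
  dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_state
}

# Constructed samples of the two outputs, used to exercise the classifier
# without touching a live directory.
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# apply_mitigation: enable root (if it is not already) and set its password.
# dsenableroot does both in one step; when -u/-p/-r are not given it prompts
# for an admin account, that account's password and the new root password,
# which keeps the passwords out of `ps` output and shell history.
# Do NOT probe for the blank password with an authentication attempt such as
# `dscl . -authonly root ""`: on an unpatched Mac that attempt is exactly what
# enables the account. Likewise `dsenableroot -d` (disable) is not a fix, as
# the post notes; the account just gets re-enabled by the next attempt.
apply_mitigation() {
  echo "root account is currently: $(root_state)"
  dsenableroot
  echo "root account is now: $(root_state), with the password you just set"
}

# Show the classifier on the constructed samples, then apply on request.
printf '%s\n' "$SAMPLE_DISABLED" | classify_root_state   # disabled
printf '%s\n' "$SAMPLE_ENABLED"  | classify_root_state   # enabled
if [ "${1:-}" = "--apply" ]; then
  apply_mitigation
fi
```

Run it as `sh root-mitigation.sh` to see only the state check and the sample classification, and as `sh root-mitigation.sh --apply` on an affected Mac to set the root password interactively. Once Apple's Security Update 2017-001 is installed the password is no longer needed for protection, but a root account you enabled this way stays enabled until you disable it.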
- The Register: Pro tip: You can log into macOS High Sierra as root with no password
- MacRumors: Here’s How to Temporarily Fix the macOS High Sierra Bug
- The Verge: Major Apple security flaw grants admin access on macOS High Sierra without password
- How-To Geek: Huge macOS Bug Allows Root Login Without a Password. Here’s the Fix