Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
An Adelaide security researcher has blown the lid on an explosive Apple OS Lion flaw that allows passwords to be accessed and changed by anyone.
The flaw exists in the way passwords are stored and accessed as encrypted shadow files.
These files are accessible due to flaws in the file permission structure that is designed to allow only authorised local users and administrators access to the shadow files.
But the oversight allows anyone to skirt the permissions by looking up password hashes for all users that were stored in directory services.
Passwords can then be brute forced, or simply changed.
Security researcher Patrick Dunstan, a senior security information specialist at the University of Adelaide revealed on his Defence in Depth blog that the flaw allows OS X user password hashes and salts to be parsed.
“It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked,” Dunstan said.
“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user… or at least it should be.
“Obtain the user's GeneratedUID and then use that ID to extract hashes from a specific user's shadow file.”
The holes go beyond vulnerabilities revealed by Dunstan in 2009 that allowed passwords to be cracked only via administrative accounts on pre- OS X 10.7 systems.
Dunstan created a Python script to assist in cracking the SHA512 + 4-byte salt OS X Lion hashes.
He said users can mitigate the attacks by limiting standard access to the command line DSCL utility using:
$ sudo chmod 100 /usr/bin/dscl
$ sudo chmod 100 /usr/bin/dscl
Sophos senior consultant Chester Wisniewski recommened users change passwords, enable a screensaver password prompt, and disable automatic logon.
He said the capability to change passwords was "particularly dangerous" if Apple's FileVault 2 disk encryption was used.
"If your Mac were left unlocked and someone changed your password, you would no longer be able to boot your computer and potentially would lose access to all of your data."
More information is available on Dunstan's blog.
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.