UPDATE, 11/29/17: Apple has issued an update that removes the bug from High Sierra.
The original story can be found below.
A new flaw discovered in Apple’s MacOS gives users a remarkably easy way to gain root access on machines.
The bug, discovered Tuesday, allows people to bypass administrative accounts when trying to access various system preferences, such as network or privacy settings. When prompted to enter administrator credentials, a user can enter the username “root,” leave the password blank, and be granted access to the locked menus. The bug only activates after users attempt to sign in via the “root” name multiple times.
Lemi Orhan Emrin, a Turkish software engineer, first announced the bug in a tweet on Tuesday.
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
CyberScoop editors reproduced the bug multiple times on their machines. Multiple security researchers CyberScoop reached out to also were able to replicate the bug on machines running High Sierra.
In order to exploit the bug, a user would need to have physical access to the machine. Multiple researchers told CyberScoop that until Apple patches the bug, users could set a password for an account named “root.”
“The only silver lining here is that thus far this appears to require local access to the system, so hackers across the world won’t be using it to break down your door,” said Ben Johnson, CTO of California-based Obsidian Security. “Still, anyone with a Mac needs to keep an eye on soon forthcoming updates and patches.”
It’s unknown if the bug exists on previous versions of MacOS.
The flaw is similar to one Apple patched earlier this year: If a user set up a password hint while creating an encrypted volume in Apple’s File System, the password itself was stored as the hint.
Apple released a statement Tuesday, saying it will issue a software update to remove the bug.
UPDATE: Shortly after this story published, Fidelis researcher John Bambenek confirmed that the root/no password combination could be used to access machines running High Sierra through Apple’s native screen sharing client.
I’ve verified that the High Sierra mac bug that creates passwordless root account works, that it can be used to acces VNC if screen sharing is turned on, and have pieces of a rudimentary exploit you could start phishing people with.
— John Bambenek (@bambenek) November 28, 2017
CyberScoop was able to replicate this sort of attack with a free VNC client and a local IP address.
According to a search on Shodan, there are over 84,000 machines openly running Apple’s native screen sharing app.
To turn it off: Go to “System Preferences” and select “Sharing” (its icon is blue folder with a yellow warning sign). In the left-hand column, turn screen sharing off by clicking the check mark next to “screen sharing.”