  • News - Written by on Monday, September 26, 2011 12:36 - 29 Comments

    Aussie researcher cracks OS X Lion passwords

    news An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino’s latest Mac OS X Lion operating system.

    According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.

    In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. However, this time around he discovered a startling new fact with respect to Lion’s security protection — according to the researcher it leaves a crucial step out which could allow remote access to user passwords on the system.

    In previous versions of Mac OS X, in order to access a user’s password, an attacker would need to break into what is referred to in Unix-based operating systems (such as Mac OS X) as a ‘shadow’ file — a file which stores critical data but can only be accessed by users with a high privilege, such as root access.

    “So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”

    This means, according to the researcher, that it might be possible for an attacker to crack a user’s Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible.

    Dunstan noted that, no doubt because Lion has only been available for a relatively short time, he could not find any major cracking software supporting the ability to crack the operating system’s encrypted passwords — but he has published a simple script which allows users to do so. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system by setting different permissions on a certain file.
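    The crux of the report is that a per-user hash database must not be readable by anyone but root, and that the interim workaround is a permission change. The following audit script is an added example, not Dunstan’s script or anything from the original post; the article does not name the file Lion uses, so the script takes a directory to audit as an argument and demonstrates itself on a constructed temporary tree.

```shell
#!/bin/sh
# Added example (not from the article): audit a credential/hash store for files
# that a non-owner could read, and apply the permission-tightening workaround.
# The path to audit is an argument; no real macOS path is assumed here.

# Print every regular file under $1 whose mode grants read to group or others.
# -perm -040 = group read bit set, -perm -004 = other read bit set (GNU and BSD find).
world_or_group_readable() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null | sort
}

# Return 0 if nothing under $1 is readable by non-owners, 1 otherwise (listing offenders).
audit_hash_store() {
    leaks=$(world_or_group_readable "$1")
    if [ -n "$leaks" ]; then
        printf 'readable by non-owner:\n%s\n' "$leaks"
        return 1
    fi
    return 0
}

# The workaround described in the article, generalised: strip group/other access
# from the whole store so only its owner (root, for a real shadow store) can read it.
lock_down_hash_store() {
    chmod -R go-rwx "$1"
}

# Constructed demo tree standing in for a per-user hash database (not Lion's real layout).
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/users"
printf 'constructed:salt:hash\n' > "$demo_tree/users/alice.plist"
chmod 644 "$demo_tree/users/alice.plist"    # weak: any local user can read the hash

if audit_hash_store "$demo_tree"; then echo "before fix: clean"; else echo "before fix: LEAK"; fi
lock_down_hash_store "$demo_tree"
if audit_hash_store "$demo_tree"; then echo "after fix: clean"; else echo "after fix: LEAK"; fi
rm -rf "$demo_tree"
```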

    The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the appearance of heightened security on the Apple platform, ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications, to the relative dominance of Windows in the desktop PC market.

    However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the platform’s growing popularity and use on mobile devices such as iPhone and iPads.

    As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user. However, what Dunstan’s blog post demonstrates is that Mac OS X is not inherently safe from security problems. They do exist on the Mac, and I’m sure we’ll see more of them as time goes on, especially aimed at devices such as iPads.

    Image credit: Apple


    1. Posted 27/09/2011 at 12:01 am | Permalink |

      It seems they have more hipster user interface folks working at Apple than security folks because security is the core at most UNIX operating systems. Seems like the hipsters have gutted UNIX because they didn’t understand it and built a stinking dog pile mess then sold it as “Macs don’t get viruses” but ask Charlie Miller who pwns a Mac each time he gets his hands on it.

      • Posted 27/09/2011 at 12:10 am | Permalink |

        Anyone can break any system if they “get their hands on it.” Nice try, though.

        • Posted 27/09/2011 at 10:47 pm | Permalink |

          Yeah but not every product is marketed with billions of dollars of advertisements and false sense of security such as “Macs don’t get viruses”. $10 says you wrote that comment on an iPad but wait until the iPad 4 comes out with DUAL SCREENS!!!

      • Anonymous
        Posted 27/09/2011 at 12:41 pm | Permalink |

        Wow, you managed to use “hipster” twice when writing a post about Apple. I’m impressed!

        Can you manage to work it into something about Microsoft or AT&T for double points?

    2. Anonymous
      Posted 27/09/2011 at 12:17 am | Permalink |

      There are a lot of if’s before an attacker can actually get to your password. By the time it is actually cracked (I hope the article headline is fixed), Apple will have time to address the issue through a security fix. One thing for sure, this exploit is not obvious.

    3. Posted 27/09/2011 at 12:41 am | Permalink |

      Lots of FUD, very little substance. Finding the hash file isn’t the same as “cracking”.

      • Jon Do
        Posted 27/09/2011 at 1:09 am | Permalink |

        Nah, the guy reverses the hash system so that he can brute force it. It’s not cracking the passwords, but it enables it.

      • Posted 27/09/2011 at 3:08 am | Permalink |

        You need to find the hash file, in order to have something to crack. If you don’t know what you are talking about, maybe you should refrain from posting about FUD.

        • Posted 27/09/2011 at 5:43 am | Permalink |

          See, the problem is: the article says he cracked them. So until he does, and can reproduce it, it’s FUD. On my Lion box the permissions in question remain tight. Only root has access to the Default tree mentioned in the post.

          The only way I can duplicate the methods mentioned in the article are by assuming a root shell manually, or using sudo. So not only is the cracking thing misleading, but so is the methodology he’s depicting. The comments seem to show others having similar responses.

          So the point still stands. FUD, link-bait, however you want to describe it.

          • Posted 27/09/2011 at 5:48 am | Permalink |

            If you get the contents of the shadow file, cracking the password of that user is simply a matter of clock cycles.
            As I described here: http://www.appfail.com/read/55/WebCT-fails-at-password-hashing/ it is quite trivial to crack a password hash once it is exposed. We saw this happen when Gawker’s database was compromised: with a database containing all of the users, email addresses and hashed passwords, the attackers were able to crack 1000s of passwords in a matter of days. This is a serious flaw, it just takes a bit of understanding. The research is valid, the reporting may be a little off, but that does not make this FUD at all. If you don’t understand hashing, read this: http://geekrt.com/read/91/What-is-a-Hash/

            • Posted 27/09/2011 at 5:53 am | Permalink |

              Except that nobody but him seems to be able to duplicate it. As I pointed out, I can’t. The permissions on my machine appear to be such that it is secure (or at least not suffering from the same vulnerability), insofar as I can test (I’m not foolish enough to say anything is for certain).

              I tend to take ANY of these kinds of announcements with a truckload of salt, simply because 9 times out of 10 they end up being attention grabs based on soft data or misinterpreted results. This is especially true when the announcements revolve around Macs, because of the collective dementia that is induced anytime Mac vs PC security is brought up.

              • PeterA
                Posted 27/09/2011 at 12:41 pm | Permalink |

                Many people on his blog reported they could reproduce it.
                Many others misunderstood his comment about changing passwords and couldn’t replicate it.

                What you can do: with a non-authenticated user you can get the password hash.
                (this is step 1 for cracking a password – ie the getting the thing to crack)

                What you can also do is change the password of the current user without knowing the current user’s password.
                Many people misunderstood his statement to mean you could change ANY user’s password at ANY time.
                You can’t; you can only change the *current* user’s password (WITHOUT sudo and WITHOUT their old password).

              • Posted 28/09/2011 at 1:40 am | Permalink |

                As PeterA is saying, when you are dealing with access to the password database, you always have two options. 1) take the hashed password, go away, crack it, and return with the known password and compromise the system. 2) overwrite the hash with a new one for a known password, and compromise the system. The disadvantage to the second option is that it becomes immediately obvious to the user that they have been compromised, because their old password no longer works. Of course, after you have gotten into the system, you could add yourself a separate user account, and return the original password to the compromised account.

              • Posted 28/09/2011 at 1:52 am | Permalink |

                The bottom line is that the article is misinterpreting and misrepresenting what has happened. The article implies that you can RETRIEVE a user’s password. Not just change it. If I change a user’s password on one system, great. I can now run amok on that system, and that’s bad. If I can REVERSE the salted hash, I can potentially get access to many more systems, if the user uses the same password in multiple locations.

                The former situation is bad for the Everyman. The latter is incredibly bad for network managers, system admins, etc.

                I don’t contest that what the BLOG POST reports is bad. But the RE-Reporting being done here is disingenuous link bait, plain and simple.

    4. Posted 27/09/2011 at 12:43 am | Permalink |

      He found a way to get the hash/salt data. The password then still needs to be cracked with brute force. Which is very hard. The title of this article is kinda misleading.

      • Posted 27/09/2011 at 3:06 am | Permalink |

        It really isn’t that hard. And with GPU-powered password cracking, it is remarkably fast. I happen to own a cluster of GPUs that I use for bitcoin mining, but I could easily redirect that effort to cracking billions of password combinations per second.

        • jtc
          Posted 28/09/2011 at 12:17 am | Permalink |

          And how will you copy the shadow file off of any (OS X Lion) computer you desire to your fancy GPU cluster for cracking, pray tell?

          Any issue here is a “local” weakness. Your fancy GPU on the other side of the world is neutered.

          So you need Physical Access (e.g. get on a plane to go and physically interact with your chosen OS X Lion machine), or allegedly trick the user to download and run an application of some sort that apparently allows it to see the shadow file by default (note: Java is not installed by default in Lion; another hurdle to a Java based app).

          How is this different from any other local vulnerability? And *basically* having to revert to social engineering to do *anything* useful as an exploit.

          This article is pure link bait, esp. given the title.

          (p.s. Not coming here again and I live in Oz.)

          • Posted 28/09/2011 at 12:26 am | Permalink |

            As I wrote in the article, I’m aware of the exploit’s limitations:

            “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user.”

            However, the permission change in Lion which Dunstan demonstrated was worth reporting, and it does open up the possibility of more automated attacks on Mac OS X. In addition, any attack on a user’s password — as opposed to just getting access to a machine in general — is broadly interesting.

            I also thought the exploit was worth reporting because it was a Mac OS X/Unix exploit. It seems clear that Windows has been the subject of vastly greater attacks than Unix, and certainly Mac OS X, in the past. So even “less dangerous” attacks on Mac OS X are of interest.

            I hope I can convince you to come back to Delimiter by writing better articles in future — let me know what sort of articles you’re interested in! :) I take requests.

          • Posted 28/09/2011 at 1:36 am | Permalink |

            Each of the last 5 Adobe Flash vulnerabilities (all of which applied to Mac and Linux as well) allowed for this type of exploit, so it is not as impossible as you seem to imply.

            But the real master.passwd or shadow file on a Unix or Linux machine is protected such that no one with user access can view or modify the file. To compromise the file on Linux would require physical access and rebooting into single user mode, or removing the hard drive for inspection. Some configuration beyond the default would close this loophole by requiring the root password to access single user mode as well. Mac OS X has broken this traditional model by using separate shadow files per user, and not adequately protecting them.

    5. Rashkae
      Posted 27/09/2011 at 1:17 am | Permalink |

      People have been cracking Unix hash passwords for decades. It’s not hard at all, unless all the passwords are “secure”. Letting non-root users read the password hash completely breaks the Unix password security model.

    6. Posted 27/09/2011 at 1:58 am | Permalink |

      Hi everyone, I’ve deleted a couple of abusive comments from this article; please keep things polite as per our site comments policy:

      Otherwise your comment will be deleted.

      Delimiter Editor

    7. Laughingskeptic
      Posted 27/09/2011 at 3:13 am | Permalink |

      This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions. This is not true. The Windows OS provides for much more fine grained control of permissions. “ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”.

      • Doctor Velvetear
        Posted 27/09/2011 at 4:03 am | Permalink |

        Yes, and Apple use an ACL system as well as POSIX; if you use ls -lae on a Mac you will see the extended access levels.

        • Posted 28/09/2011 at 12:28 am | Permalink |

          “This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions.”

          Interesting; you’re perhaps right technically, but as a user I’ve never actually had to tinker with my Windows permissions; while I tinker with Linux permissions all the time. It seems to me that the Unix permission structure is much more baked into everyday use of the operating system than it is in Windows (certainly in Windows XP and below etc).

    8. Anonymous
      Posted 27/09/2011 at 9:00 am | Permalink |

      “its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”

      As already stated, the Windows permissions model is much much “finer-grained” than *nix; this has nothing to do with it. Windows uses Access Control Lists, which are groups of ACEs (access control entries). Even Linux and Mac zealots agree with this.

      Windows is still a bigger and more profitable target for Malware.
      Windows attracts more security un-aware users, the majority of whom are members of the Administrator group (IMO the biggest blunder of all)
      There are always and always will be flaws in all Operating Systems.
      The user is the biggest risk.

      • Posted 28/09/2011 at 12:28 am | Permalink |

        Hmm see my comments above about Windows permissions.

    9. Posted 27/09/2011 at 11:42 am | Permalink |

      “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches”

      As we all know, end users are one of the biggest security holes. Just ask the RSA accounts department about Excel files that have been quarantined.

      Now Mac OS X Lion users, think first before opening that fish in a blender Java app that your friend emailed you. :)

    10. MJ
      Posted 27/09/2011 at 12:29 pm | Permalink |

      This hardly sounds serious. Yes it needs to be fixed but I won’t be losing any sleep over it. It’s pretty hard to secure a system with users who are silly enough to run unsafe programs from untrusted sources.
