
  • News - Written by on Monday, September 26, 2011 12:36 - 29 Comments

    Aussie researcher cracks OS X Lion passwords

    An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino’s latest Mac OS X Lion operating system.

    According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.

    In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. However, this time around he discovered a startling new fact with respect to Lion’s security protection — according to the researcher, it leaves out a crucial step, which could allow remote access to user passwords on the system.

    In previous versions of Mac OS X, in order to access a user’s password, an attacker would need to break into what is referred to in Unix-based operating systems (such as Mac OS X) as a ‘shadow’ file — a file which stores critical data but can only be accessed by users with a high privilege — such as root access.

    “So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”

    This means, according to the researcher, that it might be possible for an attacker to crack a user’s Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible.

    Dunstan noted that, no doubt because Lion has only been available for a short time, he could not find any major cracking software that supports Lion’s password hashes — but he has published a simple script which allows users to do so. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system by setting different permissions on a certain file.
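    As an added illustration (not code from the article or from Dunstan’s post), the following Python shows what an exposed Lion hash entry contains and why exposing it is treated as the real damage. It assumes the SALTED-SHA512 layout Lion 10.7 used, a 4-byte salt followed by SHA-512 of salt||password, which the article does not spell out; the salt, password and word list are constructed sample values.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Assumed layout of a Lion (10.7) SALTED-SHA512 entry, not stated in the article:
# a 4-byte random salt followed by SHA-512(salt || password), 68 bytes in total.
SALT_LEN = 4
DIGEST_LEN = hashlib.sha512().digest_size  # 64
BLOB_LEN = SALT_LEN + DIGEST_LEN           # 68


def make_salted_sha512(password: str, salt: bytes) -> bytes:
    """Produce the stored form: salt || SHA-512(salt || password)."""
    if len(salt) != SALT_LEN:
        raise ValueError("expected a %d-byte salt" % SALT_LEN)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt + digest


def parse_salted_sha512(blob: bytes) -> Tuple[bytes, bytes]:
    """Split a stored entry into (salt, digest), rejecting malformed lengths."""
    if len(blob) != BLOB_LEN:
        raise ValueError("expected %d bytes, got %d" % (BLOB_LEN, len(blob)))
    return blob[:SALT_LEN], blob[SALT_LEN:]


def verify_password(candidate: str, blob: bytes) -> bool:
    """Check one candidate the way a login check would.

    The cost is a single SHA-512 over a few dozen bytes: there is no
    iteration count or memory-hard step, so a leaked entry can be
    searched at raw hash speed. That is why the hash, not the password
    itself, is the asset the shadow file is meant to protect.
    """
    salt, digest = parse_salted_sha512(blob)
    recomputed = hashlib.sha512(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(recomputed, digest)


def guesses_needed(blob: bytes, wordlist: List[str]) -> Optional[int]:
    """Number of candidates tried before one matches (None if none does).

    Shows on a tiny constructed list that the salt does not slow a
    single-target search; it only stops precomputed tables from being
    reused across users.
    """
    for count, word in enumerate(wordlist, start=1):
        if verify_password(word, blob):
            return count
    return None


if __name__ == "__main__":
    # Constructed sample values; a real entry uses a random salt per user.
    sample_salt = bytes.fromhex("0a1b2c3d")
    entry = make_salted_sha512("hunter2", sample_salt)
    print("stored entry (hex):", entry.hex())
    print("verify correct password:", verify_password("hunter2", entry))
    print("verify wrong password:  ", verify_password("hunter3", entry))
    print("guesses needed:", guesses_needed(entry, ["password", "letmein", "hunter2"]))
```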

    The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the appearance of heightened security on the Apple platform, ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications, to the relative dominance of Windows in the desktop PC market.

    However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the platform’s growing popularity and use on mobile devices such as iPhones and iPads.

    opinion/analysis
    As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user. However, what Dunstan’s blog post demonstrates is that Mac OS X is not inherently safe from security problems. They do exist on the Mac, and I’m sure we’ll see more of them as time goes on, especially aimed at devices such as iPads.

    Image credit: Apple


    29 Comments


    1. Posted 27/09/2011 at 12:01 am

      It seems they have more hipster user interface folks working at Apple than security folks because security is the core at most UNIX operating systems. Seems like the hipsters have gutted UNIX because they didn’t understand it and built a stinking dog pile mess then sold it as “Macs don’t get viruses” but ask Charlie Miller who pwns a Mac each time he gets his hands on it.

      • Posted 27/09/2011 at 12:10 am

        Anyone can break any system if they “get their hands on it.” Nice try, though.

        • Posted 27/09/2011 at 10:47 pm

          Yeah but not every product is marketed with billions of dollars of advertisements and false sense of security such as “Macs don’t get viruses”. $10 says you wrote that comment on an iPad but wait until the iPad 4 comes out with DUAL SCREENS!!!

      • Anonymous
        Posted 27/09/2011 at 12:41 pm

        Wow, you managed to use “hipster” twice when writing a post about Apple. I’m impressed!

        Can you manage to work it into something about Microsoft or AT&T for double points?

    2. Anonymous
      Posted 27/09/2011 at 12:17 am

      There are a lot of if’s before an attacker can actually get to your password. By the time it is actually cracked (I hope the article headline is fixed), Apple will have time to address the issue through a security fix. One thing for sure, this exploit is not obvious.

    3. Posted 27/09/2011 at 12:41 am

      Lots of FUD, very little substance. Finding the hash file isn’t the same as “cracking”.

      • Jon Do
        Posted 27/09/2011 at 1:09 am

        Nah, the guy reverses the hash system so that he can brute force it. It’s not cracking the passwords, but it enables it.

      • Posted 27/09/2011 at 3:08 am

        You need to find the hash file, in order to have something to crack. If you don’t know what you are talking about, maybe you should refrain from posting about FUD.

        • Posted 27/09/2011 at 5:43 am

          See, the problem is: the article says he cracked them. So until he does, and can reproduce it, it’s FUD. On my Lion box the permissions in question remain tight. Only root has access to the Default tree mentioned in the post.

          The only way I can duplicate the methods mentioned in the article are by assuming a root shell manually, or using sudo. So not only is the cracking thing misleading, but so is the methodology he’s depicting. The comments seem to show others having similar responses.

          So the point still stands. FUD, link-bait, however you want to describe it.

          • Posted 27/09/2011 at 5:48 am

            If you get the contents of the shadow file, cracking the password of that user is simply a matter of clock cycles.
            As I described here: http://www.appfail.com/read/55/WebCT-fails-at-password-hashing/ it is quite trivial to crack a password hash once it is exposed. We saw this happen when Gawker’s database was compromised: with a database containing all of the users, email addresses and hashed passwords, the attackers were able to crack 1000s of passwords in a matter of days. This is a serious flaw, it just takes a bit of understanding. The research is valid, the reporting may be a little off, but that does not make this FUD at all. If you don’t understand hashing, read this: http://geekrt.com/read/91/What-is-a-Hash/

            • Posted 27/09/2011 at 5:53 am

              Except that nobody but him seems to be able to duplicate it. As I pointed out, I can’t. The permissions on my machine appear to be such that it is secure (or at least not suffering from the same vulnerability), insofar as I can test (I’m not foolish enough to say anything is for certain).

              I tend to take ANY of these kinds of announcements with a truckload of salt, simply because 9 times out of 10 they end up being attention grabs based on soft data or misinterpreted results. This is especially true when the announcements revolve around Macs, because of the collective dementia that is induced anytime Mac vs PC security is brought up.

              • PeterA
                Posted 27/09/2011 at 12:41 pm

                Many people on his blog reported they could reproduce it.
                Many others misunderstood his comment about changing passwords and couldn’t replicate it.

                What you can do: with a non-authenticated user you can get the password hash.
                (this is step 1 for cracking a password – ie the getting the thing to crack)

                What you can also do is change the password of the current user without knowing the current users password
                Many people misunderstood his statement to mean you could change ANY users password at ANY time.
                You can’t, you can only change the *current* user’s password (WITHOUT sudo and WITHOUT their old password)

              • Posted 28/09/2011 at 1:40 am

                As PeterA is saying, when you are dealing with access to the password database, you always have two options. 1) take the hashed password, go away, crack it, and return with the known password and compromise the system. 2) overwrite the hash with a new one for a known password, and compromise the system. The disadvantage to the second option is that it becomes immediately obvious to the user that they have been compromised, because their old password no longer works. Of course, after you have gotten into the system, you could add yourself a separate user account, and return the original password to the compromised account.

              • Posted 28/09/2011 at 1:52 am

                The bottom line is that the article is misinterpreting and misrepresenting what has happened. The article implies that you can RETRIEVE a user’s password. Not just change it. If I change a user’s password on one system, great. I can now run amok on that system, and that’s bad. If I can REVERSE the salted hash, I can potentially get access to many more systems, if the user uses the same password in multiple locations.

                The former situation is bad for the Everyman. The latter is incredibly bad for network managers, system admins, etc.

                I don’t contest that what the BLOG POST reports is bad. But the RE-Reporting being done here is disingenuous link bait, plain and simple.

    4. Posted 27/09/2011 at 12:43 am

      He found a way to get the hash/salt data. The password then still needs to be cracked with brute force. Which is very hard. The title of this article is kinda misleading.

      • Posted 27/09/2011 at 3:06 am

        It really isn’t that hard, and with GPU powered password cracking, it is remarkably fast. I happen to own a cluster of GPUs that I use for bitcoin mining, but I could easily redirect that effort to cracking billions of password combinations per second.

        • jtc
          Posted 28/09/2011 at 12:17 am

          And how will you copy the shadow file off of any (OS X Lion) computer you desire to your fancy GPU cluster for cracking, pray tell?

          Any issue here is a “local” weakness. Your fancy GPU the other side of the world is neutered.

          So you need Physical Access (e.g. get on a plane to go and physically interact with your chosen OS X Lion machine), or allegedly trick the user to download and run an application of some sort that apparently allows it to see the shadow file by default (note: Java is not installed by default in Lion; another hurdle to a Java based app).

          How is this different from any other local vulnerability? And *basically* having to revert to social engineering to do *anything* useful as an exploit.

          This article is pure link bait, esp. given the title.

          (p.s. Not coming here again and I live in Oz.)

          • Posted 28/09/2011 at 12:26 am

            As I wrote in the article, I’m aware of the exploit’s limitations:

            “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user.”

            However, the permission change in Lion which Dunstan demonstrated was worth reporting, and it does open up the possibility of more automated attacks on Mac OS X. In addition, any attack on a user’s password — as opposed to just getting access to a machine in general — is broadly interesting.

            I also thought the exploit was worth reporting because it was a Mac OS X/Unix exploit. It seems clear that Windows has been the subject of vastly greater attacks than Unix, and certainly Mac OS X, in the past. So even “less dangerous” attacks on Mac OS X are of interest.

            I hope I can convince you to come back to Delimiter by writing better articles in future — let me know what sort of articles you’re interested in! :) I take requests.

          • Posted 28/09/2011 at 1:36 am

            Each of the last 5 Adobe Flash vulnerabilities (all of which applied to Mac and Linux as well), allowed for this type of exploit, so it is not as impossible as you seem to imply.

            But the real master.passwd or shadow file on a Unix or Linux machine is protected such that no one with user access can view or modify the file. To compromise the file on linux, would require physical access and rebooting into single user mode, or removing the hard drive for inspection. Some configuration beyond the default would close this loophole by requiring the root password to access single user mode as well. Mac OS X has broken this traditional model by using separate shadow files per user, and not adequately protecting them.

    5. Rashkae
      Posted 27/09/2011 at 1:17 am

      People have been cracking Unix Hash passwords for decades. It’s not hard at all, unless all the passwords are “secure”. Letting non-root users read the password hash completely breaks the Unix password security model.

    6. Posted 27/09/2011 at 1:58 am

      Hi everyone, I’ve deleted a couple of abusive comments from this article; please keep things polite as per our site comments policy:

      http://delimiter.com.au/comments-policy/

      Otherwise your comment will be deleted.

      Cheers,

      Renai
      Delimiter Editor

    7. Laughingskeptic
      Posted 27/09/2011 at 3:13 am

      This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions. This is not true. The Windows OS provides for much more fine grained control of permissions. “ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”.

      • Doctor Velvetear
        Posted 27/09/2011 at 4:03 am

        Yes, and Apple use an ACL system as well as posix. If you use ls -lae
        on a mac you will see the extended access levels.

        • Posted 28/09/2011 at 12:28 am

          “This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions.”

          Interesting; you’re perhaps right technically, but as a user I’ve never actually had to tinker with my Windows permissions; while I tinker with Linux permissions all the time. It seems to me that the Unix permission structure is much more baked into everyday use of the operating system than it is in Windows (certainly in Windows XP and below etc).

    8. Anonymous
      Posted 27/09/2011 at 9:00 am

      “its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”

      As already stated, the Windows permissions model is much much “finer-grained” than *nix; this has nothing to do with it. Windows uses Access Control Lists, which are groups of ACEs (access control entries). Even linux and Mac zealots agree with this.

      Windows is still a bigger and more profitable target for Malware.
      Windows attracts more security un-aware users, the majority of whom are members of the Administrator group (IMO the biggest blunder of all)
      There are always and always will be flaws in all Operating Systems.
      The user is the biggest risk.

      • Posted 28/09/2011 at 12:28 am

        Hmm see my comments above about Windows permissions.

    9. Posted 27/09/2011 at 11:42 am

      “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches”

      As we all know, end users are one of the biggest security holes. Just ask the RSA accounts department about Excel files that have been quarantined.

      Now Mac OS X Lion users, think first before opening that fish in a blender Java app that your friend emailed you. :)

    10. MJ
      Posted 27/09/2011 at 12:29 pm

      This hardly sounds serious. Yes it needs to be fixed but I won’t be losing any sleep over it. It’s pretty hard to secure a system with users who are silly enough to run unsafe programs from untrusted sources.

      -MJ
