Aussie researcher cracks OS X Lion passwords


news An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino’s latest Mac OS X Lion operating system.

According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.

In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. However, this time around he discovered a startling new fact with respect to Lion’s security protection — according to the researcher it leaves a crucial step out which could allow remote access to user passwords on the system.

In previous versions of Mac OS X, in order to access a user’s password, an attacker would need to break into what is referred to in Unix-based operating systems (such as Mac OS X) as a ‘shadow’ file — a file which stores critical data but can only be accessed by users with a high privilege — such as root access.

“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”

This means, according to the researcher, that it might be possible for an attacker to crack a user’s Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible.

Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system through setting different permissions on a certain file.

The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the appearance of heightened security on the Apple platform, ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications, to the relative dominance of Windows in the desktop PC market.

However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the platform’s growing popularity and use on mobile devices such as iPhones and iPads.

opinion/analysis
As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user. However, what Dunstan’s blog post demonstrates is that Mac OS X is not inherently safe from security problems. They do exist on the Mac; and I’m sure we’ll see more of them as time goes on; especially aimed at devices such as iPads.

Image credit: Apple

29 COMMENTS

  1. It seems they have more hipster user interface folks working at Apple than security folks because security is the core at most UNIX operating systems. Seems like the hipsters have gutted UNIX because they didn’t understand it and built a stinking dog pile mess then sold it as “Macs don’t get viruses” but ask Charlie Miller who pwns a Mac each time he gets his hands on it.

      • Yeah but not every product is marketed with billions of dollars of advertisements and false sense of security such as “Macs don’t get viruses”. $10 says you wrote that comment on an iPad but wait until the iPad 4 comes out with DUAL SCREENS!!!

    • Wow, you managed to use “hipster” twice when writing a post about Apple. I’m impressed!

      Can you manage to work it into something about Microsoft or AT&T for double points?

  2. There are a lot of if’s before an attacker can actually get to your password. By the time it is actually cracked (I hope the article headline is fixed), Apple will have time to address the issue through a security fix. One thing for sure, this exploit is not obvious.

    • Nah, the guy reverses the hash system so that he can brute force it. It’s not cracking the passwords, but it enables it.

    • You need to find the hash file, in order to have something to crack. If you don’t know what you are talking about, maybe you should refrain from posting about FUD.

      • See, the problem is: the article says he cracked them. So until he does, and can reproduce it, it’s FUD. On my Lion box the permissions in question remain tight. Only root has access to the Default tree mentioned in the post.

        The only way I can duplicate the methods mentioned in the article are by assuming a root shell manually, or using sudo. So not only is the cracking thing misleading, but so is the methodology he’s depicting. The comments seem to show others having similar responses.

        So the point still stands. FUD, link-bait, however you want to describe it.

        • If you get the contents of the shadow file, cracking the password of that user is simply a matter of clock cycles.
          As I described here: http://www.appfail.com/read/55/WebCT-fails-at-password-hashing/ it is quite trivial to crack a password hash once it is exposed. We saw this happen when Gawker’s database was compromised, with a database containing all of the users, email addresses and hashed passwords, the attackers were able to crack 1000s of passwords in a matter of days. This is a serious flaw, it just takes a bit of understanding. The research is valid, the reporting may be a little off, but that does not make this FUD at all. If you don’t understand hashing, read this: http://geekrt.com/read/91/What-is-a-Hash/

          • Except that nobody but him seems to be able to duplicate it. As I pointed out, I can’t. The permissions on my machine appear to be such that it is secure (or at least not suffering from the same vulnerability), insofar as I can test (I’m not foolish enough to say anything is for certain).

            I tend to take ANY of these kinds of announcements with a truckload of salt, simply because 9 times out of 10 they end up being attention grabs based on soft data or misinterpreted results. This is especially true when the announcements revolve around Macs, because of the collective dementia that is induced anytime Mac vs PC security is brought up.

          • Many people on his blog reported they could reproduce it.
            Many others misunderstood his comment about changing passwords and couldn’t replicate it.

            What you can do: with a non-authenticated user you can get the password hash.
            (this is step 1 for cracking a password – ie the getting the thing to crack)

            What you can also do is change the password of the current user without knowing the current user’s password.
            Many people misunderstood his statement to mean you could change ANY user’s password at ANY time.
            You can’t, you can only change the *current* user’s password (WITHOUT sudo and WITHOUT their old password)

          • As PeterA is saying, when you are dealing with access to the password database, you always have two options. 1) take the hashed password, go away, crack it, and return with the known password and compromise the system. 2) overwrite the hash with a new one for a known password, and compromise the system. The disadvantage to the second option is that it becomes immediately obvious to the user that they have been compromised, because their old password no longer works. Of course, after you have gotten into the system, you could add yourself a separate user account, and return the original password to the compromised account.

          • The bottom line is that the article is misinterpreting and misrepresenting what has happened. The article implies that you can RETRIEVE a user’s password. Not just change it. If I change a user’s password on one system, great. I can now run amok on that system, and that’s bad. If I can REVERSE the salted hash, I can potentially get access to many more systems, if the user uses the same password in multiple locations.

            The former situation is bad for the Everyman. The latter is incredibly bad for network managers, system admins, etc.

            I don’t contest that what the BLOG POST reports is bad. But the RE-Reporting being done here is disingenuous link bait, plain and simple.

  3. He found a way to get the hash/salt data. The password then still needs to be cracked with brute force. Which is very hard. The title of this article is kinda misleading.

    • It really isn’t that hard, and with GPU powered password cracking, it is remarkably fast. I happen to own a cluster of GPUs that I use for bitcoin mining, but I could easily redirect that effort to cracking billions of password combinations per second.

      • And how will you copy the shadow file off of any (OS X Lion) computer you desire to your fancy GPU cluster for cracking, pray tell?

        Any issue here is a “local” weakness. Your fancy GPU the other side of the world is neutered.

        So you need Physical Access (e.g. get on a plane to go and physically interact with your chosen OS X Lion machine), or allegedly trick the user to download and run an application of some sort that apparently allows it to see the shadow file by default (note: Java is not installed by default in Lion; another hurdle to a Java based app).

        How is this different from any other local vulnerability? And *basically* having to revert to social engineering to do *anything* useful as an exploit.

        This article is pure link bait, esp. given the title.

        (p.s. Not coming here again and I live in Oz.)

        • As I wrote in the article, I’m aware of the exploit’s limitations:

          “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user.”

          However, the permission change in Lion which Dunstan demonstrated was worth reporting, and it does open up the possibility of more automated attacks on Mac OS X. In addition, any attack on a user’s password — as opposed to just getting access to a machine in general — is broadly interesting.

          I also thought the exploit was worth reporting because it was a Mac OS X/Unix exploit. It seems clear that Windows has been the subject of vastly greater attacks than Unix, and certainly Mac OS X, in the past. So even “less dangerous” attacks on Mac OS X are of interest.

          I hope I can convince you to come back to Delimiter by writing better articles in future — let me know what sort of articles you’re interested in! :) I take requests.

        • Each of the last 5 Adobe Flash vulnerabilities (all of which applied to Mac and Linux as well), allowed for this type of exploit, so it is not as impossible as you seem to imply.

          But the real master.passwd or shadow file on a Unix or Linux machine is protected such that no one with user access can view or modify the file. To compromise the file on linux, would require physical access and rebooting into single user mode, or removing the hard drive for inspection. Some configuration beyond the default would close this loophole by requiring the root password to access single user mode as well. Mac OS X has broken this traditional model by using separate shadow files per user, and not adequately protecting them.

  4. People have been cracking Unix Hash passwords for decades.. It’s not hard at all, unless all the passwords are “secure”. Letting non-root users read the password hash completely breaks the Unix password security model.

  5. This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions. This is not true. The Windows OS provides for much more fine grained control of permissions. “ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”.

    • Yes and Apple use an ACL system as well as posix if you use ls -lae
      on a mac you will see the extended access levels.

      • “This statement erroneously implies that Unix OS level permissions are more fine grained than Windows permissions.”

        Interesting; you’re perhaps right technically, but as a user I’ve never actually had to tinker with my Windows permissions; while I tinker with Linux permissions all the time. It seems to me that the Unix permission structure is much more baked into everyday use of the operating system than it is in Windows (certainly in Windows XP and below etc).

  6. “its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications”

    As already stated, the Windows permissions model is much much “finer-grained” than *nix, this has nothing to do with it. Windows uses Access Control lists, which are groups of ACEs (access control entries). Even linux and Mac zealots agree with this.

    Windows is still a bigger and more profitable target for Malware.
    Windows attracts more security un-aware users, the majority of whom are members of the Administrator group (IMO the biggest blunder of all)
    There are always and always will be flaws in all Operating Systems.
    The user is the biggest risk.

  7. “As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches”

    As we all know, end users are one of the biggest security holes. Just ask the RSA accounts department about Excel files that have been quarantined.

    Now Mac OS X Lion users, think first before opening that fish in a blender Java app that your friend emailed you. :)

  8. This hardly sounds serious. Yes it needs to be fixed but I won’t be losing any sleep over it. It’s pretty hard to secure a system with users who are silly enough to run unsafe programs from untrusted sources.

    -MJ
