Bugcrowd Blog

MacOS High Sierra: Getting to the Root of the Problem

Posted by Keith Hoodlet on Nov 28, 2017 2:49:41 PM

What we know so far

Earlier today it was publicly disclosed that Apple’s MacOS High Sierra contains a trivially-exploitable flaw, which allows malicious individuals to generate a persistent root access account to your system. It is not readily apparent whether or not this vulnerability is remotely exploitable, but out an of abundance of caution there are several steps you can take immediately to protect your system.

Don’t try this at home!

By testing this vulnerability on your own computer, you'll end-up creating (or modifying) a persistent root user account on your system. The danger here is that, by creating such an account, it will affect remotely accessible services - such as Remote Desktop. By testing this vulnerability on your own system, you remove existing safeguards around the root (i.e. God-mode) user - enabling passwordless root access. Given the level of access the root account has, it has many (and wide-ranging) potential security impacts, including remote access through various services. We have internally confirmed that it adversely affects the Screen Sharing service.

Simply put, if you run MacOS High Sierra the best way to protect yourself here is to avoid testing this vulnerability on your own system, and lock your computer when you are not using it. Again, it’s unclear if this vulnerability is remotely exploitable, so you may not be out of the woods yet - keep an eye on this blog post as events unfold, as we will update accordingly on recommended workarounds as they become apparent.

You can further protect yourself with the following set of instructions.

twitter image 1.png

If you’ve tested this vulnerability on your own system…

Congratulations - you’ve just created a permanent root access account on your system, without a password! As a work-around (while we wait for a patch from Apple), you should first-and-foremost change the root password. You can also set the root user’s shell to /usr/bin/false.

Secondly, you might consider blocking remote services through System Preferences > Sharing. A word of caution: disabling remote services may break certain applications that you, or your organization uses. Either way, if you tried this on your work MacBook - you should reach out to your Security Team to let them know, and follow their guidance accordingly.

What this means for You / Your organization

Unless you / your users are in the habit of leaving their system unlocked around strangers, this vulnerability is not known to be remotely exploitable. For the time being, we have internally tested the following script and found that it works as intended. We will continue to update this post as further information becomes available.

Update 08:47 EDT, 11/29/2017:

Overnight, we began receiving reports that this vulnerability can be exploited from the lock screen for MacOS High Sierra users with multiple accounts - including guest accounts - on their system. This behavior was also reported via the Risky Business podcast - which went on to state that this lock screen vulnerability can also be exploited against systems with Remote Desktop enabled. At this time we have not been able to replicate this behavior internally - but if you’re running MacOS High Sierra, we strongly encourage you to implement the security measures recommended by Apple while they continue to develop a patch.

Update 11:29 EDT, 11/29/2017:

Apple has pushed a security update to address this issue. Whether or not you tried this on your own system, we strongly encourage you to apply this patch. Please note that if you are using a device provided by your employer, you should check in with your security team to ask if you should apply the patch yourself - or if they will be pushing this patch out on their end.

Interesting, Thought leadership, Cybersecurity News
Keith Hoodlet

Written by Keith Hoodlet

Trust & Security Engineer