Better lock down your root, this works as I just tried it.
EDIT: Following this video you can create an admin user with sudo access, so this is real.
I reported something not too dissimilar that is in every version of macOS I have tested that allows privilege escalation to run arbitrary code.
Apple product security just keep saying they’re looking at it, please don’t put our customers at risk by sharing it publicly, so I am not, but at the same time it’s a blindingly stupid mistake in their code and they’re doing nothing to fix it from my perspective.
I only figured out it was a security issue after several years of seeing it as a feature that made my life easier.
This is bad, no doubt - really, really bad. That said, it will mostly affect companies, as it requires local access to the machine (or an already established remote desktop link). Thus, most home users would only be able to gain root on their own machines they already are an admin of. For corporate and educational environments, however… this is nightmare-level stuff.
I’m in the process of testing the reports that VNC and ARD will log in users with root and no password:
I don’t have a machine with High Sierra to connect to right now, but I will let you know; however, I’ve not found a login option in the operating system that this doesn’t work on.
Apple’s advice is to create a root password which requires an admin user, or you know… just typing root without a password… Jesus Apple.
Wow… wow… that just made this 100 times worse, if true.
I haven’t personally verified, but there’s a few articles out there, such as from The Register, confirming this, and there’s no reason it wouldn’t. Apple is setting the root password to be blank, so anything which takes a username and password should work, except SSH, because that doesn’t allow root login at all, and I am fairly sure doesn’t allow blank passwords either.
Basically the issue appears to be that by default Apple disables the root user. If you try to log in as root, it enables the user and incorrectly sets the password to nothing; this means the second time you try, it lets you in.
The issue is that the obvious thing to do is disable root, but it will be reenabled again by testing. You need to set a root password and not disable it. Like a really really really secure one.
This is… bad. Thankfully we have been a bit behind on upgrades and don’t have High Sierra widely deployed yet.
Time to set that root password on any existing machines tho.
Yup, it’s on my first thing tomorrow list… thanks for the heads-up, I wasn’t too concerned when I thought it needed local or a pre-existing remote desktop account.
Not quite the ‘end of the world’ that sensationalist reporting would have us believe. However, it is evidence that in Apple’s drive to be so cool and happening it has left its roots (no pun intended) far behind and serious interest in quality OS firmware is no longer mainstream. Apple cannot argue inability to afford to do due diligence, it just thinks it has bigger fish to fry.
Reminds me of the old Windows 95 ESC button flaw!
Luckily I’ve only one High Sierra machine on my network at work, which I’ve now fixed.
Apple has released a patch for this in system update.
This patch apparently knocks out file sharing, so if it has, just do the below:
Open the Terminal app, which is in the Utilities folder of your Applications folder.
Type sudo /usr/libexec/configureLocalKDC and press Return.
Enter your administrator password and press Return.
Quit the Terminal app.
Or better still, download the combo update via Apple Support. Upgrades are always safer when done via this route rather than via the App Store, simply because the process ensures that all files, including system files, are replaced.