The latest version of OS X Lion allows any user to easily change the password of any local account, due to permissions oversights on Apple's part. The news comes less than a month after another Lion vulnerability that let users bypass LDAP without a password gained notoriety.
Originally reported by Defence in Depth blogger Patrick Dunstan, the root of the newly discovered problem in Mac OS X 10.7 is tied to the user-specific shadow files used in modern OS X platforms. These files are essentially hash databases and contain, among other things, the user's encrypted passwords. Ideally, they should be accessible only via high-privilege accounts.
According to Dunstan, Apple dropped the ball in terms of how Lion handles privilege. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data," Dunstan wrote. "This is accomplished by extracting the data straight from Directory Services."
Any user can accomplish this trick by simply invoking the directory services listing using the /Search/ path -- for example, $ dscl localhost -read /Search/Users/bob (where "bob" is the username). This causes Lion OS X to spew out the contents of Bob's shadow hash file, including data that can be used to crack Bob's password with a simple script, such as a Python script written by Dunstan.
Making matters worse, running such a script wouldn't necessarily be required to gain access to Bob's account. Using Directory Services, a user could change a logged-in user's password -- without requiring authentication -- using this command: $ dscl localhost -passwd /Search/Users/bob
Notably, the targeted user's account could just as easily include admin privileges.
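For detection, the two commands above share a recognisable shape: a non-root user running dscl against a /Search/Users/ path that names someone else's account. The following script is an added example, not part of Dunstan's or Kessler's write-ups; the log format it parses and the records it scans are constructed for illustration and do not mimic any real audit log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-execution records (not real OpenBSM or syslog output).
# One record per line: timestamp, invoking uid/user, binary, quoted argument string.
SAMPLE_LOG = """\
2011-09-20T10:12:01 uid=501 user=alice exec=/usr/bin/dscl args="localhost -read /Search/Users/bob"
2011-09-20T10:12:05 uid=501 user=alice exec=/usr/bin/dscl args="localhost -passwd /Search/Users/bob"
2011-09-20T10:13:10 uid=0 user=root exec=/usr/bin/dscl args="localhost -passwd /Local/Default/Users/carol"
2011-09-20T10:14:00 uid=502 user=bob exec=/usr/bin/dscl args="localhost -read /Search/Users/bob"
2011-09-20T10:15:00 uid=501 user=alice exec=/bin/ls args="-la /var/db/dslocal/nodes/Default/users"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) uid=(?P<uid>\d+) user=(?P<user>\S+) exec=(?P<exe>\S+) args="(?P<args>[^"]*)"$'
)
# The abuse described in the article goes through the /Search/ node, not /Local/Default.
TARGET_RE = re.compile(r"/Search/Users/(?P<target>[^\s/]+)")

@dataclass
class Finding:
    ts: str
    user: str     # account that ran dscl
    target: str   # account named in the /Search/Users/ path
    reason: str

def check_record(line: str) -> Optional[Finding]:
    """Return a Finding when a non-root user touches another user's record via /Search/."""
    m = LINE_RE.match(line)
    if not m or not m.group("exe").endswith("/dscl"):
        return None
    uid, user, argv = int(m.group("uid")), m.group("user"), m.group("args").split()
    t = TARGET_RE.search(m.group("args"))
    if uid == 0 or t is None:
        return None  # root activity, or a path outside /Search/Users/: not this pattern
    target = t.group("target")
    if target == user:
        return None  # acting on one's own record is expected behaviour
    if "-passwd" in argv:
        return Finding(m.group("ts"), user, target, "password change of another user via Directory Services")
    if "-read" in argv:
        return Finding(m.group("ts"), user, target, "shadow hash disclosure via Directory Services")
    return None

def scan(log_text: str) -> List[Finding]:
    """Run check_record over every line and keep the hits."""
    return [f for f in (check_record(rec) for rec in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user} -> {f.target}: {f.reason}")
```

On the constructed log this reports alice's read of bob's record and her subsequent password change, while root's use of the /Local/Default node and bob reading his own record are left alone.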
In order to pull off this hack, the perpetrator would require local access, though an outsider using social engineering could dupe a user into surrendering the information. Additionally, a malicious insider could use his or her existing access and wreak havoc if an admin left a machine without first logging out. Further, the user would need to access Lion's Directory Services -- another feat that would not be overly difficult in an environment with relatively lackluster security.
MacFixIt blogger Topher Kessler offered advice on how organizations can avoid being subject to these vulnerabilities. They include disabling automatic log-ins in Mac OS X; enabling sleep and screensaver passwords; disabling guest accounts (as well as accounts not in use); and better managing user privileges, such as allowing no greater permissions than necessary.