How the macOS root user vulnerability happened

Mac security specialist Patrick Wardle digs into the root cause (pun intended) behind why a blank password gave you root permissions:

* For accounts that are disabled (i.e. don’t have ‘shadowhash’ data) macOS will attempt to perform an upgrade

* During this upgrade, od_verify_crypt_password returns a non-zero value (an error code), which is not checked

* The user-specified (or attacker-specified) password is then ‘upgraded’ and saved for the account

It appears that od_verify_crypt_password should fail (update: it does and Apple just didn’t check for this!).

It might be an oversimplification, but what I gather from the post is that proper handling of the function’s return value (the error code) could, in hindsight, have prevented this.

Now I’m pondering about all those times we ignore the error codes returned by the OS for file I/O operations and whatnot.
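To make the pattern concrete, here is an added toy example (my own code, not Patrick Wardle’s analysis nor Apple’s OpenDirectory source). `verify_crypt_password` is a hypothetical stand-in for `od_verify_crypt_password`, the `account` struct is a constructed data model, and the "hash" is a plain string compare to keep it self-contained. The point it shows is the only one that matters here: the vulnerable caller discards the error code and stores whatever it was handed, while the hardened caller refuses to touch the account unless verification returned 0.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy account record, constructed for this example; not Apple's data model. */
struct account {
    const char *name;
    char stored_hash[64];   /* credential on file, meaningful only if has_hash */
    int  has_hash;          /* 0 = no 'shadowhash' data, i.e. a disabled account */
    int  enabled;
};

/* Hypothetical stand-in for od_verify_crypt_password. Returns 0 only when the
 * password matches the stored credential; any non-zero value is an error
 * (ENOENT: nothing on file to verify against, EACCES: mismatch). The "hash" is
 * a plain string compare purely to keep the demo self-contained. */
static int verify_crypt_password(const struct account *acct, const char *password)
{
    if (!acct->has_hash)
        return ENOENT;
    return strcmp(acct->stored_hash, password) == 0 ? 0 : EACCES;
}

/* Persist a new credential and bring the account out of its disabled state. */
static void store_credential(struct account *acct, const char *password)
{
    snprintf(acct->stored_hash, sizeof acct->stored_hash, "%s", password);
    acct->has_hash = 1;
    acct->enabled = 1;
}

/* Vulnerable pattern: the verification result is computed but never consulted,
 * so whatever password the caller supplied (even "") is saved as the new
 * credential. */
static int upgrade_unchecked(struct account *acct, const char *password)
{
    verify_crypt_password(acct, password);   /* return value silently dropped */
    store_credential(acct, password);
    return 0;
}

/* Hardened pattern: the upgrade happens only when verification returns 0;
 * otherwise the error code is propagated and the account is left untouched. */
static int upgrade_checked(struct account *acct, const char *password)
{
    int rc = verify_crypt_password(acct, password);
    if (rc != 0)
        return rc;
    store_credential(acct, password);
    return 0;
}

/* Would a login with this password succeed against the account right now? */
static int login_succeeds(const struct account *acct, const char *password)
{
    return acct->enabled && verify_crypt_password(acct, password) == 0;
}

int main(void)
{
    struct account a = { "root", "", 0, 0 };   /* disabled: no shadowhash */
    struct account b = { "root", "", 0, 0 };

    upgrade_unchecked(&a, "");
    printf("unchecked: blank login %s\n", login_succeeds(&a, "") ? "succeeds" : "fails");

    int rc = upgrade_checked(&b, "");
    printf("checked:   upgrade rc=%d (%s), blank login %s\n", rc, strerror(rc),
           login_succeeds(&b, "") ? "succeeds" : "fails");
    return 0;
}
```

The detection angle falls out of the same structure: a compiler warning such as `-Wunused-result` (via `__attribute__((warn_unused_result))` on the verification routine) or a static-analysis rule flagging ignored return values would have caught `upgrade_unchecked` at build time, which is the cheap check worth adding to any code path that gates a credential change.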
