Apple's Lion OS At Risk To Password Vulnerability

Apple OS X 10.7 flaw would enable hacker to change a pair of passwords
A flaw in Apple OS X 10.7, aka Lion, would enable an attacker to change a user's system password without having to know the previous password. As a result, an attacker--albeit with physical access to the machine--would be able to change the boot password, as well as the password used by Apple's full-disk encryption tool, FileVault2.

The vulnerability appears to stem from a change in Lion's security model. Previous versions of OS X--back to 10.4--gave each operating system user a shadow file, or hash database (using SHA512 plus a 4-byte salt), which could only be accessed by a user with admin-level privileges.

"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," according to a blog post from security researcher Patrick Dunstan, who discovered the new password vulnerability. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services." Dunstan has also released a Python script to simplify the password hash cracking process.
