Our thinking

Deep dive into Apple’s recent High Sierra root authentication issue

Over on the highly-technical, and very informative, Objective-See blog, there is a great in-depth writeup on Apple’s recent High Sierra root access bug.

Why <blank> Gets You Root

What is happening is if you try to log in as a disabled account (there is no stored shadowhash for the password) then macOS will attempt to upgrade the account to use a shadowhash for the password. Old accounts created on previous versions of macOS used a less secure method of protecting the password (crypt), and High Sierra will only use the more secure shadowhash method.

During upgrading the password from crypt to shadowhash, an error is returned (as there’s no crypt password) however this error isn’t checked for or handled appropriately.

The new password that the user specified to log in with is upgraded to shadowhash encryption and saved as the password for the account.

So, root is the most obvious (and most useful!) of the disabled accounts to try and log in as, however this bug would have let anyone log in as any disabled account that exists on the system.

Leave a Reply