SecureMac, Inc.

Mac OS X Single User Mode Root Access – CodeSamurai

June 2, 2001

Mac OS X Single User Mode Root Access – CodeSamurai
Forward

There’s always the constant battle between user-friendliness and security. Apple has known about this vulnerability for some time now; and back in the days of OpenStep, a patch to that OS was released to fix this problem. Now is the era of Mac OS X, and even though that old OpenStep patch won’t work for OS X, Apple could still easily release a similar patch, or better yet, a permanent fix that will be forever installed by default.

It is argued that …

Mac OS X Single User Mode Root Access – CodeSamurai

Mac OS X Single User Mode Root Access – CodeSamurai

Forward

There’s always the constant battle between user-friendliness and security. Apple has known about this vulnerability for some time now; and back in the days of OpenStep, a patch to that OS was released to fix this problem. Now is the era of Mac OS X, and even though that old OpenStep patch won’t work for OS X, Apple could still easily release a similar patch, or better yet, a permanent fix that will be forever installed by default.

It is argued that Single User Mode should allow full root privileges to allow forgetful users to change their password. Yet, I believe this really won’t happen in practice with OS X. The average Mac user might forget his or her password, but they probably wouldn’t like going into the command line interface of Single User Mode. Rather, they’d boot from the Install CD and reset their password from within the nice, eye pleasing Aqua GUI. Besides, the sysadmins and power users (who might like the CLI more so than the average user) probably won’t forget their passwords and would also prefer the security advantage of not having root open as such. So I feel having the ability to reset the password without knowing the password to begin with in Single User Mode is an unnecessary risk and is unnecessary in general.

Moreover, the current granting of root privileges in Single User Mode gives the user the direct ability to not only change the password, but to dump the password hash and crack it. Somebody could easily just obtain the administrative password that way, therefore giving them administrative privileges without even generating anything that would alert the sysadmins of a breach. Whereas if somebody was forced to reset the password to gain root privileges (like the Install CD does), the fact that the administrative password was changed would be a key off to the sysadmins that somebody breached their system.

In conclusion, Apple should work something out to make the Single User Mode require the root or administrative password before granting access into root. Furthermore, the Install CD should be the only method to reset the passwords without knowing the passwords to begin with.

Situation

Somebody’s at a Mac running Mac OS X, and they’ve completely forgotten their user and/or administrative account password on it (or even worse, they never had an account to begin with and are trying to hack the system), so they can’t just login at the login screen. If it has a keyboard attached to it, and those keys can be pressed, here’s how someone can get into root access with just a couple taps of the keyboard and maybe the scribble of a pen.

Vulnerability

Single User Mode under Mac OS X gives root access privileges without requiring the root password. (Note: Single User Mode is not the vulnerability here; the vulnerability is the fact that root access is given without having to enter in any password whatsoever.)

Exploit

Step 1) Restart the computer (or turn it on if it’s already off) while holding down the command and s keys at the same time. (If the computer is running Mac OS Public Beta, just press the s key.) They have root privileges at this moment, but now it’s time to take advantage of these privileges.

Step 1.5) Type “/sbin/fsck -y”. (Type this without the quotes, of course.) (This step really isn’t necessary at all, but it just takes a second, and they might as well just do a quick check of the hard disk before mounting it.)

Step 2) Type “/sbin/mount -wu /” (This mounts the volume “/” with read/write access.)

Step 3) Type “/sbin/SystemStarter” (This starts the network services, which is necessary to gain access to NetInfo.)

Step 4) Here, one could now just type “passwd root” and override the existing root password with one of their own, or worse yet, someone could just get the current root password (and/or the administrative user account password) so the administrators of that computer don’t know that their security has been compromised. One of the easiest ways to do this is to just type “nidump passwd .” and write down the root account’s password hash. (The hash will be the text that looks like just a garbled mess of alphanumeric characters between two colons.)

Step 5) Now one can type up what they wrote down into a plain text file like the following example: “root:rQkFQ37SYveHw:0:0::0:0:System Administrator:/var/root:/bin/tcsh”.

Step 6) Finally, they’ll use a cracking program like John the Ripper for the PC, or the Meltino, a Classic Macintosh application, to crack the password hash.

And when it’s finally cracked it, they’ve got the password!

Solution

A good makeshift fix for this can be found at http://users.ez-net.com/~jasonb/secureit.html.
(Version 1.05 of SecureIt has been verified to work under Mac OS X Build 4K78)

Step 1) Download the file: http://users.ez-net.com/~jasonb/secureit.tar.gz

Step 2) Open a terminal window, type “su”, and type in the root password when prompted.

Step 3) Go to the directory to where you downloaded the secureit.tar.gz file to, and type “tar xvzf secureit.tar.gz”.

Step 4) Type “cd secureit1_05” and then type “./install”.

Step 5) You should now be prompted to type in the password that will be required for you to boot up into single user mode. This password does not have to be the same as your root password or any other password you might have, so you can be newly creative for this password.

Get the latest security news and deals