Mac OS X bug allows user to reset password without knowing the original
On the Defence in Depth blog, a researcher has recently revealed a flaw in Mac OS X 10.7 that consists of a pair of permission problems. The Mac OS X password can be reset by an attacker without knowing the existing one.
The system gives easy access to users’ shadow files, which are meant to be accessed only by accounts with a high privilege level.
Researcher Patrick Dunstan commented that the redesign of OS X Lion’s authentication scheme has overlooked a critical step: although non-root users are unable to access the shadow files directly, the system still allows non-root users to view password hash data. This is done by extracting the data straight from directory services.
He added that although the major cracking tools do not yet support OS X 10.7 hashes, one does not even need to crack them, because the second permission problem mentioned earlier simply allows one to change the password. According to him, when you request a password change you are prompted directly to enter the new password, without any need to authenticate with the current one.
This flaw is particularly dangerous for anyone using Apple’s FileVault 2 disk encryption, according to Sophos’ Chester Wisniewski. If anyone leaves his Mac unlocked and in the meantime someone changes his password, he will not be able to log in and could potentially lose access to his own data, as Wisniewski commented in a blog post.
Wisniewski has also checked with people testing OS X 10.7.2 and has found that the flaw exists even in those test builds.