This Null Byte is a doozy.

On Sunday, September 19th, Patrick Dunstan discovered an exploit for the latest Mac OS X 10.7 "Lion". This exploit allows an attacker, even remotely, to request that the root user's password be changed without knowing the password to the system beforehand. The legitimate owner would be locked out of the system, and all of their files would be compromised (unless disk encryption was in place). Let's go over why this happens, and how to stop it until a patch comes out.

A Byte of Info

The way a Mac system stores its user passwords is similar to Linux, as they are both built off of the Unix kernel. A user creates an account, and then the hashed password data for that user, their "shadow" file, is saved in a .plist file located in /var/db/dslocal/nodes/Default/users. The normal way someone would crack this is to obtain a user's Generated User ID (GID) and find it in the shadow file. This is averted by only allowing the root user to view the shadow file.
This still holds true in Lion. However, one major flaw was overlooked: non-root users cannot view the hash data directly, but they can extract it from Directory Services.

Step 1 How to Extract the Hashes

Normally, to see profile information about a user, you invoke this command in a terminal:
    $ dscl localhost -read /Local/Default/Users/<root user>
To see hash data, we just invoke Directory Services using the /Search/ path like so:
    $ dscl localhost -read /Search/Users/<root user>
Now, in the terminal output you should see a line in there that says:
    dsAttrTypeNative:ShadowHashData:
Look at the bytes below it. Bytes 28-32 are the password salt (each group of hex digits holds 4 bytes), and bytes 32-96 are the SHA512 hash. From there, a user wanting privilege escalation can load the hash into a password cracker for SHA512 hashes with 4-byte salts. There is one, written in Python, made by the author of the exploit here (brownie points for that, good sir).

Step 2 

  • Copy > paste the code in a text document and name it "hack.py".
  • Get a password list to run against the file - you can find good ones at Packet Storm.
  • In a terminal, change to the directory "hack.py" is in and issue the command with this syntax:
    $ python hack.py <username> <path/to/dictionary/file>
  • Wait until it completes and retrieves your password.

What if it Can't Crack the Password?

That's simple. Not only did Mac slip up by letting users read password hashes, but any user can also issue the "passwd" command to change any user's password. Feel safe still, Mac users?
Here's an example:
    $ dscl localhost -passwd /Search/Users/<root user>
You will then be prompted to enter a new password for the user. There it is: easier than denying your teenage daughter a brand new car, a user can change your password.

How Do I Keep Myself Safe from This?

  • Keep a REALLY long password that isn't in a dictionary (full ASCII jumbles are preferred).
  • Never leave your computer unattended, and do not enable remote access. This is disabled by default, so don't worry if you're unsure.
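
To find out whether a given Mac is affected, the script below (an added example, not from the original article or from the exploit's author) takes the output of the Step 1 `dscl ... /Search/Users/` read, run as a non-root user, and reports only whether a ShadowHashData blob long enough to hold the salt and hash came back. The hex-group layout of the sample output and the names `shadow_blob_length` and `assess` are assumptions of this example.

```python
import re
import subprocess
import sys

ATTR = "dsAttrTypeNative:ShadowHashData:"
HASH_END = 96  # per the article: salt at bytes 28-32, SHA512 hash at 32-96

def shadow_blob_length(dscl_output):
    """Count ShadowHashData bytes in dscl output; the values are never returned."""
    lines = dscl_output.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith(ATTR):
            continue
        chunks = [line[len(ATTR):]]
        for cont in lines[i + 1:]:
            # Continuation lines are indented groups of hex digits (assumed layout).
            if not (cont[:1].isspace() and re.fullmatch(r"[0-9a-fA-F\s]+", cont)):
                break
            chunks.append(cont)
        return len(re.sub(r"[^0-9a-fA-F]", "", "".join(chunks))) // 2
    return 0

def assess(dscl_output):
    """Classify what an unprivileged read of the user record revealed."""
    n = shadow_blob_length(dscl_output)
    if n >= HASH_END:
        return "EXPOSED"  # enough bytes to contain both salt and hash
    return "PARTIAL" if n else "NOT_EXPOSED"

# Constructed sample outputs; 96 zero bytes stand in for a real blob.
SAMPLE_EXPOSED = ATTR + "\n " + " ".join(["00000000"] * 24) + "\nRecordName: alice\n"
SAMPLE_CLEAN = "RecordName: alice\nUniqueID: 501\n"

if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.platform == "darwin":
        # Run as a non-root user, passing an account name on your own machine.
        out = subprocess.run(
            ["dscl", "localhost", "-read", "/Search/Users/" + sys.argv[1]],
            capture_output=True, text=True).stdout
        print(sys.argv[1], assess(out))
    else:
        print("sample exposed:", assess(SAMPLE_EXPOSED))
        print("sample clean:  ", assess(SAMPLE_CLEAN))
```

A result of `EXPOSED` for any account means the Directory Services read is still leaking hash data to unprivileged users on that machine.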
Written By Alex Long
