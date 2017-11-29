Why <blank> Gets You Root

Background

In case you haven't heard the news there is a massive security flaw which affects the latest version of macOS (High Sierra). Essentially, bug allows anybody to log into the root account with a blank, or password of their choosing.Apparently this vulnerability was first posted , rather innocuously, to Apple's very own Developer Formums...in order to aid a user:However, the flaw only gained wider public attention, when Lemi Orhan Ergin ( @lemiorhan ) posted a tweet stating that, "we noticed a *HUGE* security issue at MacOS High Sierra...":I was quite intrigued by this bug, so decided to track down it's root cause!In this short blog post, I reveal my findings, and uncover the the underlying reason for the bug. So, without further adieu, let's dive right in!

Digging Deeper

First, let's look what's happening at a high level. When a user (or attacker) attempts to log into an account that is not currently enabled (i.e. root), the system will create that account with whatever password the user specifies...even if that password is blank. Then the user (or attacker) can readily log into that account:This two step process, explains why to perform this attack, one has to hit enter or click 'Unlock' twice:Of course, one should not be able to randomly enable accounts, especially the all powerful root account, without providing any sort of authentication. So, wtf is going on? Time to dig into macOS to see what's going on behind the scenes!When an user (or an attacker) tries to authenticate to an account, this is handled by the 'opendirectory' daemon (

opendirectoryd

). By debugging this daemon, we can view the sequence of function calls which occurs when the daemon recieves a mach XPC authentication message:

# ps aux | grep opendirectoryd

root 70 /usr/libexec/opendirectoryd



lldb -p 70

...



(lldb) bt

* frame #0: opendirectoryd`od_verify_crypt_password

frame #1: PlistFile`___lldb_unnamed_symbol26$$PlistFile

frame #2: PlistFile`odm_RecordVerifyPassword

frame #3: opendirectoryd`___lldb_unnamed_symbol37$$opendirectoryd

frame #4: opendirectoryd`___lldb_unnamed_symbol313$$opendirectoryd



We'll start at the

odm_RecordVerifyPassword

function. This function is implemented in the

PlistFile

binary. This bundle (library) is dynamically loaded from

/System/Library/OpenDirectory/Modules/PlistFile.bundle

(lldb) image list

[ 0] 50686B40-3B06-347D-B906-DCEF1D9F10E1 0x00000001041e5000 /usr/libexec/opendirectoryd

...



[188] A38BC5A0-67AA-3D75-89AD-57A7DF6D20BE 0x000000010447f000 /System/Library/OpenDirectory/Modules/PlistFile.bundle/Contents/MacOS/PlistFile

Setting a breakpoint on this function, we can dump it's arguments:

Process 70 stopped

* thread #15, stop reason = breakpoint 1.1

PlistFile`odm_RecordVerifyPassword:

-> 0x10448e50b: pushq %rbp



(lldb) po $rdi

<OS_od_module: 0x7fcb0dc29110>



(lldb) po $rsi

<OS_od_connection: 0x7fcb0dc26cb0>



(lldb) po $rdx

<OS_od_request: 0x7fcb0dc78d30>



(lldb) po $rcx

<OS_od_moduleconfig: 0x7fcb0dc203b0>



Looking at it's decompilation, we can see it invokes another function:

sub_18f1

sub_18f1(&var_818, odconnection_get_context(rbx), r13);

The final parameter passed to this function (

R13

), is a dictionary containing information about account the user (or attacker) is attempt to authenticate:

(lldb) po $r13

{

"dsAttrTypeStandard:AppleMetaNodeLocation" = (

"/Local/Default"

);

"dsAttrTypeStandard:GeneratedUID" = (

"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000"

);

"dsAttrTypeStandard:Password" = (

"*"

);

"dsAttrTypeStandard:RecordName" = (

root,

"BUILTIN\\Local System"

);

"dsAttrTypeStandard:RecordType" = (

"dsRecTypeStandard:Users"

);

"dsAttrTypeStandard:UniqueID" = (

0

);

}



Note the value for

dsAttrTypeStandard:Password

key:

*

. We'll see this value later!Next,

odm_RecordVerifyPassword

invokes another helper function:

sub_826b

. A string in the decompilation of this function, states it will "read shadowhash data" ...from the account that the user (or attacker) is trying to log in to. For enabled accounts (such as the user account) this read will succeed as this data exists. Note: this data can be viewed from the terminal via the

dscl . -read /Users/<user>

command or directly by reading it from

/private/var/db/dslocal/nodes/Default/users/<user>

For disabled accounts, (such as root account that is being targeted), this information is not present, so this function will fail! This is important :)

$ dscl . -read /Users/root

AppleMetaNodeLocation: /Local/Default

GeneratedUID: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000

NFSHomeDirectory: /var/root

Password: *

PrimaryGroupID: 0

RealName:

System Administrator

RecordName:

root

BUILTIN\Local System

RecordType: dsRecTypeStandard:Users

SMBSID: S-1-5-18

UniqueID: 0

UserShell: /bin/sh



When hash/shadow hash information is not found, an 'else' clause is executed:After reading in the password, it invokes the

od_verify_crypt_password

function to verify that the password passed in by the user (or attacker) matches that password for the account. So for example if we try to log into the (disabled) root account with 'hunter2',

od_verify_crypt_password

is invoke with '*' and 'hunter2':If we step over the call, it returns 0x1 in

al

....interesting!Since a non-zero value was returned, execution continues with a call to various methods such as

sub_13d00

. As the debug log statements in the decompilation show, these will perform an upgrade from a crypt password to a shadowhash or securetoken:

"found crypt password in user-record - upgrading to shadowhash or securetoken"

However, if we look at what these 'upgrade' subroutines are called with, it's with the password we provided (i.e. 'hunter2')!This password (well actually the shadowhash/securetoken) is then saved for the account (i.e. for root). Thus the user (or attacker) can now log in! #fail

Conclusion

For accounts that are disabled (i.e. don't have 'shadowhash' data) macOS will attempt to perform an upgrade



During this upgrade, od_verify_crypt_password returns a non-zero value, and an error code which is not checked

returns a non-zero value, and an error code which is not checked

The user (or attacked) specified password is then 'upgraded' and saved for the account



Let's recap:It appears that

od_verify_crypt_password

should fail (update: it does and Apple just didn't check for this!). I'll continue to dig into this :)Apple has now patched the bug! Kudos to them for the quick turn around. They assigned it CVE-2017-13872, and state in the security release notes that the bug was "a logic error existed in the validation of credentials." Their patch "improved credential validation." Diffing the

PlistFile

binary, we can see they expanded error checking to detect invalid credentials (i.e. when an non-authenticated attacker tries to set the root password):