macOS: root User Account Vulnerability

Yesterday it was revealed that macOS has a critical bug that allows any user with physical access to a device to log in as the root user with no password. I have tested this myself, via the process below:

  • Open System Preferences > Users & Groups
  • Select the lock in the bottom left-hand corner of the window.
  • Clear the pre-filled username, & replace it with “root” & select [Unlock].
    [Screenshot: macOS credential screen, using the root account with no password.]
  • Once the attempt is rejected, try again with the same settings as above. I’ve read from a few different sources that say to do it a few times, before you are allowed in. During my testing, I just had to attempt it twice, & I was in.

In order to fix this issue, you must change the root password through the Directory Utility. Open the app, hit the lock to enter your credentials (or use the root exploit again) then go to Edit > Change Root Password…
NOTE: You MUST choose to change the password. Simply disabling the root account does not correct the issue. If you disable the account, running through the same process for the exploit reactivates the root account without a password.
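
A way to check from Terminal which state the root account is in, as an added example that is not part of the original post. It assumes `dscl . -read /Users/root AuthenticationAuthority` reports `No such key` for a disabled root account and a `;ShadowHash;` entry once a password hash is stored; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the macOS root account from dscl output.
# Assumptions (not from the post): a disabled root account has no
# AuthenticationAuthority attribute ("No such key") or carries a
# ";DisabledUser;" tag; a root account with a stored password hash
# shows a ";ShadowHash;" entry.

# classify_root_state TEXT -> prints disabled | enabled | unknown
classify_root_state() {
    case "$1" in
        *"No such key"*)     echo disabled ;;
        *";DisabledUser;"*)  echo disabled ;;  # checked before ShadowHash
        *";ShadowHash;"*)    echo enabled ;;
        *)                   echo unknown ;;
    esac
}

# audit_root [TEXT]
# Returns 0 if root has a password hash, 1 if it is disabled, 2 if unknown.
# With no argument it queries the local directory node via dscl.
audit_root() {
    if [ $# -gt 0 ]; then
        out=$1
    else
        out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    fi
    case "$(classify_root_state "$out")" in
        enabled)
            # Cannot tell a blank password from a real one: verify who set it.
            echo "root has a password hash: confirm an administrator set it"
            return 0 ;;
        disabled)
            # Per the NOTE above, a disabled root account is not a fix.
            echo "root is disabled: the root password has not been changed"
            return 1 ;;
        *)
            echo "root state unknown: inspect the account manually"
            return 2 ;;
    esac
}

# Constructed sample outputs for offline use (not captured from a real Mac).
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Query the live system only where dscl exists (macOS).
if command -v dscl >/dev/null 2>&1; then
    audit_root || true
fi
```

An "enabled" result on a machine where nobody deliberately set a root password means the account was activated some other way and the password should be changed as described above.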

Brian Krebs has made a post about this as well: Krebs on Security: MacOS High Sierra Users: Change Root Password Now.

And since creating pretty logos for exploits seems to be a thing now…:

[Images: three macOS root vulnerability exploit logos, titled “macOS ro0t”, “macOS ro0ted” and “macOS root”.]

iOS 11.1 Activation Lock Bypass

Looks like iOS has yet another Activation Lock bypass… Seems like all you have to do is have a device that is Activation Locked with an account that has 2FA enabled. Once that is set, you enter the wrong passcode several times, until you are timed out for an hour. Wait for the timer to run down, do it a few more times, & you should bypass the Activation Lock. See the attached video for a demonstration I found on YouTube.