unix identity management: OSX Lion Passwords CRACKABLE!

“Cracking Lion Passwords” might be a somewhat sensationalist headline but Patrick at www.defenceindepth.net has found an interesting weakness in OSX Lion. With access to a console, you can reset passwords for other users without even having to be an admin / su / guy with those powers.

Using “dscl” (the Directory Service Command Line utility) you can read the hashed passwords of other user accounts and change a password. Now if you could do this remotely, THAT would be an awesome sensationalist headline.

Some choice extracts:

It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

Due to Lion’s relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes (SHA512 + 4-byte salt). To simplify the cracking of these hashes I have created a simple python script which can be downloaded here.

Now, if the password is not found by the dictionary file you’re out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use:

$ dscl localhost -passwd /Search/Users/bob
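The extracts describe Lion’s hash as “SHA512 + 4-byte salt”, and that format is the reason reading the hash matters: a single unsalted-style SHA-512 pass costs a guesser almost nothing, and a 32-bit salt space is small. The following is an added example (mine, not from this post or from Patrick’s article) that models such a hash and contrasts it with an iterated KDF. It assumes the stored blob is the 4-byte salt followed by SHA-512(salt || password); that byte layout, the function names, and the PBKDF2 comparison are this example’s assumptions, not something the page states.

```python
import hashlib
import hmac
import os
import time

SALT_LEN = 4  # the page describes Lion hashes as "SHA512 + 4-byte salt"


def lion_style_hash(password: str, salt: bytes) -> bytes:
    """Assumed layout: 4-byte salt followed by SHA-512(salt || password).

    Returns a 68-byte blob. The salt-first byte order is this example's
    assumption about the format, not a fact taken from the page.
    """
    if len(salt) != SALT_LEN:
        raise ValueError("expected a 4-byte salt")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt + digest


def verify_lion_style(password: str, stored: bytes) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    if len(stored) != SALT_LEN + 64:
        return False
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(lion_style_hash(password, salt), stored)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Iterated KDF (PBKDF2-HMAC-SHA512), included only for cost comparison.
    The page does not mention PBKDF2; this is the example's own choice."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def cost_ratio(password: str = "sample", salt: bytes = b"\x00\x01\x02\x03") -> float:
    """How many times more expensive one PBKDF2 evaluation is than one
    single-pass salted SHA-512. This is the per-guess cost a defender
    buys by choosing an iterated KDF over a raw hash."""
    reps = 1000
    t0 = time.perf_counter()
    for _ in range(reps):
        lion_style_hash(password, salt)
    single_pass = (time.perf_counter() - t0) / reps

    t0 = time.perf_counter()
    pbkdf2_hash(password, salt)
    iterated = time.perf_counter() - t0
    return iterated / single_pass


if __name__ == "__main__":
    # Constructed sample values, not from any real system.
    salt = os.urandom(SALT_LEN)
    blob = lion_style_hash("correct horse battery", salt)
    print("stored blob length:", len(blob))
    print("verify correct:", verify_lion_style("correct horse battery", blob))
    print("verify wrong:  ", verify_lion_style("wrong password", blob))
    print("PBKDF2 cost relative to single-pass SHA-512: %.0fx" % cost_ratio())
```

The two points to take from the output: the single-pass hash verifies (and therefore can be guessed) at raw SHA-512 speed, and a 4-byte salt only gives 2^32 distinct values, so neither property slows an attacker who can read the blob. The mitigation the format lacks is the one `pbkdf2_hash` shows: an iteration count that makes each guess orders of magnitude more expensive, which is what makes hash confidentiality failures like the one described above survivable.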


Here’s the full article:

http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html

And I’ve saved you a google for “dscl”:

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/dscl.1.html
