Limawi - Feed Fri, 09 Oct 2020 10:20:21 +0000 en What is Limawi ? Mon, 14 Jan 2019 13:19:59 +0000 Michée Lengronne urn:uuid:c541d16d-edf5-46f1-ab2d-7cffee709eba Limawi provides an IaaS/PaaS catalog of secure products.


We make modular products to complete an infrastructure or build one from scratch.

How to fix the root flaw in MacOS High Sierra Wed, 29 Nov 2017 11:46:22 +0000 Michée Lengronne urn:uuid:974f2923-97ab-49f0-a23d-178c969a51f8 A turkish researcher found a flaw allowing the access to root account without password on MacOS High Sierra.

This flaw is critical because easily executable. It can be used locally or remotely if the device has an active VNC protocol (screen sharing activated). This flaw grants access to all device’s permissions. The attacker can do whatever he wants.

Attack surface

The access to the authentication panel to tape the administrator password is the only thing needed. This panel is available from any account on the device (locally or remotely via VNC protocol).

The flaw comes from the mistakenly activated root account on MacOS High Sierra. This root account is an inheritance of the UNIX system from which MacOS is developed. It is present and used in the Linux world but normally is deactivated (available but deactivated) on Mac, replaced with administrator accounts that cannot access system files.

How to protect yourself

You just need to set a password for this root account. Never loose this password.

In command lines from whatever administrator account on the device

  1. Open the terminal. The application is available in the folder Applications > Utilities.
  2. Enter the following command line then press Enter: sudo passwd -u root
  3. A password will be asked, enter the password of your root account then press Enter.
  4. Enter the same password to confirm and press Enter again.
  5. Your root account is configured with a password.

With the graphic interface

  1. Go to the menu Apple > System Preferences.
  2. Click Users & Groups (or Accounts).
  3. Click the padlock, then enter an administrator name and password.
  4. Click Login Options.
  5. Click Join (or Edit).
  6. Click Open Directory Utility.
  7. Click the padlock in the Directory Utility window, then enter an administrator name and password.
  8. From the menu bar in Directory Utility, choose Edit > Change Root Password…
  9. Enter a root password when prompted.
Attacks & faults
SSL/TLS and HSTS, what is that ? Thu, 18 May 2017 13:07:01 +0000 Michée Lengronne urn:uuid:13dd75b8-27e9-4ca9-bfb8-4d586774d94e If you want the technical informations for Limawi, take a look here.

The running of SSL/TLS

SSL/TLS is a protocol that provides server identity verification (for instance a web server like Limawi, in that case we speak about https because the protocol to access a web server is called http). This identity verification works with a certificate sent from the server.

Here is the protocol step by step (technical terms are present in the graphs):

  • The client software asks the server its identity.
  • The server sends a certificate signed by the certification authority trusted by both the client software and the server to the client software.
  • The client software checks if the signature belongs to the certification authority it trusts.
  • It sends a request to this certification authority to check if it ensures that the certificate is still valid.
  • The client software and the server agree on a session key that will encrypt informations during a limited period (this time passed, another session key will take the place, the details for Limawi are explained in the graphs about the session key).
  • The client software and the server can communicate in a secure way.

The HSTS extension

The HSTS extension is a http protocol extension (the protocol that loads webpages) reinforcing the SSL/TLS use.

This extension forces the browser to load secure versions of a webpage and all the ressources this page holds (that is to say https versions) in a domain (the base address of a website) that implements it.

If the wanted webpage does not have any secure version, it is not loaded on the browser.

Once the browser accesses a website implementing this extension it keeps in memory that the next webpages wanted on that website must be secured. It can check it even before sending the first request to the website.

A HSTS extension is valid for a limited period and the browser must check at the end of this time if the website always uses this extension to start another period.

Domains (base address of a website) can be preloaded in a database available in your browser. That way the browser knows even before sending the first request of its history to a webpage that it must be secure otherwise it does not load it.

This base is available here: HSTS Preload

With Limawi

With Limawi, the certification authority is Let’s Encrypt.

The session key exchange between the client software and the server is done with the Diffie-Helman protocol that creates a symmetrical session key without exchanging secret elements (please refer to this article for another informations source on that subject).

Limawi uses HSTS. The HSTS validity period is 6 months.