Skip to content

A turkish researcher found a flaw allowing the access to root account without password on MacOS High Sierra.

This flaw is critical because easily executable. It can be used locally or remotely if the device has an active VNC protocol (screen sharing activated). This flaw grants access to all device’s permissions. The attacker can do whatever he wants.

Attack surface

The access to the authentication panel to tape the administrator password is the only thing needed. This panel is available from any account on the device (locally or remotely via VNC protocol).

The flaw comes from the mistakenly activated root account on MacOS High Sierra. This root account is an inheritance of the UNIX system from which MacOS is developed. It is present and used in the Linux world but normally is deactivated (available but deactivated) on Mac, replaced with administrator accounts that cannot access system files.

How to protect yourself

You just need to set a password for this root account. Never loose this password.

In command lines from whatever administrator account on the device

  1. Open the terminal. The application is available in the folder Applications > Utilities.
  2. Enter the following command line then press Enter: sudo passwd -u root
  3. A password will be asked, enter the password of your root account then press Enter.
  4. Enter the same password to confirm and press Enter again.
  5. Your root account is configured with a password.

With the graphic interface

  1. Go to the menu Apple > System Preferences.
  2. Click Users & Groups (or Accounts).
  3. Click the padlock, then enter an administrator name and password.
  4. Click Login Options.
  5. Click Join (or Edit).
  6. Click Open Directory Utility.
  7. Click the padlock in the Directory Utility window, then enter an administrator name and password.
  8. From the menu bar in Directory Utility, choose Edit > Change Root Password…
  9. Enter a root password when prompted.
Published on
Modified on
Our websites are made safe with https. That means that we use SSL/TLS. But what is that ? And what is the HSTS extension ?
Published on
Modified on
MyCrypNet uses OpenVPN. OpenVPN is an open source project that encrypts communications at the level 3 of the OSI model. Here ...
Published on
Modified on

Help

Security Vulnerability Reporting Policy

If you think you have found a security vulnerability on limawi or on any of our services, we invite you to contact us immediately. If you wish to contact us for anything else, please use the general contact page. Thanks.

We are committed to working with the community to verify, reproduce, and respond to legitimate reported vulnerabilities.

We encourage the community to participate in our responsible reporting process.

If you would like to report a security vulnerability, please contact us on the DPO contact page. Here is the DPO’s PGP/GPG key. You may use it to mail him directly your report. Please provide your name, contact information(s), and company name (if applicable) with each report. If you use the DPO’s PGP/GPG key, don’t forget to include your PGP/GPG public key with such reports, if you have one.

Responsible Disclosure Guidelines

We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we commit that we will never take legal action against you or ask law enforcement to investigate you, if you completely comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC);
  • Make good faith efforts to avoid privacy violations, destruction of data and interruption or degradation of our services;
  • Do not modify, delete or access data that does not belong to you;
  • Give us a reasonable time to correct the issue before making any information public.

We will attempt to respond to your report within 1 or 2 business days.

Published on
Modified on
Technical informations about the website and the service.
Published on
Sessions in Limawi are used across Limawi subdomains and can be revoked via a centralized interface.
Published on
Modified on
The Limawi password policy is checked using an entropy library.
Published on
Modified on
To activate the two-factor authentication, go on the Limawi site to “Your profile”, “Security”, “two-factor Authentication”.
Published on
Modified on
If your device is lost or stolen, you have to act quickly to avoid anyone accessing your MyCrypNet network.
Published on
Modified on
Follow us
© 2018 Coppint Market Place Ltd, All rights reserved.