Mac OS X Lion makes it unnecessarily easy for password crackers - update
Security specialist Patrick Dunstan reports that Mac OS X 10.7 "Lion" allows standard non-root users to access other users' password hashes. Under Mac OS X, users' password hashes are stored in shadow files that can usually only be accessed by root users. Dunstan said that, with Lion, Apple changed the authentication procedure and introduced a flaw that allows non-root users to read the password hashes from the shadow files via the directory services.
Using the hashes, attackers can recover the original password via an automated brute-force attack. However, depending on password complexity, such an attack may take some time. As the passwords are salted before they are hashed, rainbow table attacks are very time-consuming.
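The paragraph above turns on two properties of salted hashing: a salt makes a precomputed lookup (rainbow) table useless, but it does nothing to slow a per-user guessing attack, which only a deliberately slow key-derivation function can do. The following Python example is added here to illustrate both points; it is not Dunstan's script, nor Apple's on-disk ShadowHashData format. It assumes a generic scheme of SHA-512 over a 16-byte random salt, a small constructed word list standing in for a precomputed table, and PBKDF2 with an arbitrary iteration count as the "slow" alternative.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Optional, Tuple

# Assumptions for this illustration (not Apple's actual Lion format):
# a 16-byte random salt, SHA-512(salt || password) as the fast scheme, and
# PBKDF2-HMAC-SHA512 with a demo iteration count as the slow scheme.
SALT_LEN = 16
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, SHA-512(salt || password)); draw a fresh salt if none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def build_unsalted_table(words: Iterable[str]) -> Dict[bytes, str]:
    """Precomputed table keyed on the *unsalted* SHA-512 of each word.

    This stands in for a rainbow table: it can only ever match a hash that
    was computed without a salt, so it is computed once and reused forever.
    """
    return {hashlib.sha512(w.encode("utf-8")).digest(): w for w in words}


def table_lookup(table: Dict[bytes, str], digest: bytes) -> Optional[str]:
    """Constant-time-irrelevant lookup: a hit means the hash was unsalted."""
    return table.get(digest)


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512: same salt idea, but each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def seconds_per_guess(fn, password: str, salt: bytes, guesses: int = 20) -> float:
    """Wall-clock cost of one candidate check under the given hash function."""
    start = time.perf_counter()
    for _ in range(guesses):
        fn(password, salt)
    return (time.perf_counter() - start) / guesses


def demo() -> dict:
    """Constructed sample: two accounts that happen to share a password."""
    password = "correct horse"  # constructed sample value
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    table = build_unsalted_table(["password", "letmein", "correct horse"])
    unsalted_digest = hashlib.sha512(password.encode("utf-8")).digest()
    fast = seconds_per_guess(lambda p, s: hash_password(p, s), password, salt_a)
    slow = seconds_per_guess(slow_hash, password, salt_a)
    return {
        # Same password, different salts: the stored digests differ, so a
        # table built for one user (or with no salt) does not cover another.
        "same_password_different_digests": digest_a != digest_b,
        "verify_ok": verify_password(password, salt_a, digest_a),
        "verify_wrong": verify_password("wrong", salt_a, digest_a),
        # The precomputed table hits the unsalted digest but not the salted one.
        "unsalted_hit": table_lookup(table, unsalted_digest),
        "salted_hit": table_lookup(table, digest_a),
        # A salt does not slow guessing; a slow KDF does, by roughly this factor.
        "slowdown_factor": slow / fast if fast > 0 else float("inf"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `slowdown_factor` is the practical takeaway for the brute-force remark in the article: a salt forces the attacker to run the guessing loop once per user, but each guess against a plain salted SHA-512 still costs a single hash, whereas a PBKDF2-style KDF multiplies the cost of every guess by its iteration count without changing anything for the legitimate login path.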
Dunstan has released a Python script that carries out a dictionary attack on Lion passwords. The vulnerability is relatively insignificant for home users, as the likely benefits rarely justify the effort involved in cracking a password. The issue is only potentially relevant on multi-user systems where strictly separating individual user accounts is a priority. Apple has not announced a patch yet.
The specialist also said that the currently logged on user's password can be changed, without knowing the current password, using the "dscl localhost -passwd /Search/Users/user_name" command. For an attacker who is already logged into the account, there is little benefit to being able to change the password; the legitimate user would no longer be able to log in and the attack would be immediately uncovered.
Update: The last paragraph of the story incorrectly described the effect of the command. This has been corrected.
- Storing passwords in uncrackable form, a feature from The H.