扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
## Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235 "Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?" ## Proof: https://twitter.com/patrickwardle/status/935608904377077761 ## Mitigation/Detection/Forensic: https://news.ycombinator.com/item?id=15800676 - Can be mitigated by enabling the root user with a strong password - Can be detected with <code>osquery</code> using <code>SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;"; - You can see what time the root account was enabled using <code>SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" WHERE key = "accountPolicyData";</code> then base 64 decoding that into a file and then running <code>plutil -convert xml1</code> and looking at the <code>passwordLastSetTime</code> field. _Note: osquery needs to be running with <code>sudo</code> but if you have it deployed across a fleet of macs as a daemon then it will be running with <code>sudo</code> anyway._ _Note: You can get the same info with plutil(1): <code>$ sudo plutil -p /private/var/db/dslocal/nodes/Default/users/root.plist</code>_ ## Security Advisory: https://support.apple.com/en-gb/HT208315 |
体验盒子
