10.13 Root Password Oh my! #iamroot

EDIT 11-29-2017 08:33:

Apple has released Security Update 2017-001. Your best bet is to go install that now.

https://support.apple.com/en-us/HT208315


On Twitter today, a tweet came up talking about how you can log in to a 10.13 machine with the account root and no password. You can use this at the Login Window, Screen Saver, System Preferences, an ARD session, and Screen Sharing. It does not affect the FileVault Login Window.

This is confirmed on 10.13.0, 10.13.1, and 10.13.2b5. It does not affect 10.11 or 10.12.

The above does not depend on what level of permissions the user has. It works on a standard account or an admin account.

There are a few paths you can take to mitigate.

First, if your users are admins, you could just create a loginless root that redirects it to a false shell. While this is not a whole fix, it's a temporary patch: the root account still has no password, so a backdoor remains that can be exploited.
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

This was first posted as a possible solution by Graham Pugh.

This can be reversed by
/usr/bin/dscl . -change /Users/root UserShell /usr/bin/false /bin/sh

As pointed out by Jesse Peterson, this can still be exploited: a user may still elevate their privileges using a command like
osascript -e 'do shell script "id" user name "root" password "" with administrator privileges'

The definitive fix is to enable the root account with a password set, and to change its shell.
To enable root with a random password.

Thanks to Matthew Warren for this solution

Further, Rich Trouton came up with a complete solution.

Rich also has this as a payload-free package posted on GitHub.
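As an added example that is not the script by Matthew Warren or Rich Trouton referred to above, here is one way to check whether the local root account has no password set and, when asked, to set a random password and a non-login shell. It assumes macOS 10.13 run with sudo, and it assumes (not stated on this page) that an unset root password shows up as a missing AuthenticationAuthority key in dscl.

```shell
#!/bin/sh
# Added example: detect a passwordless root account and remediate it.
# Assumption: on a vulnerable 10.13 machine, reading root's
# AuthenticationAuthority with dscl reports "No such key".

# Random password of N characters (default 32) drawn from [A-Za-z0-9].
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
}

# Returns 0 when root has no AuthenticationAuthority record, i.e. no password.
root_has_no_password() {
    /usr/bin/dscl . -read /Users/root AuthenticationAuthority 2>&1 \
        | grep -q 'No such key'
}

# Print the two commands the fix consists of, so the plan can be reviewed
# (or tested) on a machine without dscl before it is applied.
remediation_commands() {
    printf '%s\n' "/usr/bin/dscl . -passwd /Users/root '$1'"
    printf '%s\n' "/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false"
}

# Set a random root password and move root to a non-login shell.
apply_fix() {
    pw=$(gen_password 32)
    /usr/bin/dscl . -passwd /Users/root "$pw"
    /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
    # Store or escrow $pw according to your own policy; it is not printed here.
    echo "root password set and shell changed to /usr/bin/false"
}

case "${1:-}" in
    --check)
        if root_has_no_password; then
            echo "root has no password set: vulnerable"; exit 2
        else
            echo "root has a password set"; exit 0
        fi ;;
    --fix)     apply_fix ;;
    --dry-run) remediation_commands '<random-password>' ;;
    *)         ;;   # no argument: only define the functions
esac
```

Run `sudo sh fix-root.sh --check` to see the state, `--dry-run` to see the commands, and `--fix` to apply them.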


If you use Jamf Pro, the above will also work for you and will not affect the service accounts that Jamf Pro relies on.

Many thanks to everyone on #macadminslack for publishing solutions.

If the above confuses you and you’d like to fix it on your personal Mac..
