
EDIT 11-29-2017 08:33:
Apple has released Security Update 2017-001. Your best bet is to go install that now.
https://support.apple.com/en-us/HT208315
On Twitter today, a tweet surfaced describing how you can log in to a 10.13 machine as the root account with no password. This works at the Login Window, the Screen Saver lock, System Preferences authentication prompts, an ARD session, and Screen Sharing. It does not affect the FileVault login window.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
This is confirmed on 10.13.0, 10.13.1, and 10.13.2b5. It does not affect 10.11 or 10.12.
The above does not depend on the permission level of the logged-in user; it works from a standard account as well as an admin account.
There are a few paths you can take to mitigate this.
First, if your users are admins, you could create a login-less root account by pointing its shell at /usr/bin/false. This is not a complete fix, only a temporary patch, and as shown below it still leaves a hole that can be exploited.
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
This was first posted as a possible solution by Graham Pugh.
This can be reversed with:
/usr/bin/dscl . -change /Users/root UserShell /usr/bin/false /bin/sh
As Jesse Peterson pointed out, this does not close the hole: a user may still elevate their privileges with a command like
osascript -e 'do shell script "id" user name "root" password "" with administrator privileges'
The definitive fix is to enable the root user with a real password and change its shell.
To enable root with a random password:
Thanks to Matthew Warren for this solution.
Further, Rich Trouton came up with a complete solution.
Rich also has this as a payload-free package posted on GitHub.
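For readers who want to see the "enable root with a random password, then neutralise the shell" steps as one script, here is an added example written for this post. It is not Matthew Warren's or Rich Trouton's script and not the package linked above; it combines the dscl commands already shown in this post with a random password generator. It assumes that `dscl . -passwd /Users/root` both sets the password and enables the account, and that a never-enabled root record has no AuthenticationAuthority attribute (so reading it exits non-zero). The password and checking functions run anywhere; the dscl steps are guarded so they only run as root on macOS.

```bash
#!/bin/bash
# Added example for this post (not Matthew Warren's or Rich Trouton's code).
# Steps: audit the root record, set a random password (which enables root),
# and point root's shell at /usr/bin/false, as the post recommends.
set -eu

# Generate a random alphanumeric password of the requested length (default 24).
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# Sanity-check a candidate password before handing it to dscl:
# exact length and alphanumeric only, so no quoting surprises later.
password_ok() {
  local pw="$1" len="${2:-24}"
  [ "${#pw}" -eq "$len" ] || return 1
  case "$pw" in *[!A-Za-z0-9]*) return 1 ;; esac
  return 0
}

# Report root's current state. Assumption: a never-enabled root record has no
# AuthenticationAuthority attribute, so this dscl read exits non-zero.
audit_root() {
  if /usr/bin/dscl . -read /Users/root AuthenticationAuthority >/dev/null 2>&1; then
    echo "root: AuthenticationAuthority present (account enabled)"
  else
    echo "root: no AuthenticationAuthority (account disabled or never enabled)"
  fi
  /usr/bin/dscl . -read /Users/root UserShell 2>/dev/null || echo "root: UserShell unreadable"
}

# Apply the fix. Refuses to run anywhere but as root on macOS.
harden_root() {
  [ "$(uname)" = "Darwin" ] || { echo "harden_root: macOS only" >&2; return 1; }
  [ "$(id -u)" -eq 0 ] || { echo "harden_root: run with sudo" >&2; return 1; }
  local pw
  pw=$(gen_password 24)
  password_ok "$pw" 24 || { echo "harden_root: bad password generated" >&2; return 1; }
  # Assumption: setting a password on the root record enables root with that
  # password, so the empty-password login described in the post no longer works.
  /usr/bin/dscl . -passwd /Users/root "$pw"
  # Same command as in the post: an interactive root shell goes nowhere.
  /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
  audit_root
}

# Only act when invoked explicitly; sourcing the file just defines the functions.
case "${1:-}" in
  audit)  audit_root ;;
  harden) harden_root ;;
esac
```

Run `sudo ./fix_root.sh audit` first to see the current state of the root record, then `sudo ./fix_root.sh harden` to apply the fix. The generated password is deliberately not printed or stored: the point is that root has a non-empty password nobody knows, and an admin can still reset it later through Directory Utility or `dscl . -passwd` if root access is ever needed.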
If you use Jamf Pro, the above will also work for you and will not affect the service accounts that Jamf Pro relies on.
Many thanks to everyone on #macadminslack for publishing solutions.
If the above confuses you and you’d like to fix it on your personal Mac:
⚠️ Go fix the #MacOS #HighSierra root password vulnerability now!
1) Open Directory Utility
2) Click 🔒 to make changes, log in as admin
3) Click Edit → Enable Root User
4) Click Edit → Change Root Password…
5) Set a password
6) Do NOT disable root user! / via @0xjomo pic.twitter.com/ZyoZzqyujT
— Chris Messina (@chrismessina) November 28, 2017