The “root” of Security Bugs


Earlier this week, a massive security issue in Apple’s most recent iteration of the macOS operating system called “High Sierra” was revealed. The issue allows anyone with access to the computer to log in as the root user without knowing the password.

In this briefing we will take a look at the bug, its implications and why such critical issues keep appearing in major products.


What is “root”?

On Unix-like operating systems such as macOS, Linux, Solaris and the various BSDs “root” is a user account with user ID 0. While the role of root is complex and has evolved over time, an adequate summary is that root is the ultimate administrator of regular Unix-like system. Gaining access to the root account on a machine means the attacker is able to do pretty much anything he/she wants including installing new Kernel modules and accessing any other user’s data. In offensive hacking, “rooting” a machine (getting root level access to it) is distinctly separate from merely getting access to any other user account as it allows for much more devastating attacks and hard to trace backdoors.

In summary, any vulnerability allowing attackers to gain root on a system is about as critical as it gets.


What is required for the attack?

An attacker must have access to the graphical login window of macOS (either the primary login window or a prompt used to elevate privileges). This can be achieved by either having physical access to the machine or by using a graphical remote connection software such as VNC (“Virtual Network Computing”). To our understanding at the time of publishing this briefing, the vulnerability can not be exploited via SSH (“Secure Shell”) or the command line.

With access to the graphical login GUI (“Graphical User Interface”), all an attacker has to do is enter “root” as the username, leave the password blank and repeatedly click the “login” button. In most cases the system will log the user in on the second attempt however more attempts might be required.


Why does this work?

Apple has not released details on the bug. However judging from the regular operations of macOS, we expect this to be a bug in the GUI software handling the login. While macOS systems have a root account, it is not commonly used to login. Instead, macOS users can temporarily gain root privileges using the sudo command. This likely means that under the hood, no password is set for the root account and login as root is prohibited. A bug in the GUI software could ignore these restrictions and accidentally authenticate the root user with the empty password.

If confirmed information on the internals of the attack should become available, we will update you.

Whatever the actual mechanism might be, the takeaway is that even well tested and understood security features such as authentication on Unix-like systems can be broken by careless programming and mistakes. Ironically, this bug might have escaped detection by Apple precisely because the underlying technology is so well understood and the exploit is so trivial: No-one thought is necessary to test such an “obviously secure” part of the technology.


How can I protect myself?

The bug only affects the latest release of macOS “High Sierra”. Apple has released a security update. Applying it will fix the issue. Alternatively, and perhaps easier for a quick organization-wide rollout by administrators, setting a strong password for the root account also seems to prevent the attack.