The Root of Security Bugs

Even the giants can get it wrong. In November of 2017, Mac users running the then newest incarnation of Apple’s operating system — macOS High Sierra, which was released only a month before — were open to attack. The bug allowed anyone with access to the computer to log in as the “root” user without knowing the password. 

First Published 1st December 2017  |  Latest Refresh 14th May 2021

Ask an Australian about the challenges of "securing root".

4 min read  |  Reflare Research Team

A Significant Vulnerability 

Towards the end of 2017, a massive security issue in Apple’s then most recent iteration of the macOS “High Sierra” operating system was revealed. The issue allowed anyone with access to the computer to log in as the root user without knowing the password. At its core, High Sierra’s blank root account bug was a failure in the concept of “least privilege”.

In this research briefing, we will take a look at the bug, its implications and why such critical issues keep appearing in major products.

What is “root”?

On Unix-like operating systems such as macOS, Linux, Solaris and the various BSDs “root” is a user account with user ID 0. While the role of root is complex and has evolved over time, an adequate summary is that root is the ultimate administrator of a regular Unix-like system.

Gaining access to the root account on a machine means the attacker is able to do pretty much anything he/she wants including installing new Kernel modules and accessing any other user’s data. In offensive hacking, “rooting” a machine (getting root-level access to it) is distinctly separate from merely getting access to any other user account as it allows for much more devastating attacks and hard-to-trace backdoors.

In summary, any vulnerability allowing attackers to gain root on a system is about as critical as it gets.

What is Required for the Attack?

An attacker must have access to the graphical login window of macOS (either the primary login window or a prompt used to elevate privileges). This can be achieved by either having physical access to the machine or by using a graphical remote connection software such as VNC (“Virtual Network Computing”).

To our understanding at the time of the vulnerability being discovered, the vulnerability could not be exploited via SSH (“Secure Shell”) or the command line.

Even a company that prides itself on putting security at the centre of its products can get it wrong.

With access to the graphical login GUI (“Graphical User Interface”), all an attacker would have to have done is enter “root” as the username, leave the password blank and repeatedly click the “login” button. In most cases the system will log the user in on the second attempt however more attempts might be required.

Why Does This Work?

When the vulnerability was discovered, Apple did not immediately release details on the bug. However, judging from the regular operations of macOS, it was expected to be a bug in the GUI software handling the login. While macOS systems have a root account, it is not commonly used to log in.

Instead, macOS users can temporarily gain root privileges using the pseudo command. This likely means that under the hood, no password was set for the root account and log in as root was prohibited. A bug in the GUI software could ignore these restrictions and accidentally authenticate the root user with an empty password.

Whatever the actual mechanism might have been at the time, the takeaway is that even well-tested and understood security features such as authentication on Unix-like systems can be broken by careless programming and mistakes.

Ironically, this bug might have escaped detection by Apple precisely because the underlying technology is so well understood, and the exploit is so trivial: No one thought is necessary to test such an “obviously secure” part of the technology.

How Can I Protect Myself?

The bug only affected the 10.13 release of macOS High Sierra. Apple released the Security Update 2017-001 for macOS High Sierra 10.13 and macOS High Sierra 10.13.1 shortly after learning about the vulnerability. Should you still be running 10.13, applying this update will fix the issue. Furthermore, given further macOS developments since 10.13.1, High Sierra has now been superseded. You should assess your machine's compatibility to consider updating your macOS to the most recent version. 

But what if organisations chose not to wait for the likes of Apple, and take matters into their own hands? Perhaps an easier solution for a quick organisation-wide rollout would be administrators setting a strong password for the root account. Doing so would have been one highly effective approach to prevent the vulnerability from being exploited. However, how many administrators actually think like this, let alone act?

Administrators play a critical role in enforcing IT security practices that build an organisation’s resilience to vulnerability exploits like what happened with High Sierra. Not all business-critical systems have Apple’s capability or sheer muscle to fix such an issue, let alone even advise their users that they have a serious problem. The importance of having forward-thinking, mindful administrators be able to stay ahead of unforeseen issues and the latest threats cannot be overstated.

However, different types of vulnerabilities and hacking methods evolve constantly. To stay abreast of how you and your tech team can mitigate the risks associated with specific attacks, read our IT security research briefs on related topics.