|
It works on a locked mac. After the trick has been enabled. Sooooo, don't leave your mac unlocked and you're fine?
|
# ? Nov 28, 2017 23:06 |
|
|
# ? May 28, 2024 06:42 |
|
Avenging_Mikon posted:It works on a locked mac. After the trick has been enabled. "After the trick has been enabled" means if a root account is not created and the login screen allows for arbitrary usernames instead of selecting a profile icon as far as i can tell.
|
# ? Nov 28, 2017 23:09 |
|
I'm out with the flu. I finally surface for some soup and to feed the animals, and this is blowing up my Twitts. https://twitter.com/lemiorhan/status/935581020774117381 On the plus (sorta) side, for most people it requires physical access. HOWEVER, if screen sharing is enabled, welp. The fix is easy, just set a god drat password for 'root' in terminal.
|
# ? Nov 28, 2017 23:21 |
|
Wait 2 hours. Someone on Twitter will RCE it through VNC or whatnot.
|
# ? Nov 28, 2017 23:28 |
|
Diva Cupcake posted:Wait 2 hours. Someone on Twitter will RCE it through VNC or whatnot. The yospos thread is already working on scripting it.
|
# ? Nov 28, 2017 23:32 |
|
Diva Cupcake posted:Wait 2 hours. Someone on Twitter will RCE it through VNC or whatnot. Pretty sure VNC was already confirmed on twitter.
|
# ? Nov 28, 2017 23:40 |
|
Yeah, if you have screen sharing on, it will work. A few more details I've found: If you already enabled a root account and it has a password you're fine. You have to do the initial exploit in System Prefs>Users It actually creates the password-less root account. So everyone rushing to test this has already self-owned. System Prefs is the only place macOS will actually create the account if it's missing. However user level of the account trying this doesn't matter. It will work on the logon screen if you have it set to force entering a User ID. If you just use the account picker 'root' won't be an option. Setting a password will fix the issue. EDIT: code:
NVM. I are stupid with the user list. Root will still show up if it's disabled. Just give it a password. Use this to set one: code:
Proteus Jones fucked around with this message at 01:59 on Nov 29, 2017 |
# ? Nov 28, 2017 23:48 |
|
Apple just released this: https://support.apple.com/en-us/HT204012
|
# ? Nov 29, 2017 00:24 |
|
Proteus Jones posted:Apple just released this: "Apple, anybody can access the root account in your operating system" "You're using it wrong"
|
# ? Nov 29, 2017 01:14 |
|
mewse posted:
Are you really surprised, it's Apple
|
# ? Nov 29, 2017 01:21 |
|
mewse posted:
That's not a "you're using it wrong" response. That's a "there's a bug and this is how to mitigate until we release a patch". Really this is for all the people who self-owned by "testing" the exploit like idiots without thinking through the consequences. There's almost no need to enable root, so Apple had to release this KB for everyone who did this today. However the fact Root can access macOS remotely via VNC/Screen Share is asinine. If you have "Remote Access" enabled for ssh/sftp, make sure this line is in your /etc/ssh/ssh_config under the "Host *" section toward the bottom. code:
Proteus Jones fucked around with this message at 01:27 on Nov 29, 2017 |
# ? Nov 29, 2017 01:22 |
|
Proteus Jones posted:That's not a "you're using it wrong" response. That's a "there's a bug and this is how to mitigate until we release a patch". Especially this: quote:You should disable the root user after completing your task.
|
# ? Nov 29, 2017 01:39 |
|
You're right it doesn't. I just saw today's date for the publication. I have a feeling the inset text at the top is an edit and they gave it a new KB ID. I'm not trying a defend them specifically, because this is a bonehead bug. But trying to conflate with "you're holding it wrong" is a little weird. In terms of UNIX/Linux you absolutely are doing it wrong if root is enabled. That being said, Apple completely hosed up re: the root account in general long before this was found. The root account exists (and has to) before this bug was found, and as is standard practice disabled. The idiocy from Apple is they left the loving password blank. So even if that Pref Pane exploit was done, root should have already had a randomly generated password in place. Dylan16807 posted:Especially this: EDIT AGAIN: I just re-enabled it going through the Directory Utility and it prompts me to set a password when I enable. That tells me when you disable root, it clears the password back to NULL. So you are absolutely correct, Dylan. WHAT THE loving poo poo, APPLE. Proteus Jones fucked around with this message at 03:22 on Nov 29, 2017 |
# ? Nov 29, 2017 01:50 |
|
Proteus Jones posted:this is for all the people who self-owned by "testing" the exploit like idiots without thinking through the consequences. Security is hard enough without giving users more reasons to dislike/distrust us wonk types! quote:However the fact Root can access macOS remotely via VNC/Screen Share is asinine. If you have "Remote Access" enabled for ssh/sftp, make sure this line is in your /etc/ssh/ssh_config under the "Host *" section toward the bottom. Presumably you meant to modify /etc/ssh/sshd_config, but at least as of my Sierra system, PermitRootLogin defaults to prohibit-password which should mean users are not at risk for this problem via SSH unless they manually edited the file to say yes, in which case I rescind my "for the users!" spiel above and that person probably is an idiot
|
# ? Nov 29, 2017 07:12 |
|
bitprophet posted:Casting folks just trying to determine whether they're susceptible to an exploit as "idiots" for not realizing the nature of the problem is kind of mean-spirited. Most of the time exploits are a binary, it works and you're at risk or it doesn't and you're not, situation. No you're right, idiot was too strong. I did typo the config file and looked in the wrong one. I just looked at the last entry and told everyone to append that at the bottom. The file it should have been is as bitprophet said. I'm not a fan of leaving any root access, but the default setting will guard against ssh being susceptible to root. I do recommend setting it to 'no'. There's zero reason to ever log in remotely as root. If you need to something administratively, use an admin account and sudo. If anyone wants to change PermitRootLogin, you can either uncomment the parameter and change it to no, or append PermitRootLogin no to the end of the file. I recommend the end of the file, since leaving the commented params in place let's you know what the machine defaults are.
|
# ? Nov 29, 2017 07:32 |
|
Secfuck thread posted a low-level explanation of what the gently caress is going on with the Apple exploit. It's an interesting read, and explains why if you set a password and then disable root why it in essence "resets" to NULL if you use the exploit again.Qwijib0 posted:deeper dive into why the macOS bug works
|
# ? Nov 29, 2017 16:37 |
|
Heard on a call: "we run advanced antivirus to stop the majority of threats"
|
# ? Nov 29, 2017 17:46 |
|
CLAM DOWN posted:Heard on a call: "we run advanced antivirus to stop the majority of threats" Well, to be fair, they did say it was advanced.
|
# ? Nov 29, 2017 17:48 |
|
CLAM DOWN posted:Heard on a call: "we run advanced antivirus to stop the majority of threats" https://www.youtube.com/watch?v=dOUfkK08e24
|
# ? Nov 29, 2017 18:21 |
|
Security Update 2017-0001 is out for High Sierra and fixes the exploit. https://support.apple.com/en-us/HT208315 I just tested it and the exploit no longer works.
|
# ? Nov 29, 2017 18:31 |
|
Proteus Jones posted:Well, to be fair, they did say it was advanced.
|
# ? Nov 29, 2017 19:32 |
|
I'm remembering this, tyvm
|
# ? Nov 29, 2017 21:59 |
|
Gives a whole new meaning to APT.
|
# ? Nov 30, 2017 07:31 |
|
The fix apparently breaks file sharing.
|
# ? Nov 30, 2017 17:17 |
|
PBS posted:The fix apparently breaks file sharing. Probably because you could do the root login remotely. I remember one of the root escalations macOD had at one point took advantge of the fact root did all device mounts which then passed it back with the permissions of the original user. It was a race exploit where you constantly mounted and unmounted devices while creating symbolic links to it while root did the work and you could sometimes get a link to a root level /dev for a moment which you instantly slammed in a root shell using those privs. Edit: this was the exploit with bash code. You run it as any user and you would eventually break out with root shell. https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
|
# ? Nov 30, 2017 17:53 |
|
Those of you who have to use EMET, what are you replacing it with after end of life next year?
|
# ? Dec 1, 2017 18:27 |
|
Security center has pretty much 100% of the functionality baked in to the OS with the fall creators update. For legacy systems, Symantec baked EMET-like functionality in to the AV client so we'll use that until those systems get retired.
BangersInMyKnickers fucked around with this message at 19:18 on Dec 1, 2017 |
# ? Dec 1, 2017 19:10 |
|
https://twitter.com/cabel/status/936814667908841473 Applol
|
# ? Dec 2, 2017 05:36 |
Apple apparently has to issue yet another fix for passwordless root. It also happened to Linux a few days ago, where the patch to fix Dirty COW had its own CVE issued.
BlankSystemDaemon fucked around with this message at 11:08 on Dec 2, 2017 |
|
# ? Dec 2, 2017 11:04 |
|
D. Ebdrup posted:Apple apparently has to issue yet another fix for passwordless root. It also happened to Linux a few days ago, where the patch to fix Dirty COW had its own CVE issued. Lolnux
|
# ? Dec 2, 2017 11:05 |
lolit Reply is not edit
|
|
# ? Dec 2, 2017 11:08 |
|
I was just ing at the owner of my company talking about how ios is so much more secure than android
|
# ? Dec 3, 2017 01:40 |
|
NevergirlsOFFICIAL posted:I was just ing at the owner of my company talking about how ios is so much more secure than android
|
# ? Dec 3, 2017 01:53 |
|
You shouldn't ask questions for which the answers are plain, right?
|
# ? Dec 3, 2017 22:40 |
|
Anyone know what this is about? https://twitter.com/SwiftOnSecurity/status/937330626516213761
|
# ? Dec 4, 2017 03:38 |
|
Absurd Alhazred posted:Anyone know what this is about?
|
# ? Dec 4, 2017 03:42 |
|
anthonypants posted:You haven't heard about the macOS High Sierra root exploit? Oh, it's about that one?
|
# ? Dec 4, 2017 03:47 |
It bears mention that the person who posted it on Twitter wasn't the first to have found/posted about it on Twitter, let alone on the broader internet as there was a post about it on Apples own support forum a lot earlier. So either Infosec Taylor Swift is referring to something else, or is too busy with hot takes that are quickly turning luke-warm to let facts bother them.
|
|
# ? Dec 4, 2017 15:27 |
|
D. Ebdrup posted:So either Infosec Taylor Swift is referring to something else, or is too busy with hot takes that are quickly turning luke-warm to let facts bother them.
|
# ? Dec 4, 2017 16:42 |
|
|
# ? May 28, 2024 06:42 |
|
How bad is Bluetooth in a home environment? I would really like to have headphones that don’t involve me constantly rolling over the cable, but I hate the idea of making my network less secure. Actually, my wife already uses a Bluetooth speaker, so the horse is already out of the barn isn’t it?
|
# ? Dec 7, 2017 19:19 |