The vulnerability appears to stem from a change in Lion's security model. Previous versions of OS X, back to 10.4, kept each user's password hash in a per-user shadow file, or hash database (a salted SHA512 digest with a 4-byte salt), that was readable only by root; even an administrator had to use sudo to get at it.
"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," according to a blog post from security researcher Patrick Dunstan, who discovered the new password vulnerability. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services." Dunstan has also released a Python script to simplify the password hash cracking process.
Cracking the retrieved hashes isn't even necessary, however. According to Dunstan, "it appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user." In practice, anyone at a logged-in session can run the directory services command-line tool (dscl) built into OS X and set a new password for that account without being asked for the old one.
How damaging could this attack be? "This is particularly dangerous if you are using Apple's new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.
According to Dunstan, malware could also use the flaw. If an attacker could get a user to run a malicious Java applet (one embedded in a website, for example), the applet could open a control channel to a command-and-control server and then change the logged-in user's password. If that user had administrator rights, the attacker would then know an admin password and so could gain root on the Mac and push and execute arbitrary code.
Wisniewski said he'd confirmed with developers testing the forthcoming 10.7.2 update that the flaw is still present. Until the flaw gets patched, Dunstan said a temporary workaround would be "to limit standard access to the dscl utility."
Wisniewski said the attack serves as a security reminder that Mac users should disable automatic logins, set screensavers to require a password to unlock, and before leaving a Mac unattended, "use a 'hot corner' or the keychain lock to lock your screen."