Another bug disclosed

By now we all know about the bug for MacOS that has been so cleverly referred to as #IamRoot on Twitter. So there are some thoughts I had about it.

First and foremost, this did not affect just root. If you actually read a breakdown of the bug like this one, you will see why. It all has to do with whether an account is disabled or not. Disabled accounts do not have  ‘shadowhash’ data. So when you type in root to log in, initially it looks for it, and the programming that does the checks winds up enabling the root account and setting a password, in these cases a password of blank because of mashing the enter key. You could actually type in a password, and it will enable and set the root password to whatever you want it to be. Once that has been set the next time round, it logs you in. Simple right? Think about it though, what other accounts are disabled? Service accounts? What other accounts have system level access. or near to it. All it would take is an account that has sudo rights that is disabled to allow a blackhat to access the system with sudo privileges and thereby root the box. All this from what is considered a good practice, disabling accounts that do not need to be enabled.

Now Apple has a patch out there (seems they knew about the bug before it was disclosed, and we will touch on that shortly), and that is the ultimate fix. I have heard that this bug has been around forever and was a way to get into a locked out Mac as far back as OSX 10.4 but have not been able to confirm that. Is this a case of a “feature” being a bug? It very well could be, and wo8uld bring us into the idea of backdoors. I do not understand how they could change the logic in the OS code to all of a sudden allow this in High Sierra and it not already being in place for prior versions, unless Apple had done a complete redesign of login and disabled accounts. There were ways of mitigating the problem before the patch, the best known being to enable root and give it a password (the patch from Apple undoes this). Another potential way would be to set a low lockout threshold on the the account (basically enable the root account, but have it set to lockout at the first attempt). The issue with the second method is how would that affect the system. Just thinking out loud here. The bigger concern was that everyone focused on root, and not on checking what disabled accounts there are on the system. As I said, this bypass technique could be used for ANY disabled account. Imagine having to enable all of them and set passwords on all of them. Now put that into an enterprise situation. That could amount to a ton of work.

Now let’s look at the fix/disclosure situation. It took Apple less than 24 hours to release an out of band patch for this problem. Seems they had a fix in the latest beta roll up, and just pulled it out of there. That is all good and dandy, but why wait? With how big a problem this was why not be ahead of the game? Again it leads me to go down the backdoor thought on this bug, and that it was a feature. They knew about it, so the disclosure was cool, right? That is debatable. First we do not know if the person who tweeted Apple Support had reported the bug privately. Either way, using twitter to tell a company about the bug is odd, and sets a bad example of responsible bug disclosure. I would think they would go through getting a CVE for the bug before announcing it. At least that would be the responsible way in my mind. Also why not mention in the tweet that you had found this say 30/60/90 days ago and have not heard back, showing that you gave Apple a chance to fix the problem? The fact that there was a patch basically waiting to be pushed out is not the point, and in fact may have been a lucky coincidence.

So there you have it. Apple screwed up. The disclosure seems a bit irresponsible, and now everything is fine as long as you apply the patch. It does scare me that we are seeing more of these “features” that are exploitable being found (look at Microsoft recently). It scares me even more when a company either has an immediate patch available or says that they will not patch said “feature”.