How To: Easily Bypass macOS High Sierra's Login Screen & Get Root (No Password Hacking Required)

Easily Bypass macOS High Sierra's Login Screen & Get Root (No Password Hacking Required)

It looks like there is a fatal flaw in the current macOS High Sierra 10.13.1, even straight from the login menu when you first start up the computer. This severe vulnerability lets hackers — or anyone with malicious intentions — do anything they want as root users as long as they have physical access to the computer.

Designated as CVE-2017-13872 by Apple, this bug is not the be-all and end-all of exploitable bugs, where you can load up a remote terminal and just log into a victim's Mac without leaving the room you're in. Unless, of course, the victim has screen-sharing enabled. If this isn't the case, the attacker is going to have to get up close and personal with the victim's laptop, meaning the attacker is going to have to James Bond his or her way to the victim's Mac and be in front of the computer itself.

Apple issued a patch within 18 hours of this vulnerability being discovered, but for users who had not yet upgraded their operating system from the original version of High Sierra (10.13.0) to 10.13.1 before applying the patch, some have reported the bug re-emerging after updating. Because this patch seems to be having some issues rolling out, you should test to make sure this vulnerability doesn't affect your macOS device.

Step 1: Logging into Root from Boot

A hacker can just start up the machine, literally. When on the login window, they'd click on the "Other" option, not an actual user or guest user. For the username, they'd simply input root, and for the password, it would be left empty. All they have to do is click inside the password box, then hit enter. They may need to hit enter repeatedly until successfully logged in and on the desktop.

If someone is already logged into the computer, a hacker could still use this root/passwordless trick to bypass privilege escalation prompts. It doesn't need to be from the login window. Security researcher Patrick Wardle was also able to demonstrate this scary exploit working remotely if screen sharing was enabled.

So what's happening here? According to Patrick's findings, the reason this takes two clicks is a logic error in the way macOS attempts to validate credentials for unknown users. In this case, the first attempt actually creates the user account and sets whatever password you used to attempt to log in (or no password). The second attempt to log in then logs in and authenticates with the account that was created with the first click.

Step 2: Looting the System

That was quick. After getting in, the attacker can quickly install any type of software he or she wants on the victim's Mac, so long as no one is looking. They can also reset passwords, view hidden files, and anything else you can think of.

Protecting Yourself from This Hack

Now that the scary stuff is out of the way, it's fairly simple to make sure this doesn't happen without waiting for Apple to fix this problem, or have found the patch to be ineffective.

On your admin account, open a terminal window, then type the line below, followed by pressing enter. The -u argument will unlock the non-existing password allowing you to change the root password.

sudo passwd -u root

If logged into the administrator account, you'll need to input your admin password first before proceeding. Then, enter a root password, then confirm it.

In the end, make sure to keep that root password safe. If you lose that password, it will be completely difficult should you need it, and you will have to format or go through some extra steps to get complete access back onto your Mac.

Have any questions? Comment below or hit me up on Twitter @Nitroux2.

Cover photo by Kody/Null Byte; Screenshots by Nitrous/Null Byte

1 Comment

Share Your Thoughts

  • Hot
  • Latest