Archive

Posts Tagged ‘osx’

Download Mac OS X 10.3.5 ISOs

November 11, 2011

The download Mac OS9 ISO post I made a while ago has been so popular I’ve decided to make OS X 10.3.5 available for download as well. I’m really surprised how many people are still looking for these retro Mac downloads, as I thought there would be many other places to get them. In fact you can download these files off apple.com, but they are hard to find, so here they are…

Download Mac OS X 10.3.5 CD 1:

http://www.filesonic.com/file/b0en7FC/OSX_10.3.5_CD1.dmg.zip

Download Mac OS X 10.3.5 CD 2:

http://www.filesonic.com/file/dFo3gh7/OSX_10.3.5_CD2.dmg.zip

If you found these downloads useful please leave a comment!

Categories: Uncategorized

Mac Trojan “Flashback” Masquerades as Flash Installer

September 27, 2011

The Apple Macintosh security threats are flying thick and fast lately. The latest one is a Trojan horse which has been creatively named “Flashback”. This one isn’t so dangerous, however, because it requires heavy user co-operation for a system to become infected. The user needs to first visit a malicious website, then click a link to download the Trojan-infected “Flash Installer”, then actually run through the installation process. So it seems this threat will only affect a small number of users.

There are two main things you can do to protect yourself from this kind of threat:

1. Only download software from official trusted websites, which in this case is http://get.adobe.com/flashplayer/. But even doing this is no guarantee of a threat-free download… see the next post and it will become obvious why this is so.

2. Install OS X updates as soon as they become available. I’ve seen reports that Apple has already patched this OS vulnerability, so if you have your Software Update settings set to check for updates daily and you actually installed the update when prompted, you should be safe.

Source

OS X Lion as Secure as a Soggy Paper Bag

September 26, 2011


In my last post I speculated that as the Apple user base grows the incentive for hackers to write effective exploits will increase. It turns out we don’t need to wait for hackers to write better exploits because there are already gaping holes in the operating system…

$ dscl localhost -read /Search/Users/username

This is a terminal command you can enter to find out the ‘Password Hash’ of any user on an OS X Lion operating system. This vulnerability does require a user to already be logged in and the Password Hash it reveals is an encrypted version of the password so it doesn’t sound like too much of a serious security threat, yet.

For those not familiar with Password Hashes, an analogy could be stealing house keys from an unattended bag. The keys are useless without knowing the address of the house, and all you can do is try the key in millions of doors until it works. You might get lucky and the house is nearby, or you could search forever because the house is located on an island you don’t even know exists. Now imagine there are dodgy locksmiths that keep a record of the address of all the keys they cut, and you can take the stolen keys to these dodgy locksmiths and, if they’ve cut the key in the past, they will happily tell you the address the keys belong to. So finding the address is hit and miss, but over time the dodgy locksmith database grows as locksmiths cut more and more keys, and it gradually becomes easier to find a locksmith that knows the address of your stolen key.
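The locksmith analogy above, in code, as an added example that is not part of the original post: a precomputed table answers instantly for common passwords stored as plain hashes, while a per-user salt and a slow key-derivation function make that table useless. The wordlist, the passwords and the function names are constructed for illustration, and the sketch does not reproduce how OS X Lion itself stores hashes.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist standing in for the locksmith's records.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "dragon"]


def unsalted_hash(password):
    """Plain SHA-512: the same password always produces the same hash."""
    return hashlib.sha512(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once; reusable against every unsalted hash."""
    return {unsalted_hash(word): word for word in wordlist}


def salted_hash(password, salt=None, rounds=200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA512)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return salt, digest


def verify(password, salt, expected, rounds=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, rounds)
    return hmac.compare_digest(digest, expected)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    weak = unsalted_hash("letmein")             # in the records: found at once
    strong = unsalted_hash("k7#Vq-island-42!")  # the house on the unknown island
    salt_a, stored_a = salted_hash("letmein")   # same weak password, two users
    salt_b, stored_b = salted_hash("letmein")
    return {
        "weak_found": table.get(weak),
        "strong_found": table.get(strong),
        "salted_in_table": stored_a.hex() in table,
        "same_password_same_hash": stored_a == stored_b,
        "login_ok": verify("letmein", salt_a, stored_a),
        "login_wrong": verify("letmeout", salt_a, stored_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting does not rescue a weak password from a targeted guess, but it forces that guessing to be redone per user at the cost of the slow KDF instead of being looked up once.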

So even if someone can gain access to your keys, there’s a relatively small chance they will actually get into your house. That is, until you discover there are downright criminal locksmiths out there who will take any key you give them, even your own house key, and change the lock on the door to match your key! All you have to do is flash the secret sign like this...

$ dscl localhost -passwd /Search/Users/username

This terminal command changes the password of any user on the system :( Like the command at the start of the post, you still either need physical access to a machine with a user already logged in, or to gain remote access to a machine with a user already logged in, but as Patrick Dunstan, who discovered the threat, explains, gaining remote access isn’t as hard as it might sound...

[Imagine] A user with administrative rights is browsing the internet with Safari. The user happens to browse to a website hosting a malicious Java Applet. Unbeknownst to the user, they allow the innocent looking Java Applet to run. The Applet will proceed to make a connection back to the attacker, providing the attacker with full shell access. Whilst the attacker has access to the system, they are provided only with limited user privileges (they still do not have root access). This would limit what an attacker could accomplish. However, with the vulnerabilities described above the attacker now has an advantage: they can change the password of the current user. Now remember, the current user is an administrator. So now all the attacker has to do is sudo -s to become root. If, let’s say, the victim did not have administrative rights, the attacker still has the ability to extract user hashes from the system and attempt to crack them.

So there you have it: OS X Lion is as secure as a soggy paper bag. At least until Apple gets its act together and patches the problem.

Categories: Uncategorized