Two new security flaws have been discovered in Mac OS X Lion. Both of these flaws come from changes made to the operating system since Snow Leopard.
Patrick Dunstan, a security blogger, posted the details of his findings on his blog (via The Register). Dunstan first raised issues regarding Mac OS Xs password security back in 2009, describing the process used to extract and crack OS X passwords.
The first flaw is the ability for any user on a system, regardless of privileges, to access the password hashes of any user. Previously, only the root account in OS X had access to the shadow file, which is used by the operating system to store password hashes. In Lion, that has changed:
It appears in the redesign of OS X Lions authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.
This ShadowHashData attribute actually contains the same hash stored in user bobs shadow .plist file. The interesting thing about this? root privileges are not required. All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other users profile.
The next issue lies with the ability to change a users password when theyre logged on, without requiring the users old password for authentication. This differs from Windows and Linuxs "passwd" utility, both of which do require user authentication before a password change:
It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use:
$ dscl localhost -passwd /Search/Users/bob
And voilà! You will be prompted to enter a new password without the need to authenticate.
This report comes a month after a bug was exposed in Lion, allowing for users to log on via LDAP using a valid username and any password.