A flaw in one of Mac OS X Lion’s command-line utilities has potentially opened a route for an attacker to change a user’s password without knowing the current password. But how big of a concern is it?
The issue in question was first brought to light by Patrick Dunstan, author of the Defence in Depth blog. The command-line programme dscl is a multi-purpose utility for interacting with Directory Services nodes. As it turns out, not only can it be used to retrieve the hashed version of a password (which makes it easier for a malicious attacker to try and brute force a password), but, far more worrying, it can also change a user’s password without requiring the current password.
Caveats, of course, apply: in order for this to work, the attacker needs either physical access to a computer where the target account is logged in, or needs to have remote access to the account (which would require that the attacker already knows the account password, thus rendering the vulnerability moot). However, Dunstan says that restriction could be side-stepped via a maliciously constructed Java applet; a disreputable Mac app could also, presumably, do the deed.
In a test, I confirmed that the current user’s password can in fact be changed without having to enter the current password. However, I was unable to change the password for other user accounts on the same machine, as some sources have claimed. It is worth bearing in mind, though, that if the currently logged in account has administrator privileges, changing its password essentially gives the attacker elevated privileges for your Mac.
Apple did not respond to a request for comment about whether it was aware of the vulnerability or when it would make a fix available.
So, while waiting for a patch from Apple, what should a user do? Of course, you should always practice the tenets of safe computing, such as avoiding suspicious websites and not downloading untrusted programs. In addition, it’s always good to take steps to secure physical access to your machine, such as requiring a screen-saver password and remembering to lock your screen if you step away.
If those common-sense actions aren't quite enough for you, Dunstan's blog post recommends changing the permissions on the dscl application, so that it can only be run by root, the OS's superuser. To do so, use the command: sudo chmod 100 /usr/bin/dscl and enter your administrator password when prompted. That ought to prevent unauthorised access, though it may impede users who actually depend on using the program for legitimate reasons.
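A small script to verify that the hardening step above actually took effect, added here as an example and not taken from Dunstan's post or from Apple: it reads the permission bits of a binary such as /usr/bin/dscl, reports whether ordinary users can still execute it, and applies the mode-100 change from the article. The function names, and the handling of both the macOS and the GNU stat utility, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: check whether a binary such as
# /usr/bin/dscl can still be executed by non-root users, and apply the
# article's hardening (mode 100: execute bit for the owner only).

# Print the permission bits of a file in octal, e.g. 755 or 100.
# Assumes the BSD stat on macOS and the GNU/busybox stat elsewhere.
file_mode() {
    case "$(uname -s)" in
        Darwin) stat -f '%OLp' "$1" ;;
        *)      stat -c '%a' "$1" ;;
    esac
}

# Reduce a mode such as 4755 (setuid bit set) to its low nine bits.
normalize_mode() {
    printf '%03o' $(( 0$1 & 0777 ))
}

# Succeed (exit 0) when the group or "other" execute bit is set,
# i.e. ordinary users can still run the program.
mode_allows_nonroot_exec() {
    [ $(( 0$1 & 011 )) -ne 0 ]
}

# Report the state of one binary: exit 0 if hardened, 1 if still
# executable by non-root users, 2 if the file cannot be inspected.
check_binary_hardening() {
    mode=$(file_mode "$1") || return 2
    mode=$(normalize_mode "$mode")
    if mode_allows_nonroot_exec "$mode"; then
        printf '%s: mode %s, still executable by non-root users\n' "$1" "$mode"
        return 1
    fi
    printf '%s: mode %s, execute restricted to the owner\n' "$1" "$mode"
    return 0
}

# The article's mitigation; for /usr/bin/dscl this must be run via sudo.
harden_binary() {
    chmod 100 "$1"
}

# Usage: check_binary_hardening /usr/bin/dscl
```

Run the check before and after the chmod to confirm the change, and again after any OS update, since an update may restore the original permissions on the binary.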
At the moment, there are no reported incidents of this vulnerability being exploited in the wild, so the concern level for Mac users is probably not very high. That said, taking steps to protect yourself is a smart and, in this case, fairly easy thing to do.