Gain Root Access Remotely with Newly Discovered Vulnerability Within macOS High Sierra (CVE-2017-13872)

How an attacker gains root remotely on macOS High Sierra (no password needed) and how to protect yourself from this vulnerability.

UPDATE: Apple released a patch for CVE-2017-13872, Security Update 2017-001. This update is available for systems running macOS 10.13.1. We recommend immediately applying this update.

A newly discovered flaw, disclosed by Lemi Ergin[1], within macOS High Sierra permits root-level access without requiring a password. This vulnerability affects High Sierra versions 10.13 and 10.13.1. During the initial disclosure of this vulnerability, reproducing the exploit required physical access. However, with further testing, we discovered that this vulnerability could be exploited remotely by an adversary with network access to a macOS High Sierra system on which (1) the default root account is disabled and (2) Apple’s Screen Sharing functionality is enabled.

This vulnerability is easily exploitable: an attacker merely requests a Screen Sharing connection to a macOS High Sierra machine with Screen Sharing enabled, then enters “root” as the username with the password field left blank, repeating the attempt several times as shown in Figure 1. This enables the root account on the remote system without a password, which in turn allows remote access via Screen Sharing as root.

Figure 1. Remotely enabling the root account via Screen Sharing.

While a user is logged into an account on a machine with Screen Sharing enabled, the attacker can log in as “root” (Figure 2) and receive a separate desktop session. This behavior also occurred while the screen was locked. However, when the user logs out, true screen sharing occurs, giving the attacker the ability to eavesdrop on or control the victim’s active desktop session unnoticed.


Figure 2. Log in as root option via Screen Sharing.

As mentioned, an attacker with physical access to a logged-in, unlocked machine could also enable the root user account, regardless of the Screen Sharing configuration. The account logged into the targeted system need only hold standard user privileges, as the exploit does not require administrator rights.

In both cases, once the adversary gains unauthorized superuser access, they could modify the system’s configuration to weaken its security posture (e.g., disable the firewall or enable remote logins) or, worse, install malicious software to gain a permanent foothold on the compromised machine.

Detection

So far, we have identified two ways to discover whether your machine was targeted and successfully compromised.

1. If an attacker logs into the system as root while the victim is logged in, a “System Administrator” user account appears on the login screen when the victim logs out (Figure 3). Note: the System Administrator account does not appear after a system reboot.

Figure 3. System Administrator account appears on login screen on logout.

2. If an attacker is actively logged into the system (whether the victim is logged in, logged out, or has the screen locked) and the victim attempts to reboot the compromised system, the victim receives a prompt stating that other users are logged into the machine, as shown in Figure 4.

Figure 4. Prompt received when attempting to reboot a compromised machine while an attacker is logged in.

Mitigation

At the time of writing, a patch for this vulnerability was not available. Until Apple releases an official update, Apple recommends changing the root account’s password, or enabling the root account and then setting a password, to mitigate the risk of this flaw. In addition to Apple’s guidance, we recommend selecting a strong password for the root account to further improve the security posture of the High Sierra machine. These steps are depicted below in Figures 5 and 6.
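The following script is an added example, not code from the original post or from Apple: it checks a High Sierra host for the exposure described above (Screen Sharing enabled while root is disabled), for a root account that has been enabled, and for an active root desktop session of the kind behind Figures 2 and 4. It assumes the output formats of `dscl . -read /Users/root AuthenticationAuthority`, `launchctl list` and `ps -axo user=,comm=` noted in the comments, and each check parses that output from stdin so it can also be exercised against constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post: checks a High Sierra host
# for the state this post describes. Each check parses one command's output
# from stdin so it can also be run against constructed samples (see below).
# Assumed output formats: `dscl . -read /Users/root AuthenticationAuthority`
# prints "No such key: ..." while root is disabled; `launchctl list` prints
# "PID  Status  Label" rows; `ps -axo user=,comm=` prints "user /path/to/cmd".

# Prints "enabled" when root carries an AuthenticationAuthority (a password
# is set), else "disabled". Root enabled on a box where nobody set a root
# password is the state the attack leaves behind; root enabled because you
# applied Apple's mitigation (set a root password) is the desired state.
root_state_from_dscl() {
  if grep -q '^AuthenticationAuthority:'; then echo enabled; else echo disabled; fi
}

# Prints "enabled" when the Screen Sharing launchd job is loaded.
screen_sharing_from_launchctl() {
  if grep -q '[[:space:]]com\.apple\.screensharing$'; then echo enabled; else echo disabled; fi
}

# Prints each user owning a loginwindow process: the users with a desktop
# session, which includes a remote root session opened via Screen Sharing.
gui_users_from_ps() {
  awk '$2 ~ /\/loginwindow$/ { print $1 }' | sort -u
}

# Gathers live output on macOS and reports the exposure and compromise signs.
run_checks() {
  [ "$(uname)" = Darwin ] || { echo "run_checks needs macOS" >&2; return 2; }
  root=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | root_state_from_dscl)
  ss=$(sudo launchctl list | screen_sharing_from_launchctl)
  users=$(ps -axo user=,comm= | gui_users_from_ps)
  echo "root account:   $root"
  echo "screen sharing: $ss"
  echo "desktop sessions: $(echo "$users" | tr '\n' ' ')"
  if [ "$root" = disabled ] && [ "$ss" = enabled ]; then
    echo "EXPOSED: unpatched 10.13/10.13.1 in this state can be rooted remotely"
  fi
  if echo "$users" | grep -qx root; then
    echo "WARNING: a root desktop session is active (compare Figures 2 and 4)"
  fi
  return 0
}

# Invoke as `sh check_root_exposure.sh run` on the host being checked.
if [ "${1:-}" = run ]; then run_checks; fi
```

After applying Apple's mitigation, `root account: enabled` is expected; a root desktop session you did not open yourself is not.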

Enable Root Account

Figure 5. Steps to enable root account[2].

Change Root Account’s Password