Discussion in 'privacy problems' started by PJC, Sep 20, 2011.
Flaw in OS X Lion allows unauthorized password changes
Cracking OS X Lion Passwords - Defence in Depth
Read about this a few days ago. Pretty silly.
OSX makes absolutely 0 effort to protect the computer from someone who has physical access to it.
"you've always had the option of changing the password when you boot from the os disk. it's an option right in the menu. as long as you have the original system disks, you can always change your password.
in lion, the system discs are replaced by the recovery partition, and though the "reset password" option is gone from the menu, you can simply type "resetpassword" in terminal to bring it up."
True, true. And a firmware password would help, but this is another reason to encrypt the HDD/SSD. I mean even if it's just the built-in FileVault, it's better than nothing.
Yet I heard of so many "computer experts" using it. Maybe they like to hack their own OS.
Won't help much with hacking. You'd have to be right at the computer to use this.
Not according to the Sophos article.
Or, am I misunderstanding something?
Kinda. Let's see - If you are "already logged in" then presumably you know the password. huh?
Typically password change programs force you to re-authenticate, to prevent physical access issues - to ensure that the person changing the password is really the person logged in.
To use this, the example proof of concept given is someone who first willingly executes a Java applet which is a trojan, giving some random remote person full shell access - then this flaw is used to change the password, or better yet, to steal hashes.
So this is not a good thing, but really IMHO not really remotely exploitable, unless paired with another vulnerability.
WTF? What does that have to do with anything?
It's not about the user knowing the password to log in. Obviously, if I own my system, I know the bloody password. It's rather about someone else, even remotely, being able to modify the password, without having to know the former password. So, in other words, there's no reauthentication, at all.
Not the case. You don't have to know the former password to change it. That's the issue.
Interesting first post, anyway.
Please, read what other users provided, like the links. I suppose you didn't, because if you did, then you wouldn't post what you posted.
I'll quote again a paragraph from Sophos article.
No need to know the existing password, according to this. Unless you can prove them all wrong, of course.
It does beg the question. Why the hell would I let someone connect via RDP/VNC/SSH? If I let someone on via one of these I am pretty much SOL anyways. The first too I would have to go out of my way to install/activate; the second is off by default.
Those are all disabled on my system. (Firewall is set to block everything but necessary protocols)