Extracting and Cracking Mac OS X Lion Password Hashes [Updated]
The Defence in Depth blog has a post about a flaw in Lion’s redesigned authentication mechanisms and Directory Services. In short, it is possible to change the password of the currently logged in user by simply running the following command in the terminal, and it won’t ask you for the user’s current password:
$ dscl localhost -passwd /Search/Users/<username>
In Lion it is also easy to dump a user’s SHA-512 password hash using the following command:
$ dscl localhost -read /Search/Users/<username>
Then look for the dsAttrTypeNative:ShadowHashData chunk in the output (sample below). The hex string in red is the salt, and the green is the hash.
62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060
Cracking password hashes can be done using his custom Python script, or John the Ripper (with the Jumbo patch). Note that even if someone manages to obtain your password hash, if you’re using a strong password it will be extremely difficult for them to recover it. Seems like both of these are important but fairly low-risk flaws introduced into Lion. Hopefully Apple will look into these for the next update.
[Update 1] While waiting for an Apple-supplied security update, it is possible to protect yourself from this vulnerability by adjusting the permissions on dscl:
sudo chmod go-x /usr/bin/dscl
This makes it so that only root can execute dscl. To revert this simply run:
sudo chmod go+x /usr/bin/dscl
[Update 2] This vulnerability was patched in Mac OS X 10.7.2.
Lion + LDAP = Authentication Bypass
Around a month ago, Mac OS X Lion (10.7) was found to have a fairly severe vulnerability when configured to use an LDAP server for authentication. In such a configuration, the system accepts any username or password upon login. This affects both the user interface, but also remote login such as SSH. This issue does not affect normal Lion users who haven’t set up an LDAP server.
Details of the issue aren’t well known, and as much as I’d like to reproduce the issue, I’m too lazy to set up an LDAP server to do it. My guess is that OSX queries the LDAP server, but a bug in the authentication and authorization code makes it so that the user is granted access regardless of whether a login failure is received from the server. I’ve heard reports that it’s possible to login using any non-existent username (with some errors about invalid home directories), but then it begs the question: who do you end up logged in as, and what privileges do you have? If you login with a known username, then you get access in the context of that user. I can’t say for certain, but this vulnerability should not allow a user using an invalid password to gain access to network resources that rely on that user’s authentication credentials, just the local system.
Apple hasn’t yet acknowledged the issue as far as I know, and it’s surprising that no patch was issued with 10.7.1. Perhaps a fix will come in the form of a security update, or the upcoming 10.7.2 update. In the meantime, consider disabling LDAP authentication on Lion systems to prevent unauthorised access.
Simpler Stronger Passwords
The complexity of passwords is indeed something that has recently flipped into the realm of impossibility for us humans. In order to get any kind of decent cracking-resistant password these days you’re probably looking at having a password of at least 15 characters, making heavy use of uppercase, lowercase, symbols, etc. Very few people will be willing to commit that to memory, and if they do, they’ll be even less likely to change it on a regular basis.
The XKCD comic below shows that point pretty simply. It’s not actually that bad to use dictionary words, as long as they’re unrelated and you chain many of them together. The reason this works is because instead of picking from a character set of 26 letters, 10 digits and 20 symbols (total=56), you’re now selecting from a character set that is as large as the dictionary (~150,000 words). If you select four words of about 5 characters or more, the potential keyspace an attacker has to guess will be enormous – especially if you throw in a few symbols for good measure ;)
Gawker Media Hacked and Accounts Compromised
Gawker Media, who run many other sites including Lifehacker, Gizmodo and io9, have had their servers and databases hacked by a group called Gnosis. This results in over 1.3 million user accounts being compromised, across their various websites. Part of the issue is the fact that Gawker were using the outdated DES algorithm to secure passwords in the database, making it trivial for the hackers to crack the hashes. To make matters worse, many Gawker admins have also been using extremely weak passwords for their accounts. A full account from the hackers’ perspective can be found here, and there is clearly some beef between them and Nick Denton (owner of Gawker) who appears to have been baiting 4chan (baad idea).
The 1.3 million user accounts, together with Gawker Media’s source code, have been made available in a torrent posted on The Pirate Bay. You can quickly check whether your account is one of those by checking out this spreadsheet (Google). It’s safe to say that if you have any accounts on websites run by Gawker Media, you’re going to want to change your password. If you happen to reuse passwords a lot, then you’ll want to change your password everywhere… isn’t password reuse a joy?
XKCD: Password Reuse
Today’s XKCD is amusing, but still makes a very valid point. After using ultra-stupid passwords such as “password”, “123456” and “abc123”, password-reuse is the second biggest threat to the security of your accounts.
Google and Mr. Black Hat think alike!
Test Your Password Strength with Password Meter
To continue my emphasis on the importance of password strengths, you can now quickly and easily check the quality of your passwords using Password Meter. This is a good cross-platform compatible solution, and allows users to understand how the strengths of passwords are calculated. Although no official weighting exists, the values they use seem very reasonable to me.
Although the script does not appear to send the tested passwords anywhere, this can easily change without notice. So always err on the side of caution, and use this to help you understand how to create a good password. Then create one equally strong in your head.
Note: for those of you who use Mac OS X, the built-in Password Assistant is quite good.
Those of you who require ultra-strong passwords, for use with encryption schemes for example, check out Steve Gibson’s Ultra High Security Password Generator.
Loading ...
