SECURITY FLAWS identified in Apple's Mac OS X 10.7 Lion allow potential attackers to extract the password hashes of any system users and change their access codes without authorization.
The vulnerabilities stem from authentication oversights in the Mac OS X directory services and were discovered by Patrick Dunstan of the Security in Depth blog.
"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data," Dunstan warned.
The data can be extracted from directory services by invoking the dscl command with a /Search/ path like this: dscl localhost -read /Search/Users/[user].
The output returned by this command contains a "dsAttrTypeNative:ShadowHashData" section with the password hash normally stored in the user's .plist shadow file.
Shadow files can normally only be accessed by root and include the individual .plist files which contain password hashes for every user on the system.
The obvious implication of this flaw is that an attacker who obtains access to a local account can extract all password hashes and run them through a brute force cracking program.
Fortunately, Mac OS X Lion hashes are generated using the SHA-512 algorithm and a four-byte salt, so unless they use common words or combinations, the passwords won't be easy to recover.
However, according to Dunstan, this is not the only attack vector opened by the flaws. It turns out the same dscl tool can be used to easily change the password of the currently active user.
This can be exploited in various ways, especially when an attacker gains access to the already-authenticated session of an administrative user who can use the sudo command.
"This is particularly dangerous if you are using Apple's new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data," warned Chester Wisniewski, a senior security advisor at Sophos.
One possible mitigation is to prevent access to the /usr/bin/dscl command line tool until Apple releases a patch by doing: sudo chmod 100 /usr/bin/dscl.
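To check a Lion system for both the exposure and the interim mitigation, here is an added audit script (not from the article or from Dunstan's post); it assumes the dscl output format quoted above (a "dsAttrTypeNative:ShadowHashData:" line) and that the mitigation leaves only the owner execute bit on /usr/bin/dscl.

```shell
#!/bin/sh
# Added audit script for the Lion dscl issue described above.
# Two checks:
#  1. hash_exposed: does a dscl -read dump contain the ShadowHashData attribute?
#  2. dscl_locked_down: has the interim mitigation (chmod 100 /usr/bin/dscl) been applied?

# Return 0 (true) if the given dscl -read output contains the shadow hash attribute.
# Only presence is reported; the hash value itself is never printed or stored.
hash_exposed() {
    printf '%s\n' "$1" | grep -q '^dsAttrTypeNative:ShadowHashData'
}

# Return 0 (true) if the file at $1 grants no read/write/execute bits to group or
# other, i.e. only the owner (root) can still run it. Columns 5-10 of ls -l are
# the group and other permission triplets on both GNU and BSD ls.
dscl_locked_down() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$perms" ] && [ "$perms" = "------" ]
}

# Live audit: the non-root query is the same one quoted in the article.
audit() {
    bin=/usr/bin/dscl
    if dscl_locked_down "$bin"; then
        echo "OK: $bin is restricted to root (interim mitigation applied)"
    else
        echo "WARN: $bin is runnable by non-root users"
    fi
    out=$("$bin" localhost -read "/Search/Users/$(id -un)" 2>/dev/null)
    if hash_exposed "$out"; then
        echo "VULNERABLE: ShadowHashData is readable without root for $(id -un)"
    else
        echo "OK: ShadowHashData not exposed for $(id -un)"
    fi
}

# Run the live audit only when requested (AUDIT_LIVE=1), so the functions can be
# sourced and exercised with constructed input elsewhere.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit
fi
```

Run it as AUDIT_LIVE=1 sh audit.sh on the Lion machine; a WARN plus a VULNERABLE line means the hash disclosure is still reachable from an unprivileged account.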