A foreign computer-security blog recently found a vulnerability involving Lion user passwords.

"In Lion the permissions for the user's shadow files are still restrictive and prevent tampering; however, the need for direct access can be bypassed because the system holds the password hashes in the system's directory services, which any user can look up. As a result, the hashes can be extracted without needing to supply admin privileges, and then be run through various hacking tools and scripts to recover the user's password.

In addition to being able to extract the password hashes for a user, any user can also directly change another user's password, including those of system admins, merely by supplying the following command in the Terminal (substituting USERNAME for the short name of the target account):

dscl localhost -passwd /Search/Users/USERNAME

When run, this command will appear to give an error, but if you enter the same new password at all prompts then the target account's password will be changed. This is particularly notable, because once an admin's password is changed, the hacker can log in as the admin account and have full access to the system."
A user's password is stored in a shadow file that normally only the user themselves and admin/root can read. On Lion this part is fine, but the file of hash values computed from the users' passwords is placed in the system directory services, which every user on the system can read. So an ordinary user can see it, and by reading that value out and running it through some tools from the internet, the passwords of every user on the system can be recovered.
Another related vulnerability: just typing dscl localhost -passwd /Search/Users/USERNAME in the console lets you change USERNAME's password. It shows an error, but if you keep entering the password you want, that user's password ends up being changed.
There are two limitations, though:
1. You need a local account on that Lion machine
2. You need directory service access, e.g. being able to use Terminal or some other tool that shows all the system files
Below are some steps to prevent your own password from being changed or read out

"1. Disable automatic log-in
OS X has the option to automatically log in to a system. While this is convenient, it is also a security risk (especially for administrator accounts). By disabling automatic log-in in Lion you can prevent your account from being accessed merely by restarting it, and thereby prevent access to the Terminal and other utilities that can allow access to the directory services. Note that if you have FileVault 2 enabled, then automatic log-in will not be enabled.

2. Enable sleep and screensaver passwords
Since this problem can be taken advantage of by anyone with physical access to an unlocked account, if you leave your system in a public area then someone can sit down at your account and invoke this hack. Therefore, enable a password both for waking from sleep and for when the screensaver starts, to prevent unauthorized access if you step away.

3. Disable Guest accounts
If you have the Guest account enabled on your system, disable it in the Users & Groups section of System Preferences. Furthermore, only keep accounts active that are regularly used by people you know, and delete those that are no longer in use.


4. Manage users on the system
It may seem easy to just set up all accounts with administrative privileges, but this setup is not a secure way to run the system, especially given this latest security issue. In OS X you can set up one admin user and then set all other users to be managed accounts. This will allow you to govern whether they have access to tools that could modify the directory services. For instance, since the Terminal allows for this you can disable access to that program for all accounts on the system except for the Admin account. If you enable the "Limit Applications" feature for an account in the system's Parental Controls, the Terminal and other similar utilities will be disabled by default for that user."

1. Turn off auto login
2. Require a password when waking from sleep or the screensaver
(These two should generally be done anyway, unless you are sure your computer will never be stolen)
3. Turn off the Guest account
4. Manage all user accounts on the computer (don't give ordinary accounts access to programs that can see system files, such as Terminal, X11 server and the like)

Original article:
http://reviews.cnet.com/8301-13727_7-20108261-263/os-x-lion-passwords-can-be-changed-by-any-local-user

Basically it comes down to not letting unrelated people use your computer; anyone who can use your computer may be able to get your password.
Hope Apple patches this vulnerability soon.
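As an added example (not from the post or the CNET article), a small sh script that audits the three settings recommended above: automatic login, the Guest account, and the password on wake/screensaver. It assumes the standard macOS preference keys autoLoginUser and GuestEnabled in com.apple.loginwindow and askForPassword in com.apple.screensaver; the evaluation function takes the values as arguments so it can be tried with constructed input on any system.

```shell
#!/bin/sh
# Added example: audit the loginwindow/screensaver settings the post lists.
# The preference keys below are assumed to be the standard macOS ones;
# evaluate_settings is pure so it can be exercised off a Mac with constructed values.

# evaluate_settings AUTOLOGIN_USER GUEST_ENABLED ASK_FOR_PASSWORD
# Prints one "FAIL: ..." line per weak setting; returns the number of failures.
evaluate_settings() {
  auto_login="$1"; guest="$2"; ask="$3"; fails=0
  if [ -n "$auto_login" ]; then
    echo "FAIL: automatic login enabled for '$auto_login' (step 1: disable auto login)"
    fails=$((fails+1))
  fi
  if [ "$guest" = "1" ]; then
    echo "FAIL: Guest account enabled (step 3: disable Guest)"
    fails=$((fails+1))
  fi
  if [ "$ask" != "1" ]; then
    echo "FAIL: no password required on wake/screensaver (step 2)"
    fails=$((fails+1))
  fi
  return "$fails"
}

# read_pref DOMAIN KEY DEFAULT: read a value with `defaults`, falling back to
# DEFAULT when the key is absent (defaults exits non-zero and prints to stderr).
read_pref() { defaults read "$1" "$2" 2>/dev/null || echo "$3"; }

# Gather live values on macOS and evaluate them.
audit_mac() {
  evaluate_settings \
    "$(read_pref /Library/Preferences/com.apple.loginwindow autoLoginUser '')" \
    "$(read_pref /Library/Preferences/com.apple.loginwindow GuestEnabled 0)" \
    "$(read_pref com.apple.screensaver askForPassword 0)"
}

# Only run the live audit on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then
  audit_mac || echo "$? weak setting(s) found"
fi
```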

weic wrote:
A user's password is stored in a shadow file that normally only the user themselves and admin/root can read. On Lion this part is fine, but the file of hash values computed from the users' passwords is placed in the system directory services, which every user on the system can read. So an ordinary user can see it, and by reading that value out and running it through some tools from the internet, the passwords of every user on the system can be recovered


Generally speaking, hashing is a one-way computation;
by the principle of hashing, multiple different inputs may map to the same hash value.
So "restoring" the original input from a hash value is basically impossible; at most you can compare candidates with a brute-force dictionary method.
ulyssesric wrote:
Generally speaking, hashing ... (snipped)


Yes, the tools the article refers to actually use brute-force dictionary attacks.
Brute-forcing SHA512 user password hashes was discussed in the Linux world long ago, and quite a few programs have been written specifically for it.
After all, a large proportion of people use the same password for all their online accounts, so it is best to fix this vulnerability quickly. Those most affected are probably users running Lion as a server: anyone with SSH login access can slowly work out everyone else's passwords.