Thursday, November 30, 2017

MacOS High Sierra login bug

Intro

If you've been following security news, you'll know that macOS High Sierra has a serious authentication bug. Most of the articles have already covered the background, so I'll get straight to the point.

If the root account has never been given a password (the default: on a fresh install the root account is disabled, and most users never enable it), then High Sierra will accept a blank password when you authenticate as root. What actually happens is that the first attempt to authenticate as root with an empty password fails, but as a side effect it enables the root account with that empty password; the second attempt then succeeds. That is why the demo below needs two tries.

A demo is better than a thousand words, so here's one real quick-

Demo

Step 1 : Go to any dialog that asks for administrator authentication. For example, Users & Groups in System Preferences.

Step 2 : Click on the lock, and you'll be prompted to log in.

Step 3 : Change the username to root and leave the password field blank. (After changing the username to root, press Tab to move to the password field, then Tab again to go back to the username field, and then click Unlock; otherwise this won't work.) If the dialog doesn't unlock on the first click, click Unlock again: the first attempt is the one that enables the root account with an empty password, and the second one gets in.


That's it. You can get creative regarding what you can accomplish with this. Note that once this has been done, the root account stays enabled with an empty password until someone changes it, so the damage outlives the demo. I haven't tried it, but I've heard that this attack (bug :p) works remotely! (Reports at the time were that it works over Screen Sharing and Remote Management, i.e. VNC/ARD, when those services are enabled.)

Fix

Seeing as this bug puts your system at risk, you'll want to fix it. One workaround is to give the root account a real password (Directory Utility or the dsenableroot command will do that); an empty root password is the whole problem.

However, on 29 November Apple released a security update (Security Update 2017-001) for this bug, so we'll simply use that. Here's Apple's page for the update - https://support.apple.com/en-us/HT208315 (the version numbers below come from that page). Two caveats from the same page: if you require the root account, you will need to re-enable it and set a new password after installing; and if you installed the update on 10.13 and then upgraded to 10.13.1, re-run the check below, because the upgrade can reintroduce the bug and the update then has to be installed again, followed by a reboot.

Let's first check whether the update is installed.

For that, type this in Terminal and hit enter-
what /usr/libexec/opendirectoryd
Look for the line containing opendirectoryd-<version>. If that version is lower than the one listed below for your macOS version, then the update is not installed (this is the opendirectoryd build number, not a version of the update itself)-


If it's one of these two, or a more recent version (higher numbers), then you're good-

opendirectoryd-483.1.5 on macOS High Sierra 10.13
opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
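Here is the same check as a script, as an added example that is not part of the original post. It pulls the opendirectoryd build number out of the output of what(1) and compares it against the minimum that Apple's page lists for the macOS version reported by sw_vers. The function names are the example's own, the sample output in the comments is constructed in the shape of what(1) output, and the "old" build number 483.1.3 used in the comments and test is made up for the example. Only the two macOS versions from Apple's page are in the table; for anything else (10.13.2 and later ship the fix) the script says it cannot decide rather than guessing.

```shell
#!/bin/sh
# Check whether Security Update 2017-001 is present, using the
# opendirectoryd build numbers Apple lists on HT208315.
# Function names are this example's own; none of this is Apple tooling.

# Minimum fixed opendirectoryd build per macOS version (from HT208315).
# Prints the build; returns 1 for a version the page does not list.
min_od_build_for_os() {
  case "$1" in
    10.13)   echo 483.1.5 ;;
    10.13.1) echo 483.20.7 ;;
    *)       return 1 ;;
  esac
}

# Pull "483.20.7" out of what(1) output shaped like (constructed sample):
#   /usr/libexec/opendirectoryd:
#       PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7
od_build_from_what() {
  printf '%s\n' "$1" | sed -n 's/.*opendirectoryd-\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Dotted-version compare: returns 0 when $1 >= $2, comparing each
# component numerically (so 483.20.7 > 483.1.5 even though "1" < "2" as text).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "[.]"); m = split(b, y, "[.]")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_fix WHAT_OUTPUT OS_VERSION
#   0 = update present, 1 = not present, 2 = cannot decide
#   (no build number found, or a macOS version HT208315 does not list)
check_fix() {
  build=$(od_build_from_what "$1")
  [ -n "$build" ] || return 2
  min=$(min_od_build_for_os "$2") || return 2
  version_ge "$build" "$min"
}

# Live check on the Mac you are sitting at; not invoked automatically.
# Usage on a Mac:  . ./odcheck.sh && check_this_mac
check_this_mac() {
  check_fix "$(what /usr/libexec/opendirectoryd)" "$(sw_vers -productVersion)"
  case $? in
    0) echo "Security Update 2017-001 is installed" ;;
    1) echo "NOT patched: install Security Update 2017-001 and reboot" ;;
    *) echo "could not determine patch state; compare against HT208315 by hand" ;;
  esac
}
```

Source the file and call check_this_mac on the machine you want to check; it returns a clear "not patched" only for the two macOS versions Apple's page covers, which is the honest answer given that the build numbers above are the only ground truth on the page.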

So, if you have an old version like me, head to the App Store (Updates tab) and install the update.
Sure enough, here's the update we need. It'll take a bit to get installed.



Once that's done, run the same command again and verify that the version number is now at or above the one listed for your macOS version. Now we're all good.




Verify-

Repeat the demo: authenticating as root with a blank password should now be refused. If you ran the demo before patching, also make sure the root account it enabled is no longer usable with an empty password. Bug seems fixed. That's it for the post.

23 comments:

  1. Today you will show Sqlmap's work! Which is already in Kali Linux! You can use Nessus, Vega, Acunetix for Windows to know whether a site is eligible for SQL Injection! The software will get Google A search!

    For Kali Linux you can use Vega, Powerfuzzer! Kali linux Tutorial

    Replies
    1. ✅ ✅ MEET THE REAL HACKERS ✅✅

      Hello,

      I'm Nicholas Shields, I'm the Marketing Manager of the hack team COMPOSITE HACKS. We are hackers who specialize in all kinds of legit hacking services. I'm really concerned about sharing my views on this advert because many people now don't know who to ask for help anymore, but there's really an actual solution to that which I am giving you for free. Don't go for the cheap ones, which I know you understand what I'm saying, like hackers using gmail and other cheaper email accounts that could be easily hacked, you know; why would a REAL HACKER want to use something that brings out his vulnerabilities? It's really so sad that they even lack creativity to the extent that they show their frustrations to people. So you see they are really not who they say they are; they are just here to rip people off, and my advice really goes out to you looking for a real hacker, that's a heads up so that you would fall deep into their trap no more.

      * So hit me up to get to experience real life effective hacking Services, I Will Link you Up with some Legit Hackers That you never believed you could meet, such as FRANS ROSEN, BEN SADEGHIPOUR, PETER YAWORSKI, JOBERT ABMA, JACK CABLE and More.

      ✅CONTACT:
      * Email:
      compositehacks@cyberservices.com
      * Hire a Hacker!
      * Want faster service? Contact us!
      * HackerOne©️LLC 2018.
      * All Rights Reserved ®️

    2. 🌝 HAVE YOU LOST YOUR HARD EARNED MONEY TO A BINARY OPTION SCAM?? DO YOU WANT TO RECOVER IT ALL? DO NOT GIVE UP, I HAVE GOOD NEWS FOR YOU!!!

      First of all, in my opinion, Binary options trading is dead — though few will mourn it, but recovery is 100% possible and many fall for scams other than legit hackers.

      Dearly beloved readers. We are gathered here today to celebrate the passing of binary options, the much-hated financial instrument.

      🌟Traded by risk-hungry speculators, binaries brought riches to the few and hefty losses to the many. They inhabited that tantalising grey area between financial investment and gambling, luring us in with promises of mega returns and pictures of people on Twitter with Lamborghinis. Instead, most were left red-faced with empty pockets.

      🌟Many hundreds of people around the world are targeted each day by disreputable fraudulent brokers. They deliberately target novice investors in contravention of the trading regulations. In many cases the investors who are targeted are completely unfamiliar with the markets and do not recognise that they are dealing with a bogus trading platform. The fraudulent brokers rely on this lack of knowledge to extract as much money as possible before closing down the account, cutting all contact and disappearing. The hapless investor then begins to suspect that they have been scammed. The targeted individuals have frequently lost considerable sums of money and their beginner status means that they have little idea of where to turn for help. Now, investors like you run to an unknown hacker who is secretly a scammer to help recover your funds, of which you will be disappointed at the end.

      🌟We are a group of hackers called *HackerOne*. We consist of top skilled individual hackers coming together to render services to as many people out there on the common web, we all have operated in the dark web and have carried out classified job so we're bringing our skills here to the common web cause we know how difficult it is to access a service of a real hacker out here.

      🌟HackerOne has a track record of recovery in relation to financial fraud, with many strategies and tactics to compel the fraudulent broker to restore funds to their former clients, then extract your files and documents, Decrypt your Transaction Details and some Technical Hacking Procedures follows then you have your money recovered in Bitcoins.

      You Can Also Contact us for other Technical Hacking Services you desire Such as:
      * WEBSITE HACKING
      * PHONE HACKING (giving you Unnoticeable access to everything Happening on the Target’s Phone)
      * LOCATION TRACKING
      * CLEARING OF CRIMINAL RECORDS
      * SOCIAL MEDIA ACCOUNTS HACKING etc

      For further information, please contact us on our Email address below:
      >>
      hacktech@hackermail.com
      Cheers!!

    3. Money Transfer Service

      Bank Transfers / Western Union Transfer / Wire Transfer / Bank Logins / PayPal Transfer / Money Gram are now available to the following countries :

      USA, UK, EU, Canada, Australia, Russia, Netherlands, China, Malaysia, France, Thailand, Ukraine, Nigeria

      Our services are worldwide and we exclusively deal with Western Union / Money Transfer / Bank Logins / CVV, Fullz / Money Gram. The global nature of our service enables us to interact with clients all over the world who have access to our services. Our proxy dealers process your transfer request(s) and we subsequently provide you with the details of your transfers; the transactions are carried out in 1-2 hours. Our services are available 24/7/365 and we strive to build a strong relationship with our clients.

      Services We Provide to our valuable Clients:

      Bitcoin Transfer
      Wire Bank Transfer
      Paypal Transfer
      Western Union Transfer
      Skrill Transfer
      Carding
      Credit Card (cc) for sale
      Random CC for sale
      Fullz for sale
      Bank logins with High Balance selling
      Teaching
      GMAIL / Facebook
      Whatsapp / Instagram

      We also teach all types of hacking within a few days.
      We provide our work, then make a deal.
      Only serious / needy people contact us.

      Support 24/7

      Email - topley994@gmail.com

  2. This login bug is unacceptable. I was seriously scandalized by this when the news first appeared, and now that they are trying to fix it with updates, we need to think how messed up the development must be if things like that are present.
    https://macdownload.informer.com/Mac-Stories/macos-high-sierra-can-be-hacked-simply-by-typing-root.html
    Apple needs to be scrutinized.

    Replies
    1. Hello all
      I have been watching for a few years as some guys come into the market;
      they call themselves hacker, carder or spammer, they rip
      people off in different ways and it's a bad impact on real hackers.
      Now the situation is that people don't believe that real hackers and carders/spammers exist.
      Anyone who wants to make a deal with me, any type, I am available, but first
      I'll show the proof that I am real, then make a deal, like

      Available Services

      ..Wire Bank Transfer all over the world

      ..Western Union Transfer all over the world

      ..Credit Cards (USA, UK, AUS, CAN, NZ)

      ..School Grade upgrade / remove Records

      ..Spamming Tool

      ..keyloggers / rats

      ..Social Media recovery

      .. Teaching Hacking / spamming / carding (1/2 hours course)

      discount for re-seller

      Contact: 24/7

      fixitrogers@gmail.com

  3. I sincerely didn’t like the idea, but this is my way of saying thank you to the Quora user that recommended a hacker (ETHICALHACKERS009@GMAIL.COM)

    I hired him for a very private and difficult matter of helping me hack my spouse's phone and social networks and some other personal stuff, and he far exceeded my expectations. Jeremie helped me get the info (whatsapp, facebook, text messages, call logs etc) faster and cheaper than I had imagined. The first time we spoke, we had a very long phone consultation in which he gave me all the options that he could think of to resolve my case, and he even recommended I try other options before hiring him, which shows that he is honest. I decided to hire him and I am glad I did. He is a fantastic investigator and a great person. If you need a professional, reliable and efficient hacker, then you should contact this guy ; ETHICALHACKERS009@GMAIL.COM
    You can also call him or send him a text +16692252253


  4. 24 hours ago I saw a recommendation about cyberprofessionalhacker@gmail.com and I took the risk to hire him for the job I
    wanted done, and to my surprise he delivered to me with no stress, and he even gave me proof of his
    prowess before I issued payment. I am so happy that finally I got what I have been searching for for a long time.
    You can call them or send them an email cyberprofessionalhacker@gmail.com whatsapp:+1 (518) 418-1598

  5. Official Cockfighting 2018, click here
    cheat games online
    http://www.sateayam.net/

    here!
    and get everything about cockfighting only here www.Sateayam.org

    https://siswaburung.tumblr.com/post/175224462531/type-ayam-aduan-super-di-sabung-ayam-on-line

  6. The Right Steps To Train A Fighting Cock Into A Fearsome Champion Fighting Cock, Click Here

    The Best And Most Trusted Online Cockfighting Agent http://www.bakarayam.co

    Information Portal About Cockfighting

    http://bakarayam330033.webstarts.com/blog/post/mengulas-lebih-dekat-ciri-ayam-philipin-yg-bagus/

  7. I never knew it was possible until a friend of mine who is studying computer science at the Massachusetts Institute of Technology told me about these Chinese computer geniuses he knew, Soft tech geeks. They helped me clone a credit card to my dad's account and now I can spend Dad's money without him knowing. Contact them for any tech job you need. softtechgeeks@gmail.com

  8. Welcome
    S1288poker.com
    We provide a variety of interesting games for you, and while you play we also provide various attractive bonuses for you. Curious?
    Click the link below:
    Online Gambling Site
    Ceme Dealer
    Online Ceme
    Ceme 99
    Qiu Ceme
    For more information please use the contact below
    Contact Person :
    WA : 087782869981
    BBM - 7AC8D76B

  9. If you think your spouse may be cheating, you can contact PHONESPYAPPS1@GMAIL.COM
    He’s a real hacker and was very reliable in helping me spy on my cheating husband’s cell phone remotely.

  10. Best Cockfighting Agent in Indonesia AGENS128.
    Sbobet Indonesia Football Agent
    Sbobet Alternative Link
    Contact us:
    BBM : D8B84EE1 / AGENS128
    Line id : agens1288
    WhatsApp : 0877-8922-1725
    Telegram : AgenS128 / https://t.me/AgenS128

  11. Hi,

    thanks for the great article, and also visit for more :

    http://www.techtrick.in/PenetrationTestingToolKaliLinux.aspx

  13. Hello, are you in need of hacking services? Then contact
    HACKINTECHNOLOGY@GMAIL.COM
    +16692252253

    He is a certified hacker who will always give full proof. If you need to
    *hack into email accounts,
    *all social media accounts,
    *school database to clear or change grades,
    *bank accounts,
    *company records and systems,
    *DUIs
    He is really the best. His services are affordable. Don't waste your time with fake hackers
    + Credit cards hacker
    + We can drop money into bank accounts.
    + credit score hack
    + blank credit card sale
    + Hack and use Credit Card to shop online
    + Monitor any phone and email address
    + Tap into anybody's call and monitor their
    conversation

    Replies
    1. HACKINTECHNOLOGY@GMAIL.COM

      scammer
      scammer

  14. Guys, it is no longer questionable when it comes to (HACKING). I am good at what I do: hacking.

    I am tired of showing you guys a list of what I do and am good at; no matter what it is you WANT, just bring it on and I will hack it for you.

    All you need do is just email:- pointekhack@gmail.com and your job shall be done with a 100%✓ guarantee

  16. IF YOU NEED TO HACK OR CLONE SOMEONE'S PHONE AND DEVICES, I'LL RECOMMEND ' QUADHACKED @ G MAIL .COM '
    If you need to hack into someone's phone for any reason I'll recommend QUADHACKED. I was getting into a relationship with someone I was quite older than, and I was so unsure. I hired an ethical hacker to help me clone his whatsapp, facebook messenger and a few other of his social devices. I couldn't believe my eyes; if he was occasionally cheating it would've been manageable really, but he was jumping from one woman to another, always complaining he's broke and working on something. I hired them based on recommendations I got from a friend he helped hack into her teenage son's phone. QUADHACKED @ GMAIL. COM is the contact address; he helped me a lot more times but I can't let out on here. For your hacking exploits I recommend


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC