UPDATE: Please see https://macmule.com/2017/11/30/imaroot-its-fixed-somethings-broken-fixed-that-now-too/
Earlier tonight I was pointed to a tweet that seemed to show an easy way for people on High Sierra to simply enable root.
Well, the vuln is real. See below for a link to a fix for the issue whilst we wait for Apple to push a High Sierra update.
In the beginning…
— macmule (@macmuleblog) November 28, 2017
Which OSes are vulnerable?
macOS 10.13, 10.13.1, 10.13.2 b1-5, with root not enabled & therefore no root password set.
The following from Rich Trouton is a nice mitigation for this issue:
The root account currently needs to stay enabled to stop the vulnerability; setting the shell is also a nice little extra level of security.
In messing around with this vulnerability, I stumbled over a method to exploit the vulnerability via AppleScript:
My bad, false blocks prefpane unlock, but it doesn't block:
do shell script "id" user name "root" password "" with administrator privileges
— Per Olofsson (@MagerValp) November 28, 2017
The good news is that it’s not all non-GUI; it seems that there is still a need to authenticate to an auth dialog (as shown below) BEFORE the root account is enabled.
Once authenticated as root with no password to the above, you’ll then be able to log in as root via the login window, screen sharing etc.
As mentioned, read Rich Trouton’s blog on this for mitigation.
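A defender-side audit of the conditions described above (a listed macOS version with root not enabled, versus root kept enabled with its shell changed), as an added example that is not code from this post or from Rich Trouton's. The function names, the verdict strings and the reading of the `dscl` output ("No such key" means root is disabled, a `ShadowHash` entry means it is enabled) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post. Assumption: a disabled root account
# has no AuthenticationAuthority attribute (dscl prints "No such key"), and an
# enabled one carries a ShadowHash entry.

# Versions the post lists. 10.13.2 covers betas b1-5 only; the post gives no
# build numbers, so that version is flagged for a manual build check.
version_status() {
    case "$1" in
        10.13|10.13.0|10.13.1) echo listed ;;
        10.13.2)               echo check-beta ;;
        *)                     echo not-listed ;;
    esac
}

# Classify root from `dscl . -read /Users/root AuthenticationAuthority` output.
root_status() {
    case "$1" in
        *ShadowHash*)    echo enabled ;;
        *"No such key"*) echo disabled ;;
        *)               echo unknown ;;
    esac
}

# Pull the shell path out of `dscl . -read /Users/root UserShell` output.
root_shell() {
    printf '%s\n' "$1" | sed -n 's/^UserShell:[[:space:]]*//p'
}

# assess VERSION AUTHAUTH_OUTPUT USERSHELL_OUTPUT -> one verdict line
assess() {
    ver=$(version_status "$1"); root=$(root_status "$2"); shell=$(root_shell "$3")
    if [ "$root" = enabled ]; then
        # Enabled does not prove a password exists: the bug itself enables
        # root with an empty password, so confirm an admin set this one.
        echo "ROOT-ENABLED shell=${shell:-unset} version=$ver: confirm password"
    elif [ "$ver" = not-listed ]; then
        echo "NOT-LISTED root=$root"
    elif [ "$root" = disabled ]; then
        echo "EXPOSED version=$ver: root disabled, no password set"
    else
        echo "UNKNOWN version=$ver: could not read root record"
    fi
}

# Live collection on a Mac; call audit_live by hand, nothing runs on load.
audit_live() {
    assess "$(sw_vers -productVersion)" \
        "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)" \
        "$(dscl . -read /Users/root UserShell 2>&1)"
}
```

A `ROOT-ENABLED` result on a machine where nobody deliberately enabled root is worth investigating rather than treating as mitigated.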