nessus
This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
MACOSX_HIGH_SIERRA_EMPTY_ROOT_PASSWORD.NASL
History: Nov 28, 2017 - 12:00 a.m.

MacOS 10.13 root Authentication Bypass (Security Update 2017-001)

2017-11-28 00:00:00
This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

The remote host is running a version of MacOS 10.13 or 10.13.1 that is missing a security update. It is, therefore, affected by a root authentication bypass vulnerability. A local attacker or a remote attacker with credentials for a standard user account has the ability to blank out the root account password. This can allow an attacker to escalate privileges to root and execute commands and read files as a system administrator.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata registration branch. When `description` is set, the script only
# declares its identifiers, references, scoring and prerequisites, then
# exits via exit(0) at the end of this block without running any check.
if (description)
{
  script_id(104814);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  # Identifiers for cross-referencing the finding with advisories and feeds.
  script_cve_id("CVE-2017-13872");
  script_bugtraq_id(101981);
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2017-11-29-1");

  script_name(english:"MacOS 10.13 root Authentication Bypass (Security Update 2017-001)");
  script_summary(english:"Checks for the presence of Security Update 2017-001.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a version of MacOS that is affected by
a root authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of MacOS 10.13 or 10.13.1 that
is missing a security update. It is, therefore, affected by a root
authentication bypass vulnerability. A local attacker or a remote
attacker with credentials for a standard user account has the ability
to blank out the root account password. This can allow an attacker to
escalate privileges to root and execute commands and read files as a
system administrator.");
  # Each see_also value below is a shortened nessus.org link; the comment
  # above it records the destination it is meant to resolve to.
  # https://objective-see.com/blog/blog_0x24.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2cf4b55a");
  # https://twitter.com/lemiorhan/status/935578694541770752
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ff9ff45");
  # https://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e5890f3");
  # https://www.theverge.com/2017/11/28/16711782/apple-macos-high-sierra-critical-password-security-flaw
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f367aab4");
  # https://support.apple.com/en-us/HT204012
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f9f9bbc3");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT208315");
  # The solution text lists two remediations: the patch, or enabling root
  # with a strong password as a workaround.
  script_set_attribute(attribute:"solution", value:
"Install Security Update 2017-001 or later. Alternatively, enable the
root account and set a strong root account password.");
  # Scoring is attributed to the CVE entry (see cvss_score_source below).
  # NOTE(review): the base vectors rate the issue as network-reachable with
  # no authentication or privileges (AV:N with Au:N / PR:N), while the
  # description text above speaks of a local attacker or a remote attacker
  # who already holds standard-user credentials. Confirm which exposure
  # model applies to your environment before prioritising on score alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-13872");

  # Exploit-maturity attributes: public exploit code exists, including a
  # Metasploit module, which is consistent with the E:F temporal metric.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Mac OS X Root Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  # The plugin was published on the disclosure date, one day before the
  # patch publication date recorded here.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/11/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/28");

  # Declared as a local check; two CPE names are registered for the OS.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: depends on ssh_get_info.nasl and requires the two KB keys
  # that the check code after this block reads.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");

  # Stop here in description mode; nothing after this block runs.
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");

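# Credentialed local check for Security Update 2017-001.
#
# Flow: confirm local checks are enabled, confirm the host is macOS 10.13 /
# 10.13.0 / 10.13.1, read the opendirectoryd build version from the target,
# and report the host when that version is older than the fixed build for
# its OS release.
#
# Scope caveat: the verdict is based only on the opendirectoryd version. It
# does not inspect the root account, so a host that applied the workaround
# from the solution text (root enabled with a strong password) but not the
# update is still reported as missing the update.
enable_ssh_wrappers();

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

os = get_kb_item_or_exit("Host/MacOSX/Version");

# Accept "10.13", "10.13.0" and "10.13.1" only. The previous pattern's
# "[^0-9]" alternative also matched the dot in "10.13.2" and later, letting
# out-of-scope releases through the OS gate; excluding "." after the
# optional ".0"/".1" component makes the gate agree with the audit message.
if (!preg(pattern:"Mac OS X 10\.13(\.[01])?([^0-9.]|$)", string:os))
  audit(AUDIT_OS_NOT, "Mac OS X 10.13 / 10.13.1");

patch = "2017-001";
ver = UNKNOWN_VER;

# `what` prints the identification strings embedded in the binary; the
# build version is taken from the "PROJECT:opendirectoryd-<version>" tag.
cmd = "what /usr/libexec/opendirectoryd";
result = exec_cmd(cmd:cmd);

# Require a leading digit so an empty capture (tag present, version missing)
# is treated as an unknown version instead of being compared as "".
matches = pregmatch(pattern:"PROJECT:opendirectoryd-([0-9][0-9.]*)", string:result);
if (!isnull(matches) && !isnull(matches[1]))
  ver = matches[1];

# Without a version there is nothing to compare; report that explicitly
# instead of producing a verdict.
if (ver == UNKNOWN_VER)
  audit(AUDIT_UNKNOWN_APP_VER, "opendirectoryd");

# The fixed opendirectoryd build differs per OS release.
if (preg(pattern:"Mac OS X 10\.13\.1([^0-9]|$)", string:os)) # 10.13.1
  fix = "483.20.7";
else # 10.13 / 10.13.0
  fix = "483.1.5";

if (ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)
{
  report = '\n  Missing security update : ' + patch +
           '\n  opendirectoryd version  : ' + ver +
           '\n  Fixed version           : ' + fix +
           '\n';
  security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);
}
else
  audit(AUDIT_INST_VER_NOT_VULN, "opendirectoryd", ver);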
Vendor | Product | Version | CPE
apple | mac_os_x | | cpe:/o:apple:mac_os_x
apple | macos | | cpe:/o:apple:macos
