Whole Disk Encryption and the dscl password bug in OS X

There has been some lively discussion at MacInTouch about a problem with Lion systems and being able to change the password of a user without verification via dscl(1), and what that means, and I’ve attempted to explain it.

I submitted this as a Reader Report but am archiving here as well.

Gregory Tetrault writes:

Lion’s whole disk encryption feature has a password-related security flaw that should be fixed ASAP.

Not at all.

From the article:

Key phrase is “currently logged in user”. You must be an authenticated user of the target system in order to leverage this type of attack. WDE is already invalidated at that point.

I dated in high school, what does this mean?

For the non-nerds out there who are wondering what we’re talking about:

When you log in to a Lion system running FileVault 2 WDE (whole-disk encryption), it uses your password and then opens the encrypted volume. You have to authenticate by logging in to do that.

Upon entering your own private Groundhog Day where Lion dutifully resumes your previous session and your home directory is available and your Farmville animals or Malcontent Avians are waiting for you, you have unlocked the whole-disk encryption. That encrypted volume (courtesy of the new Core Storage logical volume manager technology in Lion) has been mounted.

This means you have already unlocked the disk and already have access to the filesystem. Once you are logged in to a Lion system using FileVault 2’s WDE, you have unlocked the disk.

So at that point, you can leverage this bug/flaw what-have-you and dump hashes for other users of your Mac to crack later, or change the password on your account without knowing what it is. This would allow someone else to then login with that password that they have changed it to, BUT it requires them to have access to an active session with you logged in.

This doesn’t mean strangers can access your Mac if they steal it. It means if you are successfully logged you can change your password without knowing what it is.


Log out or shut down. Your disk isn’t locked unless you’re not holding it open. Once you’re logged in, any process can access the filesystem limited only by ACLs and file permissions. It is encrypted on-disk but the volume you open upon login is the unencrypted creamy center.

The real danger

The real threat or attack vector this presents is this:

  • Malicious software that you install (MacDefender) and provide your credentials to can then change your password and use that to escalate privileges via UNIX sorcery (i.e. sudo(8)) and do bad things without knowing your password because it can change it to something else, then use that to become the super-user with full permissions to do everything. This is a serious problem.
  • Unpatched and vulnerable software such as your Flash Player you haven’t updated since the Bush administration can be manipulated into executing code without you knowing about it. This is also a problem because it can do the same thing mentioned above — force super-user by forcing a password and then doing whatever they want.

When you read a vulnerability notice or security bulletin and see the phrase “execute arbitrary code”, that means “feed whatever malicious software we want onto the system”, and that is precisely what can happen on your Mac if you install software that is malicious (like MacDefender) or when you have exploitable software on your Mac.

How can I stay safe?

“Gosh, Emory, I want to be sure my browser isn’t back-stabbing me every time I play the Facebooks!”

Well you’re in luck! You can use a tool like the Qualys Browser Check[1] to ensure your plugins are all up-to-date.

If they’re not current, they’re likely vulnerable, and you’re leaving yourself open to miscreants and villains.

Staying current on software patches isn’t just for the enterprise. The majority of compromised systems on the Internet are small business, residential home users.

FWIW I strongly recommend (to everyone that listens) that if you aren’t going to stop using Adobe Flash entirely, remove every instance of it from your Mac (Internet Plug-ins folders in /Library and ~/Library) and install Google Chrome and use that for Flash sites. Google does a much better job than you do at keeping the Flash plugin current. Certainly better than Adobe does at any rate.

Hopefully I have managed to avoid the rage of my fellow neck-beards in the nerdery while still explaining to others the situation. It isn’t the end of the world, you do however need to follow best practices.

Log out when not in use. Require passwords. Disable auto-login. Install patches regularly. Practice good hygiene.

[1] https://browsercheck.qualys.com/