UPDATE – Apple released the security patch for the bug:
The security fate discovered in MacOS High Sierra by Lemi Orhan Ergin is so serious that it is hard to believe it’s real: you can become root without typing a password.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
An attacker can then take full control of the system, and in some cases also via the Internet.
The bug can be triggered via the authentication dialog box which prompts you for an administrator’s username and password when you need to do stuff that needs privileges escalation.
If you type in “root” as the username, leave the password box blank, hit “enter” and then click on unlock a few times, the prompt disappears you now have gained admin rights. The bug works also on the user login screen.
Here a video demonstration:
Is there a patch?
Not yet, Apple working on a patch and has just now published a guide to enabling the root account and setting a non-blank password for it:
- Choose Apple menu () > System Preferences, then click Users & Groups (or Accounts).
- Click , then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility, choose Edit > Change Root Password…
- Enter a root password when prompted.
Furthermore, some workarounds comes also from security researchers on twitter:
If not, you can fix via cmd line:
sudo dscl . delete /Users/root AuthenticationAuthority
sudo dscl . -create /Users/root Password '*'
sudo dscl . -create /Users/root UserShell /usr/bin/false
— ericjboyd (@ericjboyd) November 28, 2017
$ osascript -e 'do shell script "id" with administrator privileges user name "root" password ""'
uid=0(root) gid=0(wheel) egid=20(staff) groups=0(wheel) [..]
— Valerio Mulas (@drakkars) November 28, 2017