UPDATE - Apple released the security patch for the bug:

https://support.apple.com/en-us/HT208315


The security flaw discovered in macOS High Sierra by Lemi Orhan Ergin is so serious that it is hard to believe it's real: you can become root without typing a password.

https://twitter.com/lemiorhan/status/935578694541770752

An attacker can then take full control of the system, and in some cases also via the Internet.

The bug can be triggered via the authentication dialog box that prompts you for an administrator's username and password when you need to do something that requires privilege escalation.

If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and you have gained admin rights. The bug also works on the user login screen.

Here is a video demonstration:

https://www.youtube.com/watch?v=ErXwuf_OUko

 

Is there a patch?

Not yet. Apple is working on a patch and has just published a guide to enabling the root account and setting a non-blank password for it:

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click the lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click the lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility, choose Edit > Change Root Password…
  8. Enter a root password when prompted.

https://support.apple.com/en-us/HT204012
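
To confirm from Terminal whether the steps above have been applied, the root record can be read with `dscl`; the following is an added example, not part of Apple's guide. It assumes that a never-enabled root shows `Password: *` with no ShadowHash entry, and both sample outputs are constructed. The check cannot tell whether an enabled root has a blank password, so an "enabled" result on a machine where nobody followed the guide deserves investigation.

```shell
#!/bin/sh
# Added example: classify the local root account from the text printed by
#   dscl . -read /Users/root Password AuthenticationAuthority
# Assumption: a root account that was never enabled has Password "*" and
# no ShadowHash entry in AuthenticationAuthority.

# classify_root_record TEXT -> prints "enabled", "disabled" or "unknown"
classify_root_record() {
    rec=$1
    # Value of the Password attribute ("*" means no usable password hash).
    pw=$(printf '%s\n' "$rec" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    if printf '%s\n' "$rec" | grep -q 'ShadowHash'; then
        # A password hash exists: root can log in. Verify this was done on
        # purpose (the guide above) and that the password is not blank.
        echo enabled
    elif [ "$pw" = "*" ]; then
        # Root was never enabled: the workaround has not been applied.
        echo disabled
    else
        # Output did not match either expected shape; inspect it by hand.
        echo unknown
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED='Password: *
No such key: AuthenticationAuthority'
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# On a Mac, classify the live record; on other systems this does nothing.
if command -v dscl >/dev/null 2>&1; then
    classify_root_record \
        "$(dscl . -read /Users/root Password AuthenticationAuthority 2>&1)"
fi
```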

Furthermore, some workarounds also come from security researchers on Twitter:

https://twitter.com/ericjboyd/status/935628606310572032

https://twitter.com/drakkars/status/935641430046932994?ref_src=twsrc%5Etfw


References