CVE-2017-13872
published 2017-11-29


Priority: P269 (high)
CVSS 3.0: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 36.89% (98.3rd percentile)
An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name.

Affected (4 ranges)

Vendor  Product                                                                           Version range  Fixed in
apple   mac_os_x
apple   mac_os_x
apple   macos_high_sierra_10.13.2_security_update_2017-002_sierra_and_security_update_20
apple   security_update_2017-001

Detection & IOCs (extracted from sources)

command: osascript -e 'do shell script "#{root_payload}" user name "root" password "" with administrator privileges'
path: /private/var/db/dslocal/nodes/Default/users/root.plist
command: SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;
command: SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "accountPolicyData";
command: sudo plutil -p /private/var/db/dslocal/nodes/Default/users/root.plist
  • Monitor for the root account being enabled on macOS High Sierra. While root is disabled, the passwd key in root.plist holds the one-character placeholder "*"; once the account is enabled (with a blank password, in the exploit case) the value becomes longer and a ShadowHashData entry appears. Use osquery against /private/var/db/dslocal/nodes/Default/users/root.plist to flag a passwd value longer than one character, as in the query above.
  • Check passwordLastSetTime inside the accountPolicyData blob of root.plist (the blob is itself a binary plist) to establish when root was enabled; a timestamp nobody can account for points to exploitation.
  • Look for SSH or VNC sessions in which a non-privileged user supplies the root user name with an empty password: the first such attempt fails but enables the root account, and the second attempt succeeds.
  • Hosts running macOS High Sierra with Screen Sharing or Remote Management (VNC/ARD) enabled can be exploited over the network; audit unpatched hosts for these services being active.
  • The Metasploit exploit module targets macOS 10.13.1 High Sierra x64 only and defaults to the osx/x64/meterpreter_reverse_tcp payload; adjust payload and target as needed.
  • Security Update 2017-001 must be reapplied after upgrading from 10.13.0 to 10.13.1: a host patched on 10.13.0 and then upgraded reverts to the vulnerable state until the update is installed again.
  • The osquery detection queries must run with root privileges (the osqueryd daemon, or osqueryi under sudo); an unprivileged ad-hoc osqueryi invocation cannot read root.plist.
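The checks above can be run offline against a copy of root.plist pulled during incident response (sudo cp of the file to the analysis host), without a running osquery daemon. The following is an added example, not code from the page, from osquery or from Apple: it applies the same indicators in Python (passwd placeholder longer than "*", presence of ShadowHashData, passwordLastSetTime in accountPolicyData) and additionally recomputes the PBKDF2 hash to confirm that root's password is actually empty, which the osquery rule alone cannot tell. It assumes, as labelled in the comments, that dslocal wraps every attribute in a list, that ShadowHashData is a binary plist with a SALTED-SHA512-PBKDF2 entry holding entropy, salt and iterations, and that accountPolicyData is a binary plist carrying passwordLastSetTime as epoch seconds. The two sample records are constructed for the example, not real captures.

```python
import hashlib
import hmac
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Path the page's osquery/plutil checks read (root is required to open it).
DSLOCAL_ROOT = "/private/var/db/dslocal/nodes/Default/users/root.plist"


def _first(record, key):
    """Assumption: dslocal wraps every attribute in a list; return its first element."""
    value = record.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def shadow_hash_matches(shadow_blob: bytes, candidate: str) -> bool:
    """Recompute the SALTED-SHA512-PBKDF2 entropy for `candidate` and compare.

    Assumption: ShadowHashData is a binary plist whose SALTED-SHA512-PBKDF2
    entry holds `entropy`, `salt` and `iterations`.
    """
    params = plistlib.loads(shadow_blob).get("SALTED-SHA512-PBKDF2")
    if not params:
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha512", candidate.encode(), params["salt"],
        int(params["iterations"]), dklen=len(params["entropy"]),
    )
    return hmac.compare_digest(derived, params["entropy"])


def analyze_root_plist(blob: bytes) -> dict:
    """Apply the page's indicators to one root.plist (binary or XML plist)."""
    record = plistlib.loads(blob)
    passwd = _first(record, "passwd")
    shadow = _first(record, "ShadowHashData")
    # Same test as the osquery rule: a disabled root carries the one-character
    # placeholder "*"; anything longer means a password slot has been written.
    enabled = isinstance(passwd, str) and len(passwd) > 1
    blank = isinstance(shadow, bytes) and shadow_hash_matches(shadow, "")
    last_set = None
    policy_blob = _first(record, "accountPolicyData")
    if isinstance(policy_blob, bytes):
        ts = plistlib.loads(policy_blob).get("passwordLastSetTime")
        if ts is not None:
            last_set = datetime.fromtimestamp(float(ts), tz=timezone.utc)
    return {
        "root_enabled": enabled,
        "blank_password": blank,
        "password_last_set": last_set,
        "likely_cve_2017_13872": enabled and blank,
    }


# --- Constructed samples (not real captures) so the checks run offline. ---
SAMPLE_SALT = bytes(range(32))
SAMPLE_ITERATIONS = 25_000  # real hosts use a larger, per-install count


def make_shadow_hash(password: str, salt: bytes = SAMPLE_SALT,
                     iterations: int = SAMPLE_ITERATIONS) -> bytes:
    """Build a ShadowHashData blob in the layout shadow_hash_matches() expects."""
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=128)
    return plistlib.dumps(
        {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "salt": salt, "iterations": iterations}},
        fmt=plistlib.FMT_BINARY,
    )


def make_root_record(passwd: str, shadow: Optional[bytes], policy: Optional[dict]) -> bytes:
    """Serialise a dslocal-style root record (every attribute wrapped in a list)."""
    record = {"name": ["root"], "uid": ["0"], "gid": ["0"],
              "home": ["/var/root"], "shell": ["/bin/sh"], "passwd": [passwd]}
    if shadow is not None:
        record["ShadowHashData"] = [shadow]
    if policy is not None:
        record["accountPolicyData"] = [plistlib.dumps(policy, fmt=plistlib.FMT_BINARY)]
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


SAMPLE_DISABLED = make_root_record("*", None, None)
SAMPLE_EXPLOITED = make_root_record(
    "********", make_shadow_hash(""),
    {"creationTime": 1511913600.0, "passwordLastSetTime": 1511913600.0,
     "failedLoginCount": 0},
)

if __name__ == "__main__":
    for label, blob in (("disabled", SAMPLE_DISABLED), ("exploited", SAMPLE_EXPLOITED)):
        print(label, analyze_root_plist(blob))
```

To run it on a real file, read DSLOCAL_ROOT (copied out with root privileges) and pass the bytes to analyze_root_plist; the PBKDF2 verification is what distinguishes "root enabled by an administrator" from "root enabled with an empty password", which is the state this bug leaves behind.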

CVSS provenance

NVD v3.0: 8.1 HIGH  CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.3 HIGH  AV:N/AC:M/Au:N/C:C/I:C/A:C