CVE-2017-13872
Published 2017-11-29. CVE-2017-13872: An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility"…
Priority: P269 · Severity: high · CVSS 3.0 base score: 8.1
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 36.89% (98.3th percentile)
An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | macos_high_sierra_10.13.2_security_update_2017-002_sierra_and_security_update_20 | — | — |
| apple | security_update_2017-001 | — | — |
Detection & IOCs (extracted from sources)
- Command (exploit-side indicator, from the Metasploit module): `osascript -e 'do shell script "#{root_payload}" user name "root" password "" with administrator privileges'`
- Command (osquery, root account enabled): `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;`
- Command (osquery, account policy data): `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "accountPolicyData";`
- Monitor for root account enablement with a blank password hash on macOS High Sierra. Use osquery against /private/var/db/dslocal/nodes/Default/users/root.plist to check for a passwd key with length <= 1 (blank password).
- Check the passwordLastSetTime field in root.plist accountPolicyData to identify when the root account was unexpectedly enabled, which may indicate exploitation.
- Detect exploitation attempts via SSH or VNC sessions where a non-privileged user attempts to run commands as root with a blank password. The first attempt fails but enables the root account; the second attempt succeeds.
- Organisations with Screen Sharing or Remote Management (VNC/ARD) enabled on macOS High Sierra are remotely exploitable; audit for these services being active on unpatched hosts.
- The Metasploit exploit module targets macOS 10.13.1 High Sierra x64 only and uses the osx/x64/meterpreter_reverse_tcp payload by default; adjust payload and target accordingly.
- Applying Security Update 2017-001 and then upgrading to macOS 10.13.1 requires the security patch to be reapplied, otherwise the system reverts to a vulnerable state.
- osquery detection queries require the osquery daemon to be running as root (sudo); ad-hoc non-privileged osquery invocations will not have access to the root.plist.
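A stand-alone check for the two root.plist indicators listed above (an added example, not code from any of the sources on this page): it decodes the plist with plistlib, flags a passwd value longer than the single "*" a disabled root carries, and reports passwordLastSetTime from each accountPolicyData blob. The sample records are constructed; the accountPolicyData layout (a list of embedded plists holding a passwordLastSetTime timestamp) is an assumption about the on-disk format.

```python
import plistlib
from datetime import datetime, timezone

ROOT_PLIST = "/private/var/db/dslocal/nodes/Default/users/root.plist"


def policy_records(user):
    """Decode each accountPolicyData blob (assumed to be an embedded plist)."""
    out = []
    for blob in user.get("accountPolicyData", []):
        try:
            out.append(plistlib.loads(blob))
        except Exception:  # unreadable blob: keep going, report nothing for it
            out.append({})
    return out


def check_root_record(user):
    """Return a list of findings for one decoded root.plist dictionary."""
    findings = []
    # A disabled root account carries "*" as its password field; anything
    # longer means root has been enabled (same test as length(value) > 1).
    if any(len(pw) > 1 for pw in user.get("passwd", [])):
        findings.append("root account enabled: passwd hash present")
    for rec in policy_records(user):
        ts = rec.get("passwordLastSetTime")
        if ts:
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
            findings.append(f"root password last set at {when}")
    return findings


def audit_root_plist(path=ROOT_PLIST):
    """Read the live plist; must run as root, the dslocal node is not world-readable."""
    with open(path, "rb") as fh:
        return check_root_record(plistlib.load(fh))


# Constructed sample records standing in for real root.plist contents.
DISABLED_ROOT = {"name": ["root"], "uid": ["0"], "passwd": ["*"]}
ENABLED_ROOT = {
    "name": ["root"], "uid": ["0"], "passwd": ["********"],
    # 1511827200 is 2017-11-28T00:00:00Z, the day the bug was reported
    "accountPolicyData": [plistlib.dumps({"passwordLastSetTime": 1511827200.0})],
}

if __name__ == "__main__":
    for label, rec in (("disabled", DISABLED_ROOT), ("enabled", ENABLED_ROOT)):
        print(label, check_root_record(rec) or ["no findings"])
```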
CVSS provenance
- NVD, CVSS v3.0: 8.1 HIGH, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
Apple
CVE-2017-13872 [HIGH]: macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
vendor_apple · 2017-12-06 · CVSS 8.1
Apple Security Update: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
Product: macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
CVE: CVE-2017-13872
Apple
CVE-2017-13872 [HIGH]: Security Update 2017-001
vendor_apple · 2017-11-29 · CVSS 8.1
Apple Security Update: About the security content of Security Update 2017-001
Product: Security Update 2017-001
CVE: CVE-2017-13872
GHSA
GHSA-69wx-h62r-474c [HIGH] (CWE-287): An issue was discovered in certain Apple products
ghsa_unreviewed · 2022-05-14 · CVE-2017-13872
No detection rules found.
Exploit-DB
Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit)
exploitdb · 2017-11-30 · CVE-2017-13872
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mac OS X Root Privilege Escalation',
      'Description'    => %q{
        This module exploits a serious flaw in MacOSX High Sierra.
        Any user can login with user "root", leaving an empty password.
      },
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ],
          [ 'URL', 'https://news.ycombinator.com/item?id=15800676' ],
          [ 'URL', 'https://forums.developer.apple.com/thread/79235' ],
        ],
      'Platform'       => 'osx',
      'Arch'           => ARCH_X64,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp',
        },
      'Sess
```
Exploit-DB
Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation
exploitdb · 2017-11-28 · CVE-2017-13872
---
## Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235
"Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?"
## Proof: https://twitter.com/patrickwardle/status/935608904377077761
## Mitigation/Detection/Forensic: https://news.ycombinator.com/item?id=15800676
- Can be mitigated by enabling the root user with a strong password
- Can be detected with `osquery` using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;`
- Yo
Metasploit
Mac OS X Root Privilege Escalation
metasploit
This module exploits a serious flaw in MacOSX High Sierra. Any user can login with user "root", leaving an empty password.
Metasploit
Apple Remote Desktop Root Vulnerability
metasploit
Enable and set root account to a chosen password on unpatched macOS High Sierra hosts with either Screen Sharing or Remote Management enabled.
Tenable
Detecting macOS High Sierra root account vulnerability (CVE-2017-13872)
blogs_tenable · 2017-11-29 · CVSS 8.1 · CVE-2017-13872 [HIGH]
# Detecting macOS High Sierra root account vulnerability (CVE-2017-13872)
Cody Dumont
November 29, 2017
4 Min Read
On November 28, 2017 a software developer (Lemi Orhan Ergin) reported a critical flaw in macOS High Sierra which allows any local user to log in as root without a password after multiple attempts. The vulnerability was originally thought to only be exploitable if you had physical access to the computer, but our researchers have been able to exploit this vulnerability to elevate privileges over an authenticated Secure Shell (SSH) session using a lower privileged account and remotely using Virtual Network Computing (VNC) if screen sharing is enabled.
### Understanding the Root Cause
Patrick Wardle provides a very in-depth discussion on the root cause (no
References
- http://www.securityfocus.com/bid/101981
- http://www.securitytracker.com/id/1039875
- https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/
- https://github.com/rapid7/metasploit-framework/pull/9302
- https://objective-see.com/blog/blog_0x24.html
- https://support.apple.com/HT208315
- https://support.apple.com/HT208331
- https://www.exploit-db.com/exploits/43201/
- https://www.exploit-db.com/exploits/43248/
- https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/
Published: 2017-11-29