Mac OS X Lion (10.7) has been found to suffer from password flaws that allow underprivileged users access to password hashes of other users. Researcher Patrick Dunstan revealed this on the defense in depth blog, along with the fact that redesign of OS X’s authentication scheme does not require the user to supply a password to change the password for the current user, which was previously the norm with UNIX systems.
The password information for all users under OS X is stored in shadow files (hash databases), with users having individual shadow files. The content of the shadow files is only, or should only be, accessible to users with super-user rights. However, under OS X 10.7, while non-root users cannot directly access OS X shadow files, they are still able to see the password hashes by directly extracting data from the Directory Services listing.
While this is not a privilege escalation flaw, it could be exploited to serve the same purpose, says Dunstan. Given that OS X 10.7 allows the logged on user to directly change the password, attackers can now change the password for current users once they manage to get shell access. Privileges can subsequently be escalated to root through a simple sudo –s command. For non-root users, attackers can still extract the password hashes for cracking later, using the directory services command line (dscl) utility.
Changing the password can have severe consequences to users, especially if they are using OS X’s FileVault 2 file encryption technology. Loss of their admin passwords means that users may potentially lose access to their entire data.
In the absence of a patch, Dunstan recommends that users limit standard access to the dscl utility. The full blog-post can be read at the defense in depth blog. Experts believe that it is a good practice to not leave a Mac logged-in and unattended, as well as enable the screensaver with a password prompt. Disabling auto-logon is yet another recommended practice.