digg

Facebook Connect Join Digg About

Mac OS X Admin Hack

hackmac.org Here's a quick little hack on how to create an administrator account on Mac OS X Tiger without knowing the current administrator password and do not have the installation disks.

Who dugg this? Made popular Sep 4, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

131 Comments

show profanity settings
expand all
  • eridius, on 10/10/2007, -8/+120This article is just FUD. It's common knowledge that without physical security, you have no security. If someone has access to your computer to boot it into single-user mode, all bets are off and they can do whatever they want. Not even remotely close to a security hole.
  • kbro, on 10/10/2007, -5/+73Anyone who has used the OS X Open Firmware application to setup a master password is immune to anything like this.
  • cjstone, on 10/10/2007, -19/+84Even easier, just boot off the install CD, which has a password reset utility. There are ways to prevent even these methods, but if you have no physical security for you machine, you have other things to worry about (like just having the drives removed).
  • threemagic, on 10/10/2007, -5/+59Well it requires physical access to the machine...

    physical access to a machine = no security ... no matter what OS you use.
  • pbaehr, on 10/10/2007, -1/+39Ah, yes, our friend the ellipsis. The swiss-army knife of punctuation.
  • kbro, on 10/10/2007, -1/+35If you really want to be ultra secure using OS/X, do the following:
    1) Set an Open Firmware password (authenticates all but normal bootups)
    2) Turn on the encrypted virtual memory
    3) Turn on FileVault (encrypts user files)
  • colincornaby, on 10/10/2007, -1/+34Um, this hack doesn't make very much sense. If you're booting into single user mode, why would you need an admin account? And it's not a major security flaw. Every platform has a mode you can boot into before the user accounts are loaded. Do they think Vista or Linux are immune to the same problem? If you have physical access to the machine, there is nothing preventing you from just pulling the hard drive or smashing the machine with a hammer, both probably more effective and less time consuming...
  • sholt, on 10/10/2007, -0/+32Single user mode is a well known and useful administration mode, and a firmware password will prevent unauthorized users from booting into it.

    Any attacks to circumvent that fall into the realm of physical security or social engineering, and aren't really Apple's responsibility.
  • drewpost, on 10/10/2007, -2/+29Dude - Read the description - if you "do not have the installation discs". Most anyone interested in this article knows if you have install discs, it takes 2 seconds...
  • Avor, on 10/10/2007, -0/+21'tis the price you pay for being extremely anal and paranoid.
  • kalikkalik, on 10/10/2007, -1/+22True, but they do support OpenFirmware-style protection:
    http://docs.info.apple.com/article.html?artnum=106482
  • ZachPruckowski, on 10/10/2007, -0/+20EFI (which is what Intel Macs use in place of OpenFirmware) is as feature-full as Open Firmware (which is to say more featured and extensible than BIOS).

    Intel Macs come with a similar program to PPC macs that allows an EFI password to be set.
  • ffleming, on 10/10/2007, -2/+20That's not a hack, that's using single-user mode to add a new account.
  • darkphan, on 10/10/2007, -6/+24Open Firmware was/is a PowerPC based mac thing. The Intel based Mac's do not use Open Firmware.
  • ThreeDee912, on 10/10/2007, -1/+18Secure yes, but very very slow. I mean VERY slow.
  • inactive, on 10/10/2007, -0/+15There's an Intel version that, as far as I know, works the exact same way. I use it on my MacBook, and I know I now cannot boot from an OS X DVD without a password, so I would assume that the same applies to this vulnerability.
  • zydeco, on 10/10/2007, -4/+19***** that. First, let's get rid of this you->'u' crap before it really gets obnoxious. Oh wait, it HAS. Maybe all those '...' could be swapped with 'y' + 'o'
  • jkgm, on 10/10/2007, -0/+14Obviously you've never used Mac OS X's CLI. passwd doesn't work if NetInfo services aren't running, which they aren't in Single-User mode. And no, Mac OS X (or any Linux variant for that matter) doesn't store user accounts in /usr.
  • judicar, on 10/10/2007, -1/+13Right, and doing this trashes your netinfo database effectively deleting every other account on the system. Apparently the bar has been set pretty low for what constitutes a "hack" these days.
  • turpenine, on 10/10/2007, -0/+11if you have a lab of macs and you don't set a firmware password, you should get them all haxored.
  • mercurysquad, on 10/10/2007, -1/+12Buried. While it might seem cool, it is accepted in the world of security that if someone has physical access to your machine, all forms of security are nullified. The first step in making your machine secure is to prevent physical access to it. If I can get into the server room, I can smash the servers to pieces; there goes your security.

    edit: sorry didn't see colincornaby already said this above.
  • kbro, on 10/10/2007, -2/+13The article does not say anything about needing to know the master password.
  • Cymrubeats, on 10/10/2007, -3/+13"...and do not have the installation disks."

    At least read the description before commenting.
  • barius, on 10/10/2007, -2/+10Rather than sounding like a moron again next time, you might want to read the dozens of posts that were posted before yours.
  • bigsteve, on 10/10/2007, -1/+9It's not Spacebar, it's F8. And no new account is created, you're simply presented with the option to log in as local administrator. It's just that most Windows XP users don't know to change the default password for that account (usually just null) when they get their shiny new eMachine home from Best Buy or wherever.
  • doubleaught, on 10/10/2007, -0/+8If this was presented as a trick or utility I would digg it, calling it a hack is just wacko.

    This has a tiny amount of utility, for example in the rare case of having a ton of apps installed on a 'puter with no dvd drive running 10.4, and when the admin password has been forgotten - yet you need admin access and don't want to reinstall. Use this, create a new admin user, and use that to reset the password on the other admin account. Seem a little crazy? Well I said it was rare :P (plus, there are better/easier ways if you have the right tools, such as fw disk mode to another machine that does have a dvd drive)
  • fonik, on 10/10/2007, -0/+8Awesome! I just hacked Digg to show this comment by typing it in the comment box and hitting "Submit Comment."
  • ZachPruckowski, on 10/10/2007, -0/+7Yeah, but the point is that no OS can insure physical security. Hypothetically, I could install a "Blue pill" hypervisor under your OS, or mount your drive for reading and do whatever I want. Set-ups that require that a computer be secure from on-site alteration (ATMs, voting machines) are drastically different from PCs. Given 30 minutes with any PC, and it's crackable. That's not security.

    Security is defending a computer from being remotely hacked, or hacked by a user with only limited local privileges. If a user has single-user access (because no EFI/OF/BIOS password has been set) or can connect untrusted peripherals or can open the case, then they have as much access to the machine as its administrator does.
  • inactive, on 10/10/2007, -1/+7OS X is not OS/2 damn it! No /
  • jimmiejaz, on 10/10/2007, -0/+5Actually, with the BSD family (not sure about Linux, but I assume it's the same), you can set it so you need the root password to get into single mode. I'm unsure if OS X has this option too or not.
  • inactive, on 10/10/2007, -0/+5Stupid and too slow.
    1) Reboot, hold Apple-S to get into single-user
    2) Wait for all the text to finish printing, type in "sh /etc/rc"
    3) Type in "passwd root"
    4) Make a new password
    5) Type in "reboot"
    6) Log in with username "root" and whatever password you set

    This is usually the best way, since the account is called "System Administrator" by OS X and most people won't figure out someone has root on their box.
  • inactive, on 10/10/2007, -0/+5I thought hemorrhoids were the price you pay for extreme anal.
  • brutalentropy, on 10/10/2007, -0/+5or remove a stick of RAM and do a PRAM reset and it will ALWAYS change the password. 100 times out of 100.
  • Dumbledorito, on 10/10/2007, -1/+6I don't know about you guys, but I found the installation disks in another article.
  • h00ligan, on 10/10/2007, -0/+5since when is using single user mode hacking? either disable it, turn on file vault... or don't lose physical possession of your machine.
  • Fduch, on 10/10/2007, -2/+7Reminds me of Win95 login where you could just press Cancel to enter the system (default setting).
  • manitoba98xp, on 10/10/2007, -1/+6You can set an OpenFirmware (or EFI?) (depending on Mac model) password to prevent easy access to single-user mode. Linux has a similar features, as do most Unixes. It's an ultra-low-level mode. What if your authentication database is corrupted? What if you don't know the root password? (Heck, OS X and many other Unixes don't even have one set; the root account is locked out.) The point is, with physical access, virtually all security is moot.
  • 3leggedHorse, on 10/10/2007, -1/+6Yes grav F8 at boot up safe mode start and you can change passwords of other user accounts and login with their account. Or you can delete there account completley, just for the ***** of it. BIOS password can stop this though. Or you could use ophcrack.
  • wjanoch, on 10/10/2007, -0/+5By Design. Calling this a hack is like calling it hacking when you log in normally.

    Hackers have historically created tools to take over a system when they have physical access, it's always just been a matter of time, a very short time. Many hackers (maybe most) created these tools to fix things, not to crack into other people's systems. So Apple and others have designed their systems with the idea that a computer's normal setup should require special knowledge to reset, but not special tools.

    As mentioned by another here, Apple has gone beyond this by adding features to prevent others from gaining access to your information when the user or company decides it's better to risk looking access to it then to risk others gaining access (by using File Vault and Encrypted Memory).

    Hardware Passwords slow hackers down, but hardware settings can be forced back to default settings, sometimes w/o even opening the case. It's good if you are worried about someone sitting at your work desk, hacking the system while you're at lunch, but not walk away with your computer.

    And with Apple hardware especially, it's a really simple matter to pull a hard drive out of one system and put it in another Apple computer and it will boot perfectly. I've booted a MacBook CoreDuo (32 bit dual CPU) from a hard drive pulled from a MacBook Pro Core2Duo (64 bit dual CPU), and vice-versa. Until OS X 10.5 Leopard is released you will still need to have the same CPU architecture (PPC or Intel) on both systems.

    Wm
  • andrewcod, on 10/10/2007, -0/+5Not the exact same thing technically, but they have an equivelant, which is presented in the exact same way to the user. So, for all practical puropses, they do have it. I've got it on my MacBook Pro.
  • pmpk, on 10/10/2007, -0/+4Open Firmware password requires that you enter the password any time you want to boot to a different drive than the internal hard drive's default partition, as well as when you attempt to enter target disk mode.

    Of note, there is a way to reset/remove the Open Firmware (/EFI) password if you have the capability of opening the machine, similar to a PC's cmos reset.... and by opening I mean getting physical access to the RAM.
  • PaperMonkey, on 10/10/2007, -0/+4Now be nice guys... maybe he has Parkinson's or some other disorder that causes tremors... So whenever he tries to put a period at the end of a sentence he ends up with three...
  • sholt, on 10/10/2007, -1/+4one of many reasons: for remote access at a later time.
  • inactive, on 10/10/2007, -0/+3No. If the Open Firmware/EFI password is set then you cannot enter Single User Mode, nor can you boot from CD or enable Firewire Target Disk mode.
  • securitymonkey, on 10/10/2007, -0/+3For some added hilarity, use the 'chflags' command on /var/db/.applesetupdone.
    Set the file to 'immutable'.

    In recent versions of OSX I think 'rm' is smart enough to ask root to 'override' though. Back in the old days that provided some real interesting root shell history files:

    # rm /some/file

    Access Denied.

    # ???? WTFGAHDAMMIT IAMROOT

  • sholt, on 10/10/2007, -0/+3It's in every OS X Administration manual, Apple's own knowledge base ( http://docs.info.apple.com/article.html?artnum=106388 ), and has existed in some form in nearly every *NIX style OS since the 80s, if not before.

    Asking people not to talk about it is like asking people to not mention that a gun is fired by pulling the trigger.

    This is not anywhere near a plausible attack vector for home users, and any administrator in a position where this could be an issue should know how to use the proper tools to mitigate any realistic threat.
  • jkgm, on 10/10/2007, -1/+4No, no, and, oh, what? NO! This does not stomp on existing user accounts, unless you intentionally use the same short name. Even then, it only overwrites the one account that you used.
  • Angostura, on 10/10/2007, -0/+3Ah, thanks for that. It wasn't clear to me whether the delete set-up tip would let you add a new account non destructively. I guess not. In which case, it;s not that useful really.
  • theprez, on 10/10/2007, -2/+5What I find funny is how everybody felt they were beeing attacked. I'm I Mac user too, chill out. This is a nice trick to use when someone forgets their password and you're not ready to format the disk to use the computer again. No one even states it's a security hole or compares OS X to other OSes.
  • wjari, on 10/10/2007, -3/+6Very true. I believe the hack states that you need a master password, or root to be able to use this. If they have set up the master password, than this is unable to be accomplished.
  • Fetching more discussions...
    Show 51 - 100 of 133 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.