Plugin Spotlight: Mac OS X FileVault Plaintext Password Logging
Encryption is Only as Strong as the Key
In this case, encryption breaks down because the OS X user's password (used to unlock an encrypted volume) is logged in clear text by a debugging function to a system-wide readable log file. In this scenario, a user running Mac OS X 10.7.3 would encrypt their drive using File Vault, which is included with OS X and encrypts the entire contents of the hard drive. When the system boots up, or when you access your files over AFP (Apple's File Sharing Protocol), the system uses your password to decrypt the contents of the drive and your home folder. Debugging in vulnerable versions was enabled such that the password was logged in plain text to /var/log/secure.log, as follows:
25/04/2012 13:12:12.340 authorizationhost: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call _premountHomedir. url = afp://mymacbookpro, userPathComponent = paul, userID = 001, name = paul, passwordAsUTF8String = mysupersecretpassword
Because this logging event could be repeated over time, and because a history of "secure.log" archives is kept on disk for potentially months, an attacker could easily learn the File Vault password. As Apple states in their advisory, "A local attacker in the admin group or an attacker with physical access to the host could exploit this to get user passwords, which could be used to gain access to encrypted partitions."
Finding the Vulnerability on Your Systems
The problem is that even after the patch has been installed, the passwords can still be buried in the system log archives. Provided Nessus has credentials to the target system(s), Plugin 59090 - Mac OS X FileVault Plaintext Password Logging will detect the presence of passwords in the system logs and log archives. The results of the plugin look as follows:
Mac OS X FileVault Plaintext Password Logging (plugin output screenshot)
Be certain the credentials you've provided belong to a user in the admin group on the OS X target(s). The command run locally on the system is as follows:
/usr/bin/bzcat /var/log/secure.log.?.bz2 2> /dev/null | /bin/cat /var/log/secure.log - 2> /dev/null | /usr/bin/grep ': DEBUGLOG |.*, password[^ ]* ='
The first two commands, bzcat and cat, dump the contents of the archived (bzip2-compressed) and current log files that potentially contain the password. The grep command in the second half searches the combined output for lines matching the pattern that marks a logged password field.
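The same check, written as a stand-alone script that walks the current secure.log and its rotated .bz2 archives, applies the grep pattern above, and reports each hit with the password value redacted so the scan output does not become another copy of the secret. This is an added example, not the Nessus plugin's own code; the log lines it builds are constructed to mirror the shape of the 10.7.3 entry, and the host, user and password values in them are invented.

```python
import bz2
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# The same pattern the plugin greps for: a DEBUGLOG line carrying a
# "password<anything> =" field (this matches "passwordAsUTF8String = ...").
PASSWORD_LINE = re.compile(r': DEBUGLOG \|.*, password[^ ]* =')
# Redaction: keep the field name, drop the value and anything after it.
PASSWORD_FIELD = re.compile(r'(password[^ ]* =).*$')


def iter_secure_logs(log_dir: Path) -> Iterator[Tuple[Path, str]]:
    """Yield (path, line) for secure.log and every rotated secure.log.N.bz2
    archive, mirroring 'bzcat secure.log.?.bz2 | cat secure.log -'."""
    current = log_dir / "secure.log"
    if current.exists():
        for line in current.read_text(errors="replace").splitlines():
            yield current, line
    for archive in sorted(log_dir.glob("secure.log.*.bz2")):
        with bz2.open(archive, "rt", errors="replace") as fh:
            for line in fh:
                yield archive, line.rstrip("\n")


def redact(line: str) -> str:
    """Replace the logged password (and anything after it) with a marker so a
    scan report never contains the secret itself."""
    return PASSWORD_FIELD.sub(r"\1 <REDACTED>", line)


def scan_secure_logs(log_dir: Path) -> List[Dict[str, object]]:
    """Return one finding per line that matches the plaintext-password pattern."""
    findings: List[Dict[str, object]] = []
    for path, line in iter_secure_logs(log_dir):
        if PASSWORD_LINE.search(line):
            findings.append({"file": path.name, "evidence": redact(line)})
    return findings


def build_sample_logs(log_dir: Path) -> None:
    """Write constructed log data (not real system output) shaped like the
    10.7.3 entry: one hit in the live log, one in a rotated archive, plus
    benign DEBUGLOG lines that must not be reported."""
    hit = ("25/04/2012 13:12:12.340 authorizationhost: DEBUGLOG | "
           "-[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | "
           "about to call _premountHomedir. url = afp://example-host, "
           "userPathComponent = alice, userID = 501, name = alice, "
           "passwordAsUTF8String = {pw}")
    benign = ("25/04/2012 13:12:11.000 authorizationhost: DEBUGLOG | "
              "-[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | "
              "mount finished, status = 0")
    (log_dir / "secure.log").write_text(
        benign + "\n" + hit.format(pw="constructed-current-pw") + "\n")
    with bz2.open(log_dir / "secure.log.0.bz2", "wt") as fh:
        fh.write(hit.format(pw="constructed-archived-pw") + "\n" + benign + "\n")


def demo() -> List[Dict[str, object]]:
    """Build the constructed logs in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp)
        build_sample_logs(log_dir)
        return scan_secure_logs(log_dir)


if __name__ == "__main__":
    # Against a real host you would call scan_secure_logs(Path("/var/log"))
    # as an admin-group user; demo() runs the same logic on constructed data.
    for finding in demo():
        print(f"{finding['file']}: {finding['evidence']}")
```

Running it against a real /var/log requires read access to secure.log, which is why the plugin needs admin-group credentials; the redaction step is deliberate, since a remediation ticket that quotes the raw line would re-expose exactly the password the finding is about.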