
Plugin Spotlight: Mac OS X FileVault Plaintext Password Logging

Encryption is Only as Strong as the Key

In this case, encryption breaks down because the OS X user's password (used to unlock an encrypted volume) is written in clear text, via a debugging function, to a log file that is readable system-wide. In this scenario, a user running Mac OS X 10.7.3 encrypts their drive using FileVault, which is included with OS X and encrypts the entire contents of the hard drive. When the system boots up, or the user's files are accessed over AFP (Apple's file sharing protocol), the system uses the password to decrypt the contents of the drive and the home folder. In vulnerable versions, debugging was enabled such that the password was logged in plain text to /var/log/secure.log, as follows:

25/04/2012 13:12:12.340 authorizationhost: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call _premountHomedir. url = afp://mymacbookpro, userPathComponent = paul, userID = 001, name = paul, passwordAsUTF8String = mysupersecretpassword

Because this logging event can recur over time, and rotated copies of secure.log are kept on disk for potentially months, an attacker could easily learn the FileVault password. As Apple states in their advisory, "A local attacker in the admin group or an attacker with physical access to the host could exploit this to get user passwords, which could be used to gain access to encrypted partitions."

Finding the Vulnerability on Your Systems

The problem is that even after the patch has been installed, the passwords may still be buried in the system log archives. Provided Nessus has credentials for the target system(s), Plugin 59090 - Mac OS X FileVault Plaintext Password Logging will detect the presence of passwords in the system logs and log archives. The results of the plugin look as follows:

[Screenshot: Nessus plugin output for "Mac OS X FileVault Plaintext Password Logging"]

Be certain the credentials you've provided are of a user in the admin group on the OS X target(s). The command run locally on the system is as follows:

/usr/bin/bzcat /var/log/secure.log.?.bz2 2> /dev/null | /bin/cat /var/log/secure.log - 2> /dev/null | /usr/bin/grep ': DEBUGLOG |.*, password[^ ]* ='

The first two commands, bzcat and cat, dump the contents of the archived and current log files that potentially contain the password (the current log first, then the archives passed in on standard input). The grep command in the second half searches that output for lines matching the logged password field: a DEBUGLOG line containing a field whose name begins with "password" followed by " =".
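The same pipeline as an added, self-contained shell example (not the plugin's own code): it runs the plugin's check over a directory of constructed secure.log files, counts the hits, and prints them with the password value masked so the triage output does not re-leak the secret. It assumes POSIX sh and, for rotated .bz2 archives, bzcat on PATH; the log lines, host name, user names and passwords are constructed sample data.

```shell
#!/bin/sh
# Added example, not the Nessus plugin's code: the plugin's pipeline run over a
# directory of secure.log files, with a masked report for triage.
# Assumptions: POSIX sh; bzcat on PATH if rotated .bz2 archives are present.

# Write constructed sample logs: one leaked-password line in the current log, a
# benign DEBUGLOG line, and (when bzcat is available) one more hit in an archive.
make_sample_logs() {
    dir="$1"
    cat > "$dir/secure.log" <<'EOF'
25/04/2012 13:12:12.340 authorizationhost: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | about to call _premountHomedir. url = afp://example-host, userPathComponent = alice, userID = 501, name = alice, passwordAsUTF8String = hunter2
25/04/2012 13:12:13.001 authorizationhost: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | mount finished for alice
EOF
    if command -v bzcat >/dev/null 2>&1; then
        printf '%s\n' '24/04/2012 09:00:00.000 authorizationhost: DEBUGLOG | about to call _premountHomedir. url = afp://example-host, name = bob, passwordAsUTF8String = correct-horse' \
            | bzip2 -c > "$dir/secure.log.0.bz2"
    fi
}

# Current log first, then the rotated archives on stdin, exactly as the plugin does.
dump_secure_logs() {
    dir="$1"
    bzcat "$dir"/secure.log.?.bz2 2>/dev/null | cat "$dir"/secure.log - 2>/dev/null
}

# The plugin's pattern: a DEBUGLOG line that carries a ", password... =" field.
find_password_lines() {
    dump_secure_logs "$1" | grep ': DEBUGLOG |.*, password[^ ]* ='
}

# Number of leaked-password lines across the current log and its archives.
count_password_lines() {
    find_password_lines "$1" | grep -c . || true
}

# The same hits with the secret masked, so the finding can be shared safely.
report_masked() {
    find_password_lines "$1" | sed -E 's/(, password[^ ]* = )[^ ]*/\1[REDACTED]/'
}
```

Run `make_sample_logs /tmp/fv-demo; report_masked /tmp/fv-demo` to see the masked hits; point `report_masked` at /var/log to check a real host.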
