Another method for exploiting the macOS root vulnerability

Zach Wasserman
Nov 29, 2017

Yesterday, @lemiorhan on Twitter reported that any user could gain root access to a macOS 10.13 machine by attempting to log in as root when prompted for authentication on the machine.

This vulnerability was widely validated, and patched by Apple in today’s critical security update.

During my investigation, I noticed another mechanism for exploiting this vulnerability, through the su command in the shell. Simply entering su root -c 'echo hello' followed by the desired root account password would set that password. This provides an even easier vector for any malware to exploit the vulnerability, as it could be executed entirely through a shell command (by any unprivileged user):

echo new_root_password | su root -c 'echo hello'

I verified that this method no longer works after the installation of Apple’s patch.
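A defender's check for whether the root account has had a password set, as an added example that is not code from the original post. It assumes, beyond what the post states, that a macOS root account which has never been enabled has no AuthenticationAuthority attribute, so dscl answers "No such key"; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the macOS root account from `dscl` output.
# Assumption (not from the post): a root account that was never enabled has
# no AuthenticationAuthority attribute, so dscl reports "No such key".

# classify_root_state TEXT -> prints "disabled", "enabled" or "unknown"
classify_root_state() {
    case "$1" in
        # Attribute missing: no password has been set for root.
        *"No such key: AuthenticationAuthority"*) echo disabled ;;
        # Attribute present with any value: root has a credential.
        *"AuthenticationAuthority:"*)             echo enabled ;;
        # Anything else (empty output, dscl error) is not a clean result.
        *)                                        echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_CLEAN='No such key: AuthenticationAuthority'
SAMPLE_SET='AuthenticationAuthority: ;ShadowHash;CONSTRUCTED-VALUE'

# check_root: live check on macOS. Returns 0 only when root is disabled,
# 1 when root is enabled or the state is unknown, 2 when dscl is missing.
check_root() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found (not macOS?)" >&2
        return 2
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_state "$out")
    echo "root account: $state"
    [ "$state" = disabled ]
}
```

Source the file and call check_root on each machine; a result of "enabled" on a host where nobody deliberately enabled root is worth investigating.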

Zach Wasserman

Principal Engineer and Cofounder at Kolide. Loves open-source software, and helping make the internet a little bit safer.