Hello, welcome to the Wednesday, November 29th, 2017 edition of the Santernut Storm Center's

Stormcast. My name is Johannes Ulrich, and the time, recording from Augusta, Georgia.

Today, we got an amazingly simple exploit in OS10 that will get you root access.

Turns out that OS10 does ship without a route password being set for the operating system.

At first, site this may not be a big problem because the route account is disabled, so you cannot

actually directly log in using route. However, you can still use root credentials to

authenticate yourself as an administrator when you're adjusting system preferences.

So for example, if you are going to the system preference dialogue, then you're trying to unlock one of the options.

Typically, you get a pop-up box, it's pre-populated with your current username as a username,

and you enter your own password.

But as an alternative, you can also just enter root as a username, leave the password empty,

and then in my experience click the unlock key twice. First time won't work, but second time

you click it, it will work and will give you access to change these security preferences.

I tried it with a couple of the preferences and it worked like a charm.

Now, I haven't tested all and every single one of them. The quick fix here is to actually set a password

for route. Now, this is done pretty easily. Just use pseudo password, where password is abbreviated, P-A-S-S-W-D, and enter a new password.

Take a good password here, of course, because once you do actually set a password, the route account

becomes enabled and can be used to log in.

Apple stated that they are working on a fix for this issue and does recommend that for now

you should be changing your password. Now I will add a link to the respective page at Apple's

support website to the show notes.

One of the more scary up-and-coming technologies that you may have heard of is the use of

...