Notice that these hard-coded passwords were never changed and made available to anyone with knowledge of where to look. An attacker can access a variety of operating system functionalities by knowing the hard-coded passwords.
The hard-coded passwords are: root: “Password”, mail: “Password”, sys: “Password”, var: “Password”, boot: “Password”, dns: “Password”, ntp: “Password”, irc: “Password”, ftp: “Password”, gopher: “Password”, and ssh: “Password”.
The list of hard-coded passwords in the vulnerable versions of the watchOS and iOS operating systems is as follows: - watchOS: “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “Password”, “
root Access
The root user has the most unrestricted access of any other user on the device with unfettered access to functions like modifying system files and performing a variety of administrative tasks.
While this isn’t an issue for watchOS or iOS, it is an issue for macOS.
On macOS, any application running as root will have full access to everything on the system including other users’ personal data.
The following is a list of operations that can be performed by various applications running as root:
- Changing ownership of files in /usr/bin
- Changing ownership of files in /etc
- Installing new packages through PackageKit.
- Changing permissions on files in /etc/privileged
- Being able to read, write and execute any file on the system.
Timeline
Published on: 08/29/2022 23:15:00 UTC
Last modified on: 09/02/2022 18:49:00 UTC