CVE-1999-1543

Vulnerability

MacOS versions 7.5.3, 7.5.5, 8.1, and 8.5 store user passwords in the Users & Groups Data File located in the Preferences folder, using a simple XOR-based encryption algorithm. The encrypted password is stored at an offset after the owner's username, and the algorithm uses a fixed XOR mask ("rpcgtprk") and chained XOR operations [1]. The password is stored in plaintext in a hex-encoded form in the file, and the encryption is easily reversible without any key or secret [2].

Exploitation

An attacker with local access to the system can locate the Users & Groups Data File (e.g., using a hex editor), find the encrypted password bytes after the owner's username, and apply the XOR decryption algorithm. The algorithm requires only the encrypted hex bytes and the XOR mask; for the first character, an additional byte (the 4th byte after the encoded sequence) may be needed [2]. The attacker can use a simple script (e.g., an AppleScript or C program) to automate decryption [1][2].

Impact

An attacker who gains local access can retrieve all user passwords in plaintext, leading to complete compromise of user accounts. This includes the ability to authenticate as any user on the system, access files, and potentially escalate privileges if administrator passwords are decoded [1][2].

Mitigation

Apple never released a patch for this vulnerability, as it affects legacy MacOS versions (7.5.3, 7.5.5, 8.1, 8.5) that are no longer supported. The only mitigation is to upgrade to a supported version of macOS that uses stronger password hashing (e.g., SHA-1 or later). There is no known workaround for the affected systems. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.