Unrated severity · NVD Advisory · Published Apr 3, 2019 · Updated Aug 5, 2024

CVE-2017-13911

Description

A configuration issue was addressed with additional restrictions. This issue affected versions prior to macOS X El Capitan 10.11.6 Security Update 2018-002, macOS Sierra 10.12.6 Security Update 2018-002, macOS High Sierra 10.13.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A configuration issue in macOS allowed passwords supplied to sysadminctl to be exposed to other local users, addressed in macOS High Sierra 10.13.4 and security updates.

Vulnerability

A configuration issue in the Admin Framework component of macOS allowed passwords supplied to the sysadminctl command-line tool to be exposed to other local users [1]. The sysadminctl tool required that passwords be passed via command-line arguments, which could be observed by other users on the same system through process listings or other mechanisms. This issue affected versions prior to macOS High Sierra 10.13.4, macOS Sierra 10.13.3 Security Update 2018-002, and macOS X El Capitan 10.11.6 Security Update 2018-002 [1].

Exploitation

To exploit this vulnerability, an attacker would need local user access to the same macOS system and the ability to observe process arguments (e.g., via the ps command or /proc). The attacker could then capture the plaintext password passed as an argument to sysadminctl when another local user (including an administrator) invoked that tool [1]. No additional authentication or privileges are required beyond local access.

Impact

Successful exploitation allows an attacker to obtain the plaintext password supplied to sysadminctl, potentially leading to unauthorized access to accounts, privilege escalation, or further compromise of the affected system [1]. The confidentiality of credentials is directly compromised.

Mitigation

Apple addressed the issue by making the password parameter optional in sysadminctl; the tool now prompts for the password interactively instead of accepting it as an argument [1]. The fix is included in macOS High Sierra 10.13.4 (released March 29, 2018), Security Update 2018-002 for macOS Sierra, and Security Update 2018-002 for macOS X El Capitan [1]. Users should update to these versions or later.
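
An added example, not part of the advisory and not Apple's code: a Python audit that scans command lines (for instance from provisioning scripts or shell history) for sysadminctl invocations that still pass a password as an argument, and redacts the value in its report. The option names, the `-` prompt marker and the sample lines are assumptions or constructed for illustration.

```python
import shlex

# Options whose following argument is a password. Assumed option names,
# not taken from the advisory; adjust to the usage text of your sysadminctl.
PASSWORD_FLAGS = {"-password", "-adminPassword", "-newPassword", "-oldPassword"}
PROMPT_MARKER = "-"  # assumed: value that asks the tool to prompt instead

SAMPLE = [  # constructed lines, e.g. from a provisioning script or shell history
    "sysadminctl -addUser alice -password 'S3cret pass' -admin",
    'sudo /usr/sbin/sysadminctl -resetPasswordFor bob -newPassword "$NEW_PW" '
    "-adminUser root -adminPassword hunter2",
    "sysadminctl -addUser carol -password -",
    "ls -l /usr/sbin/sysadminctl",
]

def audit_line(line):
    """Return (flags_with_literal_password, redacted_line) for one command line."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes in a log line: degrade gracefully
        argv = line.split()
    # Locate the tool itself, allowing wrappers (sudo) and absolute paths.
    start = next((i for i, a in enumerate(argv)
                  if a.rsplit("/", 1)[-1] == "sysadminctl"), None)
    if start is None:
        return [], line
    hits = []
    for i in range(start + 1, len(argv) - 1):
        if argv[i] in PASSWORD_FLAGS and argv[i + 1] != PROMPT_MARKER:
            hits.append(argv[i])
            # "$VAR" counts too: the shell expands it into argv at run time.
            argv[i + 1] = "REDACTED"
    return hits, (shlex.join(argv) if hits else line)

def audit(lines):
    """Yield (line_number, flags, redacted_line) for every exposing line."""
    for n, line in enumerate(lines, 1):
        hits, redacted = audit_line(line)
        if hits:
            yield n, hits, redacted

if __name__ == "__main__":
    for n, hits, redacted in audit(SAMPLE):
        print(f"line {n}: literal password after {', '.join(hits)}: {redacted}")
```

Any password such a scan finds should be treated as exposed and rotated, since it has already appeared in a process argument list.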

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
