High Sierra root vulnerability: how to check if someone logged in remotely?

In macOS High Sierra, where can I find the IP addresses that logged in to my Mac through Screen Sharing or ssh?

That would be useful in light of the recently discovered root login vulnerability.


As @Melvin points out, a patch was just released. But to the question at hand, the easy answer is no: they were root on your machine. It is compromised, period; by definition you cannot trust anything on it if you suspect it was compromised.

To further elaborate, if someone got root access remotely to your machine, you would never ever be able to see the traces of that if they know what they are doing and clean their tracks.

This was not "somebody got the key to the boss's office and messed around a bit in there"; this is "somebody got the master key, unlimited funds and an unlimited construction crew with unlimited time at hand". If you suspect you were compromised, format and reinstall.

To answer the question in layman's terms (i.e. how someone without the prerequisite skills for cleaning tracks would probably leave tracks):

Let's start with ssh; for a full discussion see this question. In short, search for ssh or sshd (the "server" part of ssh) in Console.app or from Terminal:

grep sshd /var/log/system.log

The problem with sshd is that normally nothing is really logged (for security reasons, AFAIK).

The same problem exists with VNC / Screen Sharing and Apple Remote Desktop / Remote Management; see for example this, this and this: normal accepted connections are not logged, only refused ones. Refused ones would probably come from "screensharingd", so search for that in Console.app or from Terminal:

grep screensharingd /var/log/system.log

Apart from this, what other tracks could easily be found? I would look through the users and make sure they are only valid users, that no permission levels have changed, etc.

[screenshot: Sharing panel in macOS System Preferences]

I would also check whether any remote services are enabled; see the picture. Of interest are "Screen Sharing", "Remote Login" and "Remote Management". Cmd + Space -> "sharing" is the easiest way to get there.


I have not been able to exploit this vulnerability remotely; however, I was able to while logged on and trying to escalate my privileges in System Preferences using "root" with no password.

To detect this, scan the logs of the desired machine with the following command in Terminal.

sudo log show --style syslog | fgrep "authenticated as user root (UID 0) for right"

The output of this command will show you the UID of the user that was logged on when this vulnerability was exploited, and the time. Take that time and look for ssh or remote connections around that time frame.

Update: to search for logins via the root account, use the following command in Terminal.

sudo log show --style syslog | fgrep 'loginwindow' | fgrep 'root'
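As an added example, not part of either answer above: a POSIX shell script that automates the checks both answers describe (the sshd / screensharingd grep from the first answer, and the "authenticated as user root (UID 0) for right" search plus the "look around that time frame" step from the second). It works on a saved copy of the logs rather than the live system, so it can be tried on any machine. The sample log lines embedded below are constructed to approximate the layout of `log show --style syslog` output; the exact wording of the authd, sshd, loginwindow and screensharingd messages, in particular the `UID <n>` prefix the UID extraction relies on, is an assumption and not copied from a real Mac.

```shell
#!/bin/sh
# Added example: parse a saved copy of the macOS logs for the traces discussed
# above. On the real machine, build the input with:
#   sudo log show --style syslog > /tmp/unified.log
#   cat /var/log/system.log >> /tmp/unified.log
# and pass /tmp/unified.log to the functions below. Here a constructed sample
# stands in for that file; the message wording is an assumption.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017-11-28 14:02:11.120933-0800  localhost sshd[4112]: Accepted keyboard-interactive/pam for alice from 10.0.0.23 port 52144 ssh2
2017-11-28 14:03:40.551201-0800  localhost authd[128]: (Security) UID 501 authenticated as user root (UID 0) for right 'system.preferences'
2017-11-28 14:03:41.002117-0800  localhost loginwindow[93]: (Security) login for user root
2017-11-28 14:05:02.330016-0800  localhost loginwindow[93]: (Security) session for user alice
2017-11-28 14:06:19.770404-0800  localhost screensharingd[4300]: Authentication: FAILED :: User Name: root :: Viewer Address: 10.0.0.23
2017-11-28 15:30:00.000000-0800  localhost kernel[0]: unrelated message
EOF

# Second answer's check: every root authorization, printed as
# "<date> <time> uid=<N>" where N is the UID that was logged on at the time.
# The UID is taken from the first "UID <n>" token on the line (assumed format).
root_auth_events() {
    grep -F "authenticated as user root (UID 0) for right" "$1" |
    awk '{
        uid = "?"
        for (i = 3; i <= NF; i++) if ($i == "UID") { uid = $(i + 1); break }
        printf "%s %s uid=%s\n", $1, $2, uid
    }'
}

# First answer's sshd check, narrowed to accepted logins: prints
# "<date> <time> <user> from <ip>" so the remote addresses stand out.
sshd_accepted_sources() {
    grep -F 'sshd[' "$1" | grep -F 'Accepted' |
    awk '{
        user = "?"; ip = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        printf "%s %s %s from %s\n", $1, $2, user, ip
    }'
}

# "Look around that time frame": print sshd / screensharingd / loginwindow lines
# whose time of day lies within +/- $3 minutes of $2 (HH:MM:SS). Dates are
# ignored for simplicity, so feed it a single day's worth of log.
remote_events_near() {
    awk -v target="$2" -v win="$3" '
        function secs(t,  h) { split(t, h, ":"); return h[1]*3600 + h[2]*60 + h[3] }
        BEGIN { t0 = secs(target); w = win * 60 }
        /sshd\[|screensharingd\[|loginwindow\[/ {
            t = secs(substr($2, 1, 8))
            if (t >= t0 - w && t <= t0 + w) print
        }' "$1"
}

echo "== root authorizations (who was logged in, and when) =="
root_auth_events "$SAMPLE_LOG"
echo "== accepted ssh logins and their source addresses =="
sshd_accepted_sources "$SAMPLE_LOG"
echo "== remote-service / loginwindow activity within 2 minutes of the first root auth =="
FIRST_AUTH="$(root_auth_events "$SAMPLE_LOG" | awk 'NR == 1 { print substr($2, 1, 8) }')"
remote_events_near "$SAMPLE_LOG" "$FIRST_AUTH" 2
```

The window step is the useful part: a root authorization by itself only tells you that someone with a session did it, and correlating it with sshd or screensharingd lines from the same minutes is what turns it into "and that session came from 10.0.0.23". Remember the first answer's caveat: if the attacker cleaned up, none of these lines will be there, and an empty result is not evidence of a clean machine.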