Hi Resolution System Ltd's MacAdministrator 2.0.4fc4 Hidden Files Disclosure and Access Vulnerability

From: MD5 (mithrandirat_private)
Date: Wed Aug 08 2001 - 23:41:18 PDT

    Type: Local
    
    Class: Environment/Access Validation Error
    
    Vulnerable:
            MacOS 8.6/MacAdministrator(tm) 2.0.4fc4
    
    MacAdministrator 2.0 is a powerful management tool
    for computers running MacOS(tm).  It provides an
    extensive range of features, under administrator
    control, for large and small networks independent
    of server type.
    
    Discussion:
    
    MacAdmin 2.0 uses the hidden file attribute of
    the HFS catalog system as a way of maintaining and
    administering a network of multiple users.  It
    also provides the administrator with an override
    account on each node connected to MacAdmin's
    virtual network.  MacAdmin also secures the
    Navigation Services/Standard File Manager APIs in
    the MacOS development toolbox to provide certain
    features (e.g. making sure hidden files don't
    show up, access locking).  Such features are
    noticeable in most programs that try to access
    the filesystem catalog.
    
    
    The problem arises, however, when programs are
    linked at compile time against an older version
    of the Macintosh toolkit or against other
    custom-written routines.  Such programs sometimes
    neglect newer features of the system, e.g. hidden
    file flags, which leads to the disclosure of
    hidden files.
    
    This in itself presents a theoretical problem, as
    users could venture into hidden folders and expose
    hidden filenames, possibly sensitive information,
    which could compromise the privacy of other users
    or the system.  Furthermore, users are also able
    to access and even open/read such unprotected
    hidden files on the system, increasing the
    likelihood that a user views private information
    and sensitive system information.
    
    Indeed, this is what can be achieved with
    MacAdmin's preference files, which are resident on
    every computer node in its virtual network (a
    distribution design feature).  This gives
    malicious users the possibility to disclose
    settings, manipulate vital configurations of the
    MacAdmin system (as the files do not appear to be
    read-only), and even gain access to the override
    account name and encrypted password, which would
    effectively compromise all override accounts on
    connected nodes if the user in turn compromised
    the password.
    
    Part of the problem is that MacAdmin relies on
    hidden files to try to secure a few
    sensitive/private files such as original
    extensions, control panels, prefs, and the user
    folders of other users (user folders are, however,
    also coupled with access locking, which prevents
    exposure of docs but does give an indication of
    what login names are available).  This only makes
    the environment more obscure, and leaves it
    vulnerable to attack when exposed.
    
    
    Exploit:
    
    Proof of this concept can be presented by
    compiling the example program "HexDump" (user
    account required) provided by the Think Pascal(tm)
    4.0 program package and then using it to browse
    through the filesystem hierarchy.  Because Think
    Pascal provides its own runtime library with
    custom routines and toolbox (released from some
    OLD MacOS release), it neglects to handle hidden
    files properly.  The HexDump program uses the
    GetFile() procedure to list and open files (it is
    a toolbox trap for the Navigation
    Services/Standard File Manager API set itself
    provided), which allows a user to explore the
    system, detecting hidden files and opening them
    for viewing (unless prevented by the access
    permission locking on files/dirs).
    
    The likelihood is that this fault is not limited
    to MacAdmin 2.0.4fc4.
    
    Suggested Solution:
    
    The long and strenuous solution is for Hi
    Resolution Systems to make MacAdmin secure system
    routines by restriction of some sort and to
    enforce mandatory locking of configuration files
    (admins do not appear to be able to do so by
    configuration currently).
    
    Current administrators are advised to tighten
    configurations considerably by granting execution
    privileges only to a certain set of applications,
    so that rogue programs which may pose a security
    risk cannot be run, and perhaps to update older
    applications in favour of newer releases that have
    been compiled against a newer Mac Toolbox.  Hiding
    files should also not be relied on for protecting
    sensitive information.
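
The closing advice above (do not rely on hiding alone) can be checked on a current system with a small audit. This is an added example, not part of the original advisory and not MacAdmin or classic MacOS code. It assumes a POSIX filesystem, treats dot-prefixed names and the BSD/macOS UF_HIDDEN flag as "hidden", and uses constructed file names.

```python
import os
import stat
import tempfile

def is_hidden(path, st):
    """Hidden by convention (dot prefix) or by the BSD/macOS UF_HIDDEN flag."""
    if os.path.basename(path).startswith("."):
        return True
    # st_flags exists only on BSD-derived systems such as macOS.
    return bool(getattr(st, "st_flags", 0) & getattr(stat, "UF_HIDDEN", 0))

def audit_hidden(root):
    """Return (path, problems) for hidden entries that other users can reach."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or not is_hidden(path, st):
                continue
            problems = []
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append("readable by group/other")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("writable by group/other")
            if problems:
                findings.append((path, problems))
    return sorted(findings)

def demo():
    """Constructed sample tree: two hidden preference files, one locked down."""
    with tempfile.TemporaryDirectory() as root:
        exposed = os.path.join(root, ".admin_prefs")        # hidden only
        locked = os.path.join(root, ".admin_prefs_locked")  # hidden + owner-only
        visible = os.path.join(root, "readme.txt")          # not hidden, ignored
        for p, mode in ((exposed, 0o666), (locked, 0o600), (visible, 0o644)):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(p, mode)
        return [(os.path.basename(p), probs) for p, probs in audit_hidden(root)]

if __name__ == "__main__":
    for name, probs in demo():
        print(name, "->", ", ".join(probs))
```

Any entry it reports is protected only by being hidden, so a program that ignores the hidden attribute can still read or modify it.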
    


