COMMAND
MacAdministrator
SYSTEMS AFFECTED
Hi Resolution System Ltd's MacAdministrator 2.0.4fc4
PROBLEM
'MD5' found the following. MacAdministrator 2.0 is a powerful
management tool for computers running MacOS(tm). It provides an
extensive range of features, under administrator control, for
large and small networks independent of server type.
MacAdmin 2.0 uses the hidden file attribute of the HFS catalog
system as a way of maintaining and administering a network of
multiple users. It also provides the administrator with an
override account on each node connected to MacAdmin's virtual
network. MacAdmin also secures the Navigation Services/Standard
File Manager APIs in the MacOS development toolbox, for accessing
certain features (e.g. making sure hidden files don't show up,
access locking). Such features are noticeable in most programs
that try to access the filesystem catalog.
The problem comes in, however, when certain programs are linked
at compile time against an older version of the Macintosh toolkit
or other custom-crafted routines: they sometimes neglect newer
features of the system, e.g. hidden file flags, which leads to
the disclosure of hidden files.
This in itself presents a theoretical problem, as users could
venture into hidden folders and expose hidden filenames, possibly
sensitive information, which could compromise the privacy of
other users or the system. Furthermore, users are also able to
access and even open/read such unprotected hidden files on the
system, making it more likely that a user will view private
information and sensitive system information.
Indeed, this is what can be achieved with MacAdmin's preference
files, resident on every computer node in its virtual network
(a distribution design feature). This gives malicious users the
possibility to disclose settings, manipulate vital configurations
of the MacAdmin system (as the files do not appear to be
read-only), and even gain access to the override account name
and encrypted password, which would effectively compromise all
override accounts on connected nodes if the user in turn
compromised the password.
Part of the problem is that MacAdmin relies on hidden files to
try to secure a few sensitive/private files such as original
extensions, control panels, prefs, and user folders of other
users (user folders are, however, also coupled with access
locking, which prevents exposure of docs but does give an
indication of what login names are available). This only makes
the environment more obscure, and leaves it vulnerable to attack
when exposed.
Proof of this concept can be presented by compiling the example
program "HexDump" (user account required) provided by the Think
Pascal(tm) 4.0 program package and then using it to browse
through the filesystem hierarchy. Because Think Pascal provides
its own runtime library with custom routines and toolbox
(released from some OLD MacOS release), it neglects to handle
hidden files properly. The HexDump program uses the GetFile()
procedure to list and open files (it is a toolbox trap for the
Navigation Services/Standard File Manager API set itself
provided), which allows a user to explore through the system,
detecting hidden files and opening them for viewing (unless
prevented by the access permission locking on files/dirs).
The likelihood is that this fault is not limited to MacAdmin
2.0.4fc4.
SOLUTION
The long and strenuous solution is for Hi Resolution Systems to
make MacAdmin secure system routines by restriction of some sort
and mandatory locking of configuration files (admins do not
appear to be able to do so by configuration currently).
Current administrators are advised to tighten configurations a
lot more by allowing execution privileges to a certain set of
applications only, so that rogue programs which may pose a
security risk cannot be run, and perhaps to update older
applications in favour of newer releases that have been compiled
against a newer Mac Toolbox. Hiding files should also not be
relied on for protecting sensitive information.
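
The advice not to rely on hiding can be checked mechanically. The following audit is an added example, not part of the original advisory or of MacAdministrator: it generalizes the point to a present-day POSIX/macOS filesystem, where "hidden" means a dot-name or the UF_HIDDEN file flag, and reports hidden entries that permission bits leave readable or writable by other accounts. The file names in the sample tree are hypothetical and constructed.

```python
import os
import stat
import tempfile

def is_hidden(name, st):
    """Hidden by dot-name convention or by the BSD/macOS UF_HIDDEN file flag."""
    return name.startswith(".") or bool(getattr(st, "st_flags", 0) & stat.UF_HIDDEN)

def exposure(mode):
    """List the ways permission bits leave an entry open to other accounts."""
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by other users")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by other users")
    return problems

def audit_hidden(root):
    """Return (relative path, problems) for hidden entries that only hiding protects."""
    findings = []
    def walk(directory, inherited):
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISLNK(st.st_mode):
                continue
            # Anything below a hidden folder also depends on that folder staying unseen.
            hidden = inherited or is_hidden(entry.name, st)
            if hidden and exposure(st.st_mode):
                findings.append((os.path.relpath(entry.path, root), exposure(st.st_mode)))
            if stat.S_ISDIR(st.st_mode):
                walk(entry.path, hidden)
    walk(root, False)
    return findings

def build_sample_tree():
    """Constructed sample: hypothetical names, not MacAdministrator's real layout."""
    root = tempfile.mkdtemp(prefix="hidden_audit_")
    layout = {"Preferences/.admin_prefs": 0o666, "Preferences/.locked_prefs": 0o600,
              "Preferences/visible.txt": 0o644, ".Users/alice_notes": 0o600}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, ".Users"), 0o755)
    return root

if __name__ == "__main__":
    for path, problems in audit_hidden(build_sample_tree()):
        print(f"{path}: {', '.join(problems)}")
```

Entries it reports are protected by obscurity alone; entries it skips (such as the 0600 files in the sample) stay protected even when a program ignores the hidden attribute.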