COMMAND

    MacAdministrator

SYSTEMS AFFECTED

    Hi Resolution System Ltd's MacAdministrator 2.0.4fc4

PROBLEM

    'MD5'  found  following.   MacAdministrator  2.0  is  a   powerful
    management tool for computers  running MacOS(tm).  It  provides an
    extensive  range  of  features,  under  administrator control, for
    large and small networks independent of server type.

    MacAdmin 2.0 uses the hidden file attribute of the HFS catalog
    system as a way of maintaining and administering a network of
    multiple users. It also provides the administrator with an
    override account on each node connected to MacAdmin's virtual
    network. MacAdmin also secures the Navigation Services/Standard
    File Manager APIs in the MacOS development toolbox to provide
    certain features (e.g. making sure hidden files don't show up,
    access locking). These features are noticeable in most programs
    that try to access the filesystem catalog.

    The problem arises, however, when certain programs are linked at
    compile time against an older version of the Macintosh toolkit or
    other custom-crafted routines: they sometimes neglect newer
    features of the system, e.g. hidden file flags, which leads to the
    disclosure of hidden files.

    This in itself presents a theoretical problem, as users could
    venture into hidden folders and expose hidden filenames, possibly
    sensitive information, which could compromise the privacy of
    other users or the system. Furthermore, users are also able to
    access and even open/read such unprotected hidden files on the
    system, increasing the likelihood that the user views private
    information and sensitive system information.

    Indeed, this is what can be achieved with MacAdmin's preference
    files, which are resident on every computer node in its virtual
    network (a distribution design feature). This gives malicious
    users the possibility to disclose settings, manipulate vital
    configurations of the MacAdmin system (as the files do not appear
    to be read-only), and even gain access to the override account
    name and encrypted password, which would effectively compromise
    all override accounts on connected nodes if the user in turn
    compromised the password.

    Part of the problem is that MacAdmin relies on hidden files to
    try to secure a few sensitive/private files such as original
    extensions, control panels, prefs, and the user folders of other
    users (user folders are, however, also coupled with access
    locking, which prevents exposure of docs, but this does give an
    indication of what login names are available). This only makes
    the environment more obscure, but leaves it vulnerable to attack
    when exposed.

    Proof of this concept can be presented by compiling the example
    program "HexDump" (user account required) provided by the Think
    Pascal(tm) 4.0 program package and then using it to browse
    through the filesystem hierarchy. Because Think Pascal provides
    its own runtime library with custom routines and toolbox
    (released from some OLD MacOS release), it neglects to handle
    hidden files properly. The HexDump program uses the GetFile()
    procedure to list and open files (it is a toolbox trap for the
    Navigation Services/Standard File Manager API set itself
    provided), which allows a user to explore through the system,
    detecting hidden files and opening them for viewing (unless
    prevented by the access permission locking on files/dirs).

    The  likelihood  is  that  this  fault  is not limited to MacAdmin
    2.0.4fc4.

SOLUTION

    The long and strenuous solution is for Hi Resolution Systems to
    make MacAdmin secure system routines by restriction of some sort
    and mandatory locking of configuration files (admins do not
    appear to be able to do so by configuration currently).

    Current administrators are advised to tighten configurations a
    lot more by allowing execution privileges only to a certain set
    of applications, so that rogue programs which may pose a security
    risk cannot be run, and perhaps to update older applications in
    favour of newer releases that have been compiled against a newer
    Mac Toolbox. Hiding files should also not be relied on for
    protecting sensitive information.