==Phrack Inc.== Volume Four, Issue Forty-One, File 9 of 13 - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - Security Shortcomings of AppleShare Networks By Bobby Zero November 28, 1992 - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - The purpose of this file is to inform all those underpaid Mac network administrators or other interested parties of the problems with Macintosh AppleShare and how to address those problems. AppleShare is quite respectable in both its implementation and usage, blending seamlessly with the Macintosh OS such that the casual user has no idea of the complexity behind the elegance. For all its elegance, however, it does have some severe drawbacks in terms of security-- nearly all of which are fixable, requiring a combination of common sense and RTFM: Read The Fucking Manual. This is in no way to be considered as a "How To" for persons of questionable ethics and/or motives. That being said, however, I feel the following is in order: PROSECUTOR: [To WITNESS] ...And you are? WITNESS: Miss America. [Singing] PROSECUTOR: Would you please tell the court why you feel Fielding Mellish is a traitor to this country? WITNESS: I feel that Fielding Mellish is a traitor to this country because his views are different from the views of the President, and others of his kind. Differences of views should be tolerated, but not when they are too different. Then he becomes a subversive mother. -- Woody Allen, "Bananas" This file is divided into 5 sections: (1) the "AppleShare Prep" file, (2) the "AShare File Srv" application, (3) Mixing VAXens & AppleShare, (4) System 7 FileSharing, and (5) NCSA Telnet weaknesses. The fifth does not particularly relate to AppleShare, but its security can be exploited via method #4, so I thought to include it. If there is sufficient interest, I will make a "Part II" [or three or four or five..] detailing more problems. Send feedback to Phrack Loopback; being a regular reader, I will respond accordingly. While writing this, I was unsure of the approach -- either bland technical or "gh0d-these-people- are-dumb" statements. I decided to just combine them, chao-like. Well, enough of my rambling. On with the file! - = - = - = - = - THE "APPLESHARE PREP" FILE ~~~ ~~~~~~~~~~ ~~~~ ~~~~ (1) The "AppleShare Prep" file under both System 6 and 7 contains a BMLS resource; this resource contains various information required to mount a volume on startup. While this is an optional feature, many people choose it either by accident or for convenience. * The downside to this convenience is the fact that the user's name and password for a server are stored in this file. Anyone with a copy of ResEdit can open this file up, and view the BMLS resource. * It's so easy to create a Trojan horse and slip it into a program or Hypercard stack to copy the BMLS resource from the target's AppleShare Prep file and copy it into a hidden file on the server drive where it can be retrieved at a later date. If Mr. Ed is well-written, he would be nearly undetectable as it takes but an eyeblink to copy the rez. Trojan horses aren't as sexy as viruses and don't get much publicity, but it is exceedingly easy to fool a Macintosh user [or any user, for that matter] into running something he or she shouldn't. HOW TO SOLVE: Educate users of this flaw and urge them to log into the file server manually. If computers in an open lab setting are used, configure them to automatically log in as a guest, thereby circumventing the entire issue of passwords entirely. Encryption of the BMLS resource is entirely up to Apple or someone with enough knowledge of AppleShare to write a patch -- certainly not me [yet...]. THE "ASHARE FILE SRV" SERVER ~~~ ~~~~~~ ~~~~ ~~~ ~~~~~~ (2) On AppleShare File Servers running v2.0: * The file "Users & Groups" within the Server/System Folder contains the data required for maintaining folder privileges & ownership. It also contains user's names and passwords, in an unencrypted format. While obtaining this file would be somewhat difficult [one must physically be able to access the server: shut it down, restart it with a floppy, copy the file, reboot the machine], the "rewards" would be considerably worthwhile, as one would now have a copy of every user name and password, including that of the Administrator. Once physical access is secured, one could conceivably write a program to install on the server that would periodically make a copy of the file and put it on the "server" side of the disk, and give it an innocuous name... an INIT which would perform on every startup, or install a Time Task to do it daily, or even going so far as to patch the AppleShare Admin program to update this file every time a user is added or modified. It is also common knowledge that users use the same passwords on different machines; armed with a list of names & passwords for one machine, one could then enter another computer with the same user/pass combination. * There is no automatic lockout for users who enter an incorrect password. With a bit o' knowledge and a copy of "Inside AppleTalk," a program could be written that could use a dictionary of common passwords in conjunction with a list of user names to try to manually "hack out" a valid user/password combination. The speed of this varies greatly on the speed of and load on the server, the speed of and load on the network, and the speed of the "attacking" computer. A typical "hack" can take anywhere from .5 to 5 seconds, but there is no need to tie up the attacking computer for that period of time; the program can use both asynchronous AFPCommand calls and exist under Multifinder to allow for complete "background hacking." It should be noted, however, that Apple has incorporated a lockout into the hideously overpriced AppleShare 3.0 -- its hardware requirements, however, seem to leave it out of the budgets of most sane individuals. * A group of individuals armed with the above program could go into a computer lab, fire up said program, and then launch a word processing application and seem to be doing homework while in reality they would be hacking passwords. * The "Copy Protect File" in AppleShare Admin disallows using the Finder to copy a "Protected" program. That does not deter, however, a "normal" copy program such as DiskTop from copying the file. [That is about as lame as the ol' "Bozo Bit."] HOW TO SOLVE: Insure that physical access to the fileserver is impossible for all but trusted persons. Upgrade to AppleShare 3.0 [$$ gag $$], which allows "locking" of accounts after a certain number of bad attempts, or obtain a logging program to keep track of invalid attempts and origins, then track down the offenders. There's no way to stop the violation of the "Copy Protection" -- it deters only those easily dismayed. All I can suggest is you keep your non-PD programs away from Guests or other "non-trusted" persons. VAXSHARE, PCLINK, AND OTHER VAX/APPLESHARE SERVER APPS ~~~~~~~~~ ~~~~~~~ ~~~ ~~~~~ ~~~ ~~~~~~~~~~ ~~~~~~ ~~~~ (3) There are various forms of AppleShare that can be run from a VAX; many versions of these programs have severe flaws which can also be exploited. * The prime example is the existence of "default" accounts: while "Guest" logins might be disallowed, logging in as DEFAULT, password USER has been known to be effective in "getting in" -- even FIELD, SERVICE has worked. Pathetic, isn't it, that these guys haven't picked up on these things? * The existence of a VAXShare [or similar] account used for AppleShare access can oft times be used to access the VAX. For instance, if one is aware that a VAX is being used in an open lab as an AppleShare File Server, one can use method #1 to extract a username/password combination from the Prep file and use that password to gain entrance to the VAX. HOW TO SOLVE: Disallow interactive logins on the VAX-side of the account and disable or repassword all "default" accounts. If your version of VAX/AppleShare requires an interactive login, have a "special" program be run whenever the user logs in, recording the date, time, and origin of login before disconnecting. SYSTEM 7 FILE SHARING ~~~~~~ ~ ~~~~ ~~~~~~~ (4) With the advent of System 7.0 and "File Sharing," many users simply put their machines "on the net" without taking proper measures to disallow unauthorized access to their machine. Several people turn Sharing on while their drive is selected, unwittingly allowing others to read, write, copy, delete, or modify the information on the drive. Oddly enough, by default, the "Trash" folder is locked out, while the System Folder is, by default, left wide open. A major oversight on Apple's part... I suppose it was to discourage the perceived threat of "digital dumpster diving" ...? Even I cannot fathom that one. * Many times the "System Folder" is left unprotected, meaning various system resources can be copied or modified. One can leech the AppleTalk Remote Access files, any Timbuk2 or Timbuk2/Remote programs, etc. and use them to further penetration. * The "Users & Groups" file can be copied, then modified "at home" by a user running 7.0 [or by the attacking machine, if it is running 7.0] -- adding another "owner" account, for instance, to act as a "back door" in the event guest privileges are locked out by a wiser individual. * The integrity of important files can be challenged; the System file can have resources moved in and out of it by the attacking computer -- one of these resources could be a virus, a Trojan horse, or a really stupid font [like New York -- ugh!]. * The disk is usually populated by copyrighted software; one could easily make pirated copies of that software. * The disk may be home to personal or otherwise "private" files -- files that can be read, copied, deleted, or even modified. There was an instance in which a file on a shared folder was found to contain user names and passwords to a UNIX box on the campus network... incredibly foolish. Fortunately, the proper persons were informed and the files were moved to a [presumably] safer location. * The attacker could have a malicious streak and choose to delete all that he sees. HOW TO SOLVE: Take a giant wooden plank and soundly whack all offending users. Tell them of the intelligent way to use filesharing, and inform them that *anyone* can go in and read their resume, love notes, financial info, erotic poetry, etc.. that usually gets their attention. Tell them to, instead of sharing the entire hard drive, create a folder and entitle it "Shares" or something appropriately witty; then select the folder and go to "Sharing..." To further security, disallow the (Guest) logins. To better keep track of who's using the Macintosh, keep the "File Sharing Monitor" open or get a program like NokNok which notifies you when someone is using your Mac. NCSA TELNET ~~~~ ~~~~~~ 5) The NCSA Telnet application allows a user to use his or her Mac as a telnet client and wander around the Internet. NCSA Telnet also handles incoming FTP requests. While this FTP function is easily disabled, many users keep it on because they either use it regularly or don't even know it exists. * Anyone with a valid username/password can log in to the Mac via FTP and then change to the "root" directory and perform the normal FTP functions.. both send and receive. This means that *every* file on the Mac can be accessed from *anywhere* on the Internet. It should be noted that NCSA Telnet does not log the "who & where" information, meaning there is no log of who used the machine, meaning there is no way for an intruder to be "caught." * The file "ftppass" contains the list of users allowed to use FTP on that Macintosh. If, by using one of the methods mentioned above, someone is able to access it, it is easily cracked as it has a rather pathetic encryption scheme: the data fork contains the user's name, a colon, and then an encrypted password. The password is easily decrypted; unless it is the entire 10 characters, the last few characters are in order. That is, the next ASCII code is 1 + the previous, etc. Observe this from my "ftppass" file: sample:ucetcr&'() The first part, "sample," is the user's name. The colon is the basic UNIX-like delimiter, the rest is the password. The "real" part of the password is the characters "ucetcr" ... the remaining "&'()" are just spaces... how do you tell? It's in ASCII order. Look up "&" on an ASCII chart and "'" will follow, then "(" then ")" .. you get the idea. This password can be discovered by short program XORing the encrypted characters with a number between 0 and 255. The program can either a) dump all XOR results or b) if the password is not the maximum length, the program can simply scan for a "space" [ASCII 032 decimal] in the password and print it. The following "cracking" program is written in BASIC [hey, does anyone use that any more?] and will allow you to decrypt the passwords. If you can tell that the password has spaces at the end, you can go ahead and delete line 110. Otherwise, leave that line in and use your brain [remember your brain?] to determine if the encrypted goop is a "real" word or just goop. 5 REM "ftppass" brute-force hacker 10 INPUT "Encrypted password:";I$ 20 FOR X=1 TO 255 30 FOR Y=1 TO LEN(I$) 40 Y$=MID$(I$,Y,1) 50 YA=ASC(Y$) 60 N=X XOR YA 70 IF N=32 THEN F=1 80 N$=N$+CHR$(N) 90 NEXT Y 100 IF F THEN ?"Possible password:"N$ 110 ?I$" 'encrypts' to "N$: REM U can delete this line if len<10 120 N$="":F=0 130 NEXT X 140 ?"Finished." Sample run: [with line 110 deleted] Encrypted password:ucetcr&'() [gotta type the whole thing] Possible password:secret !./ [boy, that was tough!] Possible password:rdbsdu! /. Possible password:}km|kz./ ! [etc.. just smack ^C at this point.] So the password is "secret" [clever, no?] It should be noted that this program is rather inelegant as I haven't really reversed the algorithm, just written a brute-force "hacker" for it. This is due to laziness on my part. If I really wanted to do this properly, I would FTP to the NCSA anonymous site and leech the 700k+ of source and "reverse" it thataway. I don't feel like doing that. I am lazy. This program works just dandy for me... [I suspect the encryption program uses the users' name to encrypt it, but I don't care enough to find out.] I should say that I don't wish to offend the makers of NCSA Telnet or call the application crap. It is, indeed, an impressive piece of work; I simply feel that there are some aspects of it which could use improvement... if not in terms of security, then at least allowing the user to save selections to disk! BTW- I know that NCSA Telnet is also available for the IBM. I haven't tested these with an IBM, but if it's a "true" port, these flaws should exist under the IBM version as well. - = - = - = - = - Well, that does it. If you're a network coordinator and you're *still* sitting on your skinny ass after reading this, get the hell up and fix the problems. Don't be surprised to find someone running anonymously through your net, leeching files and generally contributing to moral laxity ... I've seen it before -- it's not a pretty sight. And of course, if you run a network of any sort, you must encourage users to use different passwords on different machines and passwords that don't exist in a dictionary [gh0ds are we sick of hearing that!].. it will work wonders for security. Every hacker knows the number of people who use ONE password to all of their different accounts is unbelievably high... and they make very good use of this oversight. - = - = - = - = - = - = - = - =- = - = - = - =- = - = - = - =- = - = - = - = -