lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <78CF15D6-EED8-4120-8B3B-594306438E92@informatik.uni-mannheim.de>
Date: Thu, 2 Feb 2006 10:12:45 +0100
From: Maximillian Dornseif <dornseif@...ormatik.uni-mannheim.de>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Issues with security software: orbicule.com "Undercover"

During a lab exercise one of our students found several privacy and
security issues in products and services offered by http://orbicule.com.

orbicule.com offers what is claimed to be a Notebook Anti-Theft
solution for Apple Mac OS X called Undercover. You install their
software on your machine, register the machine with them and then
shit happens.

A) Website.

1. Everybody can see the list of stolen notebooks and their MAC
addresses. See

http://www.orbicule.com/UCservices/trace.plist
http://www.orbicule.com/UCservices/hijack.plist

2. The site contains SQL injection vulnerabilities. Try
http://www.orbicule.com/UCServices/registration.php?mac=;nastystuff
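The bug class behind item 2, shown as an added example: this is not code from orbicule.com (the registration.php source is not public and is not part of this report). It puts a lookup that splices the mac parameter into the SQL text by string formatting beside the parameterized form, and a small probe that classifies what a given input does to each. The SQLite backend, table and sample rows are constructed for the example; the site's real schema and database are unknown, and the example assumes the parameter was interpolated inside quotes, so the probes use a quote character rather than the bare ";nastystuff" above.

```python
import sqlite3

# Constructed sample data standing in for a registration table; the real
# orbicule.com schema is not known and is not reproduced here.
SAMPLE_ROWS = [
    ("00:11:22:33:44:55", "alice@example.org"),
    ("66:77:88:99:aa:bb", "bob@example.org"),
    ("cc:dd:ee:ff:00:11", "carol@example.org"),
]


def build_db():
    """In-memory SQLite database with a hypothetical registrations table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registrations (mac TEXT, email TEXT)")
    conn.executemany("INSERT INTO registrations VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, mac):
    """Splices the request parameter straight into the statement, the
    pattern that makes a ?mac=... handler injectable."""
    sql = "SELECT email FROM registrations WHERE mac = '%s'" % mac
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, mac):
    """Same query with a bound parameter: the value never becomes SQL."""
    sql = "SELECT email FROM registrations WHERE mac = ?"
    return [row[0] for row in conn.execute(sql, (mac,))]


def probe(lookup, conn, mac):
    """Classify what an input does to a lookup: ('rows', n) when the query
    runs, ('error', exception name) when the database rejects the statement.
    A database error on a lone quote is the usual first sign of injection."""
    try:
        return ("rows", len(lookup(conn, mac)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    conn = build_db()
    for payload in ("00:11:22:33:44:55", "'", "' OR '1'='1"):
        print(repr(payload),
              "vulnerable:", probe(lookup_vulnerable, conn, payload),
              "safe:", probe(lookup_safe, conn, payload))
```

With the vulnerable lookup a single quote produces a database error and the tautology returns every registered row; with the bound parameter both inputs are just MAC strings that match nothing.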

B) Binary

The binary contains - for whatever reason - the FTP username and
password to administer the orbicule.com website. This allows you to
download the list of registered users and do all kinds of havoc, e.g.
backdooring the binary available for download on the site.
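A check for the issue in section B, added here as an example and not taken from the Undercover binary or from orbicule.com: extract printable strings from a file the way strings(1) does, then flag the ones that look like compiled-in credentials (user:pass@host in a URL, password= or user= style assignments). The byte blob scanned below is constructed for the example and the FTP account in it is invented; the patterns are heuristics and will also flag harmless strings that happen to contain "pass=".

```python
import re
import string

# Same idea as `strings -n 6 file | grep -iE 'ftp://|passw'`, with the
# matching in one place so it can run as a release check on any build.
MIN_LEN = 6
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Patterns that usually mean a secret was compiled into the binary.
CREDENTIAL_PATTERNS = [
    # scheme://user:password@host
    re.compile(rb"(ftp|ftps|sftp|http|https)://[^/\s:@]+:[^/\s:@]+@[^\s/]+", re.I),
    # password=..., Passwort: ..., pass=..., pwd=...
    re.compile(rb"(passw(or)?d|passwort|pass|pwd)\s*[=:]\s*\S+", re.I),
    # ftp=..., login: ..., user=..., username=...
    re.compile(rb"(ftp|login|user(name)?)\s*[=:]\s*\S+", re.I),
]


def extract_strings(data, min_len=MIN_LEN):
    """Yield runs of at least min_len printable ASCII bytes, like strings(1)."""
    run = bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                yield bytes(run)
            run = bytearray()
    if len(run) >= min_len:
        yield bytes(run)


def find_embedded_credentials(data):
    """Return the printable strings in data that match a credential pattern."""
    hits = []
    for s in extract_strings(data):
        if any(p.search(s) for p in CREDENTIAL_PATTERNS):
            hits.append(s.decode("ascii"))
    return hits


# Constructed stand-in for a compiled binary: non-printable bytes around a
# few literal strings. The FTP account is invented for this example.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 16 +
    b"Undercover\x00" +
    b"http://checkip.dyndns.org/\x00" +
    b"ftp://webadmin:Tr0ub4dor@ftp.example.invalid/htdocs\x00" +
    b"\x90\x90\xcc" + b"registration.php?mac=%s\x00" +
    b"ftp_pass=hunter2\x00"
)


def scan_file(path):
    """Scan a real file on disk with the same logic."""
    with open(path, "rb") as f:
        return find_embedded_credentials(f.read())


if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_BINARY):
        print("possible embedded credential:", hit)
```

On the constructed blob the URL without credentials (the dyndns check) is extracted but not flagged; the user:password URL and the pass= assignment are.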


C) Theft Protection

1. The binary is started via a LaunchDaemon and thus can be easily
disabled - a PoC:

$ sudo chmod -x /private/etc/uc.app/Contents/MacOS/uc
$ sudo reboot

2. The IP address check relies on the third-party website
http://checkip.dyndns.org/, thus revealing information to a third party
unnecessarily, without stating this in the documentation.

Timeline:
2005-01-20: Issue reported to us by a student, verified by us
2005-01-20: info@...icule.com, Peter.Schols@....kuleuven.be contacted
2005-01-20: Reply by Peter Schols requesting further explanation,  
email discussion of the issues
2005-01-20: Vendor assures us that "over the next weeks we will  
increase our development efforts to get a more secure and more  
reliable Undercover out as soon as possible."
2005-01-30: Vendor contacted us and assures the MAC Addresses are not  
stored anymore on the server, the SQL-Injection is fixed and the  
password is removed from the binary.
2005-02-01: Vendor now states our findings are wrong. Demands  
"updating" of a blog entry at http://blogs.23.nu/c0re/stories/11058/
2005-02-01: Uncoordinated release after weighing the damage done by
non-release against release, and considering that the vendor hadn't
stopped distributing the broken software.


-- 
Maximillian Dornseif
Pi1 - Laboratory for Dependable Distributed Systems, University of  
Mannheim,  Germany
http://pi1.informatik.uni-mannheim.de/staff/home/dornseif



Attachment: smime.p7s (application/pkcs7-signature, 2453 bytes)
