Bugtraq mailing list archives

Re: Mac/At Ease/Netscape File Access Exploit


From: method () YIKES COM (Dan Fleisher)
Date: Tue, 20 May 1997 22:09:16 -0700


That's just the tip of the iceberg.  Since the machine being attacked is
'netted' (obviously, else it wouldn't be running Netscape), there is lots
more fun you can have with it.  For example, given an email account
somewhere you can use the 'mail url' feature to send yourself any file on
the system, regardless of privileges.  A good file to send would be the
'At Ease Preferences' file which contains the master At Ease preferences.
Once you have obtained this, cracking the password is trivial with a
program such as DisEase, thus leading to a total compromise.

Meth
method () yikes com

On Tue, 20 May 1997, Nathan Dorfman wrote:

Please don't flame me for posting Mac stuff to a UNIX list; I see NT
crap here all the time, and thought some admins may think twice before
running At Ease (or before running Macs in the first place).

SYNOPSIS: At Ease apparently doesn't patch the kernel to introduce file
restrictions, but modifies a library that programs call to display an
Open File dialog box.

IMPACT: This bug allows a user to read files and directories he shouldn't
have access to under the At Ease system.

DESCRIPTION: Under At Ease, files and folders that you shouldn't have access
to are grayed out in Open File dialogs. Using a program like Netscape you
can bypass the dialog, using a URL such as:

file://TZHS%20HD%202/Documents/Dorfman%20Nathan

Note that the implementation of Netscape used automatically converted
spaces to %20 combinations as required by HTTP 1.1 (RFC 2068):

file://TZHS HD 2/Documents/Dorfman Nathan/

Will show the contents of that folder. For non-text files, you can simply
save the file into a folder you DO have access to and use the appropriate
program to open it.

EXTRA NOTES: Netscape will not let you modify the folders but a simple program
can be written that takes a filename in a text-box and opens the file from its
location, without copying. If you can write Mac code, and are willing to,
please send to nathan () senate org.
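
The design flaw described in the SYNOPSIS above (restrictions applied in the Open File dialog rather than where files are actually opened), modelled as an added example that is not part of the original posts. It assumes POSIX-style paths and a constructed "Demo HD" tree; every function and class name here is hypothetical.

```python
import os
import tempfile
from urllib.parse import quote, unquote, urlsplit

def url_to_path(url):
    """Decode a file: URL into a local path (%20 becomes a space)."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        raise ValueError("not a file: URL")
    return unquote(parts.path)

class Policy:
    """One folder allowlist, shared by the picker and the open path."""
    def __init__(self, allowed_roots):
        self.allowed = [os.path.realpath(r) for r in allowed_roots]

    def permits(self, path):
        real = os.path.realpath(path)  # resolve symlinks and ".." first
        return any(os.path.commonpath([real, r]) == r for r in self.allowed)

def picker_entries(policy, folder):
    """UI-only restriction: maps each entry to True (selectable) or False (greyed)."""
    return {n: policy.permits(os.path.join(folder, n)) for n in os.listdir(folder)}

def open_ui_only(url):
    """Weak design: nothing is checked here; only the picker hid the file."""
    with open(url_to_path(url), "rb") as fh:
        return fh.read()

def open_enforced(policy, url):
    """Corrected design: the same policy is applied where the file is opened."""
    path = url_to_path(url)
    if not policy.permits(path):
        raise PermissionError(path)
    with open(path, "rb") as fh:
        return fh.read()

def build_demo():
    """Constructed sample tree: one permitted folder, one restricted folder."""
    volume = os.path.join(os.path.realpath(tempfile.mkdtemp()), "Demo HD")
    urls = {}
    for folder, text in (("Shared Items", b"public"), ("Documents", b"restricted")):
        os.makedirs(os.path.join(volume, folder))
        path = os.path.join(volume, folder, "note.txt")
        with open(path, "wb") as fh:
            fh.write(text)
        urls[folder] = "file://" + quote(path)
    return volume, Policy([os.path.join(volume, "Shared Items")]), urls
```

The picker greys out the restricted folder in both designs; only `open_enforced` still refuses when the path arrives as a typed URL instead of a dialog selection.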



