BugTraq
Issues with security software: orbicule.com "Undercover" Feb 02 2006 09:12AM
Maximillian Dornseif (dornseif informatik uni-mannheim de)
During a lab exercise one of our students found several privacy and
security issues in products and services offered by http://orbicule.com.

orbicule.com offers what is claimed to be a Notebook Anti-Theft
solution for Apple MacOS X called Undercover. You install their
software on your machine, register the machine with them and then
shit happens.

A) Website.

1. Everybody can see the list of stolen notebooks / their MAC
addresses. See

http://www.orbicule.com/UCservices/trace.plist
http://www.orbicule.com/UCservices/hijack.plist

2. The site contains SQL injection vulnerabilities. Try
http://www.orbicule.com/UCServices/registration.php?mac=;nastystuff

B) Binary

The binary contains - for whatever reason - the FTP username and
password to administer the orbicule.com website. This allows you to
download the list of registered users and do all kinds of havoc, e.g.
backdooring the binary available for download on the site.

C) Theft Protection

1. The binary is started via LaunchDaemon and thus can be easily
disabled - a PoC:

$ sudo chmod -x /private/etc/uc.app/Contents/MacOS/uc
$ sudo reboot

2. The IP address check relies on the third-party website
http://checkip.dyndns.org/, thus unnecessarily revealing information
to a third party without stating this in the documentation.

Timeline:
2005-01-20: Issue Reported to us by Student, verified by us
2005-01-20: info (at) orbicule (dot) com, Peter.Schols (at) bio.kuleuven (dot) be contacted
2005-01-20: Reply by Peter Schols requesting further explanation,
email discussion of the issues
2005-01-20: Vendor assures us that "over the next weeks we will
increase our development efforts to get a more secure and more
reliable Undercover out as soon as possible."
2005-01-30: Vendor contacted us and assures the MAC Addresses are not
stored anymore on the server, the SQL-Injection is fixed and the
password is removed from the binary.
2005-02-01: Vendor now states our findings are wrong. Demands
"updating" of a blog entry at http://blogs.23.nu/c0re/stories/11058/
2005-02-01: Uncoordinated release after weighing damage done by non
release compared to release and considering that vendor hadn't
stopped distributing the broken software.

--
Maximillian Dornseif
Pi1 - Laboratory for Dependable Distributed Systems, University of
Mannheim, Germany
http://pi1.informatik.uni-mannheim.de/staff/home/dornseif
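
Added example, not part of the original post and not the vendor's code (the site's PHP source is not shown): one way to handle the `mac` request parameter from item A.2 so that request data never becomes SQL text. It uses Python's sqlite3 as a stand-in; the table schema, the sample row and all function names are hypothetical.

```python
import re
import sqlite3

# Assumed input format: six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def normalize_mac(raw):
    """Return the canonical lower-case colon form, or None if malformed."""
    if not isinstance(raw, str) or not MAC_RE.fullmatch(raw):
        return None
    return raw.replace("-", ":").lower()


def make_db():
    """In-memory stand-in for the registration store (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registrations (mac TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO registrations VALUES ('00:16:cb:aa:bb:cc', 'alice')")
    return db


def lookup_concatenated(db, mac):
    """Anti-pattern: the request value becomes part of the SQL text."""
    sql = "SELECT owner FROM registrations WHERE mac = '" + mac + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, mac):
    """Hardened: validate the format, then pass the value as a bound parameter."""
    canonical = normalize_mac(mac)
    if canonical is None:
        raise ValueError("malformed MAC address")
    return db.execute(
        "SELECT owner FROM registrations WHERE mac = ?", (canonical,)
    ).fetchall()


def quote_breaks_query(db, value):
    """True if a raw value changes how the concatenated statement is parsed."""
    try:
        lookup_concatenated(db, value)
    except sqlite3.OperationalError:
        return True
    return False
```

A stray quote in the parameter is enough to make the concatenated statement fail to parse, which is the usual first sign that input reaches the SQL parser; the bound variant rejects the same value before any query runs.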

