<<< Date Index >>>     <<< Thread Index >>>

Issues with security software: orbicule.com "Undercover"



During a lab exercise one of our students found several privacy security issues in products and services offered by http://orbicule.com.

orbicule.com offers what is claimed to be a Notebook Anti-Theft solution for Apple MacOS X called Undercover. You install their software on their machine, register the machine with them and then shit happens.

A) Website.

1. Everybody can see the list of Stolen Notebooks / their Mac Addresses. See

http://www.orbicule.com/UCservices/trace.plist
http://www.orbicule.com/UCservices/hijack.plist

2. The site contains SQL injection vulnerabilities. Try
http://www.orbicule.com/UCServices/registration.php?mac=;nastystuff

B) Binary

The binary contains - for what ever reason = the ftp username and passwort to administer the orbicule.com Website. This allows you to download the list of registered users and do all kind of havoc. Eg. backdooring the binary available for download on the site.


C) Theft Protection

1. The Binary is starts via LaunchDaemon and thus can be easily disabled - a PoC:

$ sudo chmod -x /private/etc/uc.app/Contents/MacOS/uc
$ sudo reboot

2. The IP-Address check relies on the third party Website http:// checkip.dyndns.org/ thus revealing information to a thirtd party unnecessary without stating this in the documentation.

Timeline:
2005-01-20: Issue Reported to us by Student, verified by us
2005-01-20: info@xxxxxxxxxxxx, Peter.Schols@xxxxxxxxxxxxxxx contacted
2005-01-20: Reply by Peter Schols requesting further explanation, email discussion of the issues 2005-01-20: Vendor assures us that "over the next weeks we will increase our development efforts to get a more secure and more reliable Undercover out as soon as possible." 2005-01-30: Vendor contacted us and assures the MAC Addresses are not stored anymore on the server, the SQL-Injection is fixed and the password is removed from the binary. 2005-02-01: Vendor now states our findings are wrong. Demands "updating" of a blog entry at http://blogs.23.nu/c0re/stories/11058/ 2005-02-01: Uncoordinated release after weighting damage done by non release compared to release and considering that vednor hadn't stopped distributing the broken software.


--
Maximillian Dornseif
Pi1 - Laboratory for Dependable Distributed Systems, University of Mannheim, Germany
http://pi1.informatik.uni-mannheim.de/staff/home/dornseif


Attachment: smime.p7s
Description: S/MIME cryptographic signature