Apple follow-up 631737871.txt
Last active September 4, 2016 04:16
Apparent file sharing security vulnerability in five or more versions of Apple Mac OS X
Apparent file sharing security vulnerability in five or more versions
of Apple Mac OS X
http://tinyurl.com/macosxsharedvolumes
=======================================================================
With Mac OS X 10.7.5 (Lion), OS X 10.8.5 (Mountain Lion) or
OS X 10.9.5 (Mavericks)
=======================================================================
1. in Disk Utility, partition a USB flash drive to have:
   * a GUID Partition Table (GPT)
   * one HFS Plus (Mac OS X Extended) volume, 'Untitled'
2. in Finder, add a test folder to that volume
3. in the Sharing pane of System Preferences, click 'File Sharing'
4. add the Untitled volume to the list of shared items
5. a restriction: set 'Everyone' to 'No Access'
6. if file sharing is off, enable it
7. at a different computer on the LAN, make a guest connection to the
   file server
Expected
--------
8. the restriction: no access to the Untitled volume.
Actual result
-------------
8. without a password, the guest can:
   * access the Untitled volume
   * read and write (delete the owner's test folder, and so on).
=======================================================================
With OS X 10.10.5 (Yosemite) or
prerelease build 15G7a of OS X 10.11.6 (El Capitan)
=======================================================================
Steps (1)–(6) above, then:
7. in the Users & Groups pane of System Preferences, use login options
   to join the file server to a network account server (for example,
   Active Directory)
8. at a different computer on the LAN, make a connection to the file
   server and authenticate as a user (of, for example, Active Directory)
   who has no account on the file server
Expected
--------
9. the restriction: no access to the Untitled volume.
Actual result
-------------
9. the authenticated user can:
   * access the Untitled volume
   * read and write
   – contrary to the restriction.
--------------------------------
Without a network account server
--------------------------------
Steps (1)–(6) above, then at a different computer on the LAN, connect to
the file server as any user who should have no access to the Untitled
volume. That user will find inappropriate access privileges.
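The three procedures above all end with the same manual check: from a second computer, mounted as a guest or as a user who should have no access, see whether the 'No Access' restriction on the Untitled volume is actually enforced. The following Python script is an added example, not part of the original report, that automates that client-side check. It assumes the share has already been mounted on the client (for example at /Volumes/Untitled) and that the script is run there as the ordinary test user, not as root. The expectation labels 'no-access', 'read-only' and 'read-write' are constructed names for this example, and the self-test uses a constructed temporary directory in place of a real mount.

```python
"""Client-side probe: does a mounted share honour the restriction the
administrator set in the Sharing pane?  Added example; constructed inputs."""
import os
import tempfile


def probe_share(mount_point):
    """Return which operations the calling user can perform at mount_point.

    Each probe records False on an OSError instead of raising, so a denied
    or missing share simply shows up as no access.
    """
    observed = {"list": False, "read": False, "write": False}
    try:
        entries = os.listdir(mount_point)
        observed["list"] = True
    except OSError:
        return observed

    # Read probe: open the first regular file visible in the share root.
    for name in entries:
        path = os.path.join(mount_point, name)
        if os.path.isfile(path):
            try:
                with open(path, "rb") as fh:
                    fh.read(1)
                observed["read"] = True
            except OSError:
                pass
            break

    # Write probe: create a marker file, then clean it up again.
    marker = os.path.join(mount_point, ".share-probe-%d" % os.getpid())
    try:
        with open(marker, "wb") as fh:
            fh.write(b"probe")
        observed["write"] = True
    except OSError:
        return observed
    try:
        os.remove(marker)
    except OSError:
        pass
    return observed


def verdict(expected, observed):
    """Compare the restriction the admin believes is in force with what the
    probe observed.  Returns (enforced, message).  'expected' is one of the
    constructed labels 'no-access', 'read-only' or 'read-write'."""
    if expected == "no-access":
        granted = sorted(k for k, v in observed.items() if v)
        if granted:
            return False, "restriction ignored: client can %s" % ", ".join(granted)
        return True, "restriction enforced: no access"
    if expected == "read-only":
        if observed["write"]:
            return False, "restriction ignored: client can write"
        return True, "restriction enforced: read-only"
    if expected == "read-write":
        return True, "no restriction to check"
    raise ValueError("unknown expectation: %r" % (expected,))


def demo_local_probe():
    """Self-check against a constructed temporary directory standing in for
    a mounted share: it is fully accessible, so a 'no-access' expectation
    must be reported as ignored and a 'read-write' one as satisfied."""
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "test-folder-marker.txt"), "w") as fh:
            fh.write("owner's test data")
        observed = probe_share(share)
        return observed, verdict("no-access", observed), verdict("read-write", observed)


if __name__ == "__main__":
    import sys
    # Usage on the client: python3 probe.py /Volumes/Untitled no-access
    mount = sys.argv[1] if len(sys.argv) > 1 else "/Volumes/Untitled"
    expect = sys.argv[2] if len(sys.argv) > 2 else "no-access"
    seen = probe_share(mount)
    ok, msg = verdict(expect, seen)
    print("%s: observed %s -> %s" % (mount, seen, msg))
    sys.exit(0 if ok else 1)
```

The exit status makes the probe usable in a loop over every share point and every test identity (guest, local user, directory-service user), so a regression like the one described above shows up as a non-zero exit rather than depending on someone noticing an unexpected folder listing.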
=======================================================================
Not properly tested
=======================================================================
Third party implementations of AFP.
SMB service.
ZFS.
FAT (the MS-DOS file system, with 16- and 32-bit variants). From a brief
test with something less than Yosemite, I suspect that guests will not
gain inappropriate access.
=======================================================================
UPDATE – following publication of this URL, I received a follow-up
from Apple. The following text is taken from my response:
----
It seems to me that the problem is, in essence, with the Sharing pane of System Preferences, which offers no hint that an operating system default may cause user-specified restrictions to be ignored.
Whilst we have no reply from the opening poster at
http://forums.macrumors.com/threads/1821664/ I believe that the
:/ face
should be taken as representative of confusion or concern about the unexpected, inappropriate lack of privacy:
OSX File Sharing - everybody can see everything :/
Where a server flavour of the operating system is used: similarly, there should be an unmistakable hint to the service administrator that a restriction, set in a sharing GUI, may be effectively ignored by the file sharing service. This evening I sped through https://help.apple.com/serverapp/mac/5.1.5/#/apd868B2CBC-70A8-45F7-B054-86634DD56F2E (Security considerations - Server Help) and nearby, I found no appropriate hint.
I do have some installations of Mac OS X Server but at the time of writing, I cannot access them to tell whether there's an appropriate on-screen hint in the sharing GUI.
=======================================================================
Links
=======================================================================
OSX File Sharing - everybody can see everything :/ | MacRumors Forums
http://forums.macrumors.com/threads/1821664/
– 2014-11-22, maybe the first public disclosure, I drew this to the
attention of Apple.
The same topic, captured in November 2015
https://web.archive.org/web/20151114072159/http://forums.macrumors.com/threads/osx-file-sharing-everybody-can-see-everything.1821664/
– I attempted to gain additional information from the opening poster
– when I began preparing for this disclosure, I arranged deletion of
two of my posts (I wished to avoid untimely discovery).
Mac Developer Library – Secure Coding Guide – Types of Security Vulnerabilities – Access Control Problems
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Articles/TypesSecVuln.html#//apple_ref/doc/uid/TP40002529-SW11
Mac Developer Library – Apple Filing Protocol Programming Guide – AFP File Server Security – Privilege Mapping
https://developer.apple.com/library/mac/documentation/Networking/Conceptual/AFP/AFPSecurity/AFPSecurity.html#//apple_ref/doc/uid/TP40000854-CH232-SW14
> … the server is responsible for enforcing access to any item
> regardless of what its POSIX permissions may show, …
Gaining a CVE identifier when the software vendor does not provide one | Wilders Security Forums
https://www.wilderssecurity.com/threads/386302/
Apparent file sharing security vulnerabilities in five or more versions of Apple Mac OS X | Wilders Security Forums
https://www.wilderssecurity.com/threads/386596/
Short URL for this page
http://tinyurl.com/macosxsharedvolumes
https://twitter.com/grahamperrin/status/743980436569862145
https://alpha.app.net/grahamperrin/post/69425887