@grahamperrin
Last active September 4, 2016 04:16
Apparent file sharing security vulnerability in five or more versions
of Apple Mac OS X
http://tinyurl.com/macosxsharedvolumes
=======================================================================
With Mac OS X 10.7.5 (Lion), OS X 10.8.5 (Mountain Lion) or
OS X 10.9.5 (Mavericks)
=======================================================================
1. in Disk Utility, partition a USB flash drive to have:
* a GUID Partition Table (GPT)
* one HFS Plus (Mac OS X Extended) volume, 'Untitled'
2. in Finder, add a test folder to that volume
3. in the Sharing pane of System Preferences, click 'File Sharing'
4. add the Untitled volume to the list of shared items
5. a restriction: set 'Everyone' to 'No Access'
6. if file sharing is off, enable it
7. at a different computer on the LAN, make a guest connection to the
file server
Expected
--------
8. the restriction: no access to the Untitled volume.
Actual result
-------------
8. without a password, the guest can:
* access the Untitled volume
* read and write (delete the owner's test folder, and so on).
=======================================================================
With OS X 10.10.5 (Yosemite) or
prerelease build 15G7a of OS X 10.11.6 (El Capitan)
=======================================================================
Steps (1)–(6) above then
7. in the Users & Groups pane of System Preferences, use login options
to join the file server to a network account server (for example,
Active Directory)
8. at a different computer on the LAN, make a connection to the file
server and authenticate as a user (of, for example, Active Directory)
who has no account on the file server
Expected
--------
9. the restriction: no access to the Untitled volume.
Actual result
-------------
9. the authenticated user can:
* access the Untitled volume
* read and write
– contrary to the restriction.
--------------------------------
Without a network account server
--------------------------------
Steps (1)–(6) above then at a different computer on the LAN, connect to
the file server as any user who should have no access to the Untitled
volume. That user will find inappropriate access privileges.
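The failure described in the steps above, modelled as an added illustration (not Apple's code and not a description of its implementation): a share-point check that consults only the volume's POSIX rights silently ignores the 'Everyone: No Access' restriction set in the Sharing pane, whereas a check that treats the share restriction as authoritative denies the guest and the foreign network-account user. The share name, principals and POSIX defaults are constructed for the example.

```python
"""Model of a share-level access-control failure (added illustration).

The Sharing-pane restriction should be authoritative: the server is
responsible for enforcing access regardless of POSIX permissions.  The
observed behaviour is consistent with a check that only looks at POSIX
rights; 'flawed_decision' models that, 'correct_decision' the fix.
"""
from dataclasses import dataclass, field

NO_ACCESS, READ_ONLY, READ_WRITE = "no access", "read only", "read & write"


@dataclass
class SharePoint:
    name: str
    # Restrictions as set in the Sharing pane, keyed by principal.
    share_acl: dict
    # POSIX rights the volume grants after the server's own mapping.
    # Constructed assumption: the default lets everyone read and write.
    posix_rights: dict = field(default_factory=lambda: {"everyone": READ_WRITE})


def _lookup(table: dict, user: str) -> str:
    # An explicit entry for the principal wins; otherwise 'everyone' applies.
    return table.get(user, table.get("everyone", NO_ACCESS))


def flawed_decision(share: SharePoint, user: str, want_write: bool) -> bool:
    """Only POSIX rights are consulted; the share restriction is ignored."""
    right = _lookup(share.posix_rights, user)
    return right == READ_WRITE or (right == READ_ONLY and not want_write)


def correct_decision(share: SharePoint, user: str, want_write: bool) -> bool:
    """The share restriction is evaluated first and can only narrow access;
    POSIX rights are then applied on top of it."""
    share_right = _lookup(share.share_acl, user)
    if share_right == NO_ACCESS:
        return False
    if want_write and share_right != READ_WRITE:
        return False
    return flawed_decision(share, user, want_write)


def untitled_share() -> SharePoint:
    # The 'Untitled' volume from the steps: owner read & write, Everyone: No Access.
    return SharePoint("Untitled", {"owner": READ_WRITE, "everyone": NO_ACCESS})
```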
=======================================================================
Not properly tested
=======================================================================
Third party implementations of AFP.
SMB service.
ZFS.
FAT (the MS-DOS file system, with 16- and 32-bit variants). From a brief
test with something less than Yosemite, I suspect that guests will not
gain inappropriate access.
=======================================================================
UPDATE – following publication of this URL, I received a follow-up
from Apple. The following text is taken from my response:
----
It seems to me that the problem is, in essence, with the Sharing pane of System Preferences, which offers no hint that an operating system default may cause user-specified restrictions to be ignored.
Whilst we have no reply from the opening poster at http://forums.macrumors.com/threads/1821664/ I believe that the :/ face should be taken as representative of confusion or concern about the unexpected, inappropriate lack of privacy:
OSX File Sharing - everybody can see everything :/
Where a server flavour of the operating system is used: similarly, there should be an unmistakable hint to the service administrator that a restriction, set in a sharing GUI, may be effectively ignored by the file sharing service. This evening I sped through https://help.apple.com/serverapp/mac/5.1.5/#/apd868B2CBC-70A8-45F7-B054-86634DD56F2E (Security considerations - Server Help) and nearby, I found no appropriate hint.
I do have some installations of Mac OS X Server but at the time of writing, I can not access them to tell whether there's an appropriate on-screen hint in the sharing GUI.
=======================================================================
Links
=======================================================================
OSX File Sharing - everybody can see everything :/ | MacRumors Forums
http://forums.macrumors.com/threads/1821664/
– 2014-11-22, maybe the first public disclosure, I drew this to the
attention of Apple.
The same topic, captured in November 2015
https://web.archive.org/web/20151114072159/http://forums.macrumors.com/threads/osx-file-sharing-everybody-can-see-everything.1821664/
– I attempted to gain additional information from the opening poster
– when I began preparing for this disclosure, I arranged deletion of
two of my posts (I wished to avoid untimely discovery).
Mac Developer Library – Secure Coding Guide – Types of Security Vulnerabilities – Access Control Problems
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Articles/TypesSecVuln.html#//apple_ref/doc/uid/TP40002529-SW11
Mac Developer Library – Apple Filing Protocol Programming Guide – AFP File Server Security – Privilege Mapping
https://developer.apple.com/library/mac/documentation/Networking/Conceptual/AFP/AFPSecurity/AFPSecurity.html#//apple_ref/doc/uid/TP40000854-CH232-SW14
> … the server is responsible for enforcing access to any item
> regardless of what its POSIX permissions may show, …
Gaining a CVE identifier when the software vendor does not provide one | Wilders Security Forums
https://www.wilderssecurity.com/threads/386302/
Apparent file sharing security vulnerabilities in five or more versions of Apple Mac OS X | Wilders Security Forums
https://www.wilderssecurity.com/threads/386596/
Short URL for this page
http://tinyurl.com/macosxsharedvolumes
https://twitter.com/grahamperrin/status/743980436569862145
https://alpha.app.net/grahamperrin/post/69425887