l0pht.macos.fwb.hdtoolkit

Posted Sep 23, 1999

SHA-256 | 0f37fcc8444cf20d26f12ea18dc6275587918888c721286d30c67e3a6fea4944

From spacerog@L0PHT.COM Sat Oct 31 03:22:01 1998
From: Space Rogue <spacerog@L0PHT.COM>
X-Sender: spacerog@199.201.145.20
To: BUGTRAQ@netspace.org
Date: Fri, 30 Oct 1998 12:25:21 -0000
Subject: [L0pht Advisory] MacOS - FWB passwords easily bypassed

Document: L0phT Security Advisory
URL Origin: http://www.l0pht.com/advisories.html
Release Date: October 30, 1998 (Special PumpCon Release)
Application: FWB Hard Disk Toolkit 2.5
Severity: Users can bypass hard disk driver level passwords
Author: Space Rogue (spacerog@l0pht.com)
Operating System: Mac OS


Description
-----------

FWB Hard Disk Toolkit 2.5 allows users to password protect hard drive
volumes. This password has to be entered when the hard disk driver loads
in order to allow the volume to mount. Failure to enter this password
prevents the volume from mounting and therefore prevents access to the
data on the device.


Details
-------

By forcibly replacing the FWB driver with a different driver it is
possible to access the data on the password protected volume without
knowing the password.

Most Macintosh hard drive formatting utilities will allow you to replace
the FWB passworded driver. However, they will also make any data on the
drive unreadable without advanced data recovery software (Norton Volume
Recover etc.). If the FWB driver is replaced with La Cie Silverlining
then it is possible to bypass the password and still access the data.


Testing
-------

Our testing procedure utilized a Quadra 610 24/230, Mac OS 8.0, FWB Hard
Disk Toolkit 2.5, La Cie Silverlining 5.8.3, and an external 160MB SCSI
IBM H3171-S2 hard drive.

Our test drive was first low level formatted with FWB and a read/write
password was assigned. Then about 10MB of various files were copied onto
it as our test data. The machine was then powered down and rebooted. Upon
boot up the system prompted us to enter the password. This enabled the
system to mount the drive.

We then launched Silverlining and updated the driver. Silverlining did
not complain about doing this except to give us the standard dire
warnings about possible data loss. Again we powered down and rebooted.
This time no password was asked for and the volume mounted successfully
with all of its data intact.

The previous steps were repeated ten times with no discernible
differences.

We tried various other hard drive formatting utilities in addition to
Silverlining, such as SCSI Director Pro, Anubis and others. While some of
these other utilities were able to replace the FWB driver, access to the
data was lost. Silverlining is unique in that it attempts to preserve data
integrity while replacing the driver; other utilities do not take data
preservation into account.

Solution
--------

Users should be aware that using a driver level password to protect data
is not always a guarantee that your data is safe from prying eyes. The
previous example can be accomplished in under five minutes with a
medium-sized drive and only requires that the malicious user have a bootable
floppy disk with Silverlining on it. Ten minutes of unsupervised access
to the target machine is all that is required.

FWB gives users six options when applying a password to a volume: None,
Read, Read/Write, Encryption Level 1, Encryption Level 2, and Encryption
Level 3. Using one of the encryption options would possibly allow for
greater security. The disadvantage is that using one of the encryption
options greatly slows down the speed at which your machine can read and
write data as it does its encryption/decryption on the fly. (It is not
the purpose of this advisory to determine if FWB's encryption
implementation is any better or worse than its password implementation.)
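
The distinction drawn above, as an added example that is not part of the
original advisory and is not FWB or La Cie code: a small Python model in
which a password enforced only by the installed driver stops protecting the
data once a driver without the check is installed, while data stored
encrypted stays unreadable. All class names, the sample data and the toy
SHA-256 keystream are assumptions made for illustration; the keystream is
not FWB's encryption and not a vetted cipher.

```python
import hashlib

def keystream_xor(data, key):
    """Toy SHA-256 counter-mode keystream; illustration only, not FWB's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class PasswordGateDriver:
    """Driver-level password: the check lives in the driver, data is in the clear."""
    def __init__(self, password):
        self._password = password
    def read(self, blocks, password):
        if password != self._password:
            raise PermissionError("volume will not mount")
        return list(blocks)

class ReplacementDriver:
    """Hypothetical driver with no password check; returns blocks as stored."""
    def read(self, blocks, password):
        return list(blocks)

class DecryptingDriver:
    """Hypothetical driver that decrypts with a key derived from the password."""
    def read(self, blocks, password):
        key = hashlib.sha256((password or "").encode()).digest()
        return [keystream_xor(b, key) for b in blocks]

class Disk:  # stored blocks plus whichever driver is currently installed
    def __init__(self, blocks, driver):
        self.blocks, self.driver = list(blocks), driver
    def mount(self, password=None):
        return self.driver.read(self.blocks, password)

def demo():
    data = [b"payroll Q3", b"design notes"]        # constructed sample data
    gated = Disk(data, PasswordGateDriver("s3cret"))
    gated.driver = ReplacementDriver()             # driver swapped, data untouched
    gate_leaks = gated.mount() == data             # readable with no password
    key = hashlib.sha256(b"s3cret").digest()
    enc = Disk([keystream_xor(b, key) for b in data], ReplacementDriver())
    enc_leaks = enc.mount() == data                # only ciphertext comes back
    enc.driver = DecryptingDriver()
    return gate_leaks, enc_leaks, enc.mount("s3cret") == data

if __name__ == "__main__":
    print(demo())
```
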

Numerous hard drive formatting utilities allow the setting of a password
similar to FWB. Unfortunately we do not have the time to test them all.
It should therefore not be assumed that all other driver level passwords
are secure. This advisory should help illustrate the fact that just
because a software package or company makes a claim of security does not
mean that your data is 100 percent secure. Users should take this into
account when depending on such utilities to protect their data.


Notes
-----

We would like to acknowledge J. Claymore, who first mentioned this problem
some time ago, which made this advisory possible.


-----------
For more Macintosh hacking information check out:
http://www.l0pht.com/~spacerog/index.html
-----------
For more L0phT (L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
-----------