From spacerog@L0PHT.COM Sat Oct 31 03:22:01 1998
From: Space Rogue
X-Sender: spacerog@199.201.145.20
To: BUGTRAQ@netspace.org
Date: Fri, 30 Oct 1998 12:25:21 -0000
Subject: [L0pht Advisory] MacOS - FWB passwords easily bypassed

Document: L0phT Security Advisory
URL Origin: http://www.l0pht.com/advisories.html
Release Date: October 30, 1998 (Special PumpCon Release)
Application: FWB Hard Disk Toolkit 2.5
Severity: Users can bypass hard disk driver level passwords
Author: Space Rogue (spacerog@l0pht.com)
Operating System: Mac OS

Description
-----------

FWB Hard Disk Toolkit 2.5 allows users to password protect hard drive volumes. This password has to be entered when the hard disk driver loads in order to allow the volume to mount. Failure to enter this password prevents the volume from mounting and therefore prevents access to the data on the device.

Details
-------

By forcibly replacing the FWB driver with a different driver it is possible to access the data on the password protected volume without knowing the password. Most Macintosh hard drive formatting utilities will allow you to replace the FWB passworded driver. However, they will also make any data on the drive unreadable without advanced data recovery software (Norton Volume Recover etc.). If the FWB driver is replaced with La Cie Silverlining, then it is possible to bypass the password and still access the data.

Testing
-------

Our testing procedure utilized a Quadra 610 24/230, Mac OS 8.0, FWB Hard Disk Tool Kit 2.5, La Cie Silverlining 5.8.3, and an external 160MB SCSI IBM H3171-S2 hard drive.

Our test drive was first low level formatted with FWB and a read/write password was assigned. Then about 10MB of various files were copied onto it as our test data. The machine was then powered down and rebooted. Upon boot up the system prompted us to enter the password. This enabled the system to mount the drive. We then launched Silverlining and updated the driver. Silverlining did not complain about doing this except to give us the standard dire warnings about possible data loss. Again we powered down and rebooted. This time no password was asked for and the volume mounted successfully with all of its data intact. The previous steps were repeated ten times with no discernible differences.

We tried various other hard drive formatting utilities in addition to Silverlining, such as SCSI Director Pro, Anubis and others. While some of these other utilities were able to replace the FWB driver, access to the data was lost. Silverlining is unique in that it attempts to preserve data integrity while replacing the driver; other utilities do not take data preservation into account.

Solution
--------

Users should be aware that using a driver level password to protect data is not always a guarantee that your data is safe from prying eyes. The previous example can be accomplished in under five minutes with a medium sized drive and only requires that the malicious user have a bootable floppy disk with Silverlining on it. Ten minutes of unsupervised access to the target machine is all that is required.

FWB gives users six options when applying a password to a volume: None, Read, Read/Write, Encryption Level 1, Encryption Level 2, and Encryption Level 3. Using one of the encryption options would possibly allow for greater security. The disadvantage is that using one of the encryption options greatly slows down the speed at which your machine can read and write data, as it does its encryption/decryption on the fly. (It is not the purpose of this advisory to determine if FWB's encryption implementation is any better or worse than its password implementation.)

Numerous hard drive formatting utilities allow the setting of a password similar to FWB. Unfortunately we do not have the time to test them all. It should therefore not be assumed that all other driver level passwords are secure.

This advisory should help illustrate the fact that just because a software package or company makes a claim of security does not mean that your data is 100 percent secure. Users should take this into account when depending on such utilities to protect their data.

Notes
-----

We would like to acknowledge J. Claymore, who first mentioned this problem some time ago, which made this advisory possible.

-----------
For more Macintosh hacking information check out:
http://www.l0pht.com/~spacerog/index.html
-----------
For more L0phT (L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
-----------