Bugtraq mailing list archives

Issues with security software: orbicule.com "Undercover"


From: Maximillian Dornseif <dornseif () informatik uni-mannheim de>
Date: Thu, 2 Feb 2006 10:12:45 +0100

During a lab exercise one of our students found several privacy and security issues in products and services offered by http://orbicule.com.

orbicule.com offers what is claimed to be a Notebook Anti-Theft solution for Apple MacOS X called Undercover. You install their software on your machine, register the machine with them and then shit happens.

A) Website.

1. Everybody can see the list of stolen notebooks and their MAC addresses. See

http://www.orbicule.com/UCservices/trace.plist
http://www.orbicule.com/UCservices/hijack.plist

2. The site contains SQL injection vulnerabilities. Try
http://www.orbicule.com/UCServices/registration.php?mac=;nastystuff

B) Binary

The binary contains - for whatever reason - the FTP username and password to administer the orbicule.com website. This allows you to download the list of registered users and do all kinds of havoc, e.g. backdooring the binary available for download on the site.


C) Theft Protection

1. The binary is started via a LaunchDaemon and thus can be easily disabled - a PoC:

$ sudo chmod -x /private/etc/uc.app/Contents/MacOS/uc
$ sudo reboot

2. The IP address check relies on the third-party website http://checkip.dyndns.org/, thus revealing information to a third party unnecessarily without stating this in the documentation.

Timeline:
2005-01-20: Issue reported to us by student, verified by us
2005-01-20: info () orbicule com, Peter.Schols () bio kuleuven be contacted
2005-01-20: Reply by Peter Schols requesting further explanation, email discussion of the issues
2005-01-20: Vendor assures us that "over the next weeks we will increase our development efforts to get a more secure and more reliable Undercover out as soon as possible."
2005-01-30: Vendor contacted us and assures that the MAC addresses are not stored anymore on the server, the SQL injection is fixed and the password is removed from the binary.
2005-02-01: Vendor now states our findings are wrong. Demands "updating" of a blog entry at http://blogs.23.nu/c0re/stories/11058/
2005-02-01: Uncoordinated release after weighing the damage done by non-release compared to release and considering that the vendor hadn't stopped distributing the broken software.


--
Maximillian Dornseif
Pi1 - Laboratory for Dependable Distributed Systems, University of Mannheim, Germany
http://pi1.informatik.uni-mannheim.de/staff/home/dornseif
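The SQL injection in the registration.php "mac" parameter (section A.2 above), illustrated as an added example that is not part of the original post and is not Undercover's or orbicule.com's code: a hypothetical lookup that pastes the query-string value into the SQL text, next to the same lookup with a bound parameter and a MAC-address allowlist. The table, the two sample rows and the tautology payload are constructed for the example; the shape of the vulnerable query is an assumption about what such a registration lookup looks like, not the site's actual source.

```python
import re
import sqlite3

# Constructed sample registrations (not real data from orbicule.com).
SAMPLE_ROWS = [
    ("00:11:22:33:44:55", "alice@example.com"),
    ("66:77:88:99:aa:bb", "bob@example.com"),
]

# Allowlist for the only thing a "mac" parameter should ever contain.
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def make_db():
    """In-memory stand-in for the registration database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registrations (mac TEXT NOT NULL, owner TEXT NOT NULL)")
    conn.executemany("INSERT INTO registrations VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, mac):
    """Hypothetical registration.php-style lookup: the query-string value is
    concatenated into the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT owner FROM registrations WHERE mac = '%s'" % mac
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, mac):
    """Same lookup with a bound parameter: the value travels separately from
    the SQL text and can never change the query's structure."""
    rows = conn.execute("SELECT owner FROM registrations WHERE mac = ?", (mac,))
    return sorted(row[0] for row in rows)


def is_valid_mac(value):
    """True only for six colon-separated hex octets."""
    return MAC_RE.match(value) is not None


def lookup_hardened(conn, mac):
    """Defence in depth: reject anything that is not a MAC address before it
    reaches the database, then bind the parameter."""
    if not is_valid_mac(mac):
        raise ValueError("mac parameter is not a MAC address: %r" % mac)
    return lookup_parameterized(conn, mac)


# Tautology payload: in the vulnerable version the WHERE clause becomes
#   mac = '' OR '1'='1'
# and every registered owner is returned.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input:", lookup_vulnerable(db, SAMPLE_ROWS[0][0]))
    print("vulnerable, payload:     ", lookup_vulnerable(db, TAUTOLOGY))
    print("parameterized, payload:  ", lookup_parameterized(db, TAUTOLOGY))
    try:
        lookup_hardened(db, TAUTOLOGY)
    except ValueError as exc:
        print("hardened, payload:        rejected:", exc)
```

Binding the parameter alone is enough to stop the injection; the allowlist is there so that garbage in the parameter is refused before any query runs at all, which also keeps probes like the one in the post out of the database log.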


Attachment: smime.p7s