Vulnerability: At Ease/Netscape File Access

Affected: Mac

Description:

At Ease apparently doesn't patch the kernel to introduce file restrictions, but modifies a library that programs call to display an Open File dialog box. This bug allows a user to read files and directories he shouldn't have access to under the At Ease system.

Under At Ease, files and folders that you shouldn't have access to are grayed out in Open File dialogs. Using a program like Netscape you can bypass the dialog, using a URL such as:

    file://TZHS%20HD%202/Documents/Dorfman%20Nathan

Note that the implementation of Netscape used automatically converted spaces to %20 combinations, as required by HTTP 1.1 (RFC 2068):

    file://TZHS HD 2/Documents/Dorfman Nathan/

will show the contents of that folder. For non-text files, you can simply save the file into a folder you DO have access to and use the appropriate program to open it. Netscape will not let you modify the folders, but a simple program can be written that takes a filename in a text box and opens the file from its location, without copying. If you can write Mac code, and are willing to, please send to nathan@senate.org. Credit for this goes to Nathan Dorfman.

Since the machine being attacked is 'netted' (obviously, else it wouldn't be running Netscape), there is lots more fun you can have with it. For example, given an email account somewhere, you can use the 'mail url' feature to send yourself any file on the system, regardless of privileges. A good file to send would be the 'At Ease Preferences' file, which contains the master At Ease preferences. Once you have obtained this, cracking the password is trivial with a program such as DisEase, thus leading to a total compromise (by Meth).

Solution:

It's Mac. I don't know.
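The design flaw described above, restrictions applied in the Open File dialog instead of at the point where a file is opened, can be modelled in a few lines. This is an added example, not code from the advisory or from At Ease or Netscape: the function names, the "Student Work" folder and the file names are constructed, and a temporary directory stands in for the Mac volume.

```python
import os
import tempfile
from urllib.parse import urlparse, unquote

def url_to_path(url, volumes_root):
    """Map file://Volume/dir/name (the advisory's URL form) onto volumes_root."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ValueError("not a file URL")
    rel = unquote(parsed.netloc + parsed.path)   # %20 -> space; volume name is the netloc
    return os.path.join(volumes_root, *[p for p in rel.split("/") if p])

def is_permitted(path, allowed_dirs):
    """True only if the resolved path sits inside one of the allowed folders."""
    real = os.path.realpath(path)                # collapses ".." and symlinks first
    bases = [os.path.realpath(d) for d in allowed_dirs]
    return any(os.path.commonpath([real, b]) == b for b in bases)

def dialog_only_open(url, volumes_root, allowed_dirs):
    """Flawed model: the policy lives in the file picker, so a typed URL skips it."""
    with open(url_to_path(url, volumes_root), "rb") as fh:
        return fh.read()

def enforced_open(url, volumes_root, allowed_dirs):
    """Corrected model: every open, whatever its origin, passes the same check."""
    path = url_to_path(url, volumes_root)
    if not is_permitted(path, allowed_dirs):
        raise PermissionError("outside permitted folders: " + path)
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    """Constructed tree; returns (leaked, direct_blocked, dotdot_blocked, shared)."""
    with tempfile.TemporaryDirectory() as root:
        private = os.path.join(root, "TZHS HD 2", "Documents", "Dorfman Nathan")
        public = os.path.join(root, "TZHS HD 2", "Student Work")  # constructed allowed folder
        for folder, name, data in ((private, "notes.txt", b"private"), (public, "essay.txt", b"shared")):
            os.makedirs(folder)
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        base = "file://TZHS%20HD%202/"
        direct = base + "Documents/Dorfman%20Nathan/notes.txt"
        dotdot = base + "Student%20Work/../Documents/Dorfman%20Nathan/notes.txt"
        def blocked(url):
            try:
                enforced_open(url, root, [public])
                return False
            except PermissionError:
                return True
        leaked = dialog_only_open(direct, root, [public])
        return leaked, blocked(direct), blocked(dotdot), enforced_open(base + "Student%20Work/essay.txt", root, [public])
```

Calling demo() shows the dialog-only model returning the private file's contents, while the enforced model refuses both the direct URL and a ".." path that starts inside the permitted folder.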