FileMaker Pro and FileMaker Server Send Unencrypted Passwords Via the Network
|
|
SecurityTracker Alert ID: 1006553 |
|
SecurityTracker URL: http://securitytracker.com/id/1006553
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 11 2003
|
Impact:
Disclosure of authentication information, User access via network
|
Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): FileMaker Pro 6.0 and prior versions, FileMaker Pro 6.0 Unlimited and prior versions, and FileMaker Server 5.5 and prior versions
|
Description:
A vulnerability was reported in FileMaker Pro, FileMaker Pro Unlimited, and FileMaker Server. A remote user with the ability to sniff the network can obtain passwords.
It is reported that when a remote client connects to a shared database, the FileMaker network protocol sends encoded but unencrypted passwords via the network. According to the report, the server will send a complete list of passwords to the client and relies on the client to validate the user's authentication.
A remote user with access to the network traffic stream between a client and a server can sniff the network and gain access to the complete list of passwords.
The vendor reports that hosted database files using the FileMaker Pro peer-to-peer sharing feature and FileMaker Servers that are hosting databases to FileMaker Pro clients are affected.
|
Impact:
A remote user with the ability to monitor (sniff) the network between a client and server can obtain all user passwords.
|
Solution:
No solution was available at the time of this entry. The vendor reportedly plans to correct the flaw in the next release.
The author of the advisory has provided some suggested workarounds [see the Source Message]. The vendor has also provided some suggested workarounds, available in the vendor's advisory at:
http://www.filemaker.com/ti/108462.html
|
Vendor URL: www.filemaker.com/ti/108462.html (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Red Hat Linux), MacOS, UNIX (OS X), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 10 Apr 2003 13:37:14 +0100
Subject: [Macsec] FileMaker Pro network protocol sends passwords to any client attempting to connect to a shared database.
|
I recently discovered a serious bug in FileMaker Pro's database sharing.
FileMaker have released an advisory about this on their security
pages:
http://www.filemaker.com/support/security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Subject: FileMaker Pro network protocol sends passwords to any client
attempting to connect to a shared database.
Date: 8 April 2003
Author: Stephen White <swhite+fmbug@ox.compsoc.net>
Application: FileMaker Pro, FileMaker Server
Vendor: FileMaker Inc. http://www.filemaker.com/
Versions: 5.0, 5.5, 6.0. All platforms.
verified on FileMaker Pro 5.0/Windows 2000,
FileMaker Pro 6.0/Windows 2000,
FileMaker Server 5.5/Linux.
Bug: Remotely obtain passwords - clients connecting via TCP/IP are sent complete list of database passwords.
Remote: Yes.
Local: It is already known that local users can obtain database passwords,
eg. software from http://www.lostpassword.com/filemaker.htm
Overview
- --------
Vulnerable organisations: those using FileMaker Pro TCP/IP network sharing
(including FileMaker Server).
Impact: Having obtained a list of passwords for a given database an attacker
could use them to either read or modify the potentially sensitive data
contained in the database. If, against best practises, the same passwords are
used elsewhere within the organisation an attacker could use them as a basis
for attacking other systems.
Fix / Workaround
- ----------------
FileMaker were contacted about this issue on the March 8, 2003. FileMaker have
stated that they intend to fix this issue for their next release, they have not
stated when this next release will be. They do not appear to intend to produce
an update or fix for current releases.
Solutions:
* Disable 'multi user' or 'TCP/IP' access to FileMaker databases.
* If sharing via FileMaker networking (peer-to-peer or client/server) is
required ensure that FileMaker Pro hosts and servers are only accessible
to trusted intra-net systems through an appropriate Firewall setup.
External access could be arranged by using VPN or TCP tunnelling software.
* Share data using alternative means, such as web publishing with 'Web
Companion' or Lasso, or other middleware or 3rd party plug-ins. I have not
tested these so am not in a position to provide specific recommendations
* Use alternative database software if these solutions do not address your
requirements.
Discussion
- ----------
FileMaker Pro communicates with servers or multi user databases shared via
TCP/IP using a proprietary network protocol. A full analysis of this protocol
is not possible due to it's proprietary nature, however it appears that the
server exploits the proprietary nature of the protocol by trusting the client
to carry out tasks such as validating passwords. In the course of the network
communication the server will send the client the list of obscured passwords.
The client will then prompt the user to enter a password, which is checked
against this list before continuing - a classic example of 'Security by
Obscurity'.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE+kqj9OzpPCseeW2oRAg2HAJ0Znn4QIRAKUXVrzv54TlP8jFFqdgCgsprD
xIm0UuRSFSZVVarmCeLBLzs=
=aRI3
-----END PGP SIGNATURE-----
_______________________________________________
Macsec mailing list
Macsec@macsecurity.org
http://www.macsecurity.org/mailman/listinfo/macsec
|
|
