Macintosh At Ease AppleShare automated login "feature"
Description: By default, At Ease automates the login process to AppleShare servers and stores the login and password in clear text in the At Ease Preferences file. This file can usually be read trivially through applications (for example, Netscape file:// URLs).
Author: Paul Melson <melson@SCNC.HOLT.K12.MI.US>
Compromise: Unauthorised access to an AppleShare fileserver.
Vulnerable Systems: Macintoshes running At Ease and using the Auto Login "feature".
Date: 21 May 1997
Date: Wed, 21 May 1997 08:31:41 -0400
From: Paul Melson <melson@SCNC.HOLT.K12.MI.US>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Mac/At Ease/Netscape File Access Exploit
> That's just the tip of the iceberg. Since the machine being attacked is
> 'netted' (obviously, else it wouldn't be running Netscape), there is lots
> more fun you can have with it. For example, given an email account
> somewhere you can use the 'mail url' feature to send yourself any file on
> the system, regardless of privileges. A good file to send would be the
> 'At Ease Preferences' file which contains the master At Ease preferences.
> Once you have obtained this, cracking the password is trivial with a
> program such as DisEase, thus leading to a total compromise.
>
> Meth
> method@yikes.com
Yep, and it gets worse. If you use an AppleShare server
(NetWare running APPLETLK.NLM or Linux running atalkd
would also count) as At Ease's startup volume, then At
Ease will automate the login process to the server. This
is nasty because whoever is logged in when At Ease
is set up would automatically be logged in to the file
server every time At Ease starts up thereafter. But it
gets worse - the login information (ServerID, UserID,
Password) is stored in the 'At Ease Preferences' file.
This can be disabled from within the 'At Ease Setup
(Workgroups)' utility by simply un-checking the box
labeled 'Always remember the user's last-used AppleShare
logins.' But since the default is to use the auto-login
feature, I figured it was worth mentioning. FYI, disabling
this feature doesn't remove the original copy of the
AppleShare login information from the preferences file.
Paul
--
_____________________
melson@holt.k12.mi.us
This page is part of Fyodor's exploit world.