[mSec ASCII-art banner, garbled in this copy: ../Macintosh Security/..]

Presents: Security Holes In FileGuard 3.0.8

Table Of Contents:
- Introduction
- Gaining Full Access
- Launching The Cracked FileGuard Application
- Password Protected Volumes
- Disclaimer
- End Notes

--==< Introduction >==--

By far FileGuard is the best protection software for the Macintosh OS. For a start, it disables the debugger during operations where an attack could be expected, so it's pretty difficult to find out what algorithm it uses to encrypt the passwords. Not impossible, but not as easy as in various other protection software for the Mac.

Let's start by analyzing what FileGuard can do to protect a computer. Well, the more appropriate question is: what CAN'T FileGuard do? It can protect volumes, it can encrypt files, it can password protect applications, it can limit access to files/folders, etc... And it does not have the weaknesses that other security programs have, such as "emergency passwords" or letting the user remove extensions with programs such as FileBuddy. Shift-disable (holding Shift at boot to turn extensions off) works but is useless if the hard disk is password protected.

--==< Gaining Full Access >==--

So this is nice and all, as long as only the administrator can change the various access settings. But what happens if the attack comes from the most unexpected place: the FileGuard application itself? This is the application that allows the administrator to change the settings of the various protection facilities. Naturally it's protected: it only launches if the administrator's password is entered. However, this password protection can easily be cracked. And once it's cracked - meaning that it'll accept any password as the admin password - then anyone can make the changes to the settings that an admin could make.
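The weakness described above (and again for EmergencyRemove in the Password Protected Volumes section) comes down to one design point: the admin password is enforced by a yes/no check inside code that the attacker can modify, so defeating the check unlocks everything. The following added illustration is not FileGuard's, Highware's or mSec's code and does not reflect FileGuard's internals; all names, the toy cipher, the salt and the sample data are constructed. It contrasts a "gate check" store, where a patched check (simulated here by injecting an always-true function) hands over the data, with a store whose key is derived from the password, where patching the verification step still yields garbage:

```python
"""
Constructed illustration: password gate check vs. password-derived key.
Not FileGuard's code; every identifier and value here is made up.
"""
import hashlib
import hmac
from typing import Callable, Optional

SAMPLE_SECRET = b"payroll.xls: constructed sample contents"   # constructed
SAMPLE_PASSWORD = b"correct horse"                             # constructed
SALT = b"constructed-fixed-salt"                               # constructed
ITERATIONS = 100_000


def _derive_key(password: bytes) -> bytes:
    # PBKDF2 slows down guessing; it does nothing against code patching.
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)


# --- Design 1: gate check. Data sits in the clear; access depends only on
# a boolean computed by the client code. ---
def make_gate_store(password: bytes, data: bytes) -> dict:
    return {"check": _derive_key(password), "data": data}


def gate_check(store: dict, password: bytes) -> bool:
    return hmac.compare_digest(_derive_key(password), store["check"])


def gate_open(store: dict, password: bytes,
              check: Callable[[dict, bytes], bool] = gate_check) -> Optional[bytes]:
    # `check` is injectable so the demo can stand in for a patched binary
    # whose password test has been replaced by "always true".
    return store["data"] if check(store, password) else None


# --- Design 2: key derivation. The password is never "checked" to unlock
# anything; it feeds the key, so a wrong password just yields garbage. ---
def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256, for illustration only;
    # a real product would use an authenticated cipher such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def make_encrypted_store(password: bytes, data: bytes) -> dict:
    key = _derive_key(password)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    # The tag only lets a legitimate user notice a wrong password; it is
    # not what keeps the data secret.
    tag = hmac.new(key, ciphertext, "sha256").digest()
    return {"ct": ciphertext, "tag": tag}


def encrypted_open(store: dict, password: bytes, verify: bool = True) -> Optional[bytes]:
    key = _derive_key(password)
    expected = hmac.new(key, store["ct"], "sha256").digest()
    if verify and not hmac.compare_digest(expected, store["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(store["ct"], _keystream(key, len(store["ct"]))))


def demo() -> dict:
    gate = make_gate_store(SAMPLE_PASSWORD, SAMPLE_SECRET)
    enc = make_encrypted_store(SAMPLE_PASSWORD, SAMPLE_SECRET)
    always_true = lambda store, pw: True  # simulates a patched-out check
    return {
        "gate_wrong_pw": gate_open(gate, b"wrong"),
        "gate_patched": gate_open(gate, b"wrong", check=always_true),
        "enc_wrong_pw": encrypted_open(enc, b"wrong"),
        # With the tag check "patched out" the plaintext still does not appear.
        "enc_patched": encrypted_open(enc, b"wrong", verify=False),
        "enc_right_pw": encrypted_open(enc, SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows `gate_patched` returning the full sample secret while `enc_patched` returns bytes that are not the secret: a protection that is only a check in patchable code protects nothing once the code is on attacker-reachable media, whereas a password-derived key makes the password itself the thing that must be known.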
--==< Launching The Cracked FileGuard Application >==--

Launching the cracked application might actually prove to be a problem depending on how limited the user's access to the computer is. The easiest way to launch the cracked FileGuard app is through a user account with the authority to copy and launch applications. Then the FileGuard application can be copied onto the computer and launched from there.

However, a system is still vulnerable if the user is not allowed to copy applications. If the user has enough access to launch applications from floppy disks, then the cracked FileGuard app can simply be copied to a disk and launched from there. This method can be exploited through the guest account (if the guest account is enabled). Access to the computer using a guest account might be rather restricted; for example, floppy disks might not be allowed to be inserted into the computer. However, users will still be able to insert CDs, and if a CD has a copy of the cracked FileGuard app on it, then it can be launched from there.

--==< Password Protected Volumes >==--

I remember how once my computer teacher locked the HD on his computer with FileGuard and something happened to the password. He spent hours on the net before he found out some way of bypassing this problem. The only way available until now was to install a new driver onto the hard drive. Unfortunately, this corrupts the disk.

Highware has designed a program for situations such as this called EmergencyRemove. EmergencyRemove can be used to remove the drive protection in emergency situations. However, even EmergencyRemove requires the appropriate password to be entered in order for the protection to be removed. And this is where the security hole is: by cracking EmergencyRemove so that it'll accept any password, anyone can remove the volume protection from any protected disk.

NOTICE: I have not actually tried password protecting my hard disk. So I don't actually "know" whether this method works on hard drives.
I did, however, try this method on floppy disks and each attempt was successful.

--==< Disclaimer >==--

These security holes are very real and may be exploited for "damaging" purposes. The objective of this text file was NOT to encourage such behavior but simply to point out the existing security holes of FileGuard 3.0.8. Therefore, neither mSec nor any of its past, current or future members will take any responsibility for any kind of damage that may occur from any direct or indirect use of the information provided.

--==< End Notes >==--

Two patches have been included with this text file as examples of how FileGuard and EmergencyRemove can be exploited. These security holes were found by mSec. If you are interested in finding out more about mSec, please visit our homepage at: www.msec.net. You can also reach us and chat with the members on our Hotline server at: msec.net.

This text file was put together by ProZaq. If you have any questions or comments, my e-mail address is: prozaq@usa.net