:: Deepquest ::

serious problem with default permissions of the Retrospect client software, installed on Jaguar client and server (older versions of OS X may be vulnerable too).
In addition, previous versions of the Retrospect client installer may be vulnerable as well. We notified Dantz of this vulnerability a week ago, and have yet to hear from them.

DESCRIPTION:
After a clean installation we noticed the following permissions were set.

/Library/StartupItems/RetroClient

0 drwxrwxrwx 5 admin staff 170 Apr 30 10:21 RetroClient

/Library/StartupItems/RetroClient/ :

total 32

0 drwxrwxrwx 5 admin staff 170 Dec 11 21:05 .
0 drwxrwxrwx 7 admin staff 238 Feb 20 17:44 ..
16 -rw-rw-rw- 1 admin staff 6148 Jun 24 2002 .DS_Store
8 -rwxrwxrwx 1 admin staff 363 Jul 1 2002 RetroClient
8 -rwxrwxrwx 1 admin staff 208 Mar 1 2001
StartupParameters.plist

If the /Library/StartupItems does not already exist, the Retrospect

client installer creates this directory with 777 permissions. In addition, the client installer assigns permissions of the files and folders to the user that installed the software, rather than to the root user.

KNOWN VULNERABLE VERSIONS:

Dantz Retrospect Client 5.0.540 on Mac OS X 10.2.6
(previous versions of the os and client software may be vulnerable as well)

WORKAROUND*:
– secure the main /Library/StartupItems directory if the

Retrospect client installer created it:
% sudo chmod 775 /Library/StartupItems

– secure the /Library/StartupItems/RetroClient directory:
% sudo chmod 775 /Library/StartupItems/RetroClient

– secure the RetroClient startup directory
% sudo chmod 755 /Library/StartupItems/RetroClient/*

*These steps will not change group ownership, which may be necessary or desired on some systems. These are the steps that we took to secure our machines and are in no way a recommendation by Dantz.

credits: Alan McCarty