SecureMac, Inc.


Staticusers.net – AtEase Security

Posted on June 2, 2001

Information

At Ease's popularity has kind of died down. I remember schools using it, but now they don’t seem to. It’s a product I never liked. I found it rather insecure. There are millions of ways to hack around it.

Views

As for the new version, well, you need to email me with information on it. I couldn’t find any on Apple’s website, so if you run it, email me! I guess this product would be good for Jr. High or elementary schools.

Insecurity

At Ease Files + Hacks + Fixes:
Research Papers/Instructions:

“Open Other People’s Files” is an email submitted by someone with malicious intent. Always know what other people are expecting so the administrator can be prepared.

  • Complete AtEase Bypassing Guide – Jibblet
  • Bypassing AtEase version 3.0 – RDK
  • Bypassing AtEase – By the Weasel
  • AtEase 5.0 Security Advisory: At Ease 5.0 will allow a user to access any user’s volume on the server.

The tested configuration is as follows:

  • MacOS 7.6.1 (should work with anything greater than 7)
  • At Ease 5.0.2, AppleShare IP 5.0.3
  • Netscape 4.0.7 (No reason it shouldn’t work from .99 to 4.5)

How to do it

Log in as any user that has access to Netscape Communicator, and type in file://Macintosh%20HD/System%20Folder/ and you are able to access the disk.

Do the same thing, except use file://At%20Ease%20Volume%20Name/At%20Ease%20%Docs/username and it’s quite easy to browse through anyone’s files.

It is possible to download files from any user’s directory. I have been unable to actually open any of the files once they are downloaded; however, in an educational setting, just viewing names in a certain directory could constitute some serious problems (such as if a teacher works with Special Education students, and has a list of documents to their parents).
Apple apparently will not fix their own product.

There is a third-party extension available for this at: http://www.ncal.verio.com/~lsr/programs/MSIENoServers.hqx
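
The root cause above is that the browser resolves file:// URLs outside the logged-in user's own documents folder. As an added example (not part of the original advisory, and not code from Apple or the extension's author), this Python check shows the allowlist decision a locked-down browser or URL filter has to make. The function name, the users alice and bob, and the folder name "At Ease Docs" are assumptions; the volume name is the advisory's placeholder.

```python
import re
from urllib.parse import urlsplit, unquote

# A '%' that is not followed by two hex digits is a malformed escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

def file_url_allowed(url, user, volume="At Ease Volume Name", docs="At Ease Docs"):
    """Hypothetical policy check: may `user` open `url`?

    Only file: URLs are judged. They must resolve inside
    <volume>/<docs>/<user>/; anything that cannot be parsed is denied.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "file":
        return True  # not a local-file URL; outside the scope of this check
    # file://Volume/path puts the volume in the host position, so join both.
    raw = parts.netloc + parts.path
    if _BAD_ESCAPE.search(raw):
        return False  # fail closed on malformed percent-escapes
    segments = [unquote(s) for s in raw.split("/") if s]
    for seg in segments:
        # Reject traversal and separators smuggled in through escapes
        # (':' is the classic Mac OS path separator).
        if seg in (".", "..") or any(c in seg for c in "/:\x00"):
            return False
    wanted = [volume.casefold(), docs.casefold(), user.casefold()]
    # HFS volumes are case-insensitive, so compare case-insensitively.
    return [s.casefold() for s in segments[:3]] == wanted

# Constructed sample URLs; alice and bob are made-up user names.
SAMPLES = [
    "file://Macintosh%20HD/System%20Folder/",
    "file://At%20Ease%20Volume%20Name/At%20Ease%20Docs/bob/",
    "file://At%20Ease%20Volume%20Name/At%20Ease%20Docs/alice/essay",
    "file://At%20Ease%20Volume%20Name/At%20Ease%20Docs/alice/%2E%2E/bob/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "allow" if file_url_allowed(sample, "alice") else "deny"
        print(verdict, sample)
```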
