Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


Document: L0phT Security Advisory  
URL Origin: http://www.l0pht.com/advisories.html  
Release Date: October 30, 1998 (Special PumpCon Release)  
Application: FWB Hard Disk Toolkit 2.5  
Severity: Users can bypass hard disk driver level passwords  
Author: Space Rogue (spacerog@l0pht.com)  
Operating System: Mac OS  
FWB Hard Disk Toolkit 2.5 allows users to password protect hard drive  
volumes. This password has to be entered when the hard disk driver loads  
in order to allow the volume to mount. Failure to enter this password  
prevents the volume from mounting and therefore prevents access to the  
data on the device.  
By forcibly replacing the FWB driver with a different driver it is  
possible to access the data on the password protected volume without  
knowing the password.  
Most Macintosh hard drive formatting utilities will allow you to replace  
the FWB passworded driver. However they will also make any data on the  
drive unreadable without advanced data recovery software (Norton Volume  
Recover etc.). If the FWB driver is replaced with La Cie Silverlining  
then it is possible to bypass the password and still access the data.  
Our testing procedure utilized a Quadra 610 24/230, Mac OS 8.0, FWB Hard  
Disk Tool Kit 2.5, La Cie Silverlining 5.8.3, and an External 160MB SCSI  
IBM H3171-S2 hard drive.  
Our test drive was first low level formatted with FWB and a read/write  
password was assigned. Then about 10MB of various files were copied onto  
it as our test data. The machine was then powered down and rebooted. Upon  
boot up the system prompted us to enter the password. This enabled the  
system to mount the drive.  
We then launched Silverlining and updated the driver. Silverlining did  
not complain about doing this except to give us the standard dire  
warnings about possible data loss. Again we powered down and rebooted.  
This time no password was asked for and the volume mounted successfully  
with all of its data intact.  
The previous steps were repeated ten times with no discernible  
We tried various other hard drive formatting utilities in addition to  
Silverlining such as SCSI Director Pro, Anubis and others. While some of  
these other utilities were able to replace the FWB driver, access to the  
data was lost. Silverlining is unique in that it attempts to preserve data  
integrity while replacing the driver; other utilities do not take data  
preservation into account.  
Users should be aware that using a driver level password to protect data  
is not always a guarantee that your data is safe from prying eyes. The  
previous example can be accomplished in under five minutes with a medium  
sized drive and only requires that the malicious user have a bootable  
floppy disk with Silverlining on it. Ten minutes of unsupervised access  
to the target machine is all that is required.  
FWB gives users six options when applying a password to a volume: None,  
Read, Read/Write, Encryption Level 1, Encryption Level 2, and Encryption  
Level 3. Using one of the encryption options would possibly allow for  
greater security. The disadvantage is that using one of the encryption  
options greatly slows down the speed at which your machine can read and  
write data as it does its encryption/decryption on the fly. (It is not  
the purpose of this advisory to determine if FWB's encryption  
implementation is any better or worse than its password implementation.)  
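The distinction the two paragraphs above draw, between a password that only the driver checks and an option that actually transforms the data on the media, as an added model. This is constructed illustration code, not FWB's, Silverlining's or Mac OS code; the driver classes, the sample data and the toy keystream are all assumptions.

```python
import hashlib

# Constructed model: a driver-level password gate versus on-disk encryption.
# Not FWB's or Silverlining's code; an added illustration for this advisory.

SAMPLE_DATA = b"constructed test data copied onto the volume"  # constructed sample

def _keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream for the model (not a production cipher)."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])

class Disk:
    """Raw media. The driver is stored on the disk next to the data, so a
    formatting utility can overwrite it while the data blocks stay put."""
    def __init__(self, driver):
        self.driver, self.blocks = driver, b""

class PasswordGateDriver:
    """Models the Read / Read-Write options: blocks hold plaintext, and only
    this driver's mount-time check stands between a user and the data."""
    def __init__(self, password): self.password = password
    def write(self, disk, data, password):
        if password != self.password: raise PermissionError("volume not mounted")
        disk.blocks = data
    def read(self, disk, password):
        if password != self.password: raise PermissionError("volume not mounted")
        return disk.blocks

class EncryptingDriver:
    """Models an encryption option: blocks hold ciphertext keyed from the password."""
    @staticmethod
    def _key(password): return hashlib.pbkdf2_hmac("sha256", password.encode(), b"salt", 10_000)
    def write(self, disk, data, password):
        disk.blocks = bytes(a ^ b for a, b in zip(data, _keystream(self._key(password), len(data))))
    def read(self, disk, password):
        return bytes(a ^ b for a, b in zip(disk.blocks, _keystream(self._key(password), len(disk.blocks))))

class PassthroughDriver:
    """Models a replacement driver that preserves the blocks but performs no check."""
    def read(self, disk, password=None): return disk.blocks

def replace_driver_and_read(driver):
    """Write data under the original driver, swap in a non-checking driver, read back."""
    disk = Disk(driver)
    driver.write(disk, SAMPLE_DATA, "correct-password")
    disk.driver = PassthroughDriver()  # the driver replacement the advisory describes
    return disk.driver.read(disk)      # no password is consulted any more

if __name__ == "__main__":
    print(replace_driver_and_read(PasswordGateDriver("correct-password")) == SAMPLE_DATA)  # True
    print(replace_driver_and_read(EncryptingDriver()) == SAMPLE_DATA)                     # False
```

With the gate driver the swapped-in driver returns the data intact, which is the advisory's result; with the encrypting driver it returns only ciphertext, since the protection lives in the blocks rather than in the driver.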
Numerous hard drive formatting utilities allow the setting of a password  
similar to FWB. Unfortunately we do not have the time to test them all.  
It should therefore not be assumed that all other driver level passwords  
are secure. This advisory should help illustrate the fact that just  
because a software package or company makes a claim of security does not  
mean that your data is 100 percent secure. Users should take this into  
account when depending on such utilities to protect their data.  
We would like to acknowledge J. Claymore who first mentioned this problem  
some time ago which made this advisory possible.  
For more Macintosh hacking information check out:  
For more L0phT (L - zero - P - H - T) advisories check out: