Plugin directory security weakness - check your plugin directory permissions
Is your Pro Tools plugin directory writable by anybody? You might want to fix that....
---

I wanted to make other users aware that some Pro Tools for Mac installs prior to 2019.12 seem to have effectively no file security to protect plugins from possible malicious abuse. That was a concerning security issue for me. I noticed this on an earlier 2019 release, it may have been around for years, I have no idea. This was a surprise to me when I noticed, I let Avid know several months ago and they addressed this in 2019.12. Unfortunately I don't see any mention of this in the release notes or any warning about this to users of older versions of Pro Tools. Hence this post...

You probably don't ever want an untrusted plugin installed by somebody else into Pro Tools and possibly doing whatever it wants. It might be able to do potentially anything, ... maybe exfiltrate your or your clients' assets, launch a content encryption/ransomware attack, or mess with you in other ways etc. ... that's just a nightmare fantasy list, I have no proof of exploit or any idea if there is an exploit using this weakness.

Good security relies on multiple layers of defense here, including say network security, perimeter protection on the computer, code signing for plugins, and basic UNIX security file permissions once inside the computer that would prevent malicious actors say being able to trivially install new plugins. My specific concern is a failure in that latter point, that the Pro Tools Installer used to create the plugin directory /Library/Application Support/Avid/Audio/Plug-Ins writable by all.

If you run the 2019.12 installer with a previous version installed it will remove the write permission for "all" on the Plug-Ins and Plug-Ins (Unused) directories. This is what you will see:

Code:
# After Pro Tools 2019.6 Install...
$ ls -ld /Library/Application\ Support/Avid/Audio/*
drwxrwxrwx 7 root admin 224 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins
drwxrwxrwx 2 root admin 64 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins (Unused)

-- the last "w" on the permissions for each directory there is the problem.

Code:
# After Pro Tools 2019.12 Install...
$ ls -ld /Library/Application\ Support/Avid/Audio/*
drwxrwxr-x 7 root admin 224 Jan 19 15:23 /Library/Application Support/Avid/Audio/Plug-Ins
drwxrwxr-x 2 root admin 64 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins (Unused)

You can fix this write-all permission issue on the Plugin folder with the following:

Code:
$ cd /Library/Application\ Support/Avid/Audio
$ sudo chmod a-w *

To be clear I have absolutely no indication of an actual exploit here. An exploit is unlikely to be simple, would likely need access to plugin SDKs, pretty deep knowledge of stuff, and PACE signing of the plugin (or bypassing that). But again good security is built in layers and in depth, and this is just such a glaring silly thing it needs to be fixed.

---

Surprisingly the changes in 2019.12 Avid still leaves the higher level /Library/Application Support/Avid directory writable by all, it's less of an issue than leaving the Plug-Ins directory writable by all. It's also interesting to me that the /Library/Application Support/PACE Anti-Security/ directory also gets installed writable by all. I am just at a loss why this sloppiness exists.

I suggest folks check permissions on their Plugin directories, plugin files and other directories and files like /Library/Application Support/Avid and remove write permission to all there as well. If this causes later installer errors etc. too bad. If you are in a large studio/corporate environment with strict security requirements you may want to discuss how to deal with this with your IT security staff.

I have not looked at Windows installs to know if there are any issues there, or other products like Media Composer. (Edit: I do below, it's been broken at least in the past as well).
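An added example, not part of the original post or of any Avid tooling: a POSIX shell audit that extends the `ls -ld` check above to a whole tree and to the parent directories of the plugin folder. The default path comes from the thread; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print every non-symlink entry under the given roots whose "other" write
# bit is set (the last "w" in drwxrwxrwx).
world_writable_under() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" ! -type l -perm -0002 -print
    done
}

# Print each parent directory of the given path that is world-writable.
# Sticky-bit directories such as /tmp are skipped, since there only an
# entry's owner (or root) can rename or delete it.
world_writable_parents() {
    dir=$(dirname "$1")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ -d "$dir" ]; then
            # -prune keeps find from descending: only $dir itself is tested.
            find "$dir" -prune -perm -0002 ! -perm -1000 -print
        fi
        dir=$(dirname "$dir")
    done
}

# Report for one Avid support tree; the default path is the one in the post.
audit_plugins() {
    base=${1:-"/Library/Application Support/Avid"}
    echo "== world-writable parents of $base/Audio/Plug-Ins"
    world_writable_parents "$base/Audio/Plug-Ins"
    echo "== world-writable entries under $base"
    world_writable_under "$base"
}

# Run only when a path is given on the command line, e.g.
#   sh audit.sh "/Library/Application Support/Avid"
if [ "$#" -gt 0 ]; then
    audit_plugins "$@"
fi
```

An empty listing under both headings means nothing in the tree or its parents carries the "other" write bit.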
Re: Plugin directory security weakness - check your plugin directory permissions
Whoa, dude.. I had to check myself. I am 100% sure I had not hacked this after 2019.12 install but..
Code:
admin@91-153-197-51 Audio % ls -ld *
Re: Plugin directory security weakness - check your plugin directory permissions
... OK a quick look, as much time as I can spend looking at Windows. I have a Windows system that used to have a recent-ish install (2019.6??) on it..and the old plugin directories still there, and it seems has a similar issue as well at least in that past install, I can't run a 2019.12 install there now.
Code:
C:\Program Files\Common Files\Avid\Audio>icacls Plug-Ins
Re: Plugin directory security weakness - check your plugin directory permissions
That is not good. I'd be chmod'ing those directories :-(
Quote:
I checked several times running installers here, interestingly on the first try I thought the installer was still broken, then it worked. Guess I'll try again, curious what others see.
Re: Plugin directory security weakness - check your plugin directory permissions
After leaving the beta team, I have very rarely had a clean PT install. Always just install new version over previous one. First launch takes care of plugin versions.
Re: Plugin directory security weakness - check your plugin directory permissions
This is beyond brain dead.
With inspiration from Janne's post I went looking more.

e.g. Install 2019.6 on Mojave. The following directories are writable by other:
/Library/Application Support/Avid
/Library/Application Support/Avid/Audio/Plug-Ins
/Library/Application Support/Avid/Audio/Plug-Ins (Unused)

Install 2019.12 on Mojave (clean or over 2019.6): Plug-Ins and Plug-Ins (Unused) are now not writable by other. /Library/Application Support/Avid still is writable by others.

But now install the latest Avid Complete Plugin Bundle 18.10 installer and it makes Plug-Ins and Plug-Ins (Unused) writable by others again. And some of the plugin bundles themselves within the Plug-In folder are actually writable as well....

Code:
$ ls -ld *

Oh and Jesus, there are dynamic libraries wide open writable to the world in the cloud collaboration stuff.

Code:
$ cd /Library/Application\ Support/Avid/Cloud\ Client\ Services/

Did nobody at Avid actually bother to think this through and check stuff when I reported this months ago? What a ****ing mess.
Re: Plugin directory security weakness - check your plugin directory permissions
And they wonder why no one in post is using the cloud collaboration? Actually, why anyone at all is using the cloud collaboration feature.
Imagine how long ago we would have had track folders if they hadn’t bothered with that crap.
Re: Plugin directory security weakness - check your plugin directory permissions
Been looking at the screenshots and am wondering - how do you get this data? I don't think anyone has explained that part. Looks like more than a simple 'get info' thing. Terminal somehow and if so - how?
Re: Plugin directory security weakness - check your plugin directory permissions
Terminal commands are there in the code blocks. Basically if you don't understand what is going on in there, don't do it. Whatever you do in Terminal, especially when someone says you should "sudo" something, you need to know what you are doing and not just simply follow instructions.