#1
Plugin directory security weakness - check your plugin directory permissions
Is your Pro Tools plugin directory writable by anybody? You might want to fix that....
---

I wanted to make other users aware that some Pro Tools for Mac installs prior to 2019.12 seem to have effectively no file security to protect plugins from possible malicious abuse. That was a concerning security issue for me. I noticed this on an earlier 2019 release, it may have been around for years, I have no idea. This was a surprise to me when I noticed, I let Avid know several months ago and they addressed this in 2019.12. Unfortunately I don't see any mention of this in the release notes or any warning about this to users of older versions of Pro Tools. Hence this post...

You probably don't ever want an untrusted plugin installed by somebody else into Pro Tools and possibly doing whatever it wants. It might be able to do potentially anything, ... maybe exfiltrate your or your clients' assets, launch a content encryption/ransomware attack, or mess with you in other ways etc. ... that's just a nightmare fantasy list, I have no proof of exploit or any idea if there is an exploit using this weakness.

Good security relies on multiple layers of defense here, including say network security, perimeter protection on the computer, code signing for plugins, and basic UNIX security file permissions once inside the computer that would prevent malicious actors say being able to trivially install new plugins. My specific concern is a failure in that latter point, that the Pro Tools Installer used to create the plugin directory /Library/Application Support/Avid/Audio/Plug-Ins writable by all. If you run the 2019.12 installer with a previous version installed it will remove the write permission for "all" on the Plug-Ins and Plug-Ins (Unused) directories. This is what you will see:

Code:
# After Pro Tools 2019.6 Install...
$ ls -ld /Library/Application\ Support/Avid/Audio/*
drwxrwxrwx 7 root admin 224 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins
drwxrwxrwx 2 root admin 64 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins (Unused)

-- the last "w" on the permissions for each directory there is the problem.

Code:
# After Pro Tools 2019.12 Install...
$ ls -ld /Library/Application\ Support/Avid/Audio/*
drwxrwxr-x 7 root admin 224 Jan 19 15:23 /Library/Application Support/Avid/Audio/Plug-Ins
drwxrwxr-x 2 root admin 64 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins (Unused)

You can fix this write-all permission issue on the Plugin folder with the following:

Code:
$ cd /Library/Application\ Support/Avid/Audio
$ sudo chmod a-w *

To be clear I have absolutely no indication of an actual exploit here. An exploit is unlikely to be simple, would likely need access to plugin SDKs, pretty deep knowledge of stuff, and PACE signing of the plugin (or bypassing that). But again good security is built in layers and in depth, and this is just such a glaring silly thing it needs to be fixed.

---

Surprisingly the changes in 2019.12 Avid still leaves the higher level /Library/Application Support/Avid directory writable by all, it's less of an issue than leaving the Plug-Ins directory writable by all. It's also interesting to me that the /Library/Application Support/PACE Anti-Security/ directory also gets installed writable by all. I am just at a loss why this sloppiness exists.

I suggest folks check permissions on their Plugin directories, plugin files and other directories and files like /Library/Application Support/Avid and remove write permission to all there as well. If this causes later installer errors etc. too bad. If you are in a large studio/corporate environment with strict security requirements you may want to discuss how to deal with this with your IT security staff.

I have not looked at Windows installs to know if there are any issues there, or other products like Media Composer. (Edit: I do below, it's been broken at least in the past as well).

Last edited by Darryl Ramm; 01-20-2020 at 01:03 AM.
#2
Re: Plugin directory security weakness - check your plugin directory permissions
Whoa, dude.. I had to check myself. I am 100% sure I had not hacked this after 2019.12 install but..
Code:
admin@91-153-197-51 Audio % ls -ld *
drwxrwxrwx 251 root admin 8032 Jan 18 14:11 Plug-Ins
drwxrwxrwx 8 root admin 256 Aug 12 17:37 Plug-Ins (Unused)
admin@91-153-197-51 Audio %
__________________
Janne
What we do in life, echoes in eternity.
#3
Re: Plugin directory security weakness - check your plugin directory permissions
... OK a quick look, as much time as I can spend looking at Windows. I have a Windows system that used to have a recent-ish install (2019.6??) on it.. and the old plugin directories are still there, and it seems it has a similar issue as well, at least in that past install. I can't run a 2019.12 install there now.
Code:
C:\Program Files\Common Files\Avid\Audio>icacls Plug-Ins
Plug-Ins Everyone:(F)     <--- Oops !
         Everyone:(OI)(CI)(IO)(DE,Rc,WDAC,WO,GW,GE,GA,RD,WD,AD,REA,WEA,X,DC,RA,WA)
         Everyone:(I)(F)
         Everyone:(I)(OI)(CI)(IO)(DE,Rc,WDAC,WO,GW,GE,GA,RD,WD,AD,REA,WEA,X,DC,RA,WA)
         NT SERVICE\TrustedInstaller:(I)(F)
         NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
         BUILTIN\Administrators:(I)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
         BUILTIN\Users:(I)(RX)
         BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files\Common Files\Avid\Audio>cd Plug-Ins

C:\Program Files\Common Files\Avid\Audio\Plug-Ins>whoami
darryl-w10\g     # That's a "guest" account "g" with no administrator privileges

C:\Program Files\Common Files\Avid\Audio\Plug-Ins>copy nul test
        1 file(s) copied.
#4
Re: Plugin directory security weakness - check your plugin directory permissions
That is not good. I'd be chmod'ing those directories :-(
Quote:
I checked several times running installers here, interestingly on the first try I thought the installer was still broken, then it worked. Guess I'll try again, curious what others see.
#5
Re: Plugin directory security weakness - check your plugin directory permissions
After leaving the beta team, I have very rarely had a clean PT install. Always just install new version over previous one. First launch takes care of plugin versions.
__________________
Janne
What we do in life, echoes in eternity.
#6
Re: Plugin directory security weakness - check your plugin directory permissions
This is beyond brain dead.
With inspiration from Janne's post I went looking more. e.g.

Install 2019.6 on Mojave. The following directories are writable by other:
/Library/Application Support/Avid
/Library/Application Support/Avid/Audio/Plug-Ins
/Library/Application Support/Avid/Audio/Plug-Ins (Unused)

Install 2019.12 on Mojave (clean or over 2019.6). Plug-Ins and Plug-Ins (Unused) are now not writable by other. /Library/Application Support/Avid still is writable by others.

But now install the latest Avid Complete Plugin Bundle 18.10 installer and it makes Plug-Ins and Plug-Ins (Unused) writable by others again. And some of the plugin bundles themselves within the Plug-In folder are actually writable as well....

Code:
$ ls -ld *
drwxrwxr-x 3 root admin 96 Dec 20 2018 304C.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 304E.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 AutoPan.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 BBD Delay.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 BF-2A.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 BF-3A.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 BF-76.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 Black Op Distortion.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 Black Shiny Wah.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 Black Spring.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 C1 Chorus.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 ChannelStrip.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 ClickII.aaxplugin
drwxrwxr-x 3 root admin 96 Dec 20 2018 DC Distortion.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 DVerb.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 Dither.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 DownMixer.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 DynamicsIII.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 EQIII.aaxplugin
drwxrwxrwx 3 root admin 96 Jun 20 2019 Eleven Lite.aaxplugin
....

Oh and Jesus, there are dynamic libraries wide open writable to the world in the cloud collaboration stuff.

Code:
$ cd /Library/Application\ Support/Avid/Cloud\ Client\ Services/
$ ls -ld *
drwxrwxrwx 11 root admin 352 Jan 20 01:07 AVX2_Plug-ins
-rwxrwxrwx 1 root admin 232342 Nov 9 2017 AddTrustExternalCARoot.crt
drwxrwxrwx 4 root admin 128 Jan 20 00:24 AppData
-rwxrwxrwx 1 root admin 3940096 Nov 9 2017 Hub
-rwxrwxrwx 1 root admin 4830 Nov 9 2017 Hub.properties
-rwxrwxrwx@ 1 root admin 120314 Nov 9 2017 Icon?
drwxrwxrwx 3 root admin 96 Jan 20 01:07 Images
drwxrwxrwx 4 root admin 128 Jan 20 01:07 LicenseFiles
-rwxrwxrwx 1 root admin 7995344 Nov 9 2017 TransportClient
-rwxrwxrwx 1 root admin 2991 Nov 9 2017 TransportClient.properties
-rwxrwxrwx 1 root admin 44654768 Apr 3 2017 libicudataAvid.51.2.dylib
-rwxrwxrwx 1 root admin 2871860 Apr 3 2017 libicuucAvid.51.2.dylib

Did nobody at Avid actually bother to think this through and check stuff when I reported this months ago? What a ****ing mess.

Last edited by Darryl Ramm; 01-20-2020 at 01:41 AM.
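
The listings in post #6 show that permissions differ item by item and that a later installer can re-open them, so a recursive check catches more than a single `ls -ld`. The following is an added example, not code from any poster or from Avid: a POSIX shell audit that lists every entry writable by "other" and, on request, clears only that bit with `chmod o-w`, which produces the `drwxrwxr-x` mode shown in the 2019.12 listing. The function names, the demo tree and the file name `libexample.dylib` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for "other"-writable entries.

# List every file or directory under $1 that "other" can write to.
# Symlinks are skipped: the link's own mode bits are not what is enforced.
list_world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Count the findings (assumes no newlines in file names).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the "other" write bit; owner and group access are untouched.
# Dry run by default; pass "apply" as the second argument to change modes.
fix_world_writable() {
    if [ "${2:-}" = "apply" ]; then
        find "$1" ! -type l -perm -002 -exec chmod o-w {} +
    else
        list_world_writable "$1" | sed 's/^/would chmod o-w: /'
    fi
}

# Constructed demo tree mirroring the layout reported in the thread.
# libexample.dylib is a made-up file name.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/Audio/Plug-Ins/AutoPan.aaxplugin" \
             "$d/Audio/Plug-Ins/304C.aaxplugin" \
             "$d/Audio/Plug-Ins (Unused)" \
             "$d/Cloud Client Services"
    : > "$d/Cloud Client Services/libexample.dylib"
    chmod 755 "$d"
    chmod 775 "$d/Audio" "$d/Audio/Plug-Ins/304C.aaxplugin"
    chmod 777 "$d/Audio/Plug-Ins" "$d/Audio/Plug-Ins (Unused)" \
              "$d/Audio/Plug-Ins/AutoPan.aaxplugin" \
              "$d/Cloud Client Services" \
              "$d/Cloud Client Services/libexample.dylib"
    printf '%s\n' "$d"
}

# On a real Mac, dry run against the path from the thread:
#   fix_world_writable "/Library/Application Support/Avid"
```

Re-running the dry run after any plugin or bundle installer shows whether that installer has re-opened the directories.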
#7
Re: Plugin directory security weakness - check your plugin directory permissions
And they wonder why no one in post is using the cloud collaboration? Actually, why anyone at all is using the cloud collaboration feature.
Imagine how long ago we would have had track folders if they hadn’t bothered with that crap.
#8
Re: Plugin directory security weakness - check your plugin directory permissions
Quote:
#9
Re: Plugin directory security weakness - check your plugin directory permissions
Been looking at the screenshots and am wondering - how do you get this data? I don't think anyone has explained that part. Looks like more than a simple 'get info' thing. Terminal somehow and if so - how?
#10
Re: Plugin directory security weakness - check your plugin directory permissions
Terminal commands are there in the code blocks. Basically if you don't understand what is going on in there, don't do it. Whatever you do in Terminal, especially when someone says you should "sudo" something, you need to know what you are doing and not just simply follow instructions.
__________________
Janne
What we do in life, echoes in eternity.