Avid Pro Audio Community

#1
01-19-2020, 05:55 PM
Darryl Ramm (Member)
Join Date: Nov 2010
Location: USA
Posts: 19,634
Plugin directory security weakness - check your plugin directory permissions

Is your Pro Tools plugin directory writable by anybody? You might want to fix that....

---

I wanted to make other users aware that some Pro Tools for Mac installs prior to 2019.12 seem to have effectively no file security to protect plugins from possible malicious abuse. That was a concerning security issue for me. I noticed this on an earlier 2019 release; it may have been around for years, I have no idea.

This was a surprise to me when I noticed. I let Avid know several months ago and they addressed this in 2019.12. Unfortunately I don't see any mention of this in the release notes or any warning about this to users of older versions of Pro Tools. Hence this post...

You probably don't ever want an untrusted plugin installed by somebody else into Pro Tools and possibly doing whatever it wants. It might be able to do potentially anything ... maybe exfiltrate your or your clients' assets, launch a content encryption/ransomware attack, or mess with you in other ways, etc. ... that's just a nightmare fantasy list; I have no proof of exploit or any idea if there is an exploit using this weakness.

Good security relies on multiple layers of defense here, including say network security, perimeter protection on the computer, code signing for plugins, and basic UNIX security file permissions once inside the computer that would prevent malicious actors say being able to trivially install new plugins.

My specific concern is a failure in that latter point: the Pro Tools installer used to create the plugin directory /Library/Application Support/Avid/Audio/Plug-Ins writable by all.

If you run the 2019.12 installer with a previous version installed it will remove the write permission for "all" on the Plug-Ins and Plug-Ins (Unused) directories. This is what you will see:

# After Pro Tools 2019.6 Install...
$ ls -ld /Library/Application\ Support/Avid/Audio/*
drwxrwxrwx 7 root admin 224 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins
drwxrwxrwx 2 root admin 64 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins (Unused)

-- the last "w" on the permissions for each directory there is the problem.

# After Pro Tools 2019.12 Install...
$ ls -ld /Library/Application\ Support/Avid/Audio/*
drwxrwxr-x 7 root admin 224 Jan 19 15:23 /Library/Application Support/Avid/Audio/Plug-Ins
drwxrwxr-x 2 root admin 64 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins (Unused)

You can fix this write-all permission issue on the Plugin folder with the following:

$ cd /Library/Application\ Support/Avid/Audio
$ sudo chmod a-w *

To be clear, I have absolutely no indication of an actual exploit here. An exploit is unlikely to be simple, would likely need access to plugin SDKs, pretty deep knowledge of stuff, and PACE signing of the plugin (or bypassing that). But again, good security is built in layers and in depth, and this is just such a glaring silly thing it needs to be fixed.

---

Surprisingly, with the changes in 2019.12 Avid still leaves the higher level /Library/Application Support/Avid directory writable by all; it's less of an issue than leaving the Plug-Ins directory writable by all. It's also interesting to me that the /Library/Application Support/PACE Anti-Security/ directory also gets installed writable by all. I am just at a loss why this sloppiness exists.

I suggest folks check permissions on their Plugin directories, plugin files and other directories and files like /Library/Application Support/Avid (and remove write permission to all there as well). If this causes later installer errors etc., too bad.

If you are in a large studio/corporate environment with strict security requirements you may want to discuss how to deal with this with your IT security staff.

I have not looked at Windows installs to know if there are any issues there, or other products like Media Composer. (Edit: I do below, it's been broken at least in the past as well).

Last edited by Darryl Ramm; 01-20-2020 at 01:03 AM.

#2
01-19-2020, 06:41 PM
JFreak (Moderator)
Join Date: Jan 2003
Location: Tampere, Finland
Posts: 24,898
Re: Plugin directory security weakness - check your plugin directory permissions

Whoa, dude.. I had to check myself. I am 100% sure I had not hacked this after 2019.12 install but..

Code:
admin@91-153-197-51 Audio % ls -ld *
drwxrwxrwx  251 root  admin  8032 Jan 18 14:11 Plug-Ins
drwxrwxrwx    8 root  admin   256 Aug 12 17:37 Plug-Ins (Unused)
admin@91-153-197-51 Audio %
__________________
Janne
What we do in life, echoes in eternity.

#3
01-19-2020, 06:41 PM
Darryl Ramm (Member)
Join Date: Nov 2010
Location: USA
Posts: 19,634
Re: Plugin directory security weakness - check your plugin directory permissions

... OK a quick look, as much time as I can spend looking at Windows. I have a Windows system that used to have a recent-ish install (2019.6??) on it... and the old plugin directories are still there, and it seems it has a similar issue as well, at least in that past install. I can't run a 2019.12 install there now.
Code:
C:\Program Files\Common Files\Avid\Audio>icacls Plug-Ins
Plug-Ins Everyone:(F) <--- Oops !
         Everyone:(OI)(CI)(IO)(DE,Rc,WDAC,WO,GW,GE,GA,RD,WD,AD,REA,WEA,X,DC,RA,WA)
         Everyone:(I)(F)
         Everyone:(I)(OI)(CI)(IO)(DE,Rc,WDAC,WO,GW,GE,GA,RD,WD,AD,REA,WEA,X,DC,RA,WA)
         NT SERVICE\TrustedInstaller:(I)(F)
         NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
         BUILTIN\Administrators:(I)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
         BUILTIN\Users:(I)(RX)
         BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files\Common Files\Avid\Audio>cd Plug-Ins

C:\Program Files\Common Files\Avid\Audio\Plug-Ins>whoami
darryl-w10\g         # Thats a "guest" account "g" with no administrator privileges

C:\Program Files\Common Files\Avid\Audio\Plug-Ins>copy nul test
        1 file(s) copied.

#4
01-19-2020, 06:46 PM
Darryl Ramm (Member)
Join Date: Nov 2010
Location: USA
Posts: 19,634
Re: Plugin directory security weakness - check your plugin directory permissions

That is not good. I'd be chmod'ing those directories :-(

Quote:
Originally Posted by JFreak View Post
Whoa, dude.. I had to check myself. I am 100% sure I had not hacked this after 2019.12 install but..

Code:
admin@91-153-197-51 Audio % ls -ld *
drwxrwxrwx  251 root  admin  8032 Jan 18 14:11 Plug-Ins
drwxrwxrwx    8 root  admin   256 Aug 12 17:37 Plug-Ins (Unused)
admin@91-153-197-51 Audio %
Was that a full clean install or an install over a previous Pro Tools install? And previous plugin folders?

I checked several times running installers here; interestingly, on the first try I thought the installer was still broken, then it worked. Guess I'll try again, curious what others see.

#5
01-19-2020, 06:48 PM
JFreak (Moderator)
Join Date: Jan 2003
Location: Tampere, Finland
Posts: 24,898
Re: Plugin directory security weakness - check your plugin directory permissions

After leaving the beta team, I have very rarely had a clean PT install. Always just install new version over previous one. First launch takes care of plugin versions.
__________________
Janne
What we do in life, echoes in eternity.

#6
01-20-2020, 01:20 AM
Darryl Ramm (Member)
Join Date: Nov 2010
Location: USA
Posts: 19,634
Re: Plugin directory security weakness - check your plugin directory permissions

This is beyond brain dead.

With inspiration from Janne's post I went looking more.

E.g. install 2019.6 on Mojave: the following directories are writable by other

/Library/Application Support/Avid
/Library/Application Support/Avid/Audio/Plug-Ins
/Library/Application Support/Avid/Audio/Plug-Ins (Unused)

Install 2019.12 on Mojave (clean or over 2019.6): Plug-Ins and Plug-Ins (Unused) are now not writable by other.

/Library/Application Support/Avid still is writable by others.

But now install the latest Avid Complete Plugin Bundle 18.10 installer and it makes Plug-Ins and Plug-Ins (Unused) writable by others again.

And some of the plugin bundles themselves within the Plug-In folder are actually writable as well....

Code:
$ ls -ld *
drwxrwxr-x  3 root  admin  96 Dec 20  2018 304C.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 304E.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 AutoPan.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 BBD Delay.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 BF-2A.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 BF-3A.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 BF-76.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 Black Op Distortion.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 Black Shiny Wah.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 Black Spring.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 C1 Chorus.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 ChannelStrip.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 ClickII.aaxplugin
drwxrwxr-x  3 root  admin  96 Dec 20  2018 DC Distortion.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 DVerb.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 Dither.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 DownMixer.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 DynamicsIII.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 EQIII.aaxplugin
drwxrwxrwx  3 root  admin  96 Jun 20  2019 Eleven Lite.aaxplugin
....
I would manually chmod all those as well.

Oh and Jesus, there are dynamic libraries wide open writable to the world in the cloud collaboration stuff.

Code:
$ cd /Library/Application\ Support/Avid/Cloud\ Client\ Services/
$ ls -ld *
drwxrwxrwx  11 root  admin       352 Jan 20 01:07 AVX2_Plug-ins
-rwxrwxrwx   1 root  admin    232342 Nov  9  2017 AddTrustExternalCARoot.crt
drwxrwxrwx   4 root  admin       128 Jan 20 00:24 AppData
-rwxrwxrwx   1 root  admin   3940096 Nov  9  2017 Hub
-rwxrwxrwx   1 root  admin      4830 Nov  9  2017 Hub.properties
-rwxrwxrwx@  1 root  admin    120314 Nov  9  2017 Icon?
drwxrwxrwx   3 root  admin        96 Jan 20 01:07 Images
drwxrwxrwx   4 root  admin       128 Jan 20 01:07 LicenseFiles
-rwxrwxrwx   1 root  admin   7995344 Nov  9  2017 TransportClient
-rwxrwxrwx   1 root  admin      2991 Nov  9  2017 TransportClient.properties
-rwxrwxrwx   1 root  admin  44654768 Apr  3  2017 libicudataAvid.51.2.dylib
-rwxrwxrwx   1 root  admin   2871860 Apr  3  2017 libicuucAvid.51.2.dylib
Never noticed this before because I automatically remove all the Avid cloud crap. Well it's now Avid cloud security hole crap.

Did nobody at Avid actually bother to think this through and check stuff when I reported this months ago? What a ****ing mess.

Last edited by Darryl Ramm; 01-20-2020 at 01:41 AM.
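
The per-directory `ls -ld` checks in posts #1 and #6, generalised into a recursive audit; this is an added example, not part of any poster's message or Avid's own tooling. The function names are hypothetical, the root path is the one quoted in the thread, and the fix clears only the "other" write bit (`o-w`), which gives the `drwxrwxr-x` result shown after the 2019.12 install.

```shell
#!/bin/sh
# Added example (not from the thread): audit and fix world-writable entries.
# Function names are hypothetical; the path below is the one quoted in the thread.

AVID_ROOT="/Library/Application Support/Avid"

# List every non-symlink file or directory under $1 with the "other" write bit.
audit_world_writable() {
    [ -d "$1" ] || return 0             # nothing installed there: nothing to report
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# Clear only the "other" write bit, leaving owner and group access untouched.
# Needs sudo on a real install because the entries are owned by root.
fix_world_writable() {
    [ -d "$1" ] || return 0
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# One line per root: count of world-writable entries, a tab, then the root.
report() {
    for root in "$@"; do
        n=$(audit_world_writable "$root" | wc -l | tr -d ' ')
        printf '%s\t%s\n' "$n" "$root"
    done
}

# Read-only by default: print the summary and the offending paths.
report "$AVID_ROOT"
audit_world_writable "$AVID_ROOT"
```

Re-run the audit after every installer, since post #6 shows a later plugin-bundle installer putting the write bit back on directories that 2019.12 had corrected.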

#7
01-20-2020, 02:13 AM
Sardi (Member)
Join Date: Aug 2002
Location: Perth
Posts: 2,994
Re: Plugin directory security weakness - check your plugin directory permissions

And they wonder why no one in post is using the cloud collaboration? Actually, why anyone at all is using the cloud collaboration feature.

Imagine how long ago we would have had track folders if they hadn’t bothered with that crap.


Sent from my iPhone using Tapatalk

#8
01-20-2020, 08:44 PM
Darryl Ramm (Member)
Join Date: Nov 2010
Location: USA
Posts: 19,634
Re: Plugin directory security weakness - check your plugin directory permissions

Quote:
Originally Posted by Sardi View Post
And they wonder why no one in post is using the cloud collaboration? Actually, why anyone at all is using the cloud collaboration feature.

Imagine how long ago we would have had track folders if they hadn’t bothered with that crap.


Sent from my iPhone using Tapatalk
That may well be true, but right now I'm more concerned with these glaring security issues in software that is in use at major studios and with valuable/confidential content. For a start I hope everybody is uninstalling that cloud collaboration software. The beginner-level security failures here, coupled with all the ongoing problems with collaboration software, inspire no confidence that this stuff is not also laced with other security problems.

#9
01-21-2020, 04:16 AM
musicman691 (Member)
Join Date: Dec 2009
Location: The Sopranos State (NJ)
Posts: 19,137
Re: Plugin directory security weakness - check your plugin directory permissions

Been looking at the screenshots and am wondering - how do you get this data? I don't think anyone has explained that part. Looks like more than a simple 'get info' thing. Terminal somehow and if so - how?
__________________
Jack
See profile for system details
iMac dead & retired as of 11/4/17

QAPLA!

#10
01-21-2020, 04:25 AM
JFreak (Moderator)
Join Date: Jan 2003
Location: Tampere, Finland
Posts: 24,898
Re: Plugin directory security weakness - check your plugin directory permissions

Terminal commands are there in the code blocks. Basically if you don't understand what is going on in there, don't do it. Whatever you do in Terminal, especially when someone says you should "sudo" something, you need to know what you are doing and not just simply follow instructions.
__________________
Janne
What we do in life, echoes in eternity.
All times are GMT -7. The time now is 10:29 PM.

