Issues with security software: orbicule.com "Undercover"

During a lab exercise one of our students found several privacy and security issues in products and services offered by http://orbicule.com.

orbicule.com offers what is claimed to be a notebook anti-theft solution for Apple Mac OS X called Undercover. You install their software on your machine, register the machine with them and then shit happens.

A) Website.

1. Everybody can see the list of stolen notebooks and their MAC addresses. See

2. The site contains SQL injection vulnerabilities. Try

B) Binary

The binary contains - for whatever reason - the FTP username and password used to administer the orbicule.com website. This allows anyone who extracts them to download the list of registered users and do all kinds of havoc, e.g. backdooring the binary available for download on the site.
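The embedded-credential problem in section B is the kind of defect a vendor can catch before shipping. The following is an added example, not code from the advisory or from Orbicule: a pre-release check that pulls printable strings out of a build artifact (the way strings(1) does) and flags anything that looks like a credential, such as a scheme://user:password@host URL or a "password=" style assignment. The sample "binary" files, the regex patterns and the directory names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): flag credential-like strings in a release binary.
# All sample data below is constructed; patterns are illustrative, not exhaustive.

# Emulate strings(1): every byte that is not printable becomes a line break,
# then keep only runs of at least 8 printable characters.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{8,}$'
}

# scan_for_credentials FILE
# Prints every suspicious string found in FILE.
# Returns 0 if at least one was found (build should be rejected), 1 if the file looks clean.
scan_for_credentials() {
    printable_strings "$1" | grep -E -i \
        -e '^[a-z]+://[^/:@[:space:]]+:[^@[:space:]]+@' \
        -e '(passw(or)?d|passwd|secret|api[_-]?key)[[:space:]]*[=:]'
}

# Demo on two constructed files in a temporary directory.
demo_dir=$(mktemp -d)
# A fake binary with an FTP URL carrying credentials embedded between NUL bytes
# (constructed placeholder values, not anything from the real product).
printf 'MZ\000\000\001\002Undercover\000\000ftp://deploy:s3cret-example@ftp.example.invalid/www\000\000\003' \
    > "$demo_dir/agent.bin"
# A fake binary with only harmless strings.
printf 'MZ\000\000\001\002hello world program\000\000' > "$demo_dir/clean.bin"

for f in "$demo_dir/agent.bin" "$demo_dir/clean.bin"; do
    if scan_for_credentials "$f"; then
        echo "REJECT: $f contains credential-like strings"
    else
        echo "OK: $f"
    fi
done
```

Run this against every artifact produced by the build; a non-zero count of hits is a reason to fail the release, and the real secret, if one was ever embedded, should be rotated rather than merely removed from the next build.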

C) Theft Protection

1. The binary is started via a LaunchDaemon and thus can easily be disabled - a PoC:
$ sudo chmod -x /private/etc/uc.app/Contents/MacOS/uc
$ sudo reboot

2. The IP address check relies on the third-party website http://checkip.dyndns.org/, thus unnecessarily revealing information to a third party without stating this in the documentation.
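Section C.1 shows that an agent started by a LaunchDaemon has no tamper resistance of its own: a single chmod -x stops it. What a defender can at least do is detect that state. The script below is an added example, not code from the advisory or from Orbicule: a small integrity audit for a launchd-started agent that reports a missing binary, a binary that has lost its execute bit, a world-writable binary, or a hash that no longer matches a baseline recorded at install time. The agent path and the baseline hash are supplied by the caller; the paths in the demo are constructed placeholders, not Undercover's real files.

```shell
#!/bin/sh
# Added example (not from the advisory): integrity audit for a launchd-started agent.
# The demo paths and the fake agent are constructed placeholders.

# SHA-256 of a file; GNU coreutils sha256sum, or shasum -a 256 on macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# audit_agent PATH BASELINE_SHA256
# Prints one finding per line. Returns 0 when nothing is wrong, 1 otherwise.
audit_agent() {
    path=$1
    baseline=$2
    findings=0
    if [ ! -f "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    # The chmod -x trick from C.1: the file is still there but launchd cannot exec it.
    if [ ! -x "$path" ]; then
        echo "NOT_EXECUTABLE $path"
        findings=$((findings + 1))
    fi
    # A world-writable agent can be replaced by any local user.
    if find "$path" -prune -perm -002 | grep -q .; then
        echo "WORLD_WRITABLE $path"
        findings=$((findings + 1))
    fi
    actual=$(file_sha256 "$path")
    if [ "$actual" != "$baseline" ]; then
        echo "HASH_MISMATCH $path expected=$baseline actual=$actual"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo on a constructed agent in a temporary directory.
demo=$(mktemp -d)
agent="$demo/uc"
printf '#!/bin/sh\necho agent running\n' > "$agent"
chmod 755 "$agent"
baseline=$(file_sha256 "$agent")    # record at install time; keep a copy off the host
audit_agent "$agent" "$baseline" && echo "clean: $agent"
chmod -x "$agent"                    # the disabling step shown in C.1
audit_agent "$agent" "$baseline" || echo "tampered: $agent"
```

The baseline hash has to live somewhere the local administrator cannot simply rewrite (a management server, not the same disk), and the audit itself should be run by something other than the agent being audited; otherwise whoever ran the chmod in C.1 can run one more chmod on the auditor.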

D) Timeline

2005-01-20: Issue reported to us by a student, verified by us
2005-01-20: info@xxxxxxxxxxxx, Peter.Schols@xxxxxxxxxxxxxxx contacted
2005-01-20: Reply by Peter Schols requesting further explanation; email discussion of the issues
2005-01-20: Vendor assures us that "over the next weeks we will increase our development efforts to get a more secure and more reliable Undercover out as soon as possible."
2005-01-30: Vendor contacted us and assures us that MAC addresses are no longer stored on the server, the SQL injection is fixed and the password is removed from the binary.
2005-02-01: Vendor now states our findings are wrong. Demands "updating" of a blog entry at http://blogs.23.nu/c0re/stories/11058/
2005-02-01: Uncoordinated release, after weighing the damage done by non-release against release and considering that the vendor hadn't stopped distributing the broken software.

Maximillian Dornseif
Pi1 - Laboratory for Dependable Distributed Systems, University of Mannheim, Germany

