Security Failure: LW Installer creates "hidden" store for untrusted users

gaelicWizard · #1 (**permalink**) March 1st, 2006

The limewire installer includes the following code in its postflight script:

Code:

echo "Copying LimeWire.dmg to network share."
if [ "free" == "free" ]; then
    if [ -f ~/Desktop/LimeWireOSX.dmg ]; then
        mkdir "$2/Applications/LimeWire/LimeWire.app/Contents/Resources/Java/.NetworkShare"
        chmod a+rw "$2/Applications/LimeWire/LimeWire.app/Contents/Resources/Java/.NetworkShare" 
        cp ~/Desktop/LimeWireOSX.dmg "$2/Applications/LimeWire/LimeWire.app/Contents/Resources/Java/.NetworkShare/LimeWireOSX4.10.9.dmg"
        chmod a+rwx "$2/Applications/LimeWire/LimeWire.app/Contents/Resources/Java/.NetworkShare/LimeWireOSX4.10.9.dmg"
    fi
fi

This code is ... nice(?) in that it makes the latest version of LimeWire available on the network, but it also raises some concerns: First, this is a hidden network share. I've never seen it in preferences. Second, it explicitly makes this directory WORLD WRITABLE, which means that any user on the machine can share things on limewire whenever *any* user is running limewire, *and* it is inside the app bundle, so a malicious user can "hide" file there, that will appear to be part of LimeWire.app.

Aside from not asking if I want to have a hidden share directory, this can be abused to hide file on a user's system. In face, it is *designed* to hide files, specifically the limewireOSX.dmg file!

JP

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
"hidden" search results	terrib62	General Mac Support	0	May 6th, 2003 09:48 PM
resuming "incompleted downloads" after power failure ?????	jeffoftheclanbruce@comcast.net	Download/Upload Problems	0	July 2nd, 2002 02:51 PM
Mac users: ".img" & ".smi" files are worthless!!	Unregistered	General Mac OSX Support	4	May 24th, 2002 05:42 PM
Mac users: ".img" & ".smi" files are worthless!!	Unregistered	General Mac Support	2	May 12th, 2002 03:51 PM