
Remote root (?) exploit in Retrospect 8 for Mac OS X

So, you have to cut Retrospect a little slack, it’s been passed around like a hot potato recently and has just found a home at Roxio now that EMC have washed their hands of it.

The interface for the new version is a little rough around the edges – for instance, you can add license keys to the server, but there’s no button (or keystroke I could work out) to remove them if, for example, you want to delete an entered trial license.

There’s no save button when you’re editing a script – click around and the changes are saved as you made them with no prompting and no way to undo…

Anyway, all of these pale into insignificance when you realise that you can install the Retrospect 8 management console on your computer and connect to your server. Without entering a password. Even if you enter the wrong password.

Yep, open to all and sundry. What’s more, Roxio have a Retrospect app for the iPhone. How many admins are going to open up the Retrospect server admin ports to the internet, and in doing so hand anyone who cares to try the ability to trash their server should they desire?

Trash your server – how? Make an archive set, archive everything on the server, telling Retrospect to delete files after archiving. Recycle the archive set. Done.
