At that time, David and I were the main contributors to improving FileMaker security. At this conference, we also presented two new issues that we had discovered.
The dylib hijacking vulnerability for macOS is well known and studied. But from a FileMaker developer’s point of view, I have not seen any analysis of this problem.
I will start with some background.
Embedding into someone else’s app through modification, or running malicious code under the cover of the original app, has been one of the attack vectors on Apple devices.
But starting with macOS Lion (10.7), Apple introduced a requirement for developers to sign their apps, to confirm the authenticity of the app and protect it from modification.
Bypass authorization of FileMaker Server or “there is no such category”
Update: This article has been updated. Apple did find the right category for this vulnerability and paid the reward. Well done!
Introduction
In the summer of 2023, I decided to investigate the internal communication protocol between FileMaker clients and the server.
This led to the discovery of perhaps the most significant vulnerability in the platform’s history.
I discovered that it is possible to connect to any database hosted on any FileMaker Server with full administrator privileges without any authorization!
I have identified a privilege escalation vulnerability in FileMaker Server for all platforms (macOS, Windows, Ubuntu).
This vulnerability allows an attacker who has the most limited access to a remote database hosted on FileMaker Server to get full access privileges, with access to all data from all tables of the remote database, including the ability to edit scripts in Scripts Workspace, edit any Layout, and edit any data in any table.