RE: Apple pentesting

From: Altheide, Cory B. (IARC) (AltheideC@nv.doe.gov)
Date: Tue Apr 05 2005 - 15:14:08 EDT


> -----Original Message-----
> From: Todd Towles [mailto:toddtowles@brookshires.com]
> Sent: Tuesday, April 05, 2005 11:59 AM
> To: Altheide, Cory B. (IARC)
> Cc: pen-test@securityfocus.com
> Subject: RE: Apple pentesting
>
> And I ask you where is the exploit information? What is the
> vulnerability? Do exploits exist? Can you test if you are
> vulnerable? This is a site that lists patches..not the
> same thing. Interesting that you think they are the same.
> Apple doesn't follow Full-Disclosure, that was my point.
>
> I didn't mean they don't patch...

Please try *very hard* to comprehend what I am writing.

You said: "the problem with testing Macs is they never released
vulnerability statements..never. If a hole is found, Apple releases a patch
and no one says anything."

This is *FALSE*.

To rebut your current misconceptions (at least the ones applicable to this
discussion):

"What is the vulnerability?"

Clicking on the most recent security update link, located here:
http://docs.info.apple.com/article.html?artnum=301061

Gives us useful information, like CVE-IDs. Do you know what a CVE number is
used for?

Example entry:

    * AFP Server
      Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
      CVE-ID: CAN-2005-0340
      Impact: A specially crafted packet can cause a Denial of Service
      against the AFP Server.
      Description: A specially crafted packet will terminate the operation
      of the AFP Server due to an incorrect memory reference. Credit to
      Braden Thomas for reporting this issue.

Now, we take this CVE number, look it up at http://cve.mitre.org, and we get
the following:

Name: CAN-2005-0340 (under review)
Description: Integer signedness error in Apple File Service (AFP Server)
allows remote attackers to cause a denial of service (application crash) via
a negative UAM string length in a FPLoginExt packet.
References:

    * BUGTRAQ:20050208 AppleFileServer Denial of Service.
    * URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110791369419784&w=2
    * APPLE:APPLE-SA-2005-03-21
    * URL:http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html

If you are too obtuse to harvest this information you have no business
dealing with information (let alone the security thereof).

My favorite is this question, though:

"And I ask you where is the exploit information?"

LOL. That's adorable. ZOMG the vendor doesn't link to exploit code OB-FU!
Do any vendors (intentionally) provide explicit information on how to
exploit the very code they vend?

Before you send another email, I ask that you strap on a clue-bag, chew on
it for a while, really /digest/ the clue, then fire up that mail client.
It'll be a good thing.

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
altheidec@nv.doe.gov
"I have taken all knowledge to be my province." -- Francis Bacon

PS Don't top-post.
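The CVE entry quoted in the message above names the defect class (an integer signedness error on a length field) without showing what it looks like in code. The following is an added illustration, not Apple's code and not the real AFP/FPLoginExt wire format: a constructed, one-byte-length-prefixed "UAM string" parser in the vulnerable shape beside the corrected one, with a small model of an unchecked C-style copy so the out-of-bounds read becomes observable. Every name in it (`parse_uam_vulnerable`, `parse_uam_hardened`, `unchecked_copy`, the sample packets) is hypothetical.

```python
"""Integer signedness error in a length-prefixed string parser.

Constructed example: a login-style packet carries a one-byte length
followed by that many bytes of a UAM (authentication method) name.
Reading the length as a signed int8 lets a byte >= 0x80 appear
negative, slip past the "does it fit in the packet?" check, and then
be handed to a copy routine that treats it as an unsigned size.
"""
import struct


class OutOfBoundsRead(Exception):
    """Raised by the copy model when a read would run past the buffer."""


def unchecked_copy(buf: bytes, start: int, count: int) -> bytes:
    """Model of a C-style memcpy whose count parameter is a size_t.

    A negative `count` converts to a huge unsigned value (32-bit here),
    so the copy would run far past the end of `buf`. In C that is an
    invalid memory reference (the crash the advisory describes); here
    we raise so the condition is visible.
    """
    n = count & 0xFFFFFFFF  # int -> size_t conversion
    if start + n > len(buf):
        raise OutOfBoundsRead(f"read of {n} bytes at offset {start} exceeds {len(buf)}")
    return buf[start:start + n]


def parse_uam_vulnerable(packet: bytes) -> bytes:
    """Vulnerable pattern: length decoded as a signed int8 ('>b')."""
    if len(packet) < 1:
        raise ValueError("empty packet")
    (length,) = struct.unpack_from(">b", packet, 0)
    remaining = len(packet) - 1
    if length > remaining:  # a negative length sails through this check
        raise ValueError("UAM length exceeds packet")
    return unchecked_copy(packet, 1, length)


def parse_uam_hardened(packet: bytes) -> bytes:
    """Fixed pattern: length decoded as unsigned ('>B') before the bounds check."""
    if len(packet) < 1:
        raise ValueError("empty packet")
    (length,) = struct.unpack_from(">B", packet, 0)
    remaining = len(packet) - 1
    if length > remaining:  # 0x80 is now 128, correctly rejected
        raise ValueError("UAM length exceeds packet")
    return unchecked_copy(packet, 1, length)


def outcome(parser, packet: bytes) -> str:
    """Classify what a parser does with a packet: ok / rejected / out-of-bounds."""
    try:
        parser(packet)
        return "ok"
    except ValueError:
        return "rejected"
    except OutOfBoundsRead:
        return "out-of-bounds"


# Constructed sample packets (hypothetical, not real AFP traffic).
GOOD_PACKET = bytes([16]) + b"Cleartxt Passwrd"   # length matches payload
BAD_PACKET = bytes([0x80]) + b"Cleartxt Passwrd"  # 0x80 == -128 as int8


if __name__ == "__main__":
    for name, parser in (("vulnerable", parse_uam_vulnerable),
                         ("hardened", parse_uam_hardened)):
        for label, pkt in (("good", GOOD_PACKET), ("bad", BAD_PACKET)):
            print(f"{name:10s} {label:4s} -> {outcome(parser, pkt)}")
```

The point for a reviewer or pentester reading an advisory like the one above: the bounds check is present in both versions, so the defect is not a missing check but the type of the value being checked. A length that is compared as signed and then consumed as unsigned is the pattern to grep for.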
