RE: Apple pentesting

From: Altheide, Cory B. (IARC) (AltheideC_at_nv.doe.gov)
Date: 04/05/05

    To: "'Todd Towles'" <toddtowles@brookshires.com>
    Date: Tue, 5 Apr 2005 12:14:08 -0700
    
    

    > -----Original Message-----
    > From: Todd Towles [mailto:toddtowles@brookshires.com]
    > Sent: Tuesday, April 05, 2005 11:59 AM
    > To: Altheide, Cory B. (IARC)
    > Cc: pen-test@securityfocus.com
    > Subject: RE: Apple pentesting
    >
    > And I ask you where is the exploit information? What is the
    > vulnerability? Do exploits exist? Can you test if you are
    > vulnerable? This is a site that lists patches..not the
    > same thing. Interesting that you think they are the same.
    > Apple doesn't follow Full-Disclosure, that was my point.
    >
    > I didn't mean they don't patch...

    Please try *very hard* to comprehend what I am writing.

    You said: "the problem with testing Macs is they never released
    vulnerability statements..never. If a hole is found, Apple releases a patch
    and no ones says anything."

    This is *FALSE*.

    To re*** your current misconceptions (at least the ones applicable to this
    discussion):

    "What is the vulnerability?"

    Clicking on the most recent security update link, located here:
    http://docs.info.apple.com/article.html?artnum=301061

    gives us useful information, like CVE-IDs. Do you know what a CVE number is
    used for?

    Example entry:

        * AFP Server
          Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
          CVE-ID: CAN-2005-0340
          Impact: A specially crafted packet can cause a Denial of Service
          against the AFP Server.
          Description: A specially crafted packet will terminate the operation
          of the AFP Server due to an incorrect memory reference. Credit to
          Braden Thomas for reporting this issue.

    Now, we take this CVE number, look it up at http://cve.mitre.org, and we get
    the following:

    Name: CAN-2005-0340 (under review)
    Description: Integer signedness error in Apple File Service (AFP Server)
    allows remote attackers to cause a denial of service (application crash) via
    a negative UAM string length in a FPLoginExt packet.
    References:

        * BUGTRAQ:20050208 AppleFileServer Denial of Service.
        * URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110791369419784&w=2
        * APPLE:APPLE-SA-2005-03-21
        * URL:http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html

    If you are too obtuse to harvest this information you have no business
    dealing with information (let alone the security thereof).

    My favorite is this question, though:

    "And I ask you where is the exploit information?"

    LOL. That's adorable. ZOMG the vendor doesn't link to exploit code OB-FU!
    Do any vendors (intentionally) provide explicit information on how to
    exploit the very code they vend?

    Before you send another email, I ask that you strap on a clue-bag, chew on
    it for a while, really /digest/ the clue, then fire up that mail client.
    It'll be a good thing.

    Cory Altheide
    Senior Network Forensics Specialist
    NNSA Information Assurance Response Center (IARC)
    altheidec@nv.doe.gov
    "I have taken all knowledge to be my province." -- Francis Bacon

    PS Don't top-post.
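The lookup the message walks through, from a vendor advisory entry to its CVE-ID to the MITRE record, as an added example for readers of this thread (not code from the list post, from Apple, or from MITRE). It parses the APPLE-SA-2005-03-21 entry quoted above, which is embedded verbatim as sample input, extracts the identifier, and builds the lookup URL. Two things are assumptions rather than facts stated in the thread: that legacy `CAN-` candidate ids resolve today under the same number with a `CVE-` prefix, and the `cvename.cgi?name=` URL pattern on cve.mitre.org.

```python
"""Map Apple security-update advisory entries to CVE lookups.

Added example for this thread; the advisory text is the entry quoted in
the message, the CAN->CVE renaming and the MITRE URL pattern are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Entry as quoted in the message (APPLE-SA-2005-03-21 excerpt), used as sample input.
ADVISORY_TEXT = """\
* AFP Server
  Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
  CVE-ID: CAN-2005-0340
  Impact: A specially crafted packet can cause a Denial of Service
against the AFP Server.
  Description: A specially crafted packet will terminate the operation
of the AFP Server due to an incorrect memory reference. Credit to Braden
Thomas for reporting this issue.
"""

# Matches the legacy candidate prefix (CAN-) as well as the current CVE- prefix.
CVE_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4,})\b")

# Field labels Apple used in this advisory format; anything else is a wrapped line.
KNOWN_LABELS = {"available for", "cve-id", "impact", "description"}


@dataclass
class AdvisoryEntry:
    component: str
    available_for: list[str] = field(default_factory=list)
    cve_ids: list[str] = field(default_factory=list)
    impact: str = ""
    description: str = ""


def normalize_cve(identifier: str) -> str:
    """Rewrite a legacy CAN-YYYY-NNNN candidate id to CVE-YYYY-NNNN.

    Assumption: MITRE dropped the CAN- prefix in 2005 and candidates kept
    their number, so CAN-2005-0340 is looked up today as CVE-2005-0340.
    """
    m = CVE_RE.fullmatch(identifier.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {identifier!r}")
    return f"CVE-{m.group(2)}-{m.group(3)}"


def parse_advisory(text: str) -> list[AdvisoryEntry]:
    """Split advisory text into entries, one per '* Component' header.

    Field lines start with a known 'Label:'; other non-empty lines are
    continuation lines (the mail archive wraps at 72 columns) and are
    joined onto the free-text field that is currently open.
    """
    entries: list[AdvisoryEntry] = []
    current: AdvisoryEntry | None = None
    open_field: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("* "):
            current = AdvisoryEntry(component=line[2:].strip())
            entries.append(current)
            open_field = None
            continue
        if current is None:
            continue  # text before the first component header
        label, sep, value = line.partition(":")
        key = label.strip().lower() if sep else ""
        if key == "available for":
            current.available_for = [v.strip() for v in value.split(",") if v.strip()]
            open_field = None
        elif key == "cve-id":
            current.cve_ids = [normalize_cve(m.group(0)) for m in CVE_RE.finditer(value)]
            open_field = None
        elif key in KNOWN_LABELS:  # impact or description
            setattr(current, key, value.strip())
            open_field = key
        elif open_field:
            # Wrapped continuation line: append to the open free-text field.
            setattr(current, open_field, getattr(current, open_field) + " " + line)
    return entries


def cve_lookup_url(cve_id: str) -> str:
    """Per-CVE page on cve.mitre.org (URL pattern assumed, not taken from the thread)."""
    return f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={normalize_cve(cve_id)}"


if __name__ == "__main__":
    for entry in parse_advisory(ADVISORY_TEXT):
        print(entry.component, entry.cve_ids, entry.available_for)
        print("  impact:", entry.impact)
        for cve in entry.cve_ids:
            print("  ", cve_lookup_url(cve))
```

The parser keys on the label set Apple used in that advisory format; a continuation line that happens to contain a colon but no known label is still treated as wrapped text, which is what the 72-column archive wrapping in the quoted entry requires.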

