Re: Apple pentesting

From: Daniel (deeper_at_gmail.com)
Date: 04/06/05

    Date: Wed, 6 Apr 2005 00:35:49 +0100
    To: Todd Towles <toddtowles@brookshires.com>

    I'll answer your questions individually.

    First thing to understand is that not all vulnerabilities have a
    corresponding "publicly available" exploit; yes, the 0day still
    exists.

    <<where is the exploit information?>>

    As I said before, not all known vulnerabilities have publicly
    available exploit code. I'd suggest getting kinky with Metasploit or a
    subscription to Canvas/that other one I can't think of right now. If
    they are publicly available, those crazy French peeps over at k-otik
    may have it (http://www.frsirt.com/english/)

    <<What is the vulnerability?>>
    If you're on the pen-test mailing list, I'm gathering you're a sexurity
    conslutant and have some idea of where security vulnerabilities are
    announced; if not, google/securityfocus.com/apple.com/security &
    full-disclosure mailing list.

    <<Do exploits exist? >>
    Oh yes, they do, and don't let some vendor tell you otherwise.

    <<Can you test if you are vulnerable?>>

    This is the main issue currently splitting the security consultancy
    industry in half at the moment: on the one hand you have people who
    call themselves "pen-testers" but are only able to rely on automated
    tools and scripts to test (therefore they should be known as vulnerability
    assessment consultants), and then you have consultants who are able to
    read a vulnerability statement and have an understanding of how to look
    for the issue and perform a test.

    Here, very roughly, is how you could test:

    Find a vulnerability that you know you have the skill set to test for;
    hmmm, in this case I'll pick the iTunes issue found by those lovely
    people at iDefense:

    http://www.idefense.com/application/poi/display?id=180&type=vulnerabilities

    * I'm using this one as an example; yes, you need the person to click
    and listen to the playlist, but hell, social engineering is all part of
    the game, so apologies to all that it's not a 100% remote issue *

    So the issue is that iTunes gets its knickers in a knot when parsing
    playlist files which may contain really long URL file entries. Well,
    this is a simple classic issue here, well documented, and armed with
    your copy of The Shellcoder's Handbook it's easy to create a test for.

    [playlist]
    numberofentries=1
    File1=http://[P x 3333] 2233
    Length1=-1
    Version=2

    Save that file and somehow get a person on the box to open it (pretty
    easy: tell them you're doing a test for the IT department and this is to
    check to see if the microphone is enabled, as, if it is, a virus could
    record all office noise).

    iTunes will crash, and if you took steps to actually exploit this
    crash, you may end up with code being executed.

    <<Apple doesn't follow Full-Disclosure>>

    And I'm 1000% supportive of this process, as are
    Microsoft/Oracle/Sun/Sybase etc. Why should they report detailed
    information about the security hole? They list the issue and also
    whether it was fixed and how to go about fixing it using a supplied patch
    or method.

    Here's hoping all the questions raised have been answered.

    Daniel
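    As an added example (not from the thread or its participants): a small .pls checker a defender could run at a mail or download gateway to flag playlist entries shaped like the test above, i.e. a FileN URL far longer than any legitimate stream address. The 1024-byte limit and the two sample playlists are assumptions constructed here.

```python
"""Flag oversized File entries in .pls playlists (added example, not from the
thread). The thread's test playlist carries a URL of ~3333 bytes in File1;
this checker reports such entries so the file can be quarantined."""
import re

# Assumed limit: ordinary playlist URLs are at most a few hundred bytes.
MAX_URL_LEN = 1024
_ENTRY_RE = re.compile(r"^(File|Title|Length)(\d+)=(.*)$")


def parse_pls(text):
    """Return {index: {"file":..., "title":..., "length":...}} for a .pls body.
    Lines outside [playlist], comments and non key=value lines are ignored."""
    entries = {}
    in_playlist = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_playlist = line.lower() == "[playlist]"
            continue
        if not in_playlist:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # numberofentries=, Version= and unknown keys
        key, idx, val = m.group(1).lower(), int(m.group(2)), m.group(3)
        entries.setdefault(idx, {})[key] = val
    return entries


def find_oversized(text, limit=MAX_URL_LEN):
    """Return (index, url_length) for every File entry longer than limit."""
    return [(i, len(e["file"])) for i, e in sorted(parse_pls(text).items())
            if "file" in e and len(e["file"]) > limit]


# Constructed samples: a normal playlist and one shaped like the thread's test.
BENIGN_PLS = ("[playlist]\nnumberofentries=1\n"
              "File1=http://example.invalid/a.mp3\nLength1=-1\nVersion=2\n")
LONG_PLS = ("[playlist]\nnumberofentries=1\nFile1=http://" + "P" * 3333 +
            " 2233\nLength1=-1\nVersion=2\n")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_PLS), ("long-url", LONG_PLS)):
        print(name, find_oversized(body))
```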

    On Apr 5, 2005 7:59 PM, Todd Towles <toddtowles@brookshires.com> wrote:
    > And I ask you where is the exploit information? What is the
    > vulnerability? Do exploits exist? Can you test if you are vulnerable?
    > There is a site that lists patches..not the same thing. Interesting that
    > you think they are the same. Apple doesn't follow Full-Disclosure, that
    > was my point.
    >
    > I didn't mean they don't patch...
    >
    > > -----Original Message-----
    > > From: Altheide, Cory B. (IARC) [mailto:AltheideC@nv.doe.gov]
    > > Sent: Tuesday, April 05, 2005 1:55 PM
    > > To: Todd Towles; Julian Totzek; pen-test@securityfocus.com
    > > Subject: RE: Apple pentesting
    > >
    > > > -----Original Message-----
    > > > From: Todd Towles [mailto:toddtowles@brookshires.com]
    > > > Sent: Tuesday, April 05, 2005 10:48 AM
    > > > To: Julian Totzek; pen-test@securityfocus.com
    > > > Subject: RE: Apple pentesting
    > > >
    > > >
    > > > Nessus does work against Macs, the problem with testing
    > > > Macs is they never released vulnerability statements..never. If a
    > > > hole is found, Apple releases a patch and no one says anything. If
    > > > Microsoft did this..everyone would go crazy.
    > >
    > > I'm gonna go out on a limb and say you don't know what you're
    > > talking about.
    > >
    > > Protip: Google for 'apple security' and this is the first hit.
    > >
    > > http://docs.info.apple.com/article.html?artnum=61798
    > >
    > >
    > > Cory Altheide
    > > Senior Network Forensics Specialist
    > > NNSA Information Assurance Response Center (IARC)
    > > altheidec@nv.doe.gov "I have taken all knowledge to be my
    > > province." -- Francis Bacon
    > >
    > >
    >