Full Disclosure mailing list archives

OS X DirectoryService attack {Updated}


From: Neeko Oni <neeko () haackey com>
Date: Tue, 22 Apr 2003 22:38:06 -0700 (PDT)

Thanks to Patrick M McNeal and Subversive, we've got a clearer idea of the
factors involved in the DirectoryService OS X compromise.

Quoting out an off-list message with Mr. McNeal:

<snip>
 From our testing and some discussions we've had, only OS X server binds
to port 625:

DirectoryService will only listen on that port if

/Library/Preferences/DirectoryService/.DSTCPListening

exists.

This is not the default state (and I believe probably not supported)
on Mac OS X client. On Mac OS X Server, however, most if not all of
the graphical management depend on port 625 being open. I know for
certain WorkGroup Manager authenticates over 625.

..
 From what I know, no one has been able to crash DirectoryServices on
the client machine.
</snip>

So it appears the distinction between binding/non-binding DirectoryService
processes is in the client/server and .DSTCPListening difference(s).
I know several people have contacted me about asking for information about this
when it comes to me, and I hope this helps you guys out.  Thanks again to
those previously mentioned that have provided me with information.

.Neeko Oni

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
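
An added example, not part of the original post: a defender-side audit that checks the two conditions the message ties together, the `.DSTCPListening` flag file and a TCP listener on port 625. The function names, the state labels, the `ROOT` argument, and the assumption that the input is saved `netstat -an` output in the Mac OS X "addr.port" format are all choices made for this example.

```shell
#!/bin/sh
# Added example: audit a host (or a mounted image) for the DirectoryService
# TCP listener described in the post. Names below are hypothetical.

# Flag file path from the post, relative to the filesystem root being audited.
DS_FLAG='Library/Preferences/DirectoryService/.DSTCPListening'

# Succeeds if the `netstat -an` text on stdin shows a TCP socket in LISTEN
# state on local port 625. Mac OS X prints local addresses as "addr.port",
# e.g. "*.625", so the dot before 625 keeps ports like 1625 from matching.
has_625_listener() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /[.]625$/ { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# ds_tcp_state ROOT NETSTAT_FILE
# Prints one of:
#   exposed                flag file present and port 625 listening
#   flag-only              flag file present, nothing listening yet
#   listener-without-flag  something else holds port 625, or the flag was removed
#   not-listening          neither condition holds
ds_tcp_state() {
    root=${1%/}
    flag=no
    listen=no
    if [ -e "$root/$DS_FLAG" ]; then flag=yes; fi
    if has_625_listener < "$2"; then listen=yes; fi
    case "$flag/$listen" in
        yes/yes) echo "exposed" ;;
        yes/no)  echo "flag-only" ;;
        no/yes)  echo "listener-without-flag" ;;
        *)       echo "not-listening" ;;
    esac
}

# Live use on the host itself (assumption: run with read access to /Library):
#   netstat -an > /tmp/ns.txt && ds_tcp_state / /tmp/ns.txt
```
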

