Full Disclosure mailing list archives

OSX 10.3 Personal Firewall.


From: B-r00t <br00t () blueyonder co uk>
Date: Wed, 29 Oct 2003 03:02:06 +0000 (GMT)

Panther OSX 10.3 (Firewall Configuration App)

OSX Personal Firewall gives false sense of security
due to lack of ICMP and UDP protocol filtering.

maki:~ br00t$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.3
BuildVersion:   7B85

Quoting Apple: http://www.apple.com/macosx/features/security/

Personal Firewall
The Mac OS X personal firewall protects your computer from
unauthorized access by monitoring all incoming network traffic.
When you enable the personal firewall in Mac OS X, all inbound
connections are denied except for those that you explicitly permit.

Activating the OSX firewall via: -
System Preferences => Sharing => Firewall [START]

Performing an Nmap TCP port scan reveals: -

[root@desktop]# nmap -sS -p 1-65535 -vv maki
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host maki (192.168.0.69) appears to be up ... good.
Initiating SYN Stealth Scan against maki (192.168.0.69)
The SYN Stealth Scan took 2779 seconds to scan 65535 ports.
All 65535 scanned ports on maki (192.168.0.69) are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 2779 seconds

The output results are as expected with all ports being reported
as 'filtered'. However, ICMP and UDP protocols produce the following
results.

ICMP: -
[root@desktop]# ping -c 1 maki
PING maki (192.168.0.69) 56(84) bytes of data.
64 bytes from maki (192.168.0.69): icmp_seq=1 ttl=64 time=2.71 ms
--- maki ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.713/2.713/2.713/0.000 ms

UDP: -
[root@desktop]# nmap -sU -p 1-65535 -v maki
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host maki (192.168.0.69) appears to be up ... good.
Initiating UDP Scan against maki (192.168.0.69)
The UDP Scan took 434 seconds to scan 65535 ports.
Interesting ports on maki (192.168.0.69):
(The 65531 ports scanned but not shown below are in state: closed)
Port       State       Service
68/udp     open        dhcpclient
123/udp    open        ntp
514/udp    open        syslog
5353/udp   open        unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 435 seconds

The important word being 'closed' and NOT 'filtered'!

I know that the underlying ipfw is capable of being configured
accordingly, but shouldn't the overlying firewall configuration
application at least activate appropriate UDP and ICMP filtering?

Especially since the majority of OSX users will employ the GUI
firewall configuration application as their primary form of
Internet protection.

Remember kidz, use either ICMP or UDP backdoor code!

Just my opinion.

B#.
--

----------------------------------------------------
Email : B-r00t <br00t () blueyonder co uk>
Key fingerprint = 74F0 6A06 3E57 083A 4C9B
                  ED33 AD56 9E97 7101 5462

"There's no way a highschool punk can put a dime
into a telephone and break into our system."
-----------------------------------------------------




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

