Information Security News mailing list archives

File Sharing Vulnerability Discovered in Mac OS X


From: InfoSec News <isn () c4i org>
Date: Mon, 1 Mar 2004 05:04:33 -0600 (CST)

http://www.eweek.com/article2/0,1759,1540557,00.asp

By Daniel Drew Turner 
February 27, 2004   
 
A security issue that could result in stolen passwords and data was
revealed on Friday for Apple Computer Inc.'s Apple Filing Protocol, a
component of Mac OS X 10.3.2, a.k.a. Panther. The file protocol allows
Macintosh users to access files on remote systems.

An alert on the vulnerability was posted to the Security Focus BUGTRAQ
Alert Service.

In Mac OS X 10.2, Apple updated Apple Filing Protocol (AFP) to permit
secure connections over the SSH (Secure Shell) protocol. However, Chris
Adams, a system administrator in San Diego, Calif., noted that while
users can request secure connections, the system does not issue any
alert or indication if an SSH connection is unavailable and instead
defaults to a non-secure connection. He noted that the only indication
was a negative one - users must be aware that an alert "Opening Secure
Connection" did not appear.

According to Adams, this could result in users sending unencrypted
passwords over an insecure connection.

"Login credentials may be sent in cleartext or protected with one of
several different hashed exchanges or Kerberos. There does not appear
to have been any serious third-party security review of Apple's client
or server implementations," Adams wrote in his report on the
vulnerability.

Speaking with eWEEK.com, Adams said that any such activity would only
come as the result of an active attack. "OS X does warn you before
using unencrypted passwords and AFP does prevent passive password
collection by encrypting the log-in process to protect the password on
its way to the server. This problem allows you to trick it into
sending the unencrypted password to you instead of the intended
server," he said.

Adams pointed out that this sort of problem was not unique to Mac OS X.

"As with Microsoft's Windows file sharing, AFP was designed for
trusted LANs and some of the basic assumptions change when these
systems are placed on the public Internet. Users on a secured LAN face
relatively little risk; the most exposed are those using AFP over the
Internet without a VPN," he said.

Users of AFP on a secure network, Adams said, should have little to
worry about.

Adams said systems open to remote connections, such as in educational
institutions, would be vulnerable to "man in the middle" attacks,
where a third server could intercept and harvest passwords
surreptitiously.

Compounding the problem, Adams added, was that SSH connectivity for
AFP would not work at all in the initial releases of Mac OS X 10.3 and
10.3.1.

Adams observed that the problem arises from the fact that AFP treats
SSH as an option rather than a user requirement.

Though his BUGTRAQ warning provided workarounds, such as manually
configuring an SSH tunnel or using SFTP instead, Adams suggested that
SSH should be enabled by default for both client and server and the
user interface modified to clearly warn when the system is unable to
establish an SSH tunnel.

SSH incorporates a number of extensively analyzed security
precautions. Adams said that this is merely a matter of including
those in the AFP user interface.

Though Adams said he first reported this bug to Apple in early
December 2003 and followed up weeks later, he received no response
from the computer manufacturer.

However, he told eWEEK.com that a final notice that he was going to
release the information publicly resulted in a response on Friday.

"It was what I was hoping for originally," he said, a notice that
Apple was looking into the issue and was offering to coordinate
efforts.

An Apple representative declined to expand on Adams' statement.



-
ISN is currently hosted by Attrition.org
