Penetration Testing mailing list archives
Re: Apple pentesting
From: Daniel <deeper () gmail com>
Date: Wed, 6 Apr 2005 00:35:49 +0100
I'll answer your questions individually. First thing to understand is that not all vulnerabilities have a corresponding "publicly available" exploit; yes, the 0hday still exists.

<<where is the exploit information?>>

As I said before, not all known vulnerabilities have publicly available exploit code. I'd suggest getting kinky with Metasploit or a subscription to Canvas/that other one I can't think of right now. If they are publicly available, those crazy French peeps over at k-otik may have it (http://www.frsirt.com/english/).

<<What is the vulnerability?>>

If you're on the pen-test mailing list, I'm gathering you're a sexurity conslutant and have some idea of where security vulnerabilities are announced; if not, google/securityfocus.com/apple.com/security & the full-disclosure mailing list.

<<Do exploits exist?>>

Oh yes, they do, and don't let some vendor tell you otherwise.

<<Can you test if you are vulnerable?>>

This is the main issue currently splitting the security consultancy industry in half at the moment. On the one hand you have people who call themselves "pen-testers" but are only able to rely on automated tools and scripts to test (and therefore should be known as vulnerability assessment consultants), and then you have consultants who are able to read a vulnerability statement and have an understanding of how to look for the issue and perform a test.

Here, very roughly, is how you could test: find a vulnerability that you know you have the skill set to test for. Hmmm, in this case I'll pick the iTunes issue found by those lovely people at iDefense: http://www.idefense.com/application/poi/display?id=180&type=vulnerabilities

* I'm using this one as an example; yes, you need the person to click and listen to the playlist, but hell, social engineering is all part of the game, so apologies to all that it's not a 100% remote issue *

So the issue is that iTunes gets its knickers in a knot when parsing playlist files which may contain really long URL file entries.
Well this is a simple classic issue here, well documented, and armed with your copy of the Shellcoder's Handbook, easy to create a test for.

    [playlist]
    numberofentries=1
    File1=http://[P x 3333] 2233
    Length1=-1
    Version=2

Save that file and somehow get a person on the box to open it (pretty easy: tell them you're doing a test for the IT department and this is to check to see if the microphone is enabled, as if it is, a virus could record all office noise). iTunes will crash, and if you took steps to actually exploit this crash, you may end up with code being executed.

<<Apple doesn't follow Full-Disclosure>>

And I'm 1000% supportive of this process, as is Microsoft/Oracle/Sun/Sybase etc. Why should they report detailed information about the security hole? They list the issue and also if it was fixed and how to go about fixing it using a supplied patch or method.

Here's hoping all the questions raised have been answered?

Daniel

On Apr 5, 2005 7:59 PM, Todd Towles <toddtowles () brookshires com> wrote:
And I ask you: where is the exploit information? What is the vulnerability? Do exploits exist? Can you test if you are vulnerable? This is a site that lists patches..not the same thing. Interesting that you think they are the same. Apple doesn't follow Full-Disclosure, that was my point. I didn't mean they don't patch...

-----Original Message-----
From: Altheide, Cory B. (IARC) [mailto:AltheideC () nv doe gov]
Sent: Tuesday, April 05, 2005 1:55 PM
To: Todd Towles; Julian Totzek; pen-test () securityfocus com
Subject: RE: Apple pentesting

-----Original Message-----
From: Todd Towles [mailto:toddtowles () brookshires com]
Sent: Tuesday, April 05, 2005 10:48 AM
To: Julian Totzek; pen-test () securityfocus com
Subject: RE: Apple pentesting

Nessus does work against Macs, the problem with testing Macs is they never released vulnerability statements..never. If a hole is found, Apple releases a patch and no one says anything. If Microsoft did this..everyone would go crazy.

I'm gonna go out on a limb and say you don't know what you're talking about. Protip: Google for 'apple security' and this is the first hit. http://docs.info.apple.com/article.html?artnum=61798

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
altheidec () nv doe gov
"I have taken all knowledge to be my province." -- Francis Bacon
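The missing bounds check that Daniel's iTunes test exercises, shown from the defensive side as an added example (not code from this thread or from Apple): a small .pls parser that validates the playlist and refuses any File entry longer than an assumed limit before anything downstream touches it. The 2048-byte bound, the URL schemes and the sample playlists are my assumptions; the page states no actual limit.

```python
import re

MAX_URL_LEN = 2048  # assumed conservative bound; the real iTunes limit is not on the page


class PlaylistError(ValueError):
    """Raised for any structurally invalid or oversized playlist."""


def parse_pls(text, max_url_len=MAX_URL_LEN):
    """Parse a .pls playlist into a list of entries, rejecting oversized URLs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != "[playlist]":
        raise PlaylistError("missing [playlist] header")
    fields = {}
    for line in lines[1:]:
        if "=" not in line:
            raise PlaylistError("malformed line: %r" % line[:40])
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    try:
        count = int(fields.get("numberofentries", "0"))
    except ValueError:
        raise PlaylistError("numberofentries is not an integer")
    entries = []
    for i in range(1, count + 1):
        url = fields.get("file%d" % i)
        if url is None:
            raise PlaylistError("missing File%d" % i)
        # The check the post describes as absent: bound the URL length up front.
        if len(url) > max_url_len:
            raise PlaylistError("File%d is %d bytes, limit %d" % (i, len(url), max_url_len))
        if not re.match(r"^(https?|file)://", url):
            raise PlaylistError("File%d has an unsupported scheme" % i)
        try:
            length = int(fields.get("length%d" % i, "-1"))
        except ValueError:
            raise PlaylistError("Length%d is not an integer" % i)
        entries.append({"url": url, "title": fields.get("title%d" % i, ""), "length": length})
    return entries


def is_safe(text):
    """True if the playlist parses cleanly under the bounds above."""
    try:
        parse_pls(text)
        return True
    except PlaylistError:
        return False


# Constructed samples: one ordinary playlist, one shaped like the overlong entry described above.
BENIGN = "[playlist]\nnumberofentries=1\nFile1=http://example.invalid/stream\nTitle1=Test\nLength1=-1\nVersion=2\n"
OVERLONG = "[playlist]\nnumberofentries=1\nFile1=http://" + "P" * 3333 + "\nLength1=-1\nVersion=2\n"
```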