Penetration Testing mailing list archives

Re: Apple pentesting


From: Daniel <deeper () gmail com>
Date: Wed, 6 Apr 2005 00:35:49 +0100

I'll answer your questions individually.

The first thing to understand is that not all vulnerabilities have a
corresponding "publicly available" exploit; yes, the 0hday still
exists.

<<where is the exploit information?>>

As I said before, not all known vulnerabilities have publicly
available exploit code. I'd suggest getting kinky with Metasploit or a
subscription to Canvas/that other one I can't think of right now. If
they are publicly available, those crazy French peeps over at k-otik
may have it (http://www.frsirt.com/english/).

<<What is the vulnerability?>>

If you're on the pen-test mailing list, I'm gathering you're a security
consultant and have some idea of where security vulnerabilities are
announced; if not, Google, securityfocus.com, apple.com/security and the
full-disclosure mailing list.

<<Do exploits exist?>>

Oh yes, they do, and don't let some vendor tell you otherwise.

<<Can you test if you are vulnerable?>>

This is the main issue currently splitting the security consultancy
industry in half: on the one hand you have people who call themselves
"pen-testers" but are only able to rely on automated tools and scripts
to test (and therefore should be known as vulnerability assessment
consultants), and on the other you have consultants who are able to
read a vulnerability statement and have an understanding of how to look
for the issue and perform a test.

Here, very roughly, is how you could test:

Find a vulnerability that you know you have the skill set to test for.
Hmmm, in this case I'll pick the iTunes issue found by those lovely
people at iDefense:

http://www.idefense.com/application/poi/display?id=180&type=vulnerabilities

* I'm using this one as an example; yes, you need the person to click
and listen to the playlist, but hell, social engineering is all part of
the game, so apologies to all that it's not a 100% remote issue *

So the issue is that iTunes gets its knickers in a knot when parsing
playlist files which may contain really long URL file entries. This is
a simple, classic issue, well documented, and armed with your copy of
the Shellcoder's Handbook it is easy to create a test for.

[playlist]
numberofentries=1
File1=http://[P x 3333] 2233 
Length1=-1
Version=2

Save that file and somehow get a person on the box to open it (pretty
easy: tell them you're doing a test for the IT department and this is to
check to see if the microphone is enabled, as if it is, a virus could
record all office noise).

iTunes will crash, and if you took steps to actually exploit this
crash, you may end up with code being executed.


<<Apple doesn't follow Full-Disclosure>>

And I'm 1000% supportive of this process, as are
Microsoft/Oracle/Sun/Sybase etc. Why should they report detailed
information about the security hole? They list the issue, and also
whether it was fixed and how to go about fixing it using a supplied
patch or method.

Here's hoping all the questions raised have been answered?

Daniel
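Added example, not part of Daniel's message or the iDefense advisory: a small Python parser for .pls playlists that applies the check a hardened player (or a mail/web gateway triaging attachments) should apply, rejecting structurally malformed files and flagging File entries whose URL exceeds a length bound, instead of copying them blindly into a fixed buffer. It is run over a benign constructed playlist and one modelled on the oversized-URL test file above. The 1024-byte threshold, the sample contents and the function names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs (not real captures). The second mirrors the
# shape of the test file in the thread: one entry whose URL is 3333 'P's.
BENIGN_PLS = """[playlist]
numberofentries=1
File1=http://radio.example.test/stream.mp3
Title1=Example stream
Length1=-1
Version=2
"""

SUSPICIOUS_PLS = (
    "[playlist]\n"
    "numberofentries=1\n"
    "File1=http://" + "P" * 3333 + "\n"
    "Length1=-1\n"
    "Version=2\n"
)

# Assumed bound on a sane playlist URL; tune it to what the consuming
# player actually tolerates. Anything above it is worth a second look.
MAX_URL_LEN = 1024

# Per-entry keys carry a 1-based index: File1, Title1, Length1, ...
ENTRY_RE = re.compile(r"^(File|Title|Length)(\d+)=(.*)$")


def parse_pls(text: str) -> Tuple[Dict[str, str], Dict[int, Dict[str, str]]]:
    """Parse a .pls playlist into (header fields, {index: entry fields}).

    Raises ValueError on structural problems: missing [playlist] header,
    a line without '=', or a numberofentries that does not match the
    entries actually present (a cheap consistency check that a parser
    trusting the declared count would skip).
    """
    header: Dict[str, str] = {}
    entries: Dict[int, Dict[str, str]] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != "[playlist]":
        raise ValueError("missing [playlist] section header")
    for ln in lines[1:]:
        m = ENTRY_RE.match(ln)
        if m:
            key, idx, val = m.group(1), int(m.group(2)), m.group(3)
            entries.setdefault(idx, {})[key] = val
            continue
        if "=" not in ln:
            raise ValueError(f"malformed line: {ln[:40]!r}")
        k, v = ln.split("=", 1)
        header[k.strip().lower()] = v.strip()
    declared = header.get("numberofentries")
    if declared is not None and (
        not declared.isdigit() or int(declared) != len(entries)
    ):
        raise ValueError(
            f"numberofentries={declared!r} but {len(entries)} entries found"
        )
    return header, entries


def find_oversized_entries(text: str, max_len: int = MAX_URL_LEN) -> List[Tuple[int, int]]:
    """Return (entry index, URL length) for every File entry longer than max_len."""
    _, entries = parse_pls(text)
    return [
        (i, len(e["File"]))
        for i, e in sorted(entries.items())
        if "File" in e and len(e["File"]) > max_len
    ]


def is_valid_pls(text: str, max_len: int = MAX_URL_LEN) -> bool:
    """True only if the file parses cleanly and no File URL exceeds max_len."""
    try:
        return not find_oversized_entries(text, max_len)
    except ValueError:
        return False


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLS), ("suspicious", SUSPICIOUS_PLS)):
        print(name, "valid" if is_valid_pls(sample) else "REJECT",
              find_oversized_entries(sample))
```

Run as a script it accepts the benign playlist and rejects the constructed one, reporting entry 1 with a 3340-character URL. The same two rules, a hard cap on field length before any copy and a declared count that must agree with what was parsed, are what separate a parser that merely reads the format from one that survives hostile input.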
On Apr 5, 2005 7:59 PM, Todd Towles <toddtowles () brookshires com> wrote:
And I ask you, where is the exploit information? What is the
vulnerability? Do exploits exist? Can you test if you are vulnerable?
This is a site that lists patches... not the same thing. Interesting that
you think they are the same. Apple doesn't follow Full-Disclosure, that
was my point.

I didn't mean they don't patch...

-----Original Message-----
From: Altheide, Cory B. (IARC) [mailto:AltheideC () nv doe gov]
Sent: Tuesday, April 05, 2005 1:55 PM
To: Todd Towles; Julian Totzek; pen-test () securityfocus com
Subject: RE: Apple pentesting

-----Original Message-----
From: Todd Towles [mailto:toddtowles () brookshires com]
Sent: Tuesday, April 05, 2005 10:48 AM
To: Julian Totzek; pen-test () securityfocus com
Subject: RE: Apple pentesting


Nessus does work against Macs; the problem with testing Macs is they
never released vulnerability statements... never. If a hole is found,
Apple releases a patch and no one says anything. If Microsoft did
this... everyone would go crazy.

I'm gonna go out on a limb and say you don't know what you're talking about.

Protip:  Google for 'apple security' and this is the first hit.

http://docs.info.apple.com/article.html?artnum=61798


Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
altheidec () nv doe gov
"I have taken all knowledge to be my province." -- Francis Bacon
