Vulnerability Development mailing list archives
Re: Apple Mac DoS
From: Ian Stoba <ian () BABCOCKBROWN COM>
Date: Thu, 14 Dec 2000 10:04:46 -0800
I have realized that my earlier post about the smurf amplification is not the same as what The Q is describing here. afpovertcp is the TCP/IP version of Apple's afp file services that have traditionally run over AppleTalk. This service is enabled by turning on afp services in the File Sharing Control Panel and ticking the "Enable File Sharing Clients to Connect Over TCP/IP" box. I would assume that the svrloc service running on port 427 is some sort of server discovery protocol. I don't know this for sure since the version of Inside AppleTalk I have at hand predates the IP services. The workaround here is to simply uncheck the box to run afp services over IP. Note that these services may also be expected by the Network Browser application and the Browse Internet scriptlet thing, both of which can accept URLs beginning with afp:// On my own Mac with these services running I was not able to telnet to port 548 (I got a connection refused). However, I did get a prompt on port 427. I typed in about 20 characters of random garbage and got a long binary response which I will try to capture and decode. Jurriaan Kamer wrote:
On Wed, Dec 13, 2000 at 09:54:58AM -0000, The Q wrote:- Ports open are testhost@testhost ]$ nmap 192.168.1.96 ## IP of a mac boxen Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ ) Interesting ports on (192.168.1.96): (The 1521 ports scanned but not shown below are in state: closed) Port State Service 427/tcp open svrloc 548/tcp open afpovertcp Nmap run completed -- 1 IP address (1 host up) scanned in 8 secondsAs far as I know, there are no ports opened by default by Mac OS 9. I guess it's one of the programs running on the Mac-box causing the open ports, and also causing the DoS vulnerability. What applications (visible and invisble) were you running when you executed this nmap? Greetz, Jurriaan -- ::::: Jurriaan Kamer, QaJurria, jur () blaat nl, http://www.blaat.nl/ :::::: ; Perl, PHP, MySQL, HTML, Webdesign, JavaScript, Security Consultancy ; ; God is real, unless declared integer. vim -c :1,\$s/Windows\ NT//gi * ; ; perl -e 'print pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
----------------------------------------- (on tiburon) This email message may contain information that is confidential and proprietary to Babcock & Brown or a third party. If you are not the intended recipient, please contact the sender and destroy the original and any copies of the original message. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon, the information contained in this message by persons other than the intended recipient is prohibited. While Babcock & Brown has taken reasonable steps to do so, it does not represent, warrant and/or guarantee that the integrity of this communication has been maintained nor that the message is free of errors, viruses, interception or interference. Additional Legal Notices can be found at http://www.babcockbrown.com/email_disclaimer.html ---------------------------------------------------------
Current thread:
- Apple Mac DoS The Q (Dec 15)
- Re: Apple Mac DoS Jurriaan Kamer (Dec 15)
- Re: Apple Mac DoS Ian Stoba (Dec 15)
- Re: Apple Mac DoS Daniel J. Luke (Dec 15)
- Re: Apple Mac DoS Daniel Harrison (Dec 15)
- Re: Apple Mac DoS Martin Sunnerdahl (Dec 15)
- Re: Apple Mac DoS Ian Stoba (Dec 15)
- Re: Apple Mac DoS Daniel J. Luke (Dec 15)
- Re: Apple Mac DoS 3APA3A (Dec 15)
- Re: Apple Mac DoS Ian Stoba (Dec 15)
- <Possible follow-ups>
- Re: Apple Mac DoS Matteo,Marc A. (Dec 17)
- Re: Apple Mac DoS Daniel J. Luke (Dec 18)
- Re: Apple Mac DoS Matteo,Marc A. (Dec 18)
- Re: Apple Mac DoS Daniel J. Luke (Dec 18)
- Re: Apple Mac DoS Jurriaan Kamer (Dec 15)