Vulnerability Development mailing list archives

Re: Apple Mac DoS


From: Ian Stoba <ian () BABCOCKBROWN COM>
Date: Thu, 14 Dec 2000 10:04:46 -0800

I have realized that my earlier post about the smurf amplification is not the
same as what The Q is describing here.

afpovertcp is the TCP/IP version of Apple's afp file services that have
traditionally run over AppleTalk. This service is enabled by turning on afp
services in the File Sharing Control Panel and ticking the "Enable File
Sharing Clients to Connect Over TCP/IP" box.

I would assume that the svrloc service running on port 427 is some sort of
server discovery protocol. I don't know this for sure since the version of
Inside AppleTalk I have at hand predates the IP services.

The workaround here is to simply uncheck the box to run afp services over IP.

Note that these services may also be expected by the Network Browser
application and the Browse Internet scriptlet thing, both of which can accept
URLs beginning with afp://

On my own Mac with these services running I was not able to telnet to port 548
(I got a connection refused). However, I did get a prompt on port 427. I typed
in about 20 characters of random garbage and got a long binary response which
I will try to capture and decode.

Jurriaan Kamer wrote:

On Wed, Dec 13, 2000 at 09:54:58AM -0000, The Q wrote:

  - Ports open are

  testhost@testhost ]$ nmap 192.168.1.96     ## IP of a mac boxen

  Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
  Interesting ports on  (192.168.1.96):
  (The 1521 ports scanned but not shown below are in state: closed)
  Port       State       Service
  427/tcp    open        svrloc
  548/tcp    open        afpovertcp

  Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds


As far as I know, there are no ports opened by default by Mac OS 9.
I guess it's one of the programs running on the Mac-box causing the open
ports, and also causing the DoS vulnerability.

What applications (visible and invisible) were you running when you
executed this nmap?

Greetz,

Jurriaan
--
::::: Jurriaan Kamer, QaJurria, jur () blaat nl, http://www.blaat.nl/ ::::::
; Perl, PHP, MySQL, HTML, Webdesign, JavaScript, Security Consultancy   ;
; God is real, unless declared integer. vim -c :1,\$s/Windows\ NT//gi * ;
; perl -e 'print pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
----------------------------------------- (on tiburon)
