mailing list archives
Re: Mac OS X Server
From: "smenard" <smenard () nbnet nb ca>
Date: Sun, 16 Feb 2003 14:02:01 -0400
It seems that OS X _is_ vulnerablerable to most everything
other unixes are
Good starting points
Last updated 2003-02-14 15:00 Z
Obtaining Mac OS X
Information on obtaining Mac OS X can be found on the Mac OS X website
Information on obtaining Mac OS X Server can be found on the Mac OS X
Server website (http://www.apple.com/macosx/server/).
Software updates are available via:
a.. The Software Update pane in System Preferences
b.. Apple Software Downloads (http://www.apple.com/swupdates/)
Security updates are listed below according to the software release in
which they first appeared. Where possible, CVE IDs
(http://cve.mitre.org/cve/) are used to reference the vulnerabilities for
Mac OS X 10.2.4
a.. Sendmail: Fixes CAN-2002-0906 Buffer overflow in Sendmail before
8.12.5, when configured to use a custom DNS map to query TXT records, could
permit a denial of service attack and possibly allow execution of arbitrary
code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to
also address CAN-2002-1165.
b.. AFP: Fixes CAN-2003-0049 "AFP login permissions for the system
administrator". Provides an option whereby a system administrator may or may
not be allowed to log in as a user, authenticating via their admin password.
Previously, administrators could always log in as a user, authenticating via
their own admin password.
c.. Classic: Fixes CAN-2003-0088, where an attacker may change an
environment variable to create arbitrary files or overwrite existing files,
which could lead to obtaining elevated privileges. Credit to Dave G. from
@stake, Inc. for discovering this issue.
d.. Samba: Previous releases of Mac OS X are not vulnerable to
CAN-2002-1318, an issue in Samba's length checking for encrypted password
changes. Mac OS X currently uses Directory Services for authentication, and
does not call the vulnerable Samba function. However, to prevent a potential
future exploit via this function, the patch from Samba 2.2.7 was applied
although the version of Samba was not changed for this update release.
Further information is available from:
Mac OS X 10.2.3
a.. fetchmail: Fixes CAN-2002-1174 and CAN-2002-1175 that could lead to
a potential denial of service when using the fetchmail command-line tool.
fetchmail is updated to version 6.1.2+IMAP-GSS+SSL+INET6
b.. CUPS: Provides fixes for the following potential issues that could
be exploited remotely when Printer Sharing is enabled. Printer Sharing is
not enabled by default on Mac OS X or Mac OS X Server.
CAN-2002-1383: Multiple Integer Overflows
CAN-2002-1366: /etc/cups/certs/ Race Condition
CAN-2002-1367: Adding Printers with UDP Packets
CAN-2002-1368: Negative Length Memcpy() Calls
CAN-2002-1384: Integer Overflows in pdftops Filter and Xpdf
CAN-2002-1369: Unsafe Strncat Function Call in jobs.c
CAN-2002-1370: Root Certificate Design Flaw
CAN-2002-1371: Zero Width Images in filters/image-gif.c
CAN-2002-1372: File Descriptor Resource Leaks
Security Update 2002-11-21
BIND: Updated to version 8.3.4 to fix potential vulnerabilities in the
domain server and client library from Internet Software Consortium (ISC)
that comes with Mac OS X and Mac OS X Server. BIND is not turned on by
default on Mac OS X or Mac OS X Server.
CVE IDs: CAN-2002-1219, CAN-2002-1220, CAN-2002-1221, CAN-2002-0029
Further information is available at:
Mac OS X 10.2.2
This update addresses the following potential security issues:
a.. CAN-2002-1266: Local User Privilege Elevation via Disk Image File It
is possible for a local user to obtain elevated privileges on a system by
opening a disk image file that was created on another computer with
administrator level privileges.
b.. CAN-2002-0830: This is FreeBSD-SA-02:36.nfs, a potential
vulnerability in the Network File System (NFS) where a remote attacker could
cause a denial of service.
c.. IP Firewall: Under certain circumstances, the ipfw firewall built
into Mac OS X may block packets that are explictly allowed by the firewall
rules. This does not meet the formal requirements of a security
vulnerability and does not obtain a CVE ID.
d.. CAN-2002-1267: CUPS Printing Web Administration is Remotely
Accessible A malicious user could access the port to run the CUPS Printing
Web Administration utility. It would then be possible to cause a denial of
service to a printer.
e.. CAN-2002-1268: User Privilege Elevation via Mounting an ISO 9600 CD
Users could gain elevated privileges when logged into a system that has an
ISO 9600 CD available to the file system.
f.. CAN-2002-1269: NetInfo Manager Application could allow filesystem
access A security vulnerability in the NetInfo Manager application could
allow a malicious user to navigate the file system.
g.. CAN-2002-1270: map_fd() Mach system call can allow a file to be read
The map_fd() Mach system call can allow a caller to read a file for which
they only have write access.
h.. CAN-2002-1265: TCP issue in RPC The RPC-based libc implementation
could fail to properly read data from TCP connections. As a result, a remote
attacker could deny service to system daemons. Further information is
available in CERT VU#266817 at: http://www.kb.cert.org/vuls/id/266817
i.. CAN-2002-0839, CAN-2002-0840, CAN-2002-0843: Apache Apache is
updated to version 1.3.27 to address a number of issues.
Mac OS X Server 10.2.2
a.. Includes all security fixes noted in Mac OS X 10.2.2, plus
CAN-2002-0661, CAN-2002-0654, CAN-2002-0654: Apache 2 Apache 2 is provided
with Mac OS X Server, but not enabled by default. The version is updated to
Apache 2.0.42 to address a number of issues.
StuffIt Expander Security Update 2002-10-15
a.. Stuffit Expander: CAN-2002-0370. This update resolves a potential
security vulnerability in versions 6.5.2 and earlier of Stuffit Expander.
Further information is available at: http://www.kb.cert.org/vuls/id/383779 .
Internet Explorer 5.2.2 2002-10-01
a.. Internet Explorer: CAN-2002-0862. This update resolves potential
security vulnerabilities with the validation of digital certificate chains
in previous versions of Internet Explorer 5. Further information is
available from Microsoft Security Bulletin MS02-050
Security Update 2002-09-20
a.. Terminal: This update fixes a potential vulnerability introduced in
Terminal version 1.3 (v81) that shipped with Mac OS X 10.2 that could allow
an attacker to remotely execute arbitrary commands on the user's system.
Terminal is updated to version 1.3.1 (v82) with this Security Update.
Security Update 2002-08-23
a.. This security update is for Mac OS X 10.2 and applies the fixes
contained in Security Update 2002-08-02 which was for Mac OS X 10.1.5.
Security Update 2002-08-20
a.. Secure Transport: This update enhances the certificate verification
in OS X and is now in full compliance with the Internet X.509 Public Key
Infrastructure Certificate and CRL Profile (RFC2459).
Security Update 2002-08-02
This update addresses the following security vulnerabilities, which affect
current shipping versions of Mac OS X Server. These services are turned off
by default in Mac OS X client, however if these services are turned on then
the client becomes vulnerable. Users of Mac OS X client should also install
a.. OpenSSL: Fixes security vulnerabilities CAN-2002-0656,
CAN-2002-0657, CAN-2002-0655, and CAN-2002-0659. Details are available via:
b.. mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in
mod_ssl Apache module. Details are available via:
c.. Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR
decoder. Details are available via:
Security Update 7-18-02 (2002-07-18)
a.. Software Update: Contains Software Update client 1.4.7 which adds
cryptographic signature verification to the softwareupdate command line
tool. This provides an additional means to perform software updates in a
secure manner, along with the existing Software Update capability contained
in System Preferences.
Security Update 7-12-02 (2002-07-12)
a.. Software Update: Fixes CVE ID CAN-2002-0676 to increase the security
of the Software Update process for systems with Software Update client 1.4.5
or earlier. Packages presented via the Software Update mechanism are now
cryptographically signed, and the new Software Update client 1.4.6 checks
for a valid signature before installing new packages.
Security Update July 2002 (2002-07)
a.. Apache: Fixes CVE ID CAN-2002-0392 which allows remote attackers to
cause a denial of service and possibly execute arbitrary code. Further
details are available from: http://www.cert.org/advisories/CA-2002-17.html
b.. OpenSSH: Fixes two vulnerabilities, CAN-2002-0639 and CAN-2002-0640,
where a remote intruder may be able to execute arbitrary code on the local
system. Further details are available from:
Mac OS X 10.1.5
a.. sudo - Fixes CAN-2002-0184, where a heap overflow in sudo may allow
local users to gain root privileges via special characters in the -p
b.. sendmail - Fixes CVE-2001-0653, where an input validation error
exists in Sendmail's debugging functionality which could lead to a system
Internet Explorer 5.1 Security Update (2002-04)
a.. This addresses a vulnerability that could allow an attacker to take
over your computer. The update is available via the Mac OS X Software Update
Preference pane, and also via:
Mac OS X 10.1.4
a.. TCP/IP broadcast: Addresses CAN-2002-0381 such that TCP/IP
connections now check and block broadcast or multicast IP destination
addresses. Further details at:
Security Update - April 2002 (2002-04)
a.. Apache - updated to version 1.3.23 in order to incorporate the
mod_ssl security fix.
b.. Apache Mod_SSL - updated to version 2.8.7-1.3.23 to address the
buffer overflow vulnerability CAN-2002-0082 which could potentially be used
to run arbitrary code. Further Details at:
c.. groff - updated to version 1.17.2 to address the vulnerability
CAN-2002-0003, where an attacker could gain rights as the 'lp' user
remotely. Further details at:
d.. mail_cmds - updated to fix a vulnerability where users could be
added to the mail group
e.. OpenSSH -- updated to version 3.1p1 to address the vulnerability
CAN-2002-0083, where an attacker could influence the contents of the memory.
Further details at: http://www.pine.nl/advisories/pine-cert-20020301.html
f.. PHP - updated to version 4.1.2 to address the vulnerability
CAN-2002-0081, which could allow an intruder to execute arbitrary code with
the privileges of the web server. Further details at:
g.. rsync - updated to version 2.5.2 to address the vulnerability
CAN-2002-0048 which could lead to corruption of the stack and possibly to
execution of arbitrary code as the root user. Further details at:
h.. sudo - updated to version 1.6.5p2 to address the vulnerability
CAN-2002-0043, where a local user may obtain superuser privileges. Further
Mac OS X 10.1.3
a.. openssh - Updated to version 3.0.2p1 to address several
vulnerabilities in the previous version. For details, please refer to:
b.. WebDAV - Extended the Digest Authentication mode to work with
Mac OS X 10.1 Security Update 10-19-01 (2001-10-19)
a.. Fixes the vulnerability described in
http://www.stepwise.com/Articles/Admin/2001-10-15.01.html where an
application can be granted root access privileges.
Internet Explorer 5.1.1
a.. IE 5.1.1 - Fixes a problem with IE 5.1 bundled with Mac OS X v10.1
where Internet Explorer executes downloaded software automatically, which
could result in data loss or other harm. More information is available in
technical document 106503, "Mac OS X 10.1: Internet Explorer Executes
Downloaded Software Automatically".
Mac OS X 10.1
a.. crontab - Fixes the vulnerability described in FreeBSD-SA-01:09
v1.1.asc) where local users can read arbitrary local files that conform to a
valid crontab file syntax.
a.. Fixes the buffer overflow vulnerability described in
b.. Fixes the large header problem described in BugTraq
MDKSA-2001:063: fetchmail (http://www.securityfocus.com/advisories/3426)
c.. Fixes the memory overwrite vulnerability described in BugTraq
c.. ipfw - Fixes the vulnerability described in FreeBSD-SA-01:08.ipfw
) where a remote attack may be constructed with TCP packets with the ECE
d.. java - Fixes the vulnerability described
type=0&nav=sec.sbl&ttl=sec.sbl where an untrusted applet may monitor
requests to and responses from an HTTP proxy server.
e.. open() syscall - Fixes the vulnerability described in
.asc) where another user on the system could do unauthorized I/O
f.. OpenSSL - Included version 0.9.6b which contains a number of fixes
from the previous version. See http://www.openssl.org/ for details.
g.. procmail - Fixed the vulnerability described in Red Hat
where signals are not handled correctly.
h.. rwhod - Fixes the vulnerability described in FreeBSD-SA-01:29.rwhod
c) where remote users can cause the rwhod daemon to crash, denying service
i.. setlocale() string overflow - Fixes the vulnerability described in
ocale) where the setlocale() call contains a number of potential exploits
through string overflows during environment variable expansion
j.. sort - Fixes the vulnerability described in CERT Vulnerability Note
VU#417216 (http://www.kb.cert.org/vuls/id/417216) where an intruder may be
able to block the operation of system administration programs by crashing
the sort utility.
k.. system clipboard / J2SE - Fixes a security issue that permitted
unauthorized applets access to the system clipboard.
l.. tcpdump - Fixes the vulnerability described in FreeBSD-SA-01:48
asc) where remote users can cause the local tcpdump process to crash, and
may be able to cause arbitrary code to be executed.
m.. TCP Initial Sequence Numbers - Fixes the potential vulnerability
described in FreeBSD-SA-00:52
asc) where the algorithm to generate the number the system will use for the
next incoming TCP connection was not sufficiently random
n.. tcsh '>>' operator - Fixes the vulnerability described in
.asc) where unprivileged local users can cause an arbitrary file to be
overwritten when another person invokes the '<<' operator in tcsh (e.g. from
within a shell script)
o.. telnetd - Fixes the vulnerability described in FreeBSD-SA-01:49
v1.1.asc) where remote users can cause arbitrary code to be executed as the
user running telnetd.
p.. timed - Fixes the vulnerability described in FreeBSD-SA-01:28
c) where remote users can cause the timed daemon to crash, denying service
Mac OS X Server 10.1
a.. MySQL 3.23.42 - Contains a number of fixes from the previous
version. See the 3.23.42 section on the MySQL site
(http://www.mysql.com/downloads/mysql-3.23.html) for details.
b.. Tomcat 3.2.3 - Contains a number of fixes from the previous version.
See the Tomcat site (http://jakarta.apache.org/tomcat/) for details.
c.. Apache - Fixed the .DS_Store file vulnerability described in
d.. Apache - Fixed the potential vulnerability where .htaccess files
might be visible to web browsers if created on HFS+ volumes. The files
directive in the http.conf file was modified to block from visibility to web
browsers all files whose names begin with .ht, regardless of case.
Mac OS X Web Sharing Update 1.0
a.. Apache 1.3.19 - Fixes security issues with sites use of the mass
virtual hosting module mod_vhost_alias or mod_rewrite.
b.. mod_hfs_apple - Addresses Apache case-insensitivity problems on Mac
OS Extended (HFS+) volumes.
c.. OpenSSH 2.9p2 - Fixes SSH1 vulnerability described in
d.. sudo - Fixes the buffer overflow vulnerability described in
Mac OS X 10.0.4 Server Update
a.. Samba 2.0.9 - Addresses the macro vulnerability described in
b.. sudo - Fixes the buffer overflow vulnerability described in
Mac OS X 10.0.2
a.. FTP - Fixes the File Globbing vulnerability described in CERT(R)
Advisory CA-2001-07 (http://www.cert.org/advisories/CA-2001-07.html)
b.. NTP - Fixes the buffer overflow vulnerability described in
Mac OS X 10.0.1
a.. OpenSSH-2.3.0p1 - SSH services are enabled via the Sharing pane in
Mac OS Runtime for Java (MRJ) 2.2.5
a.. MRJ 2.2.5 - Fixes a security issue that permitted unauthorized
applets access to the system clipboard.
----- Original Message -----
From: "James Chamier" <secnotify () chamier co uk>
To: <pen-test () securityfocus com>
Sent: Thursday, February 13, 2003 11:03 AM
Subject: Mac OS X Server
Has anyone done a pen test of a Mac OS X server remotely ? Are there any
freely available clients for the apple file transfer over ip, or anything
obvious I should see ?
This list is provided by the SecurityFocus Security Intelligence Alert
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
Do you know the base address of the Global Offset Table (GOT) on a Solaris 8
CORE IMPACT does.
- Mac OS X Server James Chamier (Feb 13)
- Re: Mac OS X Server smenard (Feb 19)