It seems that OS X _is_ vulnerable to most everything other unixes are.

Good starting points:

steve

http://docs.info.apple.com/article.html?artnum=61798
Last updated 2003-02-14 15:00 Z

Security Updates

Obtaining Mac OS X

Information on obtaining Mac OS X can be found on the Mac OS X website (http://www.apple.com/macosx/). Information on obtaining Mac OS X Server can be found on the Mac OS X Server website (http://www.apple.com/macosx/server/).

Software updates are available via:
a.. The Software Update pane in System Preferences
b.. Apple Software Downloads (http://www.apple.com/swupdates/)

Security updates

Security updates are listed below according to the software release in which they first appeared. Where possible, CVE IDs (http://cve.mitre.org/cve/) are used to reference the vulnerabilities for further information.

Mac OS X 10.2.4

a.. Sendmail: Fixes CAN-2002-0906. Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, could permit a denial of service attack and possibly allow execution of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to also address CAN-2002-1165.
b.. AFP: Fixes CAN-2003-0049 "AFP login permissions for the system administrator". Provides an option whereby a system administrator may or may not be allowed to log in as a user, authenticating via their admin password. Previously, administrators could always log in as a user, authenticating via their own admin password.
c.. Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable to create arbitrary files or overwrite existing files, which could lead to obtaining elevated privileges. Credit to Dave G. from @stake, Inc. for discovering this issue.
d.. Samba: Previous releases of Mac OS X are not vulnerable to CAN-2002-1318, an issue in Samba's length checking for encrypted password changes.
    Mac OS X currently uses Directory Services for authentication, and does not call the vulnerable Samba function. However, to prevent a potential future exploit via this function, the patch from Samba 2.2.7 was applied although the version of Samba was not changed for this update release. Further information is available from: http://samba.org/samba/whatsnew/samba-2.2.7.html

Mac OS X 10.2.3

a.. fetchmail: Fixes CAN-2002-1174 and CAN-2002-1175 that could lead to a potential denial of service when using the fetchmail command-line tool. fetchmail is updated to version 6.1.2+IMAP-GSS+SSL+INET6
b.. CUPS: Provides fixes for the following potential issues that could be exploited remotely when Printer Sharing is enabled. Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.
    CAN-2002-1383: Multiple Integer Overflows
    CAN-2002-1366: /etc/cups/certs/ Race Condition
    CAN-2002-1367: Adding Printers with UDP Packets
    CAN-2002-1368: Negative Length Memcpy() Calls
    CAN-2002-1384: Integer Overflows in pdftops Filter and Xpdf
    CAN-2002-1369: Unsafe Strncat Function Call in jobs.c
    CAN-2002-1370: Root Certificate Design Flaw
    CAN-2002-1371: Zero Width Images in filters/image-gif.c
    CAN-2002-1372: File Descriptor Resource Leaks

Security Update 2002-11-21

BIND: Updated to version 8.3.4 to fix potential vulnerabilities in the domain server and client library from Internet Software Consortium (ISC) that comes with Mac OS X and Mac OS X Server. BIND is not turned on by default on Mac OS X or Mac OS X Server.
CVE IDs: CAN-2002-1219, CAN-2002-1220, CAN-2002-1221, CAN-2002-0029
Further information is available at:
http://www.cert.org/advisories/CA-2002-31.html
http://www.kb.cert.org/vuls/id/457875

Mac OS X 10.2.2

This update addresses the following potential security issues:

a.. CAN-2002-1266: Local User Privilege Elevation via Disk Image File
    It is possible for a local user to obtain elevated privileges on a system by opening a disk image file that was created on another computer with administrator level privileges.
b.. CAN-2002-0830: This is FreeBSD-SA-02:36.nfs, a potential vulnerability in the Network File System (NFS) where a remote attacker could cause a denial of service.
c.. IP Firewall: Under certain circumstances, the ipfw firewall built into Mac OS X may block packets that are explicitly allowed by the firewall rules. This does not meet the formal requirements of a security vulnerability and does not obtain a CVE ID.
d.. CAN-2002-1267: CUPS Printing Web Administration is Remotely Accessible
    A malicious user could access the port to run the CUPS Printing Web Administration utility. It would then be possible to cause a denial of service to a printer.
e.. CAN-2002-1268: User Privilege Elevation via Mounting an ISO 9600 CD
    Users could gain elevated privileges when logged into a system that has an ISO 9600 CD available to the file system.
f.. CAN-2002-1269: NetInfo Manager Application could allow filesystem access
    A security vulnerability in the NetInfo Manager application could allow a malicious user to navigate the file system.
g.. CAN-2002-1270: map_fd() Mach system call can allow a file to be read
    The map_fd() Mach system call can allow a caller to read a file for which they only have write access.
h.. CAN-2002-1265: TCP issue in RPC
    The RPC-based libc implementation could fail to properly read data from TCP connections. As a result, a remote attacker could deny service to system daemons. Further information is available in CERT VU#266817 at: http://www.kb.cert.org/vuls/id/266817
i.. CAN-2002-0839, CAN-2002-0840, CAN-2002-0843: Apache
    Apache is updated to version 1.3.27 to address a number of issues.

Mac OS X Server 10.2.2

a.. Includes all security fixes noted in Mac OS X 10.2.2, plus CAN-2002-0661, CAN-2002-0654, CAN-2002-0654: Apache 2
    Apache 2 is provided with Mac OS X Server, but not enabled by default. The version is updated to Apache 2.0.42 to address a number of issues.

StuffIt Expander Security Update 2002-10-15

a.. Stuffit Expander: CAN-2002-0370. This update resolves a potential security vulnerability in versions 6.5.2 and earlier of Stuffit Expander. Further information is available at: http://www.kb.cert.org/vuls/id/383779

Internet Explorer 5.2.2 2002-10-01

a.. Internet Explorer: CAN-2002-0862. This update resolves potential security vulnerabilities with the validation of digital certificate chains in previous versions of Internet Explorer 5. Further information is available from Microsoft Security Bulletin MS02-050 (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-050.asp).

Security Update 2002-09-20

a.. Terminal: This update fixes a potential vulnerability introduced in Terminal version 1.3 (v81) that shipped with Mac OS X 10.2 that could allow an attacker to remotely execute arbitrary commands on the user's system. Terminal is updated to version 1.3.1 (v82) with this Security Update.

Security Update 2002-08-23

a.. This security update is for Mac OS X 10.2 and applies the fixes contained in Security Update 2002-08-02 which was for Mac OS X 10.1.5.

Security Update 2002-08-20

a.. Secure Transport: This update enhances the certificate verification in OS X and is now in full compliance with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC2459).

Security Update 2002-08-02

This update addresses the following security vulnerabilities, which affect current shipping versions of Mac OS X Server. These services are turned off by default in Mac OS X client; however, if these services are turned on then the client becomes vulnerable. Users of Mac OS X client should also install this update.

a.. OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657, CAN-2002-0655, and CAN-2002-0659. Details are available via: http://www.cert.org/advisories/CA-2002-23.html
b.. mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the mod_ssl Apache module. Details are available via: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
c.. Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder. Details are available via: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

Security Update 7-18-02 (2002-07-18)

a.. Software Update: Contains Software Update client 1.4.7 which adds cryptographic signature verification to the softwareupdate command line tool. This provides an additional means to perform software updates in a secure manner, along with the existing Software Update capability contained in System Preferences.

Security Update 7-12-02 (2002-07-12)

a.. Software Update: Fixes CVE ID CAN-2002-0676 to increase the security of the Software Update process for systems with Software Update client 1.4.5 or earlier. Packages presented via the Software Update mechanism are now cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing new packages.

Security Update July 2002 (2002-07)

a.. Apache: Fixes CVE ID CAN-2002-0392 which allows remote attackers to cause a denial of service and possibly execute arbitrary code. Further details are available from: http://www.cert.org/advisories/CA-2002-17.html
b.. OpenSSH: Fixes two vulnerabilities, CAN-2002-0639 and CAN-2002-0640, where a remote intruder may be able to execute arbitrary code on the local system. Further details are available from: http://www.cert.org/advisories/CA-2002-18.html

Mac OS X 10.1.5

a.. sudo - Fixes CAN-2002-0184, where a heap overflow in sudo may allow local users to gain root privileges via special characters in the -p (prompt) argument.
b.. sendmail - Fixes CVE-2001-0653, where an input validation error exists in Sendmail's debugging functionality which could lead to a system compromise.

Internet Explorer 5.1 Security Update (2002-04)

a.. This addresses a vulnerability that could allow an attacker to take over your computer. The update is available via the Mac OS X Software Update Preference pane, and also via: http://www.microsoft.com/security/security_bulletins/ms02019_mac.asp

Mac OS X 10.1.4

a.. TCP/IP broadcast: Addresses CAN-2002-0381 such that TCP/IP connections now check and block broadcast or multicast IP destination addresses. Further details at: http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35022

Security Update - April 2002 (2002-04)

a.. Apache - updated to version 1.3.23 in order to incorporate the mod_ssl security fix.
b.. Apache Mod_SSL - updated to version 2.8.7-1.3.23 to address the buffer overflow vulnerability CAN-2002-0082 which could potentially be used to run arbitrary code. Further details at: http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html
c.. groff - updated to version 1.17.2 to address the vulnerability CAN-2002-0003, where an attacker could gain rights as the 'lp' user remotely. Further details at: http://online.securityfocus.com/advisories/3859
d.. mail_cmds - updated to fix a vulnerability where users could be added to the mail group
e.. OpenSSH - updated to version 3.1p1 to address the vulnerability CAN-2002-0083, where an attacker could influence the contents of the memory. Further details at: http://www.pine.nl/advisories/pine-cert-20020301.html
f.. PHP - updated to version 4.1.2 to address the vulnerability CAN-2002-0081, which could allow an intruder to execute arbitrary code with the privileges of the web server. Further details at: http://www.cert.org/advisories/CA-2002-05.html
g.. rsync - updated to version 2.5.2 to address the vulnerability CAN-2002-0048 which could lead to corruption of the stack and possibly to execution of arbitrary code as the root user. Further details at: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:10.rsync.asc
h.. sudo - updated to version 1.6.5p2 to address the vulnerability CAN-2002-0043, where a local user may obtain superuser privileges. Further details at: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:06.sudo.asc

Mac OS X 10.1.3

a.. openssh - Updated to version 3.0.2p1 to address several vulnerabilities in the previous version. For details, please refer to: http://www.openssh.com/security.html
b.. WebDAV - Extended the Digest Authentication mode to work with additional servers

Mac OS X 10.1 Security Update 10-19-01 (2001-10-19)

a.. Fixes the vulnerability described in http://www.stepwise.com/Articles/Admin/2001-10-15.01.html where an application can be granted root access privileges.

Internet Explorer 5.1.1

a.. IE 5.1.1 - Fixes a problem with IE 5.1 bundled with Mac OS X v10.1 where Internet Explorer executes downloaded software automatically, which could result in data loss or other harm. More information is available in technical document 106503, "Mac OS X 10.1: Internet Explorer Executes Downloaded Software Automatically".

Mac OS X 10.1

a.. crontab - Fixes the vulnerability described in FreeBSD-SA-01:09 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:09.crontab.v1.1.asc) where local users can read arbitrary local files that conform to a valid crontab file syntax.
b.. fetchmail
    a.. Fixes the buffer overflow vulnerability described in FreeBSD-SA-01:43 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:43.fetchmail.asc)
    b.. Fixes the large header problem described in BugTraq MDKSA-2001:063: fetchmail (http://www.securityfocus.com/advisories/3426)
    c.. Fixes the memory overwrite vulnerability described in BugTraq ESA-20010816-01: fetchmail-ssl (http://www.securityfocus.com/advisories/3502)
c.. ipfw - Fixes the vulnerability described in FreeBSD-SA-01:08.ipfw (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:08.ipfw.asc) where a remote attack may be constructed with TCP packets with the ECE flag set.
d.. java - Fixes the vulnerability described in: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216&type=0&nav=sec.sbl&ttl=sec.sbl where an untrusted applet may monitor requests to and responses from an HTTP proxy server.
e.. open() syscall - Fixes the vulnerability described in FreeBSD-SA-97:05.open (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-97:05.open.asc) where another user on the system could do unauthorized I/O instructions
f.. OpenSSL - Included version 0.9.6b which contains a number of fixes from the previous version. See http://www.openssl.org/ for details.
g.. procmail - Fixed the vulnerability described in Red Hat RHSA-2001:093-03 (http://www.redhat.com/support/errata/RHSA-2001-093.html) where signals are not handled correctly.
h.. rwhod - Fixes the vulnerability described in FreeBSD-SA-01:29.rwhod (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:29.rwhod.asc) where remote users can cause the rwhod daemon to crash, denying service to clients.
i.. setlocale() string overflow - Fixes the vulnerability described in FreeBSD-SA-97:01.setlocale (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-97:01.setlocale) where the setlocale() call contains a number of potential exploits through string overflows during environment variable expansion
j.. sort - Fixes the vulnerability described in CERT Vulnerability Note VU#417216 (http://www.kb.cert.org/vuls/id/417216) where an intruder may be able to block the operation of system administration programs by crashing the sort utility.
k.. system clipboard / J2SE - Fixes a security issue that permitted unauthorized applets access to the system clipboard.
l.. tcpdump - Fixes the vulnerability described in FreeBSD-SA-01:48 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc) where remote users can cause the local tcpdump process to crash, and may be able to cause arbitrary code to be executed.
m.. TCP Initial Sequence Numbers - Fixes the potential vulnerability described in FreeBSD-SA-00:52 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc) where the algorithm to generate the number the system will use for the next incoming TCP connection was not sufficiently random
n.. tcsh '>>' operator - Fixes the vulnerability described in FreeBSD-SA-00:76 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:76.tcsh-csh.asc) where unprivileged local users can cause an arbitrary file to be overwritten when another person invokes the '<<' operator in tcsh (e.g. from within a shell script)
o.. telnetd - Fixes the vulnerability described in FreeBSD-SA-01:49 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.v1.1.asc) where remote users can cause arbitrary code to be executed as the user running telnetd.
p.. timed - Fixes the vulnerability described in FreeBSD-SA-01:28 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:28.timed.asc) where remote users can cause the timed daemon to crash, denying service to clients.

Mac OS X Server 10.1

a.. MySQL 3.23.42 - Contains a number of fixes from the previous version. See the 3.23.42 section on the MySQL site (http://www.mysql.com/downloads/mysql-3.23.html) for details.
b.. Tomcat 3.2.3 - Contains a number of fixes from the previous version. See the Tomcat site (http://jakarta.apache.org/tomcat/) for details.
c.. Apache - Fixed the .DS_Store file vulnerability described in http://securityfocus.com/bid/3324
d.. Apache - Fixed the potential vulnerability where .htaccess files might be visible to web browsers if created on HFS+ volumes. The files directive in the http.conf file was modified to block from visibility to web browsers all files whose names begin with .ht, regardless of case.

Mac OS X Web Sharing Update 1.0

a.. Apache 1.3.19 - Fixes security issues with sites' use of the mass virtual hosting module mod_vhost_alias or mod_rewrite.
b.. mod_hfs_apple - Addresses Apache case-insensitivity problems on Mac OS Extended (HFS+) volumes.
c.. OpenSSH 2.9p2 - Fixes the SSH1 vulnerability described in http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt.
d.. sudo - Fixes the buffer overflow vulnerability described in FreeBSD-SA-01:38 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:38.sudo.asc)

Mac OS X 10.0.4 Server Update

a.. Samba 2.0.9 - Addresses the macro vulnerability described in us1.samba.org/samba/whatsnew/macroexploit.html
b.. sudo - Fixes the buffer overflow vulnerability described in FreeBSD-SA-01:38 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:38.sudo.asc)

Mac OS X 10.0.2

a.. FTP - Fixes the File Globbing vulnerability described in CERT(R) Advisory CA-2001-07 (http://www.cert.org/advisories/CA-2001-07.html)
b.. NTP - Fixes the buffer overflow vulnerability described in FreeBSD-SA-01:31 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:31.ntpd.asc)

Mac OS X 10.0.1

a.. OpenSSH-2.3.0p1 - SSH services are enabled via the Sharing pane in System Preferences

Mac OS Runtime for Java (MRJ) 2.2.5

a.. MRJ 2.2.5 - Fixes a security issue that permitted unauthorized applets access to the system clipboard.

----- Original Message -----
From: "James Chamier" <secnotifyat_private>
To: <pen-testat_private>
Sent: Thursday, February 13, 2003 11:03 AM
Subject: Mac OS X Server

>
> Has anyone done a pen test of a Mac OS X server remotely ?
> Are there any freely available clients for the apple file transfer over ip, or anything obvious I should see ?
>
> thanks,
> James
> --
> James Chamier
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>
> ----------------------------------------------------------------------------
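The Apple digest quoted above is organised by the release in which each fix first appeared, which is exactly what you need when checking a box against it: anything listed under a release newer than the one installed is still open. The following Python is an added example written for this archive; it is not steve's code and not part of Apple's document. It parses a digest in the quoted format into (heading, CVE IDs) sections and reports, for a host at a given Mac OS X release, which entries are still missing. Standalone "Security Update YYYY-MM-DD" entries cannot be inferred from a version number, so they are returned separately for a manual check. The sample digest is a constructed excerpt of the entries above; the heading patterns and the Server-vs-client handling are assumptions drawn from the digest's own wording.

```python
"""Added example: turn the flattened Apple security-update digest into a
CVE -> release map and report what a host at a given release still lacks.
Not part of the original post or of Apple's document."""
import re
from typing import Dict, List, Tuple

Section = Tuple[str, List[str]]  # (section heading, CVE IDs listed under it)

# Constructed sample: a condensed excerpt of the digest quoted in the post,
# one entry per line, newest release first (as in the original).
SAMPLE_DIGEST = """\
Security updates are listed below according to the software release in which they first appeared.

Mac OS X 10.2.4
a.. Sendmail: Fixes CAN-2002-0906 ... with the SMRSH fix applied to also address CAN-2002-1165.
c.. Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable ...
Mac OS X 10.2.3
a.. fetchmail: Fixes CAN-2002-1174 and CAN-2002-1175 that could lead to a potential denial of service ...
Security Update 2002-11-21
BIND: Updated to version 8.3.4 ... CVE IDs: CAN-2002-1219, CAN-2002-1220, CAN-2002-1221, CAN-2002-0029
Mac OS X 10.2.2
a.. CAN-2002-1266: Local User Privilege Elevation via Disk Image File
b.. CAN-2002-0830: This is FreeBSD-SA-02:36.nfs, a potential vulnerability in NFS ...
Mac OS X Server 10.2.2
a.. Includes all security fixes noted in Mac OS X 10.2.2, plus CAN-2002-0661, CAN-2002-0654, CAN-2002-0654: Apache 2
"""

# Heading patterns assumed from the digest: "Mac OS X 10.2.4", "Mac OS X Server 10.2.2",
# and standalone updates such as "Security Update 2002-11-21" / "Security Update July 2002 (2002-07)".
RELEASE_RE = re.compile(r"^Mac OS X (Server )?(\d+(?:\.\d+)+)$")
UPDATE_RE = re.compile(r"^.*Security Update\b.*\d\)?$")
# Both the older CAN- candidate form and the CVE- form appear in the digest.
CVE_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{3,}\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.2.4' -> (10, 2, 4); tuples compare correctly, unlike the strings."""
    return tuple(int(part) for part in text.split("."))


def parse_digest(text: str) -> List[Section]:
    """Split the digest into sections; each CVE ID is recorded once per section."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RELEASE_RE.match(line) or UPDATE_RE.match(line):
            sections.append((line, []))
            continue
        if not sections:
            continue  # introductory text before the first heading carries no entries
        ids = sections[-1][1]
        for cve in CVE_RE.findall(line):
            if cve not in ids:  # e.g. CAN-2002-0654 is listed twice in one entry
                ids.append(cve)
    return sections


def missing_fixes(sections: List[Section], installed: str, server: bool = False) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'check_manually': [...]} for a host at `installed`.

    Release sections newer than the installed version are reported as missing.
    Server sections apply only to Server hosts; client sections apply to both,
    since the digest says Server releases include the client fixes.
    Standalone Security Updates are not ordered by version, so their IDs are
    returned for a manual check rather than guessed either way.
    """
    have = parse_version(installed)
    result: Dict[str, List[str]] = {"missing": [], "check_manually": []}
    for heading, ids in sections:
        match = RELEASE_RE.match(heading)
        if match is None:
            result["check_manually"].extend(ids)
            continue
        is_server_section = bool(match.group(1))
        if is_server_section and not server:
            continue
        if parse_version(match.group(2)) > have:
            result["missing"].extend(ids)
    return result


if __name__ == "__main__":
    report = missing_fixes(parse_digest(SAMPLE_DIGEST), "10.2.2")
    print("still missing on 10.2.2:", ", ".join(report["missing"]))
    print("verify standalone updates:", ", ".join(report["check_manually"]))
```

Feed it the full digest (copied from the Apple page) instead of the constructed excerpt and the output is a per-host list of CVE IDs to verify; the "check_manually" bucket is deliberately conservative, since a 10.2.3 box may or may not have had Security Update 2002-11-21 applied and nothing in the version string tells you which.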
This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 13:29:33 PST