lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 6 Oct 2004 15:37:10 -0600
From: Michael Bartosh <mbartosh@....com>
To: bugtraq@...urityfocus.com
Subject: Latest Apple Sec update


Submitted this to Apple product security ~3weeks ago; fixed in latest 
sec update a couple of days ago.

servermgrd is a modified version of apache used by Apple in Mac OS X
Server as a management back end. It uses ssl for encryption. Out of box,
every install of Mac OS X Server uses the same private key (pasting it
here since its wide distribution can not feasibly be called private).

[SNIP]

Using the ssldump (http://www.rtfm.com/ssldump/) utility* I've several
times in the last week sat on
wireless networks and obtained administrative passwords for several Mac 
OS
X Server. I've long figured this was possible but did not really look 
into
it until I had to finish that chapter of my book (O'Reilly's Mac OS X
Server book). The decrypted packet looks like this:

12 10 0.4775 (0.0007)  C>S  application_data
     ---------------------------------------------------------------
     POST /commands/servermgr_info HTTP/1.0
     Host: gs.4am-media.com:311
     Authorization: Basic xxxxxxxxxxxxxx
     HTTP_USER_AGENT: CFNetwork-ServerManagerDaemonSession
     Content-Length: 0

...where xxxxxxxxxxxxxx is the base64 encoded version of the password
specified at login.

We must assume every packet on every network is likely to be sniffed. 
For
the price of $500 anyone anywhere can obtain the private key used to
administer tens of thousands of servers. At the very least this should 
be
widely documented, yet a search at apple.com/support for servermgrd and
Server Admin SSL yield nothing. This is very briefly hinted at on page 
17
of the Command Line Administration Guide. This text, though, is 
misleading
at best in its failure to advertise the rather insecure out of box state
of servermgrd.


[SNIP]

  *note trivial diff to get it to build on Mac OS X
crap:~/Desktop/ssldump-0.9b3 mab9718$ diff configure configure.orig
1213,1215d1212
<               if test -f $dir/libssl.dylib -a -f $dir/libcrypto.dylib;
then
<                   found_ssl="true"
<                 fi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ