On Monday, Apple released Security Update 2010-006, which fixes an “error handling” issue in the AFP (Apple Filing Protocol) server that may allow an attacker to log in as another user with a malformed password, provided he has “knowledge of an account name” on the remote system:
We see enough Mac OS X systems with AFP enabled in universities that it is worth spending some time on this flaw and revisiting the Mac OS X file sharing features and their default settings.
The flaw itself is pretty simple: when a specially malformed password is sent to the remote server, an error occurs and the password validation routine returns an error code of 0 (user is authenticated) instead of -5023 (user is not authenticated), so the login process continues and the attacker can access remote shares. Plugin #49308 has a remote check for this.
However, to exploit this flaw, an attacker needs to know a valid account name on the remote system. Unfortunately, there are two ways to obtain this information “for free”.
The first way is to use the broadcast computer name. When Mac OS X boots up for the first time, it asks you to create a user account. What it does not tell you is that this account name will be used to generate the host name: the default computer name for a Mac OS X system is of the form $USERFIRSTNAME $USERLASTNAME’s $COMPUTERTYPE (e.g. “Billy Bob’s MacBookPro”). Once a Mac has a computer name set and file sharing is enabled, it broadcasts that name to the local network using multicast DNS, and will also give it away when asked for it over the AFP protocol.
Here’s a screen capture I took at SFO airport last week:
As you can see, in addition to the popularity of Mac OS X in San Francisco, many laptops proudly broadcast their owner’s name. This is not only a privacy issue: it also gives away a valid account name on the remote system. As a side note, be aware that every time you connect to a hotel wireless network, or to any kind of public access point (Starbucks, etc.), your laptop may be broadcasting your name there.
To solve this problem, go to System Preferences -> Sharing and change the hostname to something different:
If you do not use file sharing at all, you may want to use this opportunity to disable it entirely as well.
The second way is to use Guest access to obtain account names. When File Sharing is enabled, Guest access is allowed by default. While this does not give the guest full access to the remote system, it allows him to extract the list of accounts as every user has a “public folder”:
If you do not use this feature, go to System Preferences -> Accounts -> Guest and make sure that Guest cannot connect to shared folders:
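As an added example, not part of the original post or of any Tenable plugin, the following shell script audits the local Mac for the two default settings described above: a computer name of the owner-revealing “<Owner>’s <Model>” form (or one that repeats the account holder’s real name) and AFP guest access. The live checks assume the macOS commands scutil, dscl, launchctl and defaults, and assume that the AFP server keeps its guest setting under the guestAccess key of /Library/Preferences/com.apple.AppleFileServer; these assumptions are marked in the comments. The string checks themselves run on any POSIX shell, so the script degrades to a no-op elsewhere.

```shell
#!/bin/sh
# Added audit script (not from the original post). Flags the two Mac OS X
# defaults discussed there: an owner-revealing computer name and AFP guest
# access. macOS-specific commands are only run when present.

# Returns 0 when NAME matches the default "<Owner>'s <Model>" pattern
# (either the straight or the typographic apostrophe).
leaks_owner_name() {
    case "$1" in
        *"'s "*|*"’s "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when NAME contains REALNAME, compared case-insensitively,
# i.e. the computer name repeats the account holder's full name.
name_contains_realname() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    real=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$real" ] || return 1
    case "$name" in
        *"$real"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Interprets the value printed by `defaults read ... guestAccess`.
# Assumption: the key holds 1/0 (some versions print true/false). An unset
# key is treated as enabled, matching the default the post describes.
guest_access_enabled() {
    case "$1" in
        0|false|FALSE|no|NO) return 1 ;;
        *) return 0 ;;
    esac
}

# Live checks; assumes scutil, dscl, launchctl and defaults exist (macOS).
audit_local_mac() {
    if ! command -v scutil >/dev/null 2>&1; then
        echo "scutil not found: not a Mac, skipping live checks"
        return 0
    fi
    user=${USER:-$(id -un)}
    cname=$(scutil --get ComputerName 2>/dev/null)
    # dscl prints "RealName: X" on one line or "RealName:\n X" on two.
    realname=$(dscl . -read "/Users/$user" RealName 2>/dev/null |
        awk 'NR==1 && NF>1 {sub(/^RealName: */,""); print; exit}
             NR==2 {sub(/^ */,""); print; exit}')

    if leaks_owner_name "$cname" || name_contains_realname "$cname" "$realname"; then
        echo "WARN: computer name \"$cname\" reveals the account holder;" \
             "change it under System Preferences -> Sharing"
    else
        echo "ok: computer name \"$cname\" does not look like an owner name"
    fi

    if launchctl list 2>/dev/null | grep -q com.apple.AppleFileServer; then
        echo "WARN: AFP server (com.apple.AppleFileServer) is running"
        # Assumption: guest setting lives in this preference domain/key.
        ga=$(defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess 2>/dev/null)
        if guest_access_enabled "$ga"; then
            echo "WARN: AFP guest access enabled (guestAccess=${ga:-unset});" \
                 "disable it under System Preferences -> Accounts -> Guest"
        else
            echo "ok: AFP guest access disabled"
        fi
    else
        echo "ok: AFP server not running"
    fi
}

# Run the audit when executed directly.
case "$0" in
    *audit*) audit_local_mac ;;
esac
```

To see what the Macs on a segment are actually advertising, the same pattern checks can be fed the service instance names that `dns-sd -B _afpovertcp._tcp` (a standard macOS command) prints while browsing, which is the inventory view an administrator would want before and after asking users to rename their machines.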
As a side note, Guest access is also very useful when exploiting the directory traversal vulnerability fixed in Mac OS X 10.6.3 (plugin #45374).
The 2010-006 vulnerability nicely illustrates how a default configuration can make a vulnerability much worse. With the default Mac OS X settings and AFP enabled, it’s possible to blindly automate the exploitation of a flaw that would otherwise have been harder to exploit.
Make sure to set a proper name on your Mac OS X system so that it does not leak information you would not want spread around everywhere you go, and as usual make sure only the required services are running on your systems.
Plugin #49308 checks for Security Update 2010-006.
Plugin #10666 detects Apple File Sharing (AFP) servers and whether guest access is enabled.
Plugin #45380 lists all the shares available to the ‘guest’ user.