Detecting Apple Mac OS X AFP Vulnerability with Nmap

http://www.cqure.net/wp/2010/03/detecting-apple-mac-os-x-afp-vulnerability-cve-2010-0533-with-nmap/

During the development of my AFP library for Nmap I came a cross a critical vulnerability in Apple’s implementation of AFP on Snow Leopard. The vulnerability occurs due to improper input validation and allows an attacker to access (list, read, and/or write) files in the parent directory of any AFP sharepoint.

By default, when enabling AFP, the Public folder in each user’s home directory is shared as Public Folder. In my case “Patrik Karlsson’s Public Folder”. Since the Public folder is a subdirectory of a user’s home directory, exploiting this share provides access to all of that user’s home directory files (but not subdirectories or files with restrictive filesystem permissions).

As the name suggests, the Public shares are available to anyone without authentication. Given the default permissions on home directories (world read+execute) and the default umask (world read), this has a serious impact – as unauthenticated users can read all files in a user’s home directory. The attack also works for authenticated users against shares requiring authentication.

Technically the attack is not very challenging and relies on a classic directory traversal attack. It is strikingly similar to the famous Windows SMB filesharing vulnerability from 1995. However, sending such a path to the server without interpreting and translating it on the client is somewhat more challenging. I’ve developed a number of different scripts while researching the vulnerability that list, read and write files in the parent directory. In order to do so I’ve added the necessary code to the AFP library which is essentially the core of these NSE scripts.

At this time I’m releasing two scripts afp-path-vuln, afp-brute and library. The vulnerability detection script attempts to determine whether the scanned servers are vulnerable or not and outputs the contents of the parent directory if they are. The script and library are as of now available from the latest subversion version of Nmap and can also be downloaded here:

http://nmap.org/svn/scripts/afp-path-vuln.nse
http://nmap.org/svn/scripts/afp-brute.nse
http://nmap.org/svn/nselib/afp.lua

You can run the scripts either from your current version of Nmap or from the current subversion release. If you want to run the script with user credentials it needs the subversion release of Nmap as adding the support for AFP authentication involved patching the LUA to OpenSSL API.

For documentation on how to add scripts to your current Nmap installation have a look at Ron Bowes blog post “How-to: install an Nmap script” over here. The afp.lua library should be copied to the nselib directory which is located in the same parent directory as the scripts directory described in the blog post.