Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Full Disclosure: Full-Disclosure

Holes in the firewall of Mac OS X Leopard

  

 
Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded


ju at heisec

Oct 29, 2007, 2:49 PM

Post #1 of 3 (481 views)
Permalink
Holes in the firewall of Mac OS X Leopard
Hello,

we did some functional testing on the firewall of Mac OS X Leopard.
Short summary:

- the firewall is not activated by default but there are services running
even if you don't activate any sharing (as shown by netstat or lsof)

- if you set it to "Block all incoming connections" it still allows access
to certain system services. We could access the ntp daemon that is running
per default over the internet. In a LAN based scenario, we were able to
query the Netbios naming service even with full blocking enabled.

- if you set it to "Set access to specific services and programs" the
firewall permits access to listening processes startet by the user,
regardless if they are in the list of shared services. We were able to
access a service like "nc -l 1414" over the internet.


ntpd is labeled 4.2.2, the latest version is 4.2.4. It is unknown if any
of the bugs fixed in the meantime are relevant in this scenario or if
fixes have been backported.

The same applies to the Samba package (3.0.25b-apple), of which releases
3.0.25c and 3.0.26a contained numerous bug fixes.


For more information see:

A second look at the Mac OS X Leopard firewall
http://www.heise-security.co.uk/articles/98120


bye, ju

--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


allbery at ece

Oct 29, 2007, 3:02 PM

Post #2 of 3 (458 views)
Permalink
Re: Holes in the firewall of Mac OS X Leopard [In reply to]
On Oct 29, 2007, at 17:49 , Juergen Schmidt wrote:

> - if you set it to "Block all incoming connections" it still allows
> access
> to certain system services. We could access the ntp daemon that is
> running
> per default over the internet. In a LAN based scenario, we were
> able to
> query the Netbios naming service even with full blocking enabled.

The firewall in Tiger, and presumably Leopard, only affects TCP
services by default (you can enable UDP filtering in the Advanced
settings). So no change here from the status quo.

--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery [at] kf8nh
system administrator [openafs,heimdal,too many hats] allbery [at] ece
electrical and computer engineering, carnegie mellon university KF8NH


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


ju at heisec

Oct 29, 2007, 4:55 PM

Post #3 of 3 (448 views)
Permalink
Re: Holes in the firewall of Mac OS X Leopard [In reply to]
On Mon, 29 Oct 2007, Brandon S. Allbery KF8NH wrote:

> On Oct 29, 2007, at 17:49 , Juergen Schmidt wrote:
>
> >- if you set it to "Block all incoming connections" it still allows access
> >to certain system services. We could access the ntp daemon that is running
> >per default over the internet. In a LAN based scenario, we were able to
> >query the Netbios naming service even with full blocking enabled.
>
> The firewall in Tiger, and presumably Leopard, only affects TCP services by
> default (you can enable UDP filtering in the Advanced settings). So no change
> here from the status quo.

Nope -- the behaviour we observed did not depend on the protocol by any
means. For example we were able to connect to a netcat server listening on
a TCP port despite of "Set access to specific services and programs" and
an empty list of allowed services.

There is no way to "enable UDP filtering" in Leopard either -- at least I
have not found any. In fact the firewall does not use ipfw rules at all.

bye, ju



--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.