Date: Mon, 29 Oct 2007 22:49:18 +0100 (CET)
From: Juergen Schmidt <ju@heisec.de.>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
Subject: Holes in the firewall of Mac OS X Leopard
In-Reply-To: <Pine.WNT.4.64.0710291257480.6076@j2.ngstest.local.>
Message-ID: <Pine.LNX.4.64.0710292225340.5763@localhost.>
References: <Pine.WNT.4.64.0710291257480.6076@j2.ngstest.local.>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Provags-ID: V01U2FsdGVkX19zcaEx00LS1bJK5VXU7jlIxDr2tXIDV2+xi6E
J8thfRdNZFxu1N/FBiUmj+L7vBh8WiFmQGzzAxVEmgBiRCUoB9
s8LRR/qCv3Ntd3AhvXKgg==
X-Virus-Scanned: antivirus-gw at tyumen.ru
Hello,
we did some functional testing on the firewall of Mac OS X Leopard.
Short summary:
- the firewall is not activated by default but there are services running
even if you don't activate any sharing (as shown by netstat or lsof)
- if you set it to "Block all incoming connections" it still allows access
to certain system services. We could access the ntp daemon that is running
per default over the internet. In a LAN based scenario, we were able to
query the Netbios naming service even with full blocking enabled.
- if you set it to "Set access to specific services and programs" the
firewall permits access to listening processes startet by the user,
regardless if they are in the list of shared services. We were able to
access a service like "nc -l 1414" over the internet.
ntpd is labeled 4.2.2, the latest version is 4.2.4. It is unknown if any
of the bugs fixed in the meantime are relevant in this scenario or if
fixes have been backported.
The same applies to the Samba package (3.0.25b-apple), of which releases
3.0.25c and 3.0.26a contained numerous bug fixes.
For more information see:
A second look at the Mac OS X Leopard firewall
http://www.heise-security.co.uk/articles/98120
bye, ju
--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
