what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MacOSXAFP.txt

MacOSXAFP.txt
Posted Feb 27, 2004
Authored by Chris Adams

Paper discussing how the the standard Apple Filing Protocol (AFP) does not use encryption to protect transfered data. Login credentials may be sent in cleartext or protected with one of several different hashed exchanges or Kerberos. There does not appear to have been any serious third-party security review of Apple's client or server implementations.

tags | advisory, protocol
systems | apple
SHA-256 | 16feb9364a339129da505a3e12219691b666acf40377cf696c052a27ed62f5aa

MacOSXAFP.txt

Change Mirror Download
Multiple issues with Mac OS X AFP client

Background

The standard Apple Filing Protocol[1] (AFP) does not use
encryption to protect transfered data. Login credentials may be sent
in cleartext or protected with one of several different hashed
exchanges or Kerberos[2]. There does not appear to have been any
serious third-party security review of Apple's client or server
implementations.

Mac OS X 10.2 introduced the option of automatically tunneling
connections to an Apple file server over SSH - a commendable effort to
reuse a well-understood, tested protocol rather than another home-grown
design. Unfortunately the current implementation is marred by
significant design and implementation flaws.

A Backwards Handshake

All AFP connections start with a connection to TCP port 548. If
enabled the client may subsequently attempt to start an ssh session
depending on the server's advertised capabilities. The decision to treat
SSH tunneling as a protocol extension leads to several undesirable
outcomes, most critically that the user interface gives the impression
of using SSH (which has a very good reputation) but provides no way to
have a connection fail if SSH cannot be used rather than failing down to
a normal insecure AFP connection.

In the educational world it is common for AFP servers to be exposed
to the general internet to allow users to work remotely. Given AFP's
lack of extensive auditing and use in high-security environments it
would be preferable for the current design to be reversed and all
traffic to be tunneled over a heavily audited protocol such as SSH or
SSL. SSH is in many ways preferable given the common habit of
configuring non-public SSL services with self-signed certificates and
instructions to disable validation.

A man-in-the-middle attack can easily be used to collect passwords.
Since AFP does not attempt to validate the server's identity it is
possible to mount an active attack where the MITM host does not
advertise SSH sessions. At this point we run into the next major
problem: the client does not distinguish between any of the
non-cleartext authentication mechanisms despite significant security
implications. The protocol designers were clearly aware of this threat
as noted in the protocol documentation for both Diffie-Hellman
authentication systems[4]:

'DHX2 is strong against packet sniffing attacks but vulnerable to
active attacks such “Man in the Middle.” There is no way for the client
to verify that the server knows the password, so the server could easily
be spoofed. There is some weakness in using fixed initialization
vectors, p and g, which is alleviated by putting the random nonces first
in the encrypted portions of the messages. DHX2 is useful when the
server requires passwords in cleartext.'

Unfortunately the user interface makes no distinction between this
and the more secure Random-Number Exchange systems. Combined with the
common tendency for users to store passwords in their Keychain or
blindly enter them when prompted an automated password collection system
could easily be developed and with a relatively modest amount of
additional work it could avoid detection by transparently proxying the
connection to the real server. Given both the environments where Macs
are most commonly used and Apple's aggressive marketing of OS X Server
as easy to administer it seems extremely unlikely that the
administrators would be monitoring at the level needed to detect this.

Implementation Problems

In versions of OS X 10.3 prior to 10.3.2 the SSH feature simply did
not work: the client will silently connect without attempting to use SSH
at all

The current design is limited to volumes shared with the server
version of OS X.

The user interface provides no way to require SSH or warn that while
the option is selected it will not be used because the server does not
support it. Currently the user must notice that the separate "Opening
secure connection" window did not appear and realize that this implies a
non-SSH session.

The user interface makes no attempt to differentiate between the
non-cleartext authentication mechanisms. It would be useful to
permanently disable anything other than, say, a hashed exchange or
Kerberos.

ssh is started with "-o StrictHostKeyChecking no" which makes the
SSH session used for file sharing uniquely vulnerable to MITM attacks.
This is probably due to the lack of a graphical interface for the usual
host key dialogs.

Workarounds

Use manually-configured SSH tunnels (e.g. ssh -aCN -L
5480:afp-server:548 remote-host)

Forgo AFP if possible in favor of SFTP, optionally with a graphical
front-end such as Fugu[3]

The AFP client may be hardened somewhat by modifying the
.GlobalPreferences.plist (the AFP client does not follow Apple's
guidelines for preference files).

defaults write "Apple Global Domain" com.apple.AppleShareClientCore \
-dict-add \
afp_authtype_show -bool true \
afp_ssh_force -bool true \
afp_ssh_require -bool true

Unfortunately this does not prevent MITM attacks and introduces
potential support issues because a failed SSH connection will be
reported as a bad username/password.

Leon Towns-von Stauber reports that Apple is working with him on a
bug preventing the current SSH implementation from being used in certain
cases.


Recommendations

SSH should be enabled by default for the file server on both server
and client and both the client and server interfaces should strongly
encourage its use.

The client should allow the user to require SSH and restrict the
authentication mechanisms allowed.

The client needs a graphical interface for the normal SSH
precautions against MITM attacks.

A future version of OS X should provide a standard framework which
developers could rely on to get a decent GUI to handle host key
management and an equivalent for the traditional ssh_askpass similar to
similar to Bill Bumgarner's SSHPassKey[5]. Beyond these basics Apple
should encourage accepted security best-practices by providing a utility
to simplify the process of setting up public key authentication and
either provide seamless Keychain support or an integrated ssh-agent.

History:

Tue Dec 16 09:35:52
10.3.0-10.3.1 client bug reported by Leon Towns-von Stauber[6]

December 19, 2003 22:04:11 PST
Initial vendor email

December 23, 2003 11:06:30 PST
Followup email

February 26, 2004 0:19:35 PST
Pre-release notice to Apple containing this advisory
and offering to delay release if requested

Vendor Response:

None

References:

[1]
<http://developer.apple.com/documentation/Networking/Conceptual/AFP/>
[2]
<http://developer.apple.com/documentation/Networking/Conceptual/AFP/
Chapter_1/chapter_2_section_5.html#//apple_ref/doc/uid/TP30000196/
CHBJDAFE>
[3] <http://rsug.itd.umich.edu/software/fugu/>
[4]
<http://developer.apple.com/documentation/Networking/Conceptual/AFP/
Chapter_1/chapter_2_section_6.html#//apple_ref/doc/uid/TP30000196/
CHBBAGCB>
<http://developer.apple.com/documentation/Networking/Conceptual/AFP/
Chapter_1/chapter_2_section_6.html#//apple_ref/doc/uid/TP30000196/
CHDDAIFH>
[5] <http://www.codefab.com/unsupported/SSHPassKey_v1.1-1-README.html>
[6]
<http://www.omnigroup.com/mailman/archive/macosx-admin/2003-December/
034841.html>
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close