Critical Mac OS X Server Vulnerability

Monday’s Security Upate provides a fix to a critical vulnerability that allows malicious parties to trivially obtain administrative passwords.

In other words, it would behoove you to run this update sooner rather than later, or make sure you use a VPN when admining your server.This vulnerability is worth exploring in more depth in order to underscore its importance. This is the text of the original email I sent when I reported it to Apple’s Product Security group three weeks ago.

servermgrd is a modified version of apache used by Apple in Mac OS X
Server as a management back end. It uses ssl for encryption. Out of box,
every install of Mac OS X Server uses the same private key.

[SNIP: it’s stored at /etc/servermgrd/ssl.key/server.key]

Using the ssldump (http://www.rtfm.com/ssldump/)* utility I’ve several
times in the last week sat on
wireless networks and obtained administrative passwords for several Mac OS
X Servers. I’ve long figured this was possible but did not look into it adequitely until it became necessary during the production of O’Reilly’s upcoming Running Mac OS X Server.

The decrypted packet looks like this:

12 10 0.4775 (0.0007) C>S application_data --------------------------------------------------------------- POST /commands/servermgr_info HTTP/1.0 Host: gs.4am-media.com:311 Authorization: Basic xxxxxxxxxxxxxx HTTP_USER_AGENT: CFNetwork-ServerManagerDaemonSession Content-Length: 0
…where xxxxxxxxxxxxxx is the base64 encoded version of the password
specified at login.

We must assume every packet on every network is likely to be sniffed. For
the price of $500 anyone anywhere can obtain the private key used to
administer tens of thousands of servers. At the very least this should be
widely documented, yet a search at apple.com/support for servermgrd and
Server Admin SSL yield nothing. This is very briefly hinted at on page 17
of the Command Line Administration Guide. This text, though, is misleading
at best in its failure to advertise the rather insecure out of box state
of servermgrd.

*note trivial diff to get it to build on Mac OS X

crap:~/Desktop/ssldump-0.9b3 mbartosh$ diff configure configure.orig 1213,1215d1212

then mbartosh More Posts Share this: Click to share on Twitter (Opens in new window) Click to share on Facebook (Opens in new window) Related

by mbartosh Related Posts No Related Posts Leave a reply Cancel reply You must be logged in to post a comment.

Recent Forum Topics prohibit macOS/iOS from connecting to unsecure wifi OS X Server technical writer nice LaunchDaemon won't run Binding to server on a separate VLAN Recent Comments ntmatter on Name Goes Here, code bass=”clash” thebrucecarter on Name Goes Here, code bass=”clash” fidelia779 on 802.1x EAP-TLS Machine Authentication in Mt. Lion with AD Certificates Leon Zhang on Augmenting DNS Records Using dnsmasq matthewrknoll on 802.1x EAP-TLS Machine Authentication in Mt. Lion with AD Certificates