Detecting Apple Mac OS X AFP vulnerability CVE-2010-0533 with Nmap

During the development of my AFP library for Nmap I came a cross a critical vulnerability in Apple’s implementation of AFP on Snow Leopard. The vulnerability occurs due to improper input validation and allows an attacker to access (list, read, and/or write) files in the parent directory of any AFP sharepoint.

By default, when enabling AFP, the Public folder in each user’s home directory is shared as <Usernames> Public Folder. In my case “Patrik Karlsson’s Public Folder”. Since the Public folder is a subdirectory of a user’s home directory, exploiting this share provides access to all of that user’s home directory files (but not subdirectories or files with restrictive filesystem permissions).

As the name suggests, the Public shares are available to anyone without authentication. Given the default permissions on home directories (world read+execute) and the default umask (world read), this has a serious impact – as unauthenticated users can read all files in a user’s home directory. The attack also works for authenticated users against shares requiring authentication.

Technically the attack is not very challenging and relies on a classic directory traversal attack. It is strikingly similar to the famous Windows SMB filesharing vulnerability from 1995. However, sending such a path to the server without interpreting and translating it on the client is somewhat more challenging. I’ve developed a number of different scripts while researching the vulnerability that list, read and write files in the parent directory. In order to do so I’ve added the necessary code to the AFP library which is essentially the core of these NSE scripts.

At this time I’m releasing two scripts afp-path-vuln, afp-brute and library. The vulnerability detection script attempts to determine whether the scanned servers are vulnerable or not and outputs the contents of the parent directory if they are. The script and library are as of now available from the latest subversion version of Nmap and can also be downloaded here:

You can run the scripts either from your current version of Nmap or from the current subversion release. If you want to run the script with user credentials it needs the subversion release of Nmap as adding the support for AFP authentication involved patching the LUA to OpenSSL API.

For documentation on how to add scripts to your current Nmap installation have a look at Ron Bowes blog post “How-to: install an Nmap script” over here. The afp.lua library should be copied to the nselib directory which is located in the same parent directory as the scripts directory described in the blog post.

Last, but not least, here is the syntax for running the scripts against a system or network to detect vulnerable hosts:

If the server is vulnerable it will show the following output:

548/tcp open  afp
| afp-path-vuln:
|   Patrik’s Public Folder/../ (5 first items)
|     .bash_history
|     .bash_profile
|     .CFUserTextEncoding
|     .config/
|     .crash_report_checksum
|_AFP path traversal (CVE-2010-0533): VULNERABLE

Apple has released Mac OS X 10.6.3 which addresses the vulnerability. It can be downloaded from here:

Thanks to Fyodor and David Fifield for great suggestions, moral support, and review of the code.

2010-02-10 – Security vulnerability disclosed to Apple together with PoC
2010-02-10 – Apple responds and have been able to reproduce vulnerability
2010-02-15 – Request of status update
2010-02-18 – Request of status update
2010-02-22 – Request of status update
2010-02-22 – Apple responds with DRAFT advisory and timing for disclosure (week starting 02/28)
2010-03-06 – Disclosure date overdue, request for status update
2010-03-08 – Apple responds with a new date for disclosure (week starting 03/15)
2010-03-17 – Request status update
2010-03-17 – Apple responds with a new date for disclosure (week starting 03/23)
2010-03-17 – Apple corrects the disclosure date to the 29th of March