[Dr_Doom]

Wow. Is this the first potentiol remote root vulnerability for OS X?

Cheers,

Dr_Doom

[bborofka]

Originally posted by Dr_Doom:
Wow. I this the first potentiol remote root vulnerability for OS X?

Cheers,

Dr_Doom

Does this fix the problem where, you setup an FTP server and anyone can browse your whole drive? I haven't installed it yet.

[Dr_Doom]

I think that's the chroot bug where you have to be suid root to chroot and ftp server suids to ftp before they issue chroot to the ftp dir specified. I don't know if it's related or not.

[VValdo]

My guess (from a quick google search) is that it's this bug in ftpd that appears to allow a buffer overflow. If you're not running FTPd though, I suppose it wouldn't affect you.

FTP isn't very secure anyway, is it? Doesn't it send passwords via cleartext?

W

[Arkham_c]

A detailed description is here:

http://www.derkeiler.com/Mailing-Lis...3-08/0002.html

Here is some free code that exploits said exploit:

http://www.securiteam.com/exploits/5GP021FAUI.html

[Simon]

Originally posted by VValdo:
FTP isn't very secure anyway, is it? Doesn't it send passwords via cleartext?

Yep. FTP is rather old and pretty unsecure.

If you are not absolutely forced to use it for the sake of backward-compatibility, I'd recommend you start sshd and open its port. Then use scp instead of ftp. It runs on top of ssh and is therefore encrypted.

It's much mroe safe than FTP and it works just as good.

[blackbird_1.0]

i think you're thinking about telnet, right?

it send the passwords over networks?

[Simon]

Originally posted by blackbird_1.0:
i think you're thinking about telnet, right?

it send the passwords over networks?

Both Telnet and FTP send passwords in clear text over networks.

SSH (and therefore scp) use encrypted connections so that your username and password plus any data your transmitting can't be sniffed.

[CharlesS]

Originally posted by Simon:
Yep. FTP is rather old and pretty unsecure.

If you are not absolutely forced to use it for the sake of backward-compatibility, I'd recommend you start sshd and open its port. Then use scp instead of ftp. It runs on top of ssh and is therefore encrypted.

It's much mroe safe than FTP and it works just as good.

Actually, sftp is a more complete replacement to ftp, and AFAIK most servers that support ssh also support sftp. The nice thing about sftp is that the interface is nearly identical to ftp's, so if you can use ftp, you can use sftp. The one difference, of course, is that sftp is secure, while ftp sends your password in plaintext.

[Angus_D]

Originally posted by Simon:
Both Telnet and FTP send passwords in clear text over networks.

As do POP3 and IMAP, the most common protocols for mail collection.

[Simon]

Originally posted by CharlesS:
Actually, sftp is a more complete replacement to ftp, and AFAIK most servers that support ssh also support sftp. The nice thing about sftp is that the interface is nearly identical to ftp's, so if you can use ftp, you can use sftp.

Absolutely. I agree. sftp is the secure replacement for ftp.

But, is it as easy to run on Mac OS X as sshd? The latter is just one click in the Sharing pref panel. Is sftp already built into OS X?

[Simon]

Originally posted by Angus_D:
As do POP3 and IMAP, the most common protocols for mail collection.

Only for those that use them in an insecure way. That's no argument. You can tunnel both services over ssh and then they are perfectly fine. I do that every day and it works like a charm.

I used to use ftp, telnet, smtp, pop3, etc. and even though I knew that they could be sniffed I just thought it was too complicated and nobody would go through all that work just to "listen" to my communication.

At work I had to look into a few sniffer tools I got to run under Debian Linux. When I saw that a simple command-line argument prompted my usernames, passwords, mail content, etc. in clear text I was convinced that all transmission should be encrypted. Ever since I use either decrypted standards or I tunnel through ssh.

Of course it depends on your level of paranoia, but the effort is actually not very large. Actually, it's just a little bit more than a possible "intruder" needs to spy on you.

[Powaqqatsi]

Originally posted by Simon:
Absolutely. I agree. sftp is the secure replacement for ftp.

But, is it as easy to run on Mac OS X as sshd? The latter is just one click in the Sharing pref panel. Is sftp already built into OS X?

Yep it's built in but only through the command line.

check "man sftp"

[kennedy]

Originally posted by Simon:
Only for those that use them in an insecure way. That's no argument. You can tunnel both services over ssh and then they are perfectly fine. I do that every day and it works like a charm.

Okay, I'll bite...

Given arbitrary POP service out on the internet (e.g., server mailhost.mywebhost.com, account myusername, password guessthis),
that you are accessing via Apple Mail...
how do you set it up to "tunnel over ssh"?
what do I put into Apple Mail's settings?

Thanks.

[Powaqqatsi]

Originally posted by kennedy:
Okay, I'll bite...

Given arbitrary POP service out on the internet (e.g., server mailhost.mywebhost.com, account myusername, password guessthis),
that you are accessing via Apple Mail...
how do you set it up to "tunnel over ssh"?
what do I put into Apple Mail's settings?

Thanks.

I think your ISP's mailserver has to support SSH, the chance that it supports this is about zero I would think.

[Simon]

Originally posted by Powaqqatsi:
Yep it's built in but only through the command line.

check "man sftp"

Ah, didn't know that it was already in there.

Thanks.

[Simon]

Originally posted by kennedy:
Okay, I'll bite...

Given arbitrary POP service out on the internet (e.g., server mailhost.mywebhost.com, account myusername, password guessthis),
that you are accessing via Apple Mail...
how do you set it up to "tunnel over ssh"?
what do I put into Apple Mail's settings?

Thanks.

Well, it will not work with any arbitrary server.

I run my own mail and web server. It's a Solaris box that allows ssh logins.

So, I have to have an ssh session opened to the box and then I tunnel the other traffic over it.

This is from some website I found some years ago (sorry, I don't have the link to it), but I used it as a guide how to do it when I set up my server:

- Open a Terminal
- Type the following:

ssh -L8110:yourpopserver.somewhere.com:110
yourauthserver.somewhere.com -lusername

[ on a single line of course ]

where "yourauthserver.somewhere.com" is probably the same as "yourpopserver.somewhere.com"

ssh will then ask for your passphrase which will probably be set up to be your password

after you successfully logged in this way, ssh has set up port-forwarding for POP3 connections, so all you have to do is create an account in Mail.app
with POP server set to "localhost" instead of "yourpopserver.somewhere.com" then go to the advanced options tab and specify "8110" instead of "110" as the POP port

Another possibility is to use the port 995 setting in Mail.app for pop3s instead of pop3. That is encrypted as well, but the server needs to support it.

The again, if you run your own mail server, you could just open a remote ssh session and use mutt or pine...

[VValdo]

You can set up your ssh keys so that you don't have to manually type in your password every time.

Here's what I do. Read the instructions all the way through and make sure you understand them before you try this. I can't guarantee the instructions are 100% accurate, so If you mess up your computer, don't blame me.

To set up your local computer to tunnel POP through SSH...

1. use the "ssh-keygen" command from the terminal on your local machine to create SSH keypairs (so that you don't have to manually type in the remote password every time.) Type "man ssh-keygen" from the terminal to learn more about how this works.

By default, the keys are created in:

$HOME/.ssh/

When you create the keys, don't create a passphrase. Just hit return so that no passphrase is necessary. Be aware that by not making a passphrase, you won't have to type something in every time you want to connect to the POP server securely, but that if anyone steals your computer (or the SSH keys from your computer) they will be able to access your POP mail. Considering that POP is already insecure by default, I think the convenience outweighs the risk...

2. Copy the $HOME/.ssh/identity.pub file from your local computer into the $HOME/.ssh/authorized_keys on the POP server.

(or for version 2 of SSH's protocol, copy $HOME/.ssh/id_dsa.pub to the server's $HOME/.ssh/authorized_keys)

3. On your local computer, create the following shell script:

$HOME/Library/Scripts/Securemail.sh

Code:
#!/bin/csh

# First, kill any previous SSH connection
kill -9 `ps -auxww | grep "ssh -2 -C -f -N" | grep -v grep | grep $LOGNAME | awk '{print $2}'`

# Start a new ssh tunnel and bring up mail.
nohup ssh -2 -C -f -N -L 1110:pop.popserver.com:110 pop.popserver.com;
open /Applications/Mail.app;

Obviously change "pop.popserver.com" to your pop server. You may also need to create the $HOME/Library/Scripts directory if it does not already exist.

I had to play with the various ssh settings and somehow, I can't remember why, ended up with the "-2 -C -f -N -L" you see there.

4. Now, from the terminal, type

Code:
chmod u+x ~/Library/Scripts/Securemail.sh

This makes the shell script executable.

5. In Apple's Mail program, change the settings to check mail at port 1110 instead of 110. Also tell it to check "localhost" or "127.0.0.1" instead of "pop.popserver.com"

6. Finally, download and install Apple's Script Menu icon, so you can manually re-establish the SSH link whenever you want right from the menu bar.

Done!

All you have to do to set up the secure POP connection is pull down the menu, choose "SecureMail" and you're done.

I got the idea for this off of macosxhints.com by the way, but I had to make changes to the script to get it to work for me.

Also see here or here.

W