Multiple issues with Mac OS X AFP client Background The standard Apple Filing Protocol[1] (AFP) does not use encryption to protect transfered data. Login credentials may be sent in cleartext or protected with one of several different hashed exchanges or Kerberos[2]. There does not appear to have been any serious third-party security review of Apple's client or server implementations. Mac OS X 10.2 introduced the option of automatically tunneling connections to an Apple file server over SSH - a commendable effort to reuse a well-understood, tested protocol rather than another home-grown design. Unfortunately the current implementation is marred by significant design and implementation flaws. A Backwards Handshake All AFP connections start with a connection to TCP port 548. If enabled the client may subsequently attempt to start an ssh session depending on the server's advertised capabilities. The decision to treat SSH tunneling as a protocol extension leads to several undesirable outcomes, most critically that the user interface gives the impression of using SSH (which has a very good reputation) but provides no way to have a connection fail if SSH cannot be used rather than failing down to a normal insecure AFP connection. In the educational world it is common for AFP servers to be exposed to the general internet to allow users to work remotely. Given AFP's lack of extensive auditing and use in high-security environments it would be preferable for the current design to be reversed and all traffic to be tunneled over a heavily audited protocol such as SSH or SSL. SSH is in many ways preferable given the common habit of configuring non-public SSL services with self-signed certificates and instructions to disable validation. A man-in-the-middle attack can easily be used to collect passwords. Since AFP does not attempt to validate the server's identity it is possible to mount an active attack where the MITM host does not advertise SSH sessions. At this point we run into the next major problem: the client does not distinguish between any of the non-cleartext authentication mechanisms despite significant security implications. The protocol designers were clearly aware of this threat as noted in the protocol documentation for both Diffie-Hellman authentication systems[4]: 'DHX2 is strong against packet sniffing attacks but vulnerable to active attacks such “Man in the Middle.” There is no way for the client to verify that the server knows the password, so the server could easily be spoofed. There is some weakness in using fixed initialization vectors, p and g, which is alleviated by putting the random nonces first in the encrypted portions of the messages. DHX2 is useful when the server requires passwords in cleartext.' Unfortunately the user interface makes no distinction between this and the more secure Random-Number Exchange systems. Combined with the common tendency for users to store passwords in their Keychain or blindly enter them when prompted an automated password collection system could easily be developed and with a relatively modest amount of additional work it could avoid detection by transparently proxying the connection to the real server. Given both the environments where Macs are most commonly used and Apple's aggressive marketing of OS X Server as easy to administer it seems extremely unlikely that the administrators would be monitoring at the level needed to detect this. Implementation Problems In versions of OS X 10.3 prior to 10.3.2 the SSH feature simply did not work: the client will silently connect without attempting to use SSH at all The current design is limited to volumes shared with the server version of OS X. The user interface provides no way to require SSH or warn that while the option is selected it will not be used because the server does not support it. Currently the user must notice that the separate "Opening secure connection" window did not appear and realize that this implies a non-SSH session. The user interface makes no attempt to differentiate between the non-cleartext authentication mechanisms. It would be useful to permanently disable anything other than, say, a hashed exchange or Kerberos. ssh is started with "-o StrictHostKeyChecking no" which makes the SSH session used for file sharing uniquely vulnerable to MITM attacks. This is probably due to the lack of a graphical interface for the usual host key dialogs. Workarounds Use manually-configured SSH tunnels (e.g. ssh -aCN -L 5480:afp-server:548 remote-host) Forgo AFP if possible in favor of SFTP, optionally with a graphical front-end such as Fugu[3] The AFP client may be hardened somewhat by modifying the .GlobalPreferences.plist (the AFP client does not follow Apple's guidelines for preference files). defaults write "Apple Global Domain" com.apple.AppleShareClientCore \ -dict-add \ afp_authtype_show -bool true \ afp_ssh_force -bool true \ afp_ssh_require -bool true Unfortunately this does not prevent MITM attacks and introduces potential support issues because a failed SSH connection will be reported as a bad username/password. Leon Towns-von Stauber reports that Apple is working with him on a bug preventing the current SSH implementation from being used in certain cases. Recommendations SSH should be enabled by default for the file server on both server and client and both the client and server interfaces should strongly encourage its use. The client should allow the user to require SSH and restrict the authentication mechanisms allowed. The client needs a graphical interface for the normal SSH precautions against MITM attacks. A future version of OS X should provide a standard framework which developers could rely on to get a decent GUI to handle host key management and an equivalent for the traditional ssh_askpass similar to similar to Bill Bumgarner's SSHPassKey[5]. Beyond these basics Apple should encourage accepted security best-practices by providing a utility to simplify the process of setting up public key authentication and either provide seamless Keychain support or an integrated ssh-agent. History: Tue Dec 16 09:35:52 10.3.0-10.3.1 client bug reported by Leon Towns-von Stauber[6] December 19, 2003 22:04:11 PST Initial vendor email December 23, 2003 11:06:30 PST Followup email February 26, 2004 0:19:35 PST Pre-release notice to Apple containing this advisory and offering to delay release if requested Vendor Response: None References:[1] <http://developer.apple.com/documentation/Networking/Conceptual/AFP/> [2] <http://developer.apple.com/documentation/Networking/Conceptual/AFP/ Chapter_1/chapter_2_section_5.html#//apple_ref/doc/uid/TP30000196/ CHBJDAFE>
[3] <http://rsug.itd.umich.edu/software/fugu/>[4] <http://developer.apple.com/documentation/Networking/Conceptual/AFP/ Chapter_1/chapter_2_section_6.html#//apple_ref/doc/uid/TP30000196/ CHBBAGCB> <http://developer.apple.com/documentation/Networking/Conceptual/AFP/ Chapter_1/chapter_2_section_6.html#//apple_ref/doc/uid/TP30000196/ CHDDAIFH>
[5] <http://www.codefab.com/unsupported/SSHPassKey_v1.1-1-README.html>[6] <http://www.omnigroup.com/mailman/archive/macosx-admin/2003-December/ 034841.html>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature