Re: [Fed-Talk] UDP Port 111
- Subject: Re: [Fed-Talk] UDP Port 111
- From: "Michael Pike" <email@hidden>
- Date: Tue, 25 Mar 2008 11:40:23 -0600
I know it's a known problem. This is from 10.4.7 - we are on 10.5.2. And the solution doesn't always work with 10.5.x.
I don't think it's a problem, I think it's something that has been forced. Anyone want to hexdump serialnumberd and try to read the assembly code? :)
Serialnumberd explicitly enables the port. I'm a developer, that is a 30 second fix in the code.. remove it... Apple has not done so for many iterations. It's not going away... unless Apple officially comments I have to believe it's done on purpose to prevent piracy. I have no problem with that.. you have to protect your assets.. but phoning home, and forcing a port open WITHOUT telling a user is pretty shady. Have it check the serial number, but if it's blocked explicitly, don't override the rules and then not tell the admin about it. At least Microsoft says, "Hey, I am making sure you are genuine."
I will be honest, this little "feature" has caused serious re-evaluation of OS X server.. possibly looking at going back to Linux (Redhat), which is where we were before OS X server.
Overflow serialnumberd with an exploit, you get root, and we know what happens from there.
mike
On Tue, Mar 25, 2008 at 11:17 AM, Peter Link <email@hidden> wrote:
At 11:07 AM -0600 3/25/08, Michael Pike wrote:
Check out UDP port 626.... then try to close it at the firewall level and watch the magic that OS X server performs for you involuntarily.
You cannot block UDP 626. If you do, serialnumberd will graciously force it back open without telling you, and unless you know how to check a console log, you would be none the wiser.
serialnumberd runs as ROOT... seen straight from ps aux:
root 134 0.0 0.1 76452 1036 ?? Ss 2:07PM 0:01.06 /usr/sbin/serialnumberd
Pretty scary.... if ISSOs get word of this, OS X server will be pretty difficult to get on the network.
Analysis of what serialnumberd does is also alarming. I won't go into specifics here, but it's alarming.. but even more alarming is the backdoor it opens despite firewall rules placed in OS X.
Any ideas on how to close this?
Apple?
Mike
On Thu, Mar 13, 2008 at 9:55 AM, Michael <email@hidden> wrote:
On Mar 13, 2008, at 10:20 AM, Michael wrote:
> Is anyone aware of why a machine upgraded to OSX 10.5.2 would be probing all machines on local networks on UDP port 111.
>
> I know very well what UDP port 111 is normally used for, I just have not seen an OS X machine actively probing that port and it seems rather selective about the range of machines it is probing--selective in the sense it seems to be only machines it has seen recently, not selective about operating system.
This seems to be automountd; most have seen how OS X 10.5 auto identifies any Apple File Sharing machines on the local network. I guess 10.5 can also auto identify any NFS servers on the network. Anyone know how to turn that off? The scanning lit up a co-worker's machine.
I blocked outgoing UDP port 111 in my custom ipfw firewall.
Michael
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
"If they will come to America they will learn to speak English,
for if I was to go to Canada I would learn to speak Canadian." -
George W. Bush, 2006 - Immigration Reform
--
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
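Michael Pike's point above, that serialnumberd quietly forces UDP 626 back open and only a console-log check would reveal it, is exactly what a scheduled audit of UDP listeners against an allow-list would catch. The script below is an added example, not code from anyone in the thread; the lsof output it parses is a constructed sample (the `lsof -nP -iUDP` column layout is assumed), and the allow-list is illustrative.

```shell
#!/bin/sh
# Added example: flag UDP listeners that are not on an admin-approved
# allow-list, so a daemon reopening a port (the thread's serialnumberd
# on UDP 626) shows up in a log instead of going unnoticed.

# Illustrative allow-list of UDP ports the admin has accepted (assumption).
ALLOWED_UDP_PORTS="5353 123"

# Constructed sample of `lsof -nP -iUDP` output; not captured from a real host.
SAMPLE_LSOF='COMMAND       PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
serialnumberd 134 root    5u  IPv4 0xabc      0t0  UDP *:626
mDNSResponder  30 _mdns   7u  IPv4 0xabd      0t0  UDP *:5353
ntpd           61 root    8u  IPv4 0xabe      0t0  UDP *:123
automountd    245 root    6u  IPv4 0xabf      0t0  UDP *:111'

# Reads lsof lines on stdin and prints "<port> <command> <pid>" for every
# UDP socket bound to a port outside ALLOWED_UDP_PORTS. Connected sockets
# (NAME contains "->") are skipped. Returns 1 if anything was flagged.
audit_udp_listeners() {
    awk -v allowed="$ALLOWED_UDP_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "COMMAND" { next }                 # skip lsof header
        $NF ~ /:[0-9]+$/ && $NF !~ /->/ {                   # bound to a numeric port
            port = $NF; sub(/.*:/, "", port)                # keep text after last colon
            if (!(port in ok)) { found = 1; print port, $1, $2 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Real use: lsof -nP -iUDP | audit_udp_listeners   (e.g. from a cron job)
printf '%s\n' "$SAMPLE_LSOF" | audit_udp_listeners || echo "unexpected UDP listeners found"
```

On the sample this reports 626 (serialnumberd) and 111 (automountd) and exits non-zero; cron mailing that output is the notification the thread says the OS never gives.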