Lucene search
K

Apple Filing Protocol Server Detection

🗓️ 12 May 2001 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 76 Views

Detects Apple Filing Protocol service on remote port and retrieves server information.

Refs
Code
#
# NASL script to send a DSIGetStatus / FPGetSrvrInfo to an AppleShare IP
# server & parse the reply
#
# based on http://www.jammed.com/~jwa/hacks/security/asip/asip-status
#
#

include("compat.inc");

if (description)
{
  script_id(10666);
 	script_version ("1.33");
  script_cvs_date("Date: 2018/11/15 20:50:24");

	script_name(english: "Apple Filing Protocol Server Detection");
	script_summary(english: "Sends DSIGetStatus request.");

  script_set_attribute(attribute:"synopsis", value:
"An Apple file sharing service is listening on the remote port.");
  script_set_attribute(attribute:"description", value:
"The remote service understands the Apple Filing Protocol (AFP) and
responds to a 'FPGetSrvrInfo' ('DSIGetStatus') request with
information about itself. 

AFP is used to offer file services for Mac OS X as well as the older
Mac OS. In the past, it has also been known as 'AppleTalk Filing
Protocol' and 'AppleShare'.");
  # https://developer.apple.com/documentation/kernel
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f2017425");
  script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Apple_Filing_Protocol");
  script_set_attribute(attribute:"solution", value:"n/a" );
  script_set_attribute(attribute:"risk_factor", value:"None" );

  script_set_attribute(attribute:"plugin_publication_date", value: "2001/05/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

	script_category(ACT_GATHER_INFO);
	script_family(english: "Service detection");

	script_copyright(english: "(C) 2001-2016 James W. Abendschan <[email protected]> (GPL)");

	script_dependencie("find_service1.nasl");
	script_require_ports(548);
	exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

global_var port;

function b2dw(a, b, c, d)
{
	local_var a1, b1, c1, dword;

	a1 = a * 256 * 256 * 256;
	b1 = b * 256 * 256;
	c1 = c * 256;
	dword = a1 + b1 + c1 + d;
	return(dword);
}

function b2w(low, high)	
{
	local_var word;

	word = high * 256;
	word = word + low;

	return(word);
}

# return a pascal string

function pstring(offset, packet)
{
	local_var plen, i, pstr;

	plen = ord(packet[offset]);
	#display("offset: ", offset, "  length: ", plen, "\n");
	pstr = "";	# avoid interpreter warning
	for (i=1;i<plen+1;i=i+1)
	{
		pstr = pstr + packet[offset+i];
	}
	return (pstr);
}

# pull out counted pstrings in packet starting at offset

function pluck_counted(offset, packet)
{
	local_var count, str, plucked, count_offset, j;
	count = ord(packet[offset]);
	#display("plucking ", count, " items\n");
	str = "";
	plucked = "";
	count_offset = offset + 1;
	for (j=0;j<count;j=j+1)
	{
		str = pstring(offset:count_offset, packet:packet);
		# offset + length of data + length byte
		count_offset = count_offset + strlen(str) + 1;
		plucked = plucked + str;
		# lame coz there's no != ?
		if (j < count-1)
			plucked = plucked + ", ";
	}
	return(plucked);
}


#
# parse FPGetSrvrInfo reply (starting at DSIGetRequest reply packet + 16)
#

function parse_FPGetSrvrInfo(packet)
{
	local_var afpversioncount_offset, machinetype, machinetype_offset, versions, pci_report;
	local_var report, servername, uams, uamcount_offset;
        machinetype_offset = b2w(low:ord(packet[17]), high:ord(packet[16])) + 16;
	machinetype = pstring(offset:machinetype_offset, packet:packet);

        afpversioncount_offset = b2w(low:ord(packet[19]), high:ord(packet[18])) + 16;
	versions = pluck_counted(offset:afpversioncount_offset, packet:packet);

	uamcount_offset = b2w(low:ord(packet[21]), high:ord(packet[20])) + 16;
	uams = pluck_counted(offset:uamcount_offset, packet:packet);

	servername = pstring(offset:26, packet:packet);
	if ( strlen(servername) ) set_kb_item(name:"AFP/hostname", value:servername);

	report = '\n' +
  'Nessus collected the following information about the remote AFP service :\n'+
  '\n'+
  '  Server name  : ' + servername + '\n' +
  '  Machine type : ' + machinetype + '\n' +
  '  UAMs         : ' + uams + '\n' +
  '  AFP versions : ' + versions + '\n';

set_kb_item(name:"Host/OS/AFP/fingerprint", value:versions);

if ("No User Authen" >< uams) {
	report += '\nThe server allows the "guest" user to connect.\n';
	set_kb_item(name:"AFP/GuestAllowed", value:TRUE);
}

if("Cleartxt Passwrd" >< uams)
{
	report += '\nThe server allows cleartext authentication.\n';
  pci_report = 'The remote AppleTalk service accepts cleartext logins.';
  set_kb_item(name:"PCI/ClearTextCreds/" + port, value:pci_report);
}
  security_note(port:port, extra:report);
  register_service(port:port, proto:"appleshare");
}


#
# parse ASIP reply packet
#

function parse_DSIGetStatus(packet)
{
	local_var cmd, flags, reqid, reqidH, reqidL;
	local_var datalen, edo, reserved;

	flags = ord(packet[0]);
	cmd = ord(packet[1]);
	reqidL = ord(packet[2]);
	reqidH = ord(packet[3]);

	reqid = b2w(low:reqidL, high:reqidH);

	if (!(reqid == 57005))
	{
	 exit('Unexpected requid in reply packet', 1);
	}

	# ignore error / data offset DO for now

	edo = b2dw(a:ord(packet[4]), b:ord(packet[5]), c:ord(packet[6]), d:ord(packet[7]));

	datalen = b2dw(a:ord(packet[8]), b:ord(packet[9]), c:ord(packet[10]), d:ord(packet[11]));

	reserved = b2dw(a:ord(packet[12]), b:ord(packet[13]), c:ord(packet[14]), d:ord(packet[15]));

	if (!(cmd == 3))
	{
		exit(1);
	}

	return (parse_FPGetSrvrInfo(packet:packet));
}


#
# send the DSIGetStatus packet
#

function send_DSIGetStatus(sock)
{
	local_var buf, packet;

	packet = raw_string
		(
		0x00,			# 0- request, 1-reply
		0x03,			# 3- DSIGetStatus
		0xad, 0xde, 0x00,	# request ID
		0x00, 0x00, 0x00, 0x00,	# data field
		0x00, 0x00, 0x00, 0x00,	# length of data stream header
		0x00, 0x00, 0x00, 0x00	# reserved
                );

	send (socket:sock, data:packet);
	buf = recv(socket:sock, length:8192, timeout:30);
	if (strlen(buf) == 0)
	{
		exit(1);
	}	
	return(buf);
}


#
# do it
#

function asip_status(port)
{
	local_var packet, s;
	s = open_sock_tcp(port);
	if (s)
	{
		packet = send_DSIGetStatus(sock:s);
		if(strlen(packet) > 17)
		{
		parse_DSIGetStatus(packet:packet);
		} 
		close(s);
	}
}


#
# main
#

port = 548;
if (service_is_unknown(port:port) && get_tcp_port_state(port))
{
	asip_status(port:port);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Nov 2018 20:50Current
5.5Medium risk
Vulners AI Score5.5
76