OS X Security: Diary of an OS X Leopard Server root exploit

May 10, 2008

Check for updates daily! The “weekly” default got my Xserve cracked.

First things first: Go to each of your systems running Leopard Server, up through release 10.5.2, and make sure that Security Update 2008-002 is installed. Download it from https://www.apple.com/support and install it manually if you’re not sure. There is no harm in attempting to install an Apple update twice. There is great potential danger in leaving a Leopard Server system on-line without it.

In mid-April, I was set upon by some ‘nethole that I managed to flush out of my Xserve while he was still wriggling and, by luck, before he had made my server his own. Or so I thought. I documented this attack in some detail prior to investigating its cause, an investigation I recently found time to complete. The results afforded me some insight into the realization, life, death and resurrection of a potential exploit, and the effects that each stage brings with it.

The potential exploit at issue is listed in the US-CERT National Vulnerability Database as CVE-2007-4560. As reported by the person credited with its discovery, inbound e-mail received via a mail transfer agent (the MTA queues incoming e-mail for local delivery, relay or bounce) and filtered through the ClamAV anti-virus “milter” daemon could allow execution of arbitrary shell commands. To be vulnerable, ClamAV has to be operating in black hole mode, which attempts to discard undeliverable messages without scanning them or passing them down to your mail delivery agent. To achieve this, um, efficiency, ClamAV must run at the elevated privileges of your mail delivery agent (e.g. Sendmail) so that ClamAV can access mail files directly to judge deliverability.

ClamAV’s black hole mode bypasses SMTP logs, making the tracing of the problem loads of fun.

Flipping black hole mode on wasn’t my idea. ClamAV is one thing I trusted to the checkbox in Server Admin. I didn’t really need ClamAV, which functions primarily to protect Windows users from mail-borne malware.

CERT rated this ClamAV exploit’s risk at HIGH, while rating its complexity HIGH as well, meaning that it’s a trick that only the brighter among delinquents can carry from potential to live exploit status. The dyslexic enuretics that commit most Internet felonies couldn’t get a bowling ball through a doggie door without a gift-wrapped exploit script and a pack of IRC LOL-lies tutoring them on its use.

Here’s the interesting bit. The CERT advisory for this potential exploit is dated August 27, 2007, by which time ClamAV had already issued its fix. Various affected Linux distributions swapped in the updated version of ClamAV that incorporated the fix, while more independent Linux-ens and BSD-ers downloaded and compiled the sources from clamav.org. It’s a credit to these communities that notices are issued and hatches are welded shut so quickly.

Apple’s fix for this ClamAV issue was made available via Software Update on March 18, 2008, almost eight months after the CERT advisory. Why the delay? Apple prefers to leave us guessing on matters such as this. Guessing can be enlightening as well as entertaining, so let’s give it a go.

Remember those words “potential exploit”? That’s security-speak for a flaw that’s been identified, and usually demonstrated, but not seen in the wild. There are thousands of potential exploits on file. Some of them are so scary that after reading the list, you’d never want to turn on your computer. But being on constant alert for all potentially extreme dangers is a sorry way to live. Do you nervously anticipate disasters that rate 10 on a scale of 10 (or a scale of 5), like F5 tornadoes, someone’s lithium notebook battery pack exploding mid-flight, or the formation of the island of California? We rate potential threats on a likelihood scale.

My Xserve was boarded via the ClamAV exploit on March 21, 2008, three days after Apple issued its fix. I had my server set to check for updates weekly, and it hadn’t pulled in the Security Update 2008-002 yet. It was during the interval between the fix’s issuance and my Software Update client’s polling for it that I got nailed. How could a cracker achieve such clever timing?

My bet: Apple’s announcement of its fix for the ClamAV exploit was a signal that there remained a relatively small class of vulnerable servers in the wild. Learning that there were Leopard servers without the Security Update made it worth a fresh hunt.

I initially thought myself extraordinarily lucky that I foiled the attacker before he could plant a backdoor allowing him root access. Root access for the sake of it really wasn’t what he was after. Read on.