The Netatalk project is an implementation of AFP/DSI for UNIX platforms that was moved to SourceForge in 2000. The AFP protocol was deprecated in OS X 10.9 and AFP server was removed in OS X 11. However, SMB seems to have won the file sharing network protocols battle and AFP is less known, even if still supported in devices such as NAS. The AFP specification can be found here.ĪFP is transmitted over the Data Stream Interface (DSI) protocol, itself transmitted over TCP/IP, on TCP port 548. The Apple Filing Protocol (AFP) is an alternative to the well known Server Message Block (SMB) protocol to share files over the network. This is because we finished writing our exploit on the 21st September 2021, which happens to be the day of the Mid-Autumn Festival a.k.a Mooncake festival in 2021.
NETATALK GITHUB PRO
Note: The Western Digital My Cloud Pro Series PR4100 NAS is based on the x86_64 architecture. We have analysed and exploited the vulnerability on the 5.17.107 version, which we detail below but older versions are likely vulnerable too. This user can access private shares that would normally require authentication.
NETATALK GITHUB CODE
It allows an attacker to get remote code execution as the nobody user on the NAS. This vulnerability can be exploited remotely and does not need authentication. The afpd service is running by default on the Western Digital My Cloud Pro Series PR4100 NAS. The Netatalk code is implemented in the /usr/sbin/afpd service and the /lib64/libatalk.so library. The vulnerability is in the Netatalk project, which is an open-source implementation of the Apple Filing Protocol (AFP). As this vulnerability was addressed in the upstream Netatalk code, CVE-2022-23121 was assigned and a ZDI advisory published together with a new Netatalk release 3.1.13 distributed which fixed this vulnerability together with a number of others.
NETATALK GITHUB UPDATE
Western Digital published a firmware update (5.19.117) which entirely removed support for the open source third party vulnerable service "Depreciated Netatalk Service". We successfully exploited it at Pwn2Own 2021 competition in November 2021 when targeting the Western Digital PR4100. The below commands will setup our drive to spin down after 30 minutes of no activity.This blog post describes an unchecked return value vulnerability found and exploited in September 2021 by Alex Plaskett, Cedric Halbronn and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. Spin Down Idle Driveīecause our server will be running 24 hours a day, it's a good idea to have the backup drive spin down when not in use.
With the image mounted you will see a Time Machine Backups menu item in Finder under the Devices section. Double click on that file to mount the image. sparsebundle file, which is where your backup is stored as an image. This will allow you to browse the share which should look something like this:
Then click the Connect As button in the upper right corner and enter your login credentials to the Raspberry Pi. Open up Finder and click on the raspberrypi menu item under Shared. Once your first backup has completed you probably want to take a look at the files. Once selected, use your SSH credentials to connect. Now that you have things setup on the Raspberry Pi, we just need to open up Time Machine and add our new disk.
0 kommentar(er)
