Latest Apple Sec update

[Michael Bartosh <mbartosh@xxxxxxx>]

Submitted this to Apple product security ~3weeks ago; fixed in latest 
sec update a couple of days ago.

servermgrd is a modified version of apache used by Apple in Mac OS X
Server as a management back end. It uses ssl for encryption. Out of box,
every install of Mac OS X Server uses the same private key (pasting it
here since its wide distribution can not feasibly be called private).

[SNIP]

Using the ssldump (http://www.rtfm.com/ssldump/) utility* I've several
times in the last week sat on
wireless networks and obtained administrative passwords for several Mac 
OS
X Server. I've long figured this was possible but did not really look 
into
it until I had to finish that chapter of my book (O'Reilly's Mac OS X
Server book). The decrypted packet looks like this:

12 10 0.4775 (0.0007)  C>S  application_data
    ---------------------------------------------------------------
    POST /commands/servermgr_info HTTP/1.0
    Host: gs.4am-media.com:311
    Authorization: Basic xxxxxxxxxxxxxx
    HTTP_USER_AGENT: CFNetwork-ServerManagerDaemonSession
    Content-Length: 0

...where xxxxxxxxxxxxxx is the base64 encoded version of the password
specified at login.

We must assume every packet on every network is likely to be sniffed. 
For
the price of $500 anyone anywhere can obtain the private key used to
administer tens of thousands of servers. At the very least this should 
be
widely documented, yet a search at apple.com/support for servermgrd and
Server Admin SSL yield nothing. This is very briefly hinted at on page 
17
of the Command Line Administration Guide. This text, though, is 
misleading
at best in its failure to advertise the rather insecure out of box state
of servermgrd.


[SNIP]

 *note trivial diff to get it to build on Mac OS X
crap:~/Desktop/ssldump-0.9b3 mab9718$ diff configure configure.orig
1213,1215d1212
<               if test -f $dir/libssl.dylib -a -f $dir/libcrypto.dylib;
then
<                   found_ssl="true"
<                 fi