Merge pull request #2055 from HackTricks-wiki/research_update_src_network-services-pentesting_584-pentesting-afp_20260326_134223

Research Update Enhanced src/network-services-pentesting/584...

Author: carlospolop

src/network-services-pentesting/584-pentesting-afp.md

@@ -50,6 +50,19 @@ The NSE brute-force script can be combined with Hydra/Medusa if more control is
 hydra -L users.txt -P passwords.txt afp://<IP>
 ```
 
+If you already have credentials, **Nmap's AFP scripts become much more useful** because `afp-serverinfo` leaks the advertised **UAMs** (auth methods), while `afp-showmount` and `afp-ls` can enumerate reachable shares, ACLs and interesting files:
+
+```bash
+nmap -p 548 --script afp-serverinfo,afp-showmount,afp-ls \
+  --script-args 'afp.username=<USER>,afp.password=<PASS>,ls.maxdepth=2,ls.maxfiles=50' <IP>
+```
+
+Pay attention to:
+
+* **Machine Type: Netatalk** in `afp-serverinfo` output, which usually means a NAS / Unix host rather than Apple's own AFP implementation.
+* **UAMs** such as `DHX`, `DHX2`, `Cleartxt` or `Guest`, because they directly hint at the reachable login paths and whether legacy / weak auth is enabled.
+* **Share ACLs** from `afp-showmount`; world-readable or drop-box style shares often expose backups, `.appl` files, and user metadata before you ever mount the volume.
+
 ### Interacting with shares
 
 *macOS*
@@ -71,6 +84,14 @@ afp_client <IP>
 
 Once mounted, remember that classic Mac resource-forks are stored as hidden `._*` AppleDouble files – these often hold interesting metadata that DFIR tools miss.
 
+On Netatalk targets this metadata backend also matters for exploitability:
+
+* `ea = ad` means metadata is stored in **AppleDouble v2** files / `.AppleDouble` directories.
+* `ea = sys` or `ea = samba` stores metadata in filesystem extended attributes instead.
+* In **Netatalk 4.2+** the old `appledouble` option was removed and the backend is controlled solely through the `ea` option.
+
+From an offensive perspective, this lets you quickly decide whether **AppleDouble-oriented bugs** are more likely to be reachable on the server.
+
 ---
 
 ## Common Vulnerabilities & Exploitation
@@ -95,11 +116,24 @@ If the target runs an affected QNAP/Synology firmware, successful exploitation y
 
 Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the **DSI OpenSession** handler allowing unauthenticated code execution (**CVE-2018-1160**). A detailed analysis and PoC were published by Tenable Research.
 
+### Newer Netatalk attack surface (2022-2024)
+
+Recent Netatalk advisories show that the attack surface is no longer limited to `parse_entries()` and OpenSession handling:
+
+* **CVE-2022-45188**: a specially crafted `.appl` file can trigger a heap overflow in `afp_getappl`; this is especially relevant if you can **write files into a share** and the server runs FCE / notify features.
+* **CVE-2023-42464**: a **type confusion** bug in the **Spotlight RPC** handlers can become reachable when `spotlight = yes` is enabled in `afp.conf` (disabled by default).
+* **CVE-2024-38439 / CVE-2024-38440 / CVE-2024-38441**: one-byte heap out-of-bounds writes in login-related paths fixed in **Netatalk 2.4.1 / 3.1.19 / 3.2.1**. These bugs are interesting because exploitability depends on the configured **UAMs**:
+  * `uams_clrtxt.so` + PAM-backed ClearTxt login exposes the `FPLoginExt` path relevant to **CVE-2024-38439**.
+  * `uams_dhx.so` + PAM-backed DHX login reaches the vulnerable path for **CVE-2024-38440**.
+  * `uams_guest.so` keeps the **Guest** login path reachable for **CVE-2024-38441**.
+
+This means the output of `afp-serverinfo` is not just fingerprinting data; it helps you decide which **login parser** is exposed before spending time on exploit development or NAS firmware triage.
+
 ### Other notable issues
 
 * **CVE-2022-22995** – Symlink redirection leading to arbitrary file write / RCE when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
 * **CVE-2010-0533** – Directory traversal in Apple Mac OS X 10.6 AFP (detected by `afp-path-vuln.nse`).
-* Multiple memory-safety bugs were fixed in **Netatalk 4.x (2024)** – recommend upgrading rather than patching individual CVEs.
+* Multiple memory-safety bugs were fixed again during the **2024 Netatalk releases**; if you identify `Netatalk` in `afp-serverinfo`, spend a minute correlating the exposed UAMs / Spotlight / metadata backend with the server version before assuming only the 2018/2022 bugs matter.
 
 ---
 
@@ -121,4 +155,6 @@ Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the *
 
 * Netatalk Security Advisory CVE-2022-23121 – "Arbitrary code execution in parse_entries" <https://netatalk.io/security/CVE-2022-23121>
 * Tenable Research – "Exploiting an 18-Year-Old Bug (CVE-2018-1160)" <https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172>
+* Netatalk Security Advisories index <https://netatalk.io/security.html>
+* Netatalk 4.2.0 Release Notes <https://netatalk.io/4.2/ReleaseNotes4.2.0>
 {{#include ../banners/hacktricks-training.md}}