Mac OS X vpnd local format string May 29 2007 11:26AM
NGSSoftware Insight Security Research (nisr ngssoftware com) (1 replies)
Re: Mac OS X vpnd local format string May 29 2007 03:56PM
Kevin Finisterre (lists) (kf_lists digitalmunition com)
OSX client is also vulnerable.... and exploitable.

-KF

On May 29, 2007, at 7:26 AM, NGSSoftware Insight Security Research
wrote:

> =======
> Summary
> =======
> Name: Mac OS X vpnd local format string
> Release Date: 29 May 2007
> Reference: NGS00496
> Discover: Chris Anley <chris (at) ngssoftware (dot) com [email concealed]>
> Vendor: Apple
> Vendor Reference: 26417237
> CVE-ID: CVE-2007-0753
> Systems Affected: OS X Server 10.4.9 and prior
> Risk: High
> Status: Published
>
> ========
> TimeLine
> ========
> Discovered: 15 March 2007
> Reported: 19 March 2007
> Fixed: 24 May 2007
> Published: 29 May 2007
>
> ===========
> Description
> ===========
> The 'vpnd' command shipped with OS X runs setuid root, and is
> vulnerable to a format string attack.
>
> =================
> Technical Details
> =================
> The vpnd command, when run with the '-i' parameter, is vulnerable to a
> format string attack. The command is setuid root, and is
> world-executable.
>
> This allows any local user to execute arbitrary code as root,
> though the vulnerable code is only accessible by default on server
> versions of OS X. It is possible for a client version of OS X to be
> configured in a vulnerable manner, though this requires extensive
> configuration changes and is unlikely to happen by accident.
>
> Demonstration:
>
> Apple:~ shellcoders$ sw_vers
> ProductName: Mac OS X Server
> ProductVersion: 10.4.9
> BuildVersion: 8P135
> Apple:~ shellcoders$ vpnd -n -i _ABCD_%268\$x
> 2007-03-15 17:07:07 GMT Server '_ABCD_%268$x' starting...
> 2007-03-15 17:07:07 GMT Server ID '_ABCD_41424344' invalid
> 2007-03-15 17:07:07 GMT Error processing prefs file
>
>
> (gdb) bt
> #0 0x90011cb8 in __vfprintf ()
> #1 0x9002a90c in vsnprintf ()
> #2 0x9002a41c in vsyslog ()
> #3 0x00003150 in vpnlog ()
> #4 0x00004b80 in process_prefs ()
> #5 0x000028d4 in main ()
>
> The source code for vpnd is available from the Apple Darwin source
> code download site. The relevant code is in the ppp package. The code
> is distributed under the Apple Public Source License, available at
> http://www.opensource.apple.com/apsl/
>
> The bug occurs in the process_prefs() function in vpnoptions.c.
>
> The user-specified server name is passed into the snprintf()
> function as data, and the resulting string is then passed to the
> vpnlog() function, as the format_str parameter. Although the server
> name is limited to 64 characters (with '%.64s') it is still
> straightforward to exploit the bug, and NGS have written a reliable
> exploit.
>
> ===============
> Fix Information
> ===============
> This issue was fixed by Apple in Security Update 2007-005, released on
> the 24th May 2007. NGS would like to thank the Apple Security Team for
> their professional and prompt response to this issue.
>
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com/
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
>
> --
> E-MAIL DISCLAIMER
>
> The information contained in this email and any subsequent
> correspondence is private, is solely for the intended recipient(s) and
> may contain confidential or privileged information. For those other
> than the intended recipient(s), any disclosure, copying, distribution,
> or any other action taken, or omitted to be taken, in reliance on such
> information is prohibited and may be unlawful. If you are not the
> intended recipient and have received this message in error, please
> inform the sender and delete this mail and any attachments.
>
> The views expressed in this email do not necessarily reflect NGS
> policy.
> NGS accepts no liability or responsibility for any onward transmission
> or use of emails and attachments having left the NGS domain.
>
> NGS and NGSSoftware are trading names of Next Generation Security
> Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
> 4BF with Company Number 04225835 and VAT Number 783096402
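
The call shape the advisory describes (user-controlled text formatted into a buffer with snprintf(), then that buffer handed to a syslog-style logger as its format argument) is easy to reproduce in miniature. The block below is an added example, not code from vpnd, Apple or NGS: vpnlog_demo() is a stand-in for vpnlog() that writes into a caller buffer instead of syslog so it runs offline, log_start_vulnerable() shows the defective shape, log_start_fixed() the corrected one, and count_format_directives() is the kind of check a reviewer or fuzz harness applies to an untrusted string before it can reach a printf-family call. All function names and the sample name "_ABCD_%268$x" (taken from the advisory's demonstration) are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for vpnd's vpnlog(): printf-style format plus varargs, rendered
 * into `out` rather than sent to vsyslog() so the example runs offline.
 * (Hypothetical simplification of the real function.) */
static void vpnlog_demo(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* First step of the bug as the advisory describes it: the user-supplied
 * server name, truncated to 64 characters, is formatted into a buffer. */
static void build_start_message(char *msg, size_t len, const char *name)
{
    snprintf(msg, len, "Server '%.64s' starting...", name);
}

/* Defective shape: the freshly built message, which now carries
 * attacker-chosen bytes, is passed as the FORMAT argument. Every '%'
 * directive inside `name` is interpreted by vsnprintf. Only call this with
 * names that contain no '%'; anything else is undefined behaviour, which is
 * exactly the defect. */
static void log_start_vulnerable(char *out, size_t outlen, const char *name)
{
    char msg[256];
    build_start_message(msg, sizeof msg, name);
    vpnlog_demo(out, outlen, msg);          /* BUG: msg used as format string */
}

/* Corrected shape: the format is a compile-time constant and the message is
 * passed as data, so a '%' in the name is just a character. */
static void log_start_fixed(char *out, size_t outlen, const char *name)
{
    char msg[256];
    build_start_message(msg, sizeof msg, name);
    vpnlog_demo(out, outlen, "%s", msg);    /* msg can no longer act as a format */
}

/* Review/fuzzing aid: count the conversion directives printf would act on in
 * an untrusted string. "%%" is a literal percent sign and is not counted;
 * a lone trailing '%' is counted because printf would still try to parse it. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char out[256], msg[256];
    const char *hostile = "_ABCD_%268$x";   /* constructed from the advisory's demo */

    log_start_fixed(out, sizeof out, hostile);
    printf("fixed logger output : %s\n", out);

    build_start_message(msg, sizeof msg, hostile);
    printf("directives in message: %d (would be consumed if msg were the format)\n",
           count_format_directives(msg));

    log_start_vulnerable(out, sizeof out, "vpn.example");  /* benign name only */
    printf("vulnerable, benign  : %s\n", out);
    return 0;
}
```

Run with a benign name, the two loggers produce identical text, which is why this class of bug survives ordinary testing: the difference only appears when the name contains a directive, and count_format_directives() reports one for the advisory's sample before any printf call is made. The "%.64s" truncation in build_start_message() mirrors the advisory's note that the length limit alone does not remove the problem, since a single "%n$x"-style directive fits comfortably inside 64 characters.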
