Date: Tue, 29 May 2007 11:56:18 -0400
From: Kevin Finisterre (lists) <kf_lists@...italmunition.com>
To: NGSSoftware Insight Security Research <nisr@...software.com>
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: Re: Mac OS X vpnd local format string

OSX client is also vulnerable.... and exploitable.

-KF

On May 29, 2007, at 7:26 AM, NGSSoftware Insight Security Research wrote:

> =======
> Summary
> =======
> Name: Mac OS X vpnd local format string
> Release Date: 29 May 2007
> Reference: NGS00496
> Discover: Chris Anley <chris@...software.com>
> Vendor: Apple
> Vendor Reference: 26417237
> CVE-ID: CVE-2007-0753
> Systems Affected: OS X Server 10.4.9 and prior
> Risk: High
> Status: Published
>
> ========
> TimeLine
> ========
> Discovered: 15 March 2007
> Reported: 19 March 2007
> Fixed: 24 May 2007
> Published: 29 May 2007
>
> ===========
> Description
> ===========
> The 'vpnd' command shipped with OS X runs setuid root, and is vulnerable
> to a format string attack.
>
> =================
> Technical Details
> =================
> The vpnd command, when run with the '-i' parameter, is vulnerable to a
> format string attack. The command is setuid root, and is world-executable.
>
> This allows any local user to execute arbitrary code as root, though the
> vulnerable code is only accessible by default on server versions of OS
> X. It is possible for a client version of OS X to be configured in a
> vulnerable manner, though this requires extensive configuration changes
> and is unlikely to happen by accident.
>
> Demonstration:
>
> Apple:~ shellcoders$ sw_vers
> ProductName:    Mac OS X Server
> ProductVersion: 10.4.9
> BuildVersion:   8P135
> Apple:~ shellcoders$ vpnd -n -i _ABCD_%268\$x
> 2007-03-15 17:07:07 GMT Server '_ABCD_%268$x' starting...
> 2007-03-15 17:07:07 GMT Server ID '_ABCD_41424344' invalid
> 2007-03-15 17:07:07 GMT Error processing prefs file
>
>
> (gdb) bt
> #0  0x90011cb8 in __vfprintf ()
> #1  0x9002a90c in vsnprintf ()
> #2  0x9002a41c in vsyslog ()
> #3  0x00003150 in vpnlog ()
> #4  0x00004b80 in process_prefs ()
> #5  0x000028d4 in main ()
>
> The source code for vpnd is available from the Apple Darwin source code
> download site. The relevant code is in the ppp package. The code is
> distributed under the Apple Public Source License, available at
> http://www.opensource.apple.com/apsl/
>
> The bug occurs in the process_prefs() function in vpnoptions.c.
>
> The user-specified server name is passed into the snprintf() function as
> data, and the resulting string is then passed to the vpnlog() function,
> as the format_str parameter. Although the server name is limited to 64
> characters (with '%.64s') it is still straightforward to exploit the
> bug, and NGS have written a reliable exploit.
>
> ===============
> Fix Information
> ===============
> This issue was fixed by Apple in Security Update 2007-005, released on
> the 24th May 2007. NGS would like to thank the Apple Security Team for
> their professional and prompt response to this issue.
>
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com/
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070

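The pattern described under Technical Details, reduced to a stand-alone sketch of the bug class and its fix. This is an added example, not Apple's vpnd source or NGS code: `log_line`, `report_vulnerable` and `report_fixed` are hypothetical names, and the constructed input uses only `%%`, which consumes no argument, so the second round of format parsing shows up as a changed log line.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];   /* most recent log line, kept for inspection */

/* Hypothetical stand-in for a vsyslog()-style logger: the first argument is a
 * format string. The attribute lets the compiler check every caller. */
__attribute__((format(printf, 1, 2)))
static void log_line(const char *format_str, ...)
{
    va_list ap;
    va_start(ap, format_str);
    vsnprintf(last_log, sizeof last_log, format_str, ap);
    va_end(ap);
}

/* Vulnerable shape: the name is copied in as data, but the finished buffer is
 * then handed to the logger as its format, so it is parsed a second time.
 * The '%.64s' limit bounds the length, not the content. */
const char *report_vulnerable(const char *server_id)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Server ID '%.64s' invalid", server_id);
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"  /* silenced for the demo */
    log_line(msg);                 /* BUG: non-literal format string */
#pragma GCC diagnostic pop
    return last_log;
}

/* Hardened shape: constant format, untrusted text is only ever an argument. */
const char *report_fixed(const char *server_id)
{
    log_line("Server ID '%.64s' invalid", server_id);
    return last_log;
}

int main(void)
{
    const char *id = "rack%%7";    /* constructed input */
    printf("vulnerable: %s\n", report_vulnerable(id));
    printf("fixed:      %s\n", report_fixed(id));
    return 0;
}
```

Without the pragma, GCC and Clang report the `log_line(msg)` call under `-Wformat-security`; building setuid code with `-Werror=format-security` turns this bug class into a compile failure.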