Date: Tue, 18 Dec 2007 13:30:54 -0600
From: reepex <reepex@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: iDefense Security Advisory 12.17.07: Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability

lulz ... nice find

maybe Gadi Evron can publish his first exploit now

On Dec 18, 2007 12:25 PM, iDefense Labs <labs-no-reply@...fense.com> wrote:

> iDefense Security Advisory 12.17.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Dec 17, 2007
>
> I. BACKGROUND
>
> The mount_smbfs utility is used to mount a remote SMB share locally. It
> is installed set-uid root, so as to allow unprivileged users to mount
> shares, and is present in a default installation on both the Server and
> Desktop versions of Mac OS X. For more information visit the following
> URL.
>
>
> http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html
>
> II. DESCRIPTION
>
> Local exploitation of a stack based buffer overflow vulnerability in
> Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to
> execute arbitrary code with root privileges.
>
> The vulnerability exists in a portion of code responsible for parsing
> command line arguments. When processing the -W option, which is used to
> specify a workgroup name, the option's argument is copied into a fixed
> sized stack buffer without any checks on its length. This leads to a
> trivially exploitable stack based buffer overflow.
>
> III. ANALYSIS
>
> Exploitation of this vulnerability results in the execution of arbitrary
> code with root privileges. In order to exploit this vulnerability, an
> attacker must have execute permission for the set-uid root mount_smbfs
> binary.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability in Mac OS X
> version 10.4.10, on both the Server and Desktop versions. Previous
> versions may also be affected.
>
> V. WORKAROUND
>
> Removing the set-uid bit from the mount_smbfs binary will prevent
> exploitation. However, non-root users will be unable to use the
> program.
>
> VI. VENDOR RESPONSE
>
> Apple addressed this vulnerability within their Mac OS X 2007-009
> security update. More information is available at the following URL.
>
> http://docs.info.apple.com/article.html?artnum=307179
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2007-3876 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 07/16/2007  Initial vendor notification
> 07/17/2007  Initial vendor response
> 12/17/2007  Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was discovered by Sean Larsson of VeriSign iDefense
> Labs.
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@...fense.com for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



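An added illustration, not code from the advisory, Apple, or this thread: a defensive sketch of the `-W` handling the advisory describes. The workgroup argument is length-checked before it is copied into the fixed-size buffer and rejected rather than truncated; the buffer size `WORKGROUP_MAX` and the option scanner are assumptions, since the advisory states neither.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size: the advisory gives no figure. SMB workgroup names are at
 * most 15 characters, so a 16-byte buffer is a plausible fit. */
#define WORKGROUP_MAX 15

struct smb_opts {
    char workgroup[WORKGROUP_MAX + 1];   /* fixed-size buffer, as in the advisory */
};

/* Bounded copy of a -W argument: 0 on success, -1 if it would not fit.
 * The unchecked copy the advisory describes would overrun the buffer here. */
int set_workgroup(struct smb_opts *o, const char *arg)
{
    size_t n = strnlen(arg, WORKGROUP_MAX + 1);  /* never scan past the limit */
    if (n > WORKGROUP_MAX)
        return -1;                               /* reject, don't silently truncate */
    memcpy(o->workgroup, arg, n);
    o->workgroup[n] = '\0';
    return 0;
}

/* Minimal argv scanner for the -W option only (a stand-in for the real
 * getopt loop): 0 if accepted, -1 on an oversized or missing argument. */
int parse_smb_args(int argc, char *argv[], struct smb_opts *o)
{
    o->workgroup[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-W") == 0) {
            if (i + 1 >= argc)
                return -1;                       /* -W given without a value */
            if (set_workgroup(o, argv[++i]) != 0)
                return -1;
        }
    }
    return 0;
}

int main(int argc, char *argv[])
{
    struct smb_opts o;
    if (parse_smb_args(argc, argv, &o) != 0) {
        fprintf(stderr, "mount_smbfs: bad -W workgroup (max %d chars)\n", WORKGROUP_MAX);
        return EXIT_FAILURE;                     /* fail closed in a set-uid binary */
    }
    printf("workgroup: '%s'\n", o.workgroup);
    return EXIT_SUCCESS;
}
```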