Message-ID: <CAH8yC8nfEp7PCYEFku859KE9ruZgo_eRKh18nufd8GFmvCuLXQ@mail.gmail.com>
Date: Thu, 15 Nov 2012 09:36:20 -0500
From: Jeffrey Walton <noloader@...il.com>
To: ZDI Disclosures <zdi-disclosures@...pingpoint.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>, BugTraq <bugtraq@...urityfocus.com>, zdi-disclosures@...com
Subject: Re: ZDI-12-185 : Apple Mac OS X DirectoryService SwapProxyMessage Unchecked objOffset Remote Code Execution Vulnerability

A year to fix a validation bug? Jesus Christ....

On Thu, Nov 15, 2012 at 9:26 AM, ZDI Disclosures <zdi-disclosures@...pingpoint.com> wrote:
> ZDI-12-185 : Apple Mac OS X DirectoryService SwapProxyMessage Unchecked
> objOffset Remote Code Execution Vulnerability
>
> http://www.zerodayinitiative.com/advisories/ZDI-12-185
>
> November 15, 2012
>
> -- CVE ID:
> CVE-2012-0650
>
> -- CVSS:
> 10, AV:N/AC:L/Au:N/C:C/I:C/A:C
>
> -- Affected Vendors:
> Apple
>
> -- Affected Products:
> Apple OS X
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Apple Mac OSX. Authentication is not required
> to exploit this vulnerability.
>
> The flaw exists within the DirectoryService daemon. This process listens on
> TCP port 625 by default on Mac OSX Server pre 10.7. Request types to the
> service include a sComProxyData structure having a translate field which is
> responsible for describing the endianness of the payload. When passing a
> message to SwapProxyMessage for byte-reordering, multiple user controlled
> fields are trusted including lengths and offsets. When processing this data
> with DSSwapObjectData, the process will address memory out of the bounds of
> the allocated region. A remote attacker can exploit this vulnerability to
> execute arbitrary code under the context of the process.
>
> -- Vendor Response:
> Apple has issued an update to correct this vulnerability. More details can
> be found at:
> http://support.apple.com/kb/HT1222
>
> -- Disclosure Timeline:
> 2011-11-29 - Vulnerability reported to vendor
> 2012-11-15 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
> * aazubel
> [SNIP]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
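The validation the advisory says was missing, shown in an added example that is constructed here and is not Apple's code or the advisory's: a byte-swap routine over a message whose object table carries peer-supplied offsets and lengths, with every descriptor checked against the allocated region before any swap is performed. The message layout, the `obj_desc` type and the field names are assumptions; only the `objOffset` name and the unchecked-offset failure mode come from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout (an assumption, not the real sComProxyData): the
 * message body is a buffer of 'size' bytes, and an object table of
 * (objOffset, objLen) pairs names runs of 4-byte values inside that buffer
 * which must be byte-swapped when the peer's endianness differs. */
struct obj_desc { uint32_t objOffset; uint32_t objLen; };

enum { SWAP_OK = 0, SWAP_BAD_OFFSET = -1, SWAP_BAD_LEN = -2 };

static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Reject any object whose [objOffset, objOffset + objLen) is not wholly
 * inside the buffer. The end is computed in 64 bits so a huge objLen cannot
 * wrap the 32-bit addition back below 'size' and slip past the check. */
int check_obj(const struct obj_desc *d, size_t size) {
    uint64_t end = (uint64_t)d->objOffset + d->objLen;
    if (d->objOffset >= size || end > size) return SWAP_BAD_OFFSET;
    if (d->objLen % sizeof(uint32_t) != 0) return SWAP_BAD_LEN;
    return SWAP_OK;
}

/* Swap every described object in place. All descriptors are validated
 * before the first write, so a message is either swapped completely or
 * left untouched; the first error found is returned. */
int swap_objects(uint8_t *buf, size_t size,
                 const struct obj_desc *objs, size_t nobjs) {
    for (size_t i = 0; i < nobjs; i++) {
        int rc = check_obj(&objs[i], size);
        if (rc != SWAP_OK) return rc;
    }
    for (size_t i = 0; i < nobjs; i++) {
        /* objOffset + objLen cannot overflow here: check_obj bounded it. */
        uint32_t end = objs[i].objOffset + objs[i].objLen;
        for (uint32_t off = objs[i].objOffset; off < end; off += 4) {
            uint32_t v;
            memcpy(&v, buf + off, sizeof v);   /* memcpy: no alignment assumption */
            v = bswap32(v);
            memcpy(buf + off, &v, sizeof v);
        }
    }
    return SWAP_OK;
}
```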