=======
Summary
=======
Name: Mac OS X vpnd local format string
Release Date: 29 May 2007
Reference: NGS00496
Discover: Chris Anley <chris@xxxxxxxxxxxxxxx>
Vendor: Apple
Vendor Reference: 26417237
CVE-ID: CVE-2007-0753
Systems Affected: OS X Server 10.4.9 and prior
Risk: High
Status: Published
========
TimeLine
========
Discovered: 15 March 2007
Reported: 19 March 2007
Fixed: 24 May 2007
Published: 29 May 2007
===========
Description
===========
The 'vpnd' command shipped with OS X runs setuid root, and is vulnerable
to a format string attack.
=================
Technical Details
=================
The vpnd command, when run with the '-i' parameter, is vulnerable to a
format string attack. The command is setuid root, and is
world-executable. This allows any local user to execute arbitrary code
as root, though the vulnerable code is only accessible by default on
server versions of OS X. It is possible for a client version of OS X to
be configured in a vulnerable manner, though this requires extensive
configuration changes and is unlikely to happen by accident.
Demonstration:
Apple:~ shellcoders$ sw_vers
ProductName: Mac OS X Server
ProductVersion: 10.4.9
BuildVersion: 8P135
Apple:~ shellcoders$ vpnd -n -i _ABCD_%268\$x
2007-03-15 17:07:07 GMT Server '_ABCD_%268$x' starting...
2007-03-15 17:07:07 GMT Server ID '_ABCD_41424344' invalid
2007-03-15 17:07:07 GMT Error processing prefs file
(gdb) bt
#0 0x90011cb8 in __vfprintf ()
#1 0x9002a90c in vsnprintf ()
#2 0x9002a41c in vsyslog ()
#3 0x00003150 in vpnlog ()
#4 0x00004b80 in process_prefs ()
#5 0x000028d4 in main ()
The source code for vpnd is available from the Apple Darwin source code
download site. The relevant code is in the ppp package. The code is
distributed under the Apple Public Source License, available at
http://www.opensource.apple.com/apsl/

The bug occurs in the process_prefs() function in vpnoptions.c. The
user-specified server name is passed into the snprintf() function as
data, and the resulting string is then passed to the vpnlog() function,
as the format_str parameter. Although the server name is limited to 64
characters (with '%.64s') it is still straightforward to exploit the
bug, and NGS have written a reliable exploit.
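
The two-pass formatting pattern described above, next to a form that keeps the name as data, as an added example (not Apple's code or patch, and not from NGS). log_msg(), report_unsafe() and report_safe() are hypothetical names, the message text follows the log line in the demonstration, and the input uses only "%%", which consumes no arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog output so the logged text can be inspected. */
static char last_log[256];

/* Hypothetical stand-in for vpnlog(): the first argument is a format string. */
static void log_msg(const char *format_str, ...)
{
    va_list ap;
    va_start(ap, format_str);
    vsnprintf(last_log, sizeof last_log, format_str, ap);
    va_end(ap);
}

/* Pattern the advisory describes: the name is formatted as data into a
   buffer, and that buffer is then handed over as the format string. */
const char *report_unsafe(const char *server_id)
{
    char text[256];
    snprintf(text, sizeof text, "Server ID '%.64s' invalid", server_id);
    log_msg(text); /* second formatting pass: '%' in server_id is a directive */
    return last_log;
}

/* Assumed correction: constant format string, name passed only as an argument. */
const char *report_safe(const char *server_id)
{
    log_msg("Server ID '%.64s' invalid", server_id);
    return last_log;
}

int main(void)
{
    char first[256];
    /* Constructed input: "%%" is a directive that consumes no argument. */
    snprintf(first, sizeof first, "%s", report_unsafe("srv%%"));
    printf("unsafe: %s\n", first);
    printf("safe:   %s\n", report_safe("srv%%"));
    printf("differ: %d\n", strcmp(first, last_log) != 0);
    return 0;
}
```

The unsafe path logs a single '%' because the name was interpreted a second time; the safe path logs the name byte for byte.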
===============
Fix Information
===============
This issue was fixed by Apple in Security Update 2007-005, released on
the 24th May 2007. NGS would like to thank the Apple Security Team for
their professional and prompt response to this issue.
NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070