Bugtraq
OSX client is also vulnerable.... and exploitable.

-KF

On May 29, 2007, at 7:26 AM, NGSSoftware Insight Security Research wrote:

> =======
> Summary
> =======
> Name: Mac OS X vpnd local format string
> Release Date: 29 May 2007
> Reference: NGS00496
> Discover: Chris Anley <chris@ngssoftware.com>
> Vendor: Apple
> Vendor Reference: 26417237
> CVE-ID: CVE-2007-0753
> Systems Affected: OS X Server 10.4.9 and prior
> Risk: High
> Status: Published
>
> ========
> TimeLine
> ========
> Discovered: 15 March 2007
> Reported: 19 March 2007
> Fixed: 24 May 2007
> Published: 29 May 2007
>
> ===========
> Description
> ===========
> The 'vpnd' command shipped with OS X runs setuid root, and is vulnerable
> to a format string attack.
>
> =================
> Technical Details
> =================
> The vpnd command, when run with the '-i' parameter, is vulnerable to a
> format string attack. The command is setuid root, and is world-executable.
>
> This allows any local user to execute arbitrary code as root, though the
> vulnerable code is only accessible by default on server versions of OS X.
> It is possible for a client version of OS X to be configured in a
> vulnerable manner, though this requires extensive configuration changes
> and is unlikely to happen by accident.
>
> Demonstration:
>
> Apple:~ shellcoders$ sw_vers
> ProductName: Mac OS X Server
> ProductVersion: 10.4.9
> BuildVersion: 8P135
> Apple:~ shellcoders$ vpnd -n -i _ABCD_%268\$x
> 2007-03-15 17:07:07 GMT Server '_ABCD_%268$x' starting...
> 2007-03-15 17:07:07 GMT Server ID '_ABCD_41424344' invalid
> 2007-03-15 17:07:07 GMT Error processing prefs file
>
>
> (gdb) bt
> #0 0x90011cb8 in __vfprintf ()
> #1 0x9002a90c in vsnprintf ()
> #2 0x9002a41c in vsyslog ()
> #3 0x00003150 in vpnlog ()
> #4 0x00004b80 in process_prefs ()
> #5 0x000028d4 in main ()
>
> The source code for vpnd is available from the Apple Darwin source code
> download site. The relevant code is in the ppp package. The code is
> distributed under the Apple Public Source License, available at
> http://www.opensource.apple.com/apsl/
>
> The bug occurs in the process_prefs() function in vpnoptions.c.
>
> The user-specified server name is passed into the snprintf() function as
> data, and the resulting string is then passed to the vpnlog() function,
> as the format_str parameter. Although the server name is limited to 64
> characters (with '%.64s') it is still straightforward to exploit the
> bug, and NGS have written a reliable exploit.
>
> ===============
> Fix Information
> ===============
> This issue was fixed by Apple in Security Update 2007-005, released on
> the 24th May 2007. NGS would like to thank the Apple Security Team for
> their professional and prompt response to this issue.
>
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com/
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
>
> --
> E-MAIL DISCLAIMER
>
> The information contained in this email and any subsequent
> correspondence is private, is solely for the intended recipient(s) and
> may contain confidential or privileged information. For those other than
> the intended recipient(s), any disclosure, copying, distribution, or any
> other action taken, or omitted to be taken, in reliance on such
> information is prohibited and may be unlawful. If you are not the
> intended recipient and have received this message in error, please
> inform the sender and delete this mail and any attachments.
>
> The views expressed in this email do not necessarily reflect NGS policy.
> NGS accepts no liability or responsibility for any onward transmission
> or use of emails and attachments having left the NGS domain.
>
> NGS and NGSSoftware are trading names of Next Generation Security
> Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
> 4BF with Company Number 04225835 and VAT Number 783096402
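The bug shape the advisory describes is a two-step one: the server name is first formatted into a buffer as data (through `%.64s`), and that buffer is then handed to `vpnlog()` as the format string, which forwards it to `vsyslog()`. The `41424344` in the advisory's output is the `ABCD` bytes of the probe itself, read back off the stack by the `%268$x` directive. The following is an added example, not Apple's vpnd source and not code from the advisory; all function names (`server_starting_unsafe`, `server_starting_safe`, `count_format_directives`) are hypothetical. Because a `%268$x` probe reads an unspecified stack slot and is undefined behaviour, the example uses a `%%` in the server name to show, deterministically, that the vulnerable path interprets the name as a format while the fixed path does not, and it adds the pre-check a practitioner would want: counting conversion directives in untrusted text before it can reach any `printf`-family format parameter.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the vpnd source. Stands in for vpnlog() -> vsyslog():
   whatever arrives in 'fmt' is interpreted as a printf format. */
static void vlog_sink(char *out, size_t n, const char *fmt, va_list ap)
{
    vsnprintf(out, n, fmt, ap);
}

static void log_as_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vlog_sink(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (hypothetical name): the server name is formatted into
   'msg' as data, limited to 64 characters, and 'msg' is then passed as the
   format string. Any '%' the user put in the name is now a directive. */
void server_starting_unsafe(const char *name, char *out, size_t n)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Server '%.64s' starting...", name);
    log_as_format(out, n, msg);           /* attacker-influenced format */
}

/* Fixed shape (hypothetical name): the assembled message is passed as an
   argument to a constant "%s" format, so its contents are never parsed. */
void server_starting_safe(const char *name, char *out, size_t n)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Server '%.64s' starting...", name);
    log_as_format(out, n, "%s", msg);      /* constant format, data stays data */
}

/* Pre-check for untrusted text that might reach a format parameter:
   counts conversion directives, treating "%%" as a literal percent.
   Any non-zero result on user input is a red flag. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                 /* "%%" is a literal '%' */
            p++;
            continue;
        }
        count++;                           /* "%x", "%268$x", "%n", ... */
    }
    return count;
}

int main(void)
{
    char out[128];

    server_starting_unsafe("50%%", out, sizeof out);
    printf("unsafe: %s\n", out);           /* the "%%" collapses to "%" */

    server_starting_safe("50%%", out, sizeof out);
    printf("safe:   %s\n", out);           /* the "%%" is preserved verbatim */

    printf("directives in probe: %d\n",
           count_format_directives("_ABCD_%268$x"));
    return 0;
}
```

The `%.64s` limit from the advisory is reproduced in both variants; it bounds the length of the name, not what the name can contain, which is why it does not mitigate the bug. The fix is the constant-format idiom in `server_starting_safe`, the same change a compiler's `-Wformat-security` warning points at when a non-literal format is passed with no arguments.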