Apple iSync mRouter Local Command Line Argument Buffer Overflow Vulnerability

Bugtraq ID:	12334
Class:	Boundary Condition Error
CVE:	CVE-2005-0193
Remote:	No
Local:	Yes
Published:	Jan 22 2005 12:00AM
Updated:	Jul 12 2009 10:06AM
Credit:	Braden Thomas <[email protected]> discovered this vulnerability. <[email protected]> created the proof of concept exploit.
Vulnerable:	Apple iSync 1.5
Not Vulnerable:

Apple iSync mRouter Local Command Line Argument Buffer Overflow Vulnerability

iSync's 'mRouter' binary is reportedly susceptible to a local command line argument buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied input data prior to copying it into an insufficiently sized memory buffer.

The 'mRouter' binary is installed by default with setuid superuser permissions. This vulnerability allows users with local interactive access to a computer with the affected application installed to gain superuser privileges.

Apple iSync mRouter Local Command Line Argument Buffer Overflow Vulnerability

A proof of concept exploit is provided:

• /data/vulnerabilities/exploits/fm-iSink.c

Apple iSync mRouter Local Command Line Argument Buffer Overflow Vulnerability

Solution:
Apple has released an advisory (APPLE-SA-2005-04-19) and an update to address this vulnerability.


Apple iSync 1.5

• Apple SecUpd2005-004Pan.dmg
  http://www.apple.com/support/downloads/securityupdate2005004.html

Apple iSync mRouter Local Command Line Argument Buffer Overflow Vulnerability

References:

• iSync Home Page (Apple)
  
• Mac OS X 10.3 iSync Privilege Escalation (Braden Thomas )