Apple Mac OS X SLP Daemon Service Registration Local Buffer Overflow Vulnerability

Bugtraq ID:	22101
Class:	Boundary Condition Error
CVE:	CVE-2007-0355
Remote:	No
Local:	Yes
Published:	Jan 17 2007 12:00AM
Updated:	Feb 12 2008 12:16AM
Credit:	LMH <lmh [at] info-pull.com> is credited with discovering this issue.
Vulnerable:	Apple Mac OS X Server 10.4.8 Apple Mac OS X 10.4.8
Not Vulnerable:	Apple Mac OS X Server 10.5.2 Apple Mac OS X 10.5.2

Apple Mac OS X SLP Daemon Service Registration Local Buffer Overflow Vulnerability

Apple Mac OS X SLP daemon is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying into an insufficiently sized memory buffer.

Successful exploits may cause arbitrary code to run superuser privileges. Failed exploit attempts will likely cause denial-of-service conditions.

Apple Mac OS X 10.4.8 is reported vulnerable; other versions may be affected as well.

Apple Mac OS X SLP Daemon Service Registration Local Buffer Overflow Vulnerability

The following proof of concept is available:

• /data/vulnerabilities/exploits/MOAB-17-01-2007.rb

Apple Mac OS X SLP Daemon Service Registration Local Buffer Overflow Vulnerability

Solution:
The vendor released an advisory and fixes to address this issue. Please see the references for more information.

Apple Mac OS X SLP Daemon Service Registration Local Buffer Overflow Vulnerability

References:

• Mac OS X Homepage (Apple)
  
• MOAB-17-01-2007: Apple SLP Daemon Service Registration Buffer Overflow Vulnerabi (LMH )
  
• About the security content of Mac OS X 10.5.2 and Security Update 2008-001 (Apple)