Apple Mac OS X VPND Local Format String Vulnerability
BID:24208
Info
| Bugtraq ID: | 24208 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-0753 |
| Remote: | No |
| Local: | Yes |
| Published: | May 29 2007 12:00AM |
| Updated: | May 30 2007 12:04AM |
| Credit: | Chris Anley of NGSSoftware is credited with discovery of this vulnerability. |
| Vulnerable: | Apple Mac OS X Server 10.4 through 10.4.9; 10.3 through 10.3.9; 10.2 through 10.2.8; 10.1 through 10.1.5; 10.0 |
| Not Vulnerable: | |
Discussion
Apple Mac OS X's VPN service daemon (vpnd) is prone to a format-string vulnerability: a user-supplied string, the server id given with the -i option, is passed to a formatted-printing function as the format string rather than as data, so any conversion specifiers it contains are interpreted.
A local attacker may exploit this issue to crash the daemon or to execute arbitrary code with superuser privileges. Successful exploits can result in a complete compromise of vulnerable computers.
Apple Mac OS X Server 10.4.9 and prior versions are vulnerable to this issue.
This issue was originally included in BID 24144 (Apple Mac OS X 2007-005 Multiple Security Vulnerabilities), but has been given its own record.
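Added example (not code from this page, from Apple or from the vpnd source): a logging wrapper that, like the bug described above, is handed the server id as its format, shown next to the fixed form that passes the id as a "%s" argument; a small parser for the positional "%<n>$<conv>" form the proof of concept relies on; and an input check that rejects untrusted strings carrying conversions. The names vpn_log, render, parse_positional and has_conversion and the inputs are assumptions made for the example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed logging wrapper: takes a format and variadic args, like the
 * function the vpnd bug sits behind.  It carries no format attribute, so
 * nothing warns when a caller hands it untrusted data as the format. */
static int vpn_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Renders a server id into a static buffer.  vulnerable != 0 reproduces
 * the bug class: the id *is* the format, so every '%' in it is interpreted
 * and the printf engine walks the stack for arguments that were never
 * passed.  vulnerable == 0 is the fix: a fixed "%s" format, id as data. */
const char *render(int vulnerable, const char *server_id)
{
    static char buf[256];
    if (vulnerable)
        vpn_log(buf, sizeof buf, server_id);          /* bug */
    else
        vpn_log(buf, sizeof buf, "%s", server_id);    /* fix */
    return buf;
}

/* Parses one positional conversion of the form "%<n>$<conv>", the form the
 * proof of concept uses ("%268$x" = print argument 268 as hex).  Returns the
 * 1-based argument index and stores the conversion character, or returns 0
 * if spec is not a positional conversion. */
unsigned parse_positional(const char *spec, char *conv)
{
    if (spec == NULL || spec[0] != '%' || !isdigit((unsigned char)spec[1]))
        return 0;
    char *end;
    unsigned long idx = strtoul(spec + 1, &end, 10);
    if (idx == 0 || *end != '$')
        return 0;
    end++;                                   /* skip '$' */
    if (*end == '\0' || strchr("diouxXeEfgGcspn", *end) == NULL)
        return 0;
    if (conv)
        *conv = *end;
    return (unsigned)idx;
}

/* Input check for the untrusted string: 1 if it carries any conversion
 * ("%%" is an escaped percent and does not count), else 0.  Usable as a
 * defence-in-depth rejection in the option parser; the real fix is the
 * fixed format in render(). */
int has_conversion(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }  /* literal percent */
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the PoC's own server id and a harmless one. */
    const char *poc = "_ABCD_%268$x";
    char conv;
    unsigned idx = parse_positional(strchr(poc, '%'), &conv);
    printf("PoC conversion: argument %u as '%c'\n", idx, conv);
    printf("has_conversion(poc)=%d  has_conversion(\"server01\")=%d\n",
           has_conversion(poc), has_conversion("server01"));
    /* Only the escaped form is safe to feed the vulnerable path here:
     * an unmatched conversion would read a nonexistent argument (UB). */
    printf("vulnerable: %s\n", render(1, "_ABCD_%%x"));
    printf("fixed:      %s\n", render(0, "_ABCD_%%x"));
    return 0;
}
```

The vulnerable path is driven only with "%%" so the program stays well defined; the fixed path returns the PoC string untouched because "%s" never interprets its argument. Compiling the wrapper with a printf format attribute and -Wformat-security is how a code base catches the bug pattern before it ships.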
Exploit / POC
The following proof of concept is available:
$ vpnd -n -i _ABCD_%268\$x
The string given with -i reaches the formatted-printing function as its format. %268$x is a positional conversion that prints the 268th argument as hexadecimal; since no such argument was passed, the value is read from the stack and echoed back, which is the usual first step in turning a format-string bug into a write primitive. The backslash only keeps the shell from expanding $x.
Solution / Fix
Solution:
The vendor has released a security advisory to address this issue. Please see the referenced advisory for details.
Apple Mac OS X Server 10.3.9
- Apple SecUpdSrvr2007-005Pan.dmg
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13993&cat=1&platform=osx&method=sa/SecUpdSrvr2007-005Pan.dmg
Apple Mac OS X Server 10.4.9
- See Apple Security Update 2007-005 (referenced below).
References
References:
- Apple Security Update 2007-005 (Apple)
- Mac OS X Homepage (Apple)
- Re: Mac OS X vpnd local format string (Kevin Finisterre)
- Mac OS X vpnd local format string (NGSSoftware Insight Security Research)