======= Summary ======= Name: Mac OS X vpnd local format string Release Date: 29 May 2007 Reference: NGS00496 Discover: Chris Anley <chris@xxxxxxxxxxxxxxx> Vendor: Apple Vendor Reference: 26417237 CVE-ID: CVE-2007-0753 Systems Affected: OS X Server 10.4.9 and prior Risk: High Status: Published ======== TimeLine ======== Discovered: 15 March 2007 Reported: 19 March 2007 Fixed: 24 May 2007 Published: 29 May 2007 =========== Description =========== The 'vpnd' command shipped with OS X runs setuid root, and is vulnerable to a format string attack. ================= Technical Details ================= The vpnd command, when run with the '-i' parameter, is vulnerable to a format string attack. The command is setuid root, and is world-executable. This allows any local user to execute arbitrary code as root, though the vulnerable code is only accessible by default on server versions of OS X. It is possible for a client version of OS X to be configured in a vulnerable manner, though this requires extensive configuration changes and is unlikely to happen by accident. Demonstration: Apple:~ shellcoders$ sw_vers ProductName: Mac OS X Server ProductVersion: 10.4.9 BuildVersion: 8P135 Apple:~ shellcoders$ vpnd -n -i _ABCD_%268\$x 2007-03-15 17:07:07 GMT Server '_ABCD_%268$x' starting... 2007-03-15 17:07:07 GMT Server ID '_ABCD_41424344' invalid 2007-03-15 17:07:07 GMT Error processing prefs file (gdb) bt #0 0x90011cb8 in __vfprintf () #1 0x9002a90c in vsnprintf () #2 0x9002a41c in vsyslog () #3 0x00003150 in vpnlog () #4 0x00004b80 in process_prefs () #5 0x000028d4 in main () The source code for vpnd is available from the Apple Darwin source code download site. The relevant code is in the ppp package. The code is distributed under the Apple Public Source License, available at http://www.opensource.apple.com/apsl/ The bug occurs in the process_prefs() function in vpnoptions.c. The user-specified server name is passed into the snprintf() function as data, and the resulting string is then passed to the vpnlog() function, as the format_str parameter. Although the server name is limited to 64 characters (with '%.64s') it is still straightforward to exploit the bug, and NGS have written a reliable exploit. =============== Fix Information =============== This issue was fixed by Apple in Security Update 2007-005, released on the 24th May 2007. NGS would like to thank the Apple Security Team for their professional and prompt response to this issue. NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070 -- E-MAIL DISCLAIMER The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments. The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain. NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402
