Vulnerability Note VU#354486

Apple Mac OS X Server NetInfo Setup Tool fails to validate command line parameters

Original Release date: 16 May 2005 | Last revised: 17 May 2005

Overview

The Apple Mac OS X Server NeST tool contains a vulnerability in the processing of command line arguments that could allow an attacker to execute arbitrary code.

Description

NeST is the NetInfo Setup Tool for Apple Mac OS X Server. NeST does not adequately bounds-check its command line arguments, which results in a buffer overflow. By supplying the -target command line parameter with an overly long string of characters, a local user could execute arbitrary code on the system with the privileges of the NeST process.

Please note that NeST executes with root privileges.
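
The class of bug described above, as an added example that is not Apple's code and not part of the original note: a length-checked copy of a `-target` value that rejects oversized input instead of truncating or overflowing. The helper `get_target`, the `TARGET_MAX` limit and the return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_MAX 256  /* assumed limit for this sketch, not NeST's real buffer size */

/* Unsafe pattern for this bug class (shown only as a comment):
 *     char target[TARGET_MAX];
 *     strcpy(target, argv[i + 1]);    length is chosen by whoever runs the tool
 */

/* Hypothetical helper: copy the value following "-target" into dst.
 * Returns 0 on success, -1 if the option is absent or has no value,
 * -2 if the value does not fit (rejected, never truncated). */
int get_target(int argc, char *const argv[], char *dst, size_t dstsz)
{
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-target") != 0)
            continue;
        if (i + 1 >= argc)
            return -1;                      /* option given without a value */
        size_t len = strlen(argv[i + 1]);
        if (len >= dstsz)
            return -2;                      /* too long: fail closed */
        memcpy(dst, argv[i + 1], len + 1);  /* len + 1 copies the NUL too */
        return 0;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    char target[TARGET_MAX];
    int rc = get_target(argc, argv, target, sizeof target);
    if (rc != 0) {
        fprintf(stderr, "invalid or missing -target (rc=%d)\n", rc);
        return 1;
    }
    printf("target: %s\n", target);
    return 0;
}
```

For a tool that runs with root privileges, as this one does, the check belongs before any use of the argument, and an oversized value should end the run rather than be shortened to fit.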

Impact

A local user could execute arbitrary code with the privileges of the NeST process, possibly root.

Solution

Apply Update

Apple has released Apple Security Update 2005-005 to correct this issue.

Systems Affected

Vendor               Status    Date Notified  Date Updated
Apple Computer Inc.  Affected  -              13 May 2005

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was reported by iDEFENSE Labs, which acknowledges Nico for providing information concerning this vulnerability.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CAN-2005-0594
  • Date Public: 03 May 2005
  • Date First Published: 16 May 2005
  • Date Last Updated: 17 May 2005
  • Severity Metric: 10.69
  • Document Revision: 24
