Vulnerability Note VU#354486

Apple Mac OS X Server NetInfo Setup Tool fails to validate command line parameters

Overview

Apple Mac OS X Server NeST tool contains a vulnerability in the processing of command line arguments that could allow an attacker to execute arbitrary code.

I. Description

NeST is the NetInfo Setup Tool for Apple Mac OS X Server. There is a buffer overflow vulnerability in the way NeST performs bounds checking on command line arguments. By supplying the -target command line parameter with an overly long string of characters, a local user could execute arbitrary code on the system with privileges of the NeST process.

Please note that NeST executes with root privileges.

II. Impact

A local user could execute arbitrary code with privileges of the NeST process, possibly root.

III. Solution

Apply Update

Apple has released Apple Security update 2005-005 to correct this issue.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Apple Computer Inc.	Vulnerable	13-May-2005

References

http://www.idefense.com/application/poi/display?id=239
http://secunia.com/advisories/15227/
http://docs.info.apple.com/article.html?artnum=301528

Credit

This vulnerability was reported by iDEFENSE Labs who acknowledges Nico for providing information concerning this vulnerability.

This document was written by Jeff Gennari.

Other Information

Date Public:	2005-05-03
Date First Published:	2005-05-16
Date Last Updated:	2005-05-17
CERT Advisory:
CVE-ID(s):	CAN-2005-0594
NVD-ID(s):	CAN-2005-0594
US-CERT Technical Alerts:
Metric:	10.69
Document Revision:	24

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader