SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#706838

Apple Mac OS X vulnerable to buffer overflow via vpnd daemon

Overview

Apple Mac OS X contains a buffer overflow in vpnd that could allow a local, authenticated attacker to execute arbitrary code with root privileges.

I. Description

Mac OS X includes a VPN server called vpnd, which is installed setuid root by default. vpnd fails to validate the length of the Server_id parameter. The Server_id setting may be configured from the command line by using the -i option. Server_id is referenced by the com.apple.RemoteAccessServers.plist file in the /Library/Preferences/SystemConfiguration directory to load the appropriate configuration file. Using a specially crafted Server_id parameter, an authenticated local attacker could execute arbitrary code with privileges of the vpnd process.

Note that com.apple.RemoteAccessServers.plist is only present by default on Mac OS X Server. On a standard Mac OS X install, the file must be created manually or by using the graphical network configuration tools.

II. Impact

A local, authenticated attacker could execute arbitrary code with root privileges.

III. Solution

Apply a patch

Apple advises all users to apply Apple Security Update 2005-005, which fixes this flaw and other critical security flaws.

Workarounds

Disallow non-root access to vpnd

Clear the execute bit of the vpnd binary for non-root users.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Vulnerable17-May-2005

References


http://docs.info.apple.com/article.html?artnum=301528
http://secunia.com/advisories/15227/
http://www.idefense.com/application/poi/display?id=240&type=vulnerabilities
http://www.securityfocus.org/bid/13488
http://www.securitytracker.com/alerts/2005/May/1013887.html
http://www.osvdb.org/displayvuln.php?osvdb_id=16085

Credit

This vulnerability was reported by Jason Aras.

This document was written by Will Dormann, based on the information provided in the iDEFENSE Security Advisory 05.04.05 .

Other Information

Date Public:2005-05-03
Date First Published:2005-05-16
Date Last Updated:2005-05-24
CERT Advisory: 
CVE-ID(s):CAN-2005-1343
NVD-ID(s):CAN-2005-1343
US-CERT Technical Alerts: 
Metric:9.38
Document Revision:13

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2005 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader