Vulnerability Note VU#706838

Apple Mac OS X vulnerable to buffer overflow via vpnd daemon

Original Release date: 16 May 2005 | Last revised: 24 May 2005

Overview

Apple Mac OS X contains a buffer overflow in vpnd that could allow a local, authenticated attacker to execute arbitrary code with root privileges.

Description

Mac OS X includes a VPN server called vpnd, which is installed setuid root by default. vpnd fails to validate the length of the Server_id parameter. The Server_id setting may be configured from the command line by using the -i option. Server_id is referenced by the com.apple.RemoteAccessServers.plist file in the /Library/Preferences/SystemConfiguration directory to load the appropriate configuration file. Using a specially crafted Server_id parameter, an authenticated local attacker could execute arbitrary code with privileges of the vpnd process.

Note that com.apple.RemoteAccessServers.plist is only present by default on Mac OS X Server. On a standard Mac OS X install, the file must be created manually or by using the graphical network configuration tools.

Impact

A local, authenticated attacker could execute arbitrary code with root privileges.

Solution

Apply a patch
Apple advises all users to apply Apple Security Update 2005-005, which fixes this flaw and other critical security flaws.

Workarounds

Disallow non-root access to vpnd

Clear the execute bit of the vpnd binary for non-root users.
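A shell script implementing this workaround, added here as an example and not part of the CERT note or of Apple's tooling. It assumes the binary is at /usr/sbin/vpnd (an assumption; override with VPND_PATH) and uses only POSIX find and chmod, so the same checks work from any Unix-like shell:

```shell
#!/bin/sh
# Added example, not from the CERT note or Apple: audit the vpnd binary and
# apply the note's workaround (remove execute permission for non-root users).
# The default path /usr/sbin/vpnd is an assumption; set VPND_PATH to override.

VPND_PATH="${VPND_PATH:-/usr/sbin/vpnd}"

# True when the setuid bit is set on the file (POSIX find; avoids the
# GNU/BSD stat option split).
is_setuid() {
    [ -n "$(find "$1" -perm -4000 -print 2>/dev/null)" ]
}

# True when group or others hold execute permission on the file.
executable_by_nonroot() {
    [ -n "$(find "$1" \( -perm -010 -o -perm -001 \) -print 2>/dev/null)" ]
}

# Workaround: strip group/other execute, then verify the change took effect.
# The setuid bit and the owner's permissions are left untouched.
restrict_to_root() {
    chmod go-x "$1" || return 1
    ! executable_by_nonroot "$1"
}

# Report the current exposure: a setuid binary that non-root users can run
# is the condition the note describes.
audit() {
    ls -ld "$1"
    if is_setuid "$1" && executable_by_nonroot "$1"; then
        echo "$1: setuid and executable by non-root users; workaround not applied"
        return 1
    fi
    echo "$1: not executable by non-root users (or not setuid)"
}

# Report only by default; pass --apply to change permissions (needs root).
if [ -e "$VPND_PATH" ]; then
    audit "$VPND_PATH" || true
    if [ "${1:-}" = "--apply" ]; then
        restrict_to_root "$VPND_PATH" && audit "$VPND_PATH"
    fi
fi
```

Run it without arguments to see whether the binary is still exposed, and with --apply as root to clear the execute bit for non-root users.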

Systems Affected

Vendor               Status    Date Notified  Date Updated
Apple Computer Inc.  Affected  -              17 May 2005

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was reported by Jason Aras.

This document was written by Will Dormann, based on the information provided in the iDEFENSE Security Advisory 05.04.05.

Other Information

  • CVE IDs: CAN-2005-1343
  • Date Public: 03 May 2005
  • Date First Published: 16 May 2005
  • Date Last Updated: 24 May 2005
  • Severity Metric: 9.38
  • Document Revision: 13