Vulnerability Note VU#706838
Apple Mac OS X vulnerable to buffer overflow via vpnd daemon
Overview
Apple Mac OS X contains a buffer overflow in vpnd that could allow a local, authenticated attacker to execute arbitrary code with root privileges.
Description
Mac OS X includes a VPN server called vpnd, which is installed setuid root by default. vpnd fails to validate the length of the Server_id parameter. The Server_id setting may be configured from the command line by using the -i option. Server_id is referenced by the com.apple.RemoteAccessServers.plist file in the /Library/Preferences/SystemConfiguration directory to load the appropriate configuration file. Using a specially crafted Server_id parameter, an authenticated local attacker could execute arbitrary code with privileges of the vpnd process. Note that com.apple.RemoteAccessServers.plist is only present by default on Mac OS X Server. On a standard Mac OS X install, the file must be created manually or by using the graphical network configuration tools.
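The length check that the Description says is missing, shown as an added C example; this is not Apple's vpnd source. SERVER_ID_MAX and the function names are assumptions, since the advisory gives neither the real buffer size nor the code.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity for this sketch; the advisory does not give vpnd's real buffer size. */
#define SERVER_ID_MAX 64

enum sid_status { SID_OK = 0, SID_MISSING, SID_TOO_LONG };

/* Copy an untrusted Server_id into dst only if it fits, terminator included.
 * The overflow pattern is an unchecked strcpy(dst, arg) into a fixed buffer. */
enum sid_status copy_server_id(char *dst, size_t dstlen, const char *arg)
{
    size_t n = 0;

    if (dst == NULL || dstlen == 0)
        return SID_TOO_LONG;
    dst[0] = '\0';                        /* never hand back stale contents */
    if (arg == NULL || arg[0] == '\0')
        return SID_MISSING;
    while (n < dstlen && arg[n] != '\0')  /* bounded scan, stops at dstlen */
        n++;
    if (n == dstlen)
        return SID_TOO_LONG;              /* reject; a truncated id could match another entry */
    memcpy(dst, arg, n + 1);              /* n + 1 <= dstlen, copies the NUL too */
    return SID_OK;
}

/* Find "-i <id>" in argv (hypothetical stand-in for the daemon's option parsing). */
enum sid_status server_id_from_argv(int argc, char *const argv[], char *dst, size_t dstlen)
{
    int i;

    for (i = 1; i < argc; i++)
        if (strcmp(argv[i], "-i") == 0)
            return copy_server_id(dst, dstlen, i + 1 < argc ? argv[i + 1] : NULL);
    if (dst != NULL && dstlen > 0)
        dst[0] = '\0';
    return SID_MISSING;
}

int main(int argc, char **argv)
{
    char server_id[SERVER_ID_MAX];
    enum sid_status st = server_id_from_argv(argc, argv, server_id, sizeof server_id);

    if (st != SID_OK) {
        fprintf(stderr, "rejected -i argument (status %d)\n", (int)st);
        return 1;
    }
    printf("Server_id: %s\n", server_id);
    return 0;
}
```

Because the binary is setuid root, the check has to run before the argument is copied anywhere, and an over-long value is refused outright rather than truncated.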
Impact
A local, authenticated attacker could execute arbitrary code with root privileges.
Solution
Apply a patch
Systems Affected
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Apple Computer Inc. | Affected | - | 17 May 2005 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- http://docs.info.apple.com/article.html?artnum=301528
- http://secunia.com/advisories/15227/
- http://www.idefense.com/application/poi/display?id=240&type=vulnerabilities
- http://www.securityfocus.org/bid/13488
- http://www.securitytracker.com/alerts/2005/May/1013887.html
- http://www.osvdb.org/displayvuln.php?osvdb_id=16085
Credit
This vulnerability was reported by Jason Aras.
This document was written by Will Dormann, based on the information provided in the iDEFENSE Security Advisory 05.04.05.
Other Information
- CVE IDs: CAN-2005-1343
- Date Public: 03 May 2005
- Date First Published: 16 May 2005
- Date Last Updated: 24 May 2005
- Severity Metric: 9.38
- Document Revision: 13