search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple Mac OS X vulnerable to buffer overflow via vpnd daemon

Vulnerability Note VU#706838

Original Release Date: 2005-05-16 | Last Revised: 2005-05-24

Overview

Apple Mac OS X contains a buffer overflow in vpnd that could allow a local, authenticated attacker to execute arbitrary code with root privileges.

Description

Mac OS X includes a VPN server called vpnd, which is installed setuid root by default. vpnd fails to validate the length of the Server_id parameter. The Server_id setting may be configured from the command line by using the -i option. Server_id is referenced by the com.apple.RemoteAccessServers.plist file in the /Library/Preferences/SystemConfiguration directory to load the appropriate configuration file. Using a specially crafted Server_id parameter, an authenticated local attacker could execute arbitrary code with privileges of the vpnd process.

Note that com.apple.RemoteAccessServers.plist is only present by default on Mac OS X Server. On a standard Mac OS X install, the file must be created manually or by using the graphical network configuration tools.

Impact

A local, authenticated attacker could execute arbitrary code with root privileges.

Solution

Apply a patch
Apple advises all users to apply Apple Security Update 2005-005, which fixes this flaw and other critical security flaws.


Workarounds

Disallow non-root access to vpnd

Clear the execute bit of the vpnd binary for non-root users.

Vendor Information

706838
 
Affected   Unknown   Unaffected

Apple Computer Inc.

Updated:  May 17, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Apple advises all users to apply Apple Security Update 2005-005.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported by Jason Aras.

This document was written by Will Dormann, based on the information provided in the iDEFENSE Security Advisory 05.04.05

Other Information

CVE IDs: CVE-2005-1343
Severity Metric: 9.38
Date Public: 2005-05-03
Date First Published: 2005-05-16
Date Last Updated: 2005-05-24 13:37 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.