Apple Mac OS X contains a buffer overflow in vpnd that could allow a local, authenticated attacker to execute arbitrary code with root privileges.
Mac OS X includes a VPN server called vpnd, which is installed setuid root by default. vpnd fails to validate the length of the Server_id parameter. The Server_id setting may be configured from the command line by using the -i option. Server_id is referenced by the com.apple.RemoteAccessServers.plist file in the /Library/Preferences/SystemConfiguration directory to load the appropriate configuration file. Using a specially crafted Server_id parameter, an authenticated local attacker could execute arbitrary code with the privileges of the vpnd process.
Note that com.apple.RemoteAccessServers.plist is only present by default on Mac OS X Server. On a standard Mac OS X install, the file must be created manually or by using the graphical network configuration tools.
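The missing check described above, a length validation on a command-line identifier before it is copied into a fixed-size buffer, can be written as follows. This is an added example, not Apple's code or the actual fix; the function name `set_server_id`, the 64-byte limit, the character allow-list and the sample value are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this sketch; the advisory does not give vpnd's buffer size. */
#define SERVER_ID_MAX 64

/*
 * Validate an untrusted -i value and copy it into a fixed-size buffer.
 * Returns 0 on success, -1 with errno set on rejection. dst is untouched on
 * failure: an oversized value is refused, never silently truncated, so it
 * cannot end up selecting a different configuration entry.
 */
int set_server_id(char *dst, size_t dstlen, const char *arg)
{
    const char *end;
    size_t n, i;

    if (dst == NULL || dstlen == 0 || arg == NULL) { errno = EINVAL; return -1; }

    /* Look for the terminator within the first dstlen bytes only. */
    end = memchr(arg, '\0', dstlen);
    if (end == NULL) { errno = ENAMETOOLONG; return -1; }  /* would not fit with its NUL */
    n = (size_t)(end - arg);
    if (n == 0) { errno = EINVAL; return -1; }

    /* Conservative character allow-list (an assumption of this sketch). */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') { errno = EINVAL; return -1; }
    }
    memcpy(dst, arg, n + 1);  /* n + 1 <= dstlen is guaranteed here */
    return 0;
}

int main(int argc, char **argv)
{
    char server_id[SERVER_ID_MAX];
    const char *arg = argc > 1 ? argv[1] : "example.server.id";  /* constructed sample */

    if (set_server_id(server_id, sizeof server_id, arg) != 0) {
        perror("Server_id rejected");
        return 1;
    }
    printf("Server_id accepted: %s\n", server_id);
    return 0;
}
```

In a setuid root program this validation belongs before any other use of the argument, and the caller should exit on failure.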
A local, authenticated attacker could execute arbitrary code with root privileges.
Apply a patch
This vulnerability was reported by Jason Aras.
Date First Published: 2005-05-16
Date Last Updated: 2005-05-24 13:37 UTC