CVE-2005-1343
CVSS 7.2
Published: 2005-05-03 00:00:00
Revised: 2008-09-05 16:48:53

[Original] Stack-based buffer overflow in the VPN daemon (vpnd) for Mac OS X before 10.3.9 allows local users to execute arbitrary code via a long -i (Server_id) argument.


[CNNVD] Apple Mac OS X vpnd Server_id Buffer Overflow Vulnerability (CNNVD-200505-868)

        Apple Mac OS X is the operating system for Apple's Macintosh computers, based on BSD.
        The vpnd daemon in Apple Mac OS X contains a buffer overflow in its handling of the Server_id argument; a local attacker who exploits it may execute arbitrary code.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x:10.3.9    Apple Mac OS X 10.3.9
cpe:/o:apple:mac_os_x_server:10.3.9    Apple Mac OS X Server 10.3.9

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1343
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1343
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-868
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA05-136A.html
(UNKNOWN)  CERT  TA05-136A
http://www.kb.cert.org/vuls/id/706838
(UNKNOWN)  CERT-VN  VU#706838
http://lists.apple.com/archives/security-announce/2005/May/msg00001.html
(PATCH)  APPLE  APPLE-SA-2005-05-03
http://lists.apple.com/archives/security-announce/2005/Jun/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-06-08

- Vulnerability information

Apple Mac OS X vpnd Server_id Buffer Overflow Vulnerability
High  Buffer overflow
Published: 2005-05-03 00:00:00  Updated: 2005-10-20 00:00:00
Local
        Apple Mac OS X is the operating system for Apple's Macintosh computers, based on BSD.
        The vpnd daemon in Apple Mac OS X contains a buffer overflow in its handling of the Server_id argument; a local attacker who exploits it may execute arbitrary code.

- Advisories and patches

        The vendor has released an update that fixes this issue; download it from the vendor's site:
        Apple Mac OS X 10.3.9:
        http://www.apple.com/support/downloads/securityupdate2005005client.html
        http://www.apple.com/support/downloads/securityupdate2005005server.html

- Vulnerability information (F39081)

vpndMac.txt (PacketStormID:F39081)
2005-08-06 00:00:00
Pieter de Boer  
advisory,overflow
apple
CVE-2005-1343

vpnd on Mac OSX versions 10.3.9 and below suffers from a stack buffer overflow.

Local root vulnerability in vpnd on MacOS X <= 10.3.9
-----------------------------------------------------

Overview
--------

There exists a local root exploitable stack based buffer overflow in the
VPN daemon shipping with MacOS X. This bug can be easily exploited to
gain root access.
This vulnerability has CVE ID CAN-2005-1343.


Exploitation
------------

The overflow can only be exploited on a system having vpnd configured as
a server. The following shows a NON-exploitable vpnd installation:

host:/tmp root# vpnd -i bla
2005-05-04 15:12:54 CEST        VPND: could not get servers dictionary
2005-05-04 15:12:54 CEST        VPND: error processing prefs file

This is due to the non-existence of
/var/db/SystemConfiguration/com.apple.RemoteAccessServers.plist.


Anyway, on an exploitable system you'd get:

host:/tmp root# vpnd -i `perl -e 'print "A"x600'`
2005-05-04 15:16:41 CEST        VPND: Server ID 'AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
invalid
Segmentation fault


The crashlog /Library/Logs/CrashReporter/vpnd.crash.log shows:

OS Version:     10.3.7 (Build 7S215)
Report Version: 2
Command: vpnd
Path:    /usr/sbin/vpnd
Version: ??? (???)
PID:     12690
Thread:  0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x41414140

Thread 0 Crashed:

PPC Thread State:
  srr0: 0x41414140 srr1: 0x4200f030                vrsave: 0x00000000
    cr: 0x24000242  xer: 0x00000004   lr: 0x41414141  ctr: 0x900010a0
    r0: 0x41414141   r1: 0xbffffbf0   r2: 0xa0192b50   r3: 0xffffffff
    r4: 0x00300950   r5: 0x00402004   r6: 0x00402004   r7: 0x00000001
    r8: 0x0000000f   r9: 0xa00011ac  r10: 0x00000013  r11: 0x44000244
   r12: 0x900010a0  r13: 0x00000000  r14: 0x00000000  r15: 0x00000000
   r16: 0x00000000  r17: 0x00000000  r18: 0x00000000  r19: 0x00000000
   r20: 0x00000000  r21: 0x00000000  r22: 0x00000000  r23: 0x00000000
   r24: 0x00000000  r25: 0x00000000  r26: 0xbffffce4  r27: 0x00000014
   r28: 0x41414141  r29: 0x41414141  r30: 0x41414141  r31: 0x41414141


Fix
---

Apply Security Update 2005-005 (which fixes quite a few other bugs,
too), remove the suid bit or remove the above mentioned config file.
More information about said security update can be found at:
http://docs.info.apple.com/article.html?artnum=301528

-- 
Pieter de Boer
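The advisory above shows the symptom (a 600-byte Server_id, then a crash with lr and r28..r31 all set to 0x41414141) but not the code. The block below is an added illustration written for this page, not Apple's vpnd source, which the page does not contain: it reconstructs the assumed shape of the bug (an unbounded copy of the -i argument into a fixed-size stack buffer) next to a bounded replacement that rejects an overlong Server_id instead of overflowing. The buffer size SERVER_ID_MAX, the function names and the sample value "vpn-gw" are assumptions made for the example; the real buffer size in vpnd is not stated anywhere on this page.

```c
/* Added illustration, not Apple's vpnd source (which this page does not
 * contain): the bug class in the advisory above, an unbounded copy of the
 * "-i <Server_id>" argument into a fixed-size stack buffer, next to a
 * bounded replacement. SERVER_ID_MAX is an assumed size; the real buffer
 * size in vpnd is not stated on this page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SERVER_ID_MAX 64   /* assumed: 63 bytes of Server_id plus the NUL */

/* Vulnerable shape (assumed reconstruction). With no length check, an
 * argument of 600 'A's runs past server_id into the saved non-volatile
 * registers and the saved link register, which is why the crash log shows
 * r28..r31 = 0x41414141 and lr = 0x41414141: the function epilogue restores
 * them from the overwritten stack, and the return branches to 0x41414140
 * (PowerPC ignores the low two bits of a branch target). Kept here for
 * contrast only; never call it with anything but a short constant. */
static void set_server_id_unsafe(const char *arg)
{
    char server_id[SERVER_ID_MAX];
    strcpy(server_id, arg);                  /* no bound on strlen(arg) */
    printf("Server ID '%s' (unsafe copy)\n", server_id);
}

/* Bounded replacement. Copies arg into out (outlen bytes, NUL-terminated)
 * and returns 0, or returns -1 with out emptied when arg is NULL, empty,
 * or does not fit. The length scan is itself bounded, so no byte beyond
 * outlen is read before the accept/reject decision is made. */
int copy_server_id(const char *arg, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (arg == NULL)
        return -1;

    size_t n = 0;
    while (n < outlen && arg[n] != '\0')
        n++;
    if (n == 0 || n == outlen)               /* empty, or no room for the NUL */
        return -1;

    memcpy(out, arg, n + 1);                 /* n bytes plus the terminator */
    return 0;
}

/* 1 if arg would be accepted as a Server_id by the bounded parser, else 0. */
int server_id_accepted(const char *arg)
{
    char server_id[SERVER_ID_MAX];
    return copy_server_id(arg, server_id, sizeof server_id) == 0;
}

/* Builds a run of len 'A' bytes, the same input as the advisory's
 * perl -e 'print "A"x600', and reports whether the bounded parser takes it.
 * Returns 1 accepted, 0 rejected, -1 on allocation failure. */
int long_id_accepted(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return -1;
    memset(p, 'A', len);
    p[len] = '\0';
    int r = server_id_accepted(p);
    free(p);
    return r;
}

int main(int argc, char **argv)
{
    /* Mimic the "-i <Server_id>" option: take it from argv when given,
     * otherwise use a constructed example value. */
    const char *id = (argc > 2 && strcmp(argv[1], "-i") == 0) ? argv[2] : "vpn-gw";

    set_server_id_unsafe("vpn-gw");          /* short constant only */

    char server_id[SERVER_ID_MAX];
    if (copy_server_id(id, server_id, sizeof server_id) == 0)
        printf("Server ID '%s' accepted\n", server_id);
    else
        printf("Server ID rejected: missing, empty, or longer than %d bytes\n",
               SERVER_ID_MAX - 1);

    printf("600 x 'A' accepted by bounded parser: %d\n", long_id_accepted(600));
    return 0;
}
```

Run it as ./a.out -i "$(perl -e 'print "A"x600')" to feed the advisory's input through the bounded path: the 600-byte value is rejected before any copy happens, whereas the unsafe variant would overwrite the frame exactly as the crash log shows. The fix is the length check at the parse boundary; a setuid daemon that takes its server identifier from the command line has to treat that argument as attacker-controlled.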
    

- Vulnerability information

16085
Apple Mac OS X vpnd Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

A local overflow exists in Mac OS X when configured as a VPN server. vpnd fails to validate user-supplied input to the Server_id parameter resulting in a buffer overflow. With a specially crafted request, a malicious user can execute arbitrary code resulting in a loss of integrity.

- Timeline

2005-05-03 Unknown
2005-05-04 2005-06-09

- Solution

Apple has released a patch (Security Update 2005-005, announced in APPLE-SA-2005-05-03) that addresses this vulnerability. Until it is applied, the original advisory above gives two workarounds: remove the setuid bit from /usr/sbin/vpnd, or remove /var/db/SystemConfiguration/com.apple.RemoteAccessServers.plist so that vpnd is no longer configured as a server, since the overflow is only reachable in server mode.

- References

- Vulnerability author

- Vulnerability information

Apple Mac OS X VPND Local Buffer Overflow Vulnerability
Class: Boundary Condition Error  BID: 13488
Remote: No  Local: Yes
Published: 2005-05-03 12:00:00  Updated: 2009-07-12 02:06:00
Discovery is credited to Pieter de Boer <pieter@os3.nl>. This issue may have been independently discovered by Jason Aras as well.

- Affected program versions

Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3

- Discussion

Apple Mac OS X vpnd is prone to a local buffer overflow vulnerability.

The vulnerability presents itself when the application handles excessive string values supplied through the '-i' command line parameter.

An attacker can gain superuser privileges by exploiting this issue.

This issue was initially reported in BID 13480 (Apple Mac OS X Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a new BID.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Apple has released security advisory APPLE-SA-2005-06-08 along with fixes dealing with this issue for Mac OS X 10.4.1. Please see the referenced advisory for more information.

Apple has released advisory (APPLE-SA-2005-05-03) to address this and other issues. Please see the referenced advisory for more information.


Apple Mac OS X 10.3.9

Apple Mac OS X Server 10.3.9

Apple Mac OS X Server 10.4.1

Apple Mac OS X 10.4.1

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.