[NEWS] Mac OS X pppd Format String Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 02/24/04

  • Next message: SecuriTeam: "[REVS] Practical SEH" 
    To: list@securiteam.com
Date: 24 Feb 2004 17:54:20 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Mac OS X pppd Format String Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The ppp daemon that comes installed by default in Mac OS X is vulnerable
    to a format string vulnerability. The vulnerability is in a function
    specific to pppd that does not allow for traditional exploitation
    (arbitrary data written to arbitrary memory locations) via %n. However, it
    is possible to read arbitrary data out of pppd's process. Under certain
    circumstances, it is also possible to 'steal' PAP/CHAP authentication
    credentials.

    DETAILS

    When pppd receives an invalid command line argument, it will eventually
    pass it as a format specifier to vslprintf(). This function is a custom
    replacement for vsnprintf(), and does contains a small subset of the
    format specifiers. ?The offending function is called option_error:

    void
    option_error __V((char *fmt, ...))
    {
        va_list args;
        char buf[256];

    #if defined(__STDC__)
        va_start(args, fmt);
    #else
        char *fmt;
        va_start(args);
        fmt = va_arg(args, char *);
    #endif
        vslprintf(buf, sizeof(buf), fmt, args);
        va_end(args);
        if (phase == PHASE_INITIALIZE)
            fprintf(stderr, "%s: %s\n", progname, buf);
    #ifdef __APPLE__
        error(buf);
    #else
        syslog(LOG_ERR, "%s", buf);
    #endif
    }

    As we can see, there is a specific Apple ifdef that will pass our buffer
    directly to error().

    By utilizing one of the techniques outlined in scut's paper, "Exploiting
    Format String Vulnerabilities", it may be possible to access PAP and/or
    CHAP credentials, if the OS X system is being used as a PPP server.

    Vendor Response:
    This is fixed in Security Update 2004-02-23 for Mac OS X 10.3.2 and Mac OS
    X 10.2.8. Information about Apple Security Updates may be found at
    <http://www.info.apple.com/> http://www.info.apple.com/.

    Recommendation:
    Install the vendor supplied upgrade.

    Common Vulnerabilities and Exposures (CVE) Information:
    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    following names to these issues. These are candidates for inclusion in the
    CVE list (http://cve.mitre.org), which standardizes names for security
    problems.

     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0165>
    CAN-2004-0165 Mac OS X pppd format string vulnerability.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:daveg@atstake.com> Dave G..

    The original article can be found at:
    <http://www.atstake.com/research/advisories/2004/a022304-1.txt>
    http://www.atstake.com/research/advisories/2004/a022304-1.txt.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[REVS] Practical SEH"

    Relevant Pages