[NEWS] AppleFileServer Remote Command Execution
From: SecuriTeam (support_at_securiteam.com)
Date: 05/04/04
To: list@securiteam.com Date: 4 May 2004 14:05:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
AppleFileServer Remote Command Execution
------------------------------------------------------------------------
SUMMARY
The AppleFileServer provides Apple Filing Protocol (AFP) services for both
Mac OS X and Mac OS X server. AFP is a protocol used to remotely mount
drives, similar to NFS or SMB/CIFS. There is a pre-authentication,
remotely exploitable stack buffer overflow that allows an attacker to
obtain administrative privileges and execute commands as root.
DETAILS
Vulnerable Systems:
* MacOS X version 10.3.3 and prior
The AppleFileServer provides Apple Filing Protocol (AFP) services for both
Mac OS X and Mac OS X server. AFP is a protocol used to remotely mount
drives, similar to NFS or SMB/CIFS. AFP is not enabled by default. It is
enabled through the Sharing Preferences section by selecting the 'Personal
File Sharing' checkbox.
There is a pre-authentication, remotely exploitable stack buffer overflow
that allows an attacker to obtain administrative privileges. The overflow
occurs when parsing the PathName argument from a LoginExt packet requesting
authentication using the Cleartext Password User Authentication Method
(UAM). The PathName argument is encoded as one byte specifying the string
type, two bytes specifying the string length, and finally the string
itself. A string of type AFPName (0x3) that is longer than the length
declared in the packet will overflow the fixed-size stack buffer.
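As an added illustration of the field layout described above (this is example code written for this page, not code from the advisory, from @stake or from Apple's server), the following C parser reads a PathName field and copies exactly the declared length, rejecting a declaration that does not fit the packet or the destination buffer. The buffer size, result codes and sample fields are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define AFP_NAME_TYPE 0x3   /* AFPName string type named in the advisory */
#define PATHNAME_BUF  32    /* hypothetical fixed-size destination buffer */

enum { PN_OK = 0, PN_TRUNCATED = -1, PN_TOO_LONG = -2, PN_BAD_TYPE = -3 };

/* PathName field: 1 byte type, 2 byte big-endian length, then the string.
 * `avail` is the number of bytes actually present from the field start.
 * Exactly `declared` bytes are copied, and only after that length is bounded
 * by both the packet and the destination; trailing bytes are never copied. */
int parse_pathname(const uint8_t *pkt, size_t avail,
                   char out[PATHNAME_BUF], size_t *out_len)
{
    if (avail < 3) return PN_TRUNCATED;
    uint8_t  type     = pkt[0];
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (type != AFP_NAME_TYPE)    return PN_BAD_TYPE;
    if (declared >= PATHNAME_BUF) return PN_TOO_LONG;   /* no room for string + NUL */
    if (avail - 3 < declared)     return PN_TRUNCATED;  /* packet shorter than claimed */
    memcpy(out, pkt + 3, declared);
    out[declared] = '\0';
    *out_len = declared;
    return PN_OK;
}

/* Returns the copied length on success, or the negative result code. */
int copied_len(const uint8_t *field, size_t avail)
{
    char buf[PATHNAME_BUF]; size_t n = 0;
    int rc = parse_pathname(field, avail, buf, &n);
    return rc == PN_OK ? (int)n : rc;
}

/* Constructed sample fields, not captured traffic. */
static const uint8_t SAMPLE_OK[]    = { 0x03, 0x00, 0x05, 'h','e','l','l','o' };
static const uint8_t SAMPLE_EXTRA[] = { 0x03, 0x00, 0x05, 'h','e','l','l','o', 'X','Y','Z' }; /* trailing bytes */
static const uint8_t SAMPLE_TRUNC[] = { 0x03, 0x00, 0x10, 'a','b','c' };   /* declares 16, carries 3 */
static const uint8_t SAMPLE_LONG[]  = { 0x03, 0x00, 0xC8, 'A','A','A' };   /* declares 200 > buffer */

int main(void)
{
    printf("ok=%d extra=%d trunc=%d long=%d\n", copied_len(SAMPLE_OK, sizeof SAMPLE_OK),
           copied_len(SAMPLE_EXTRA, sizeof SAMPLE_EXTRA), copied_len(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC),
           copied_len(SAMPLE_LONG, sizeof SAMPLE_LONG));
    return 0;
}
```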
The previously described malformed request results in a trivially
exploitable stack buffer overflow. @stake was able to quickly develop a
proof-of-concept exploit that portably demonstrates this vulnerability
across multiple Mac OS X versions including Mac OS X 10.3.3, 10.3.2, and
10.2.8.
Vendor Response:
From APPLE-SA-2004-05-03 Security Update 2004-05-03:
AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long
passwords. Credit to Dave G. from @stake for reporting this issue.
Security Update 2004-05-03 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
For Mac OS X 10.3.3 "Panther"
=============================
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg
The download file is named: "SecUpd2004-05-03Pan.dmg"
Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532
For Mac OS X Server 10.3.3
==========================
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg
The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7
For Mac OS X 10.2.8 "Jaguar"
=============================
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg
The download file is named: "SecUpd2004-05-03Jag.dmg"
Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945
For Mac OS X Server 10.2.8
==========================
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg
The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb
Timeline:
3/26/2004 Vendor notified of issue
5/03/2004 Vendor informs us that they have a patch available
5/03/2004 Advisory released
Recommendation:
If you do not need AFS, disable it. If you do need it, upgrade to the
latest version of Panther.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0430>
CAN-2004-0430
ADDITIONAL INFORMATION
The information has been provided by <mailto:daveg@atstake.com> Dave G.
and <mailto:ddaizovi@atstake.com> Dino Dai Zovi.
The original article can be found at:
<http://www.atstake.com/research/advisories/2004/a050304-1.txt>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.