[UNIX] Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

The
<http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html> mount_smbfs utility is "used to mount a remote SMB share locally. It is installed set-uid root, so as to allow unprivileged users to mount shares, and is present in a default installation on both the Server and Desktop versions of Mac OS X". Local exploitation of a stack based buffer overflow vulnerability in Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to execute arbitrary code with root privileges.

DETAILS

Vulnerable Systems:
* Mac OS X version 10.4.10

The vulnerability exists in a portion of code responsible for parsing
command line arguments. When processing the -W option, which is used to
specify a workgroup name, the option's argument is copied into a fixed
sized stack buffer without any checks on its length. This leads to a
trivially exploitable stack based buffer overflow.

Analysis:
Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges. In order to exploit this vulnerability, an
attacker must have execute permission for the set-uid root mount_smbfs
binary.

Workaround:
Removing the set-uid bit from the mount_smbfs binary will prevent
exploitation. However, non-root users will be unable to use the program.

Vendor response:
Apple addressed this vulnerability within their Mac OS X 2007-009 security
update. More information is available at the following URL.
<http://docs.info.apple.com/article.html?artnum=307179>
http://docs.info.apple.com/article.html?artnum=307179

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3876>
CVE-2007-3876

Disclosure Timeline:
07/16/2007 - Initial vendor notification
07/17/2007 - Initial vendor response
12/17/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NEWS] ClamAV libclamav PE File Integer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... ClamAV libclamav PE File Integer Overflow Vulnerability ... Exploitation of this vulnerability results in the execution of arbitrary ...
    (Securiteam)
  • [NEWS] Symantec Norton AntiVirus Multiple Local Privilege Escalation (MacOS)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of a design error in the DiskMountNotify specifically ... "/Library/Application Support/Norton Solutions Support/Norton ... Vendor Response: ...
    (Securiteam)
  • [UNIX] Multiple Vendor X Server CID-keyed Fonts scan_cidfont() Integer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont' Integer Overflow ... vulnerability in the 'scan_cidfont' function in the X.Org and XFree86 X ... 08/25/2005 Initial vendor response ...
    (Securiteam)
  • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
    (Securiteam)
  • [NEWS] PHP getimagesize() Multiple DoS Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PHP is a widely-used general-purpose scripting language that is especially ... Remote exploitation of a denial of service condition in the PHP ... Local exploitation of an input validation vulnerability in The PHP Group's ...
    (Securiteam)