[UNIX] Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 20 Dec 2007 17:34:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability
<http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html> mount_smbfs utility is "used to mount a remote SMB share locally. It is installed set-uid root, so as to allow unprivileged users to mount shares, and is present in a default installation on both the Server and Desktop versions of Mac OS X". Local exploitation of a stack based buffer overflow vulnerability in Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to execute arbitrary code with root privileges.
* Mac OS X version 10.4.10
The vulnerability exists in a portion of code responsible for parsing
command line arguments. When processing the -W option, which is used to
specify a workgroup name, the option's argument is copied into a fixed
sized stack buffer without any checks on its length. This leads to a
trivially exploitable stack based buffer overflow.
Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges. In order to exploit this vulnerability, an
attacker must have execute permission for the set-uid root mount_smbfs
Removing the set-uid bit from the mount_smbfs binary will prevent
exploitation. However, non-root users will be unable to use the program.
Apple addressed this vulnerability within their Mac OS X 2007-009 security
update. More information is available at the following URL.
07/16/2007 - Initial vendor notification
07/17/2007 - Initial vendor response
12/17/2007 - Coordinated public disclosure
The information has been provided by iDefense Labs.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] ClamAV libclamav MEW PE File Integer Overflow Vulnerability
- Next by Date: [EXPL] Apple Mac OS X SMB Vulnerabilities (mount_smbfs and smbutil)
- Previous by thread: [NEWS] ClamAV libclamav MEW PE File Integer Overflow Vulnerability
- Next by thread: [EXPL] Apple Mac OS X SMB Vulnerabilities (mount_smbfs and smbutil)