[VulnWatch] Local root vuln in VPN daemon on MacOS X

From: Pieter de Boer (pieter_at_os3.nl)
Date: 05/04/05

    Date: Wed, 04 May 2005 16:09:41 +0200
    To: vulnwatch@vulnwatch.org
    
    

    Local root vulnerability in vpnd on MacOS X <= 10.3.9
    -----------------------------------------------------

    Overview
    --------

    There is a stack-based buffer overflow in the VPN daemon (vpnd) shipped
    with MacOS X that a local user can exploit to gain root. The bug is easy
    to exploit; proof-of-concept code is not provided since it is too
    trivial.
    This vulnerability has CVE ID CAN-2005-1343.

    Exploitation
    ------------

    The overflow can only be exploited on a system having vpnd configured as
    a server. The following shows a NON-exploitable vpnd installation:

    host:/tmp root# vpnd -i bla
    2005-05-04 15:12:54 CEST VPND: could not get servers dictionary
    2005-05-04 15:12:54 CEST VPND: error processing prefs file

    This is due to the non-existence of
    /var/db/SystemConfiguration/com.apple.RemoteAccessServers.plist.

    Anyway, on an exploitable system you'd get:

    host:/tmp root# vpnd -i `perl -e 'print "A"x600'`
    2005-05-04 15:16:41 CEST VPND: Server ID 'AAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
    invalid
    Segmentation fault

    /Library/Logs/CrashReporter/vpnd.crash.log shows:

    OS Version: 10.3.7 (Build 7S215)
    Report Version: 2

    Command: vpnd
    Path: /usr/sbin/vpnd
    Version: ??? (???)
    PID: 12690
    Thread: 0

    Exception: EXC_BAD_ACCESS (0x0001)
    Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140

    Thread 0 Crashed:

    PPC Thread State:
      srr0: 0x41414140 srr1: 0x4200f030 vrsave: 0x00000000
        cr: 0x24000242 xer: 0x00000004 lr: 0x41414141 ctr: 0x900010a0
        r0: 0x41414141 r1: 0xbffffbf0 r2: 0xa0192b50 r3: 0xffffffff
        r4: 0x00300950 r5: 0x00402004 r6: 0x00402004 r7: 0x00000001
        r8: 0x0000000f r9: 0xa00011ac r10: 0x00000013 r11: 0x44000244
       r12: 0x900010a0 r13: 0x00000000 r14: 0x00000000 r15: 0x00000000
       r16: 0x00000000 r17: 0x00000000 r18: 0x00000000 r19: 0x00000000
       r20: 0x00000000 r21: 0x00000000 r22: 0x00000000 r23: 0x00000000
       r24: 0x00000000 r25: 0x00000000 r26: 0xbffffce4 r27: 0x00000014
       r28: 0x41414141 r29: 0x41414141 r30: 0x41414141 r31: 0x41414141

    So it's clearly quite exploitable.

    Fix
    ---
    Apply Security Update 2005-005 (which also fixes quite a few other bugs).
    As workarounds, remove the suid bit from vpnd or remove the configuration
    file mentioned above. More information about the security update can be
    found at:
    http://docs.info.apple.com/article.html?artnum=301528
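
    Added here as an audit example, not part of the advisory: a POSIX shell check for the two conditions the advisory ties the root issue to (a suid /usr/sbin/vpnd together with the RemoteAccessServers.plist that puts vpnd into server mode), plus the suid-bit workaround from the Fix section. The function names vpnd_exposure and vpnd_mitigate are assumed; the paths are the ones named in the advisory and can be overridden for testing.

```shell
#!/bin/sh
# Audit helper (assumed names, not from the advisory). Reports whether a host
# matches the exposed configuration: vpnd installed, running as a VPN server
# (prefs file present) and setuid root, which is what lets the overflow
# yield root to a local user.

VPND_BIN="${VPND_BIN:-/usr/sbin/vpnd}"
VPND_PREFS="${VPND_PREFS:-/var/db/SystemConfiguration/com.apple.RemoteAccessServers.plist}"

# vpnd_exposure BIN PREFS
# Prints exactly one of: not-installed, no-server-config, not-setuid, exposed
vpnd_exposure() {
    bin="$1"
    prefs="$2"
    if [ ! -f "$bin" ]; then
        echo "not-installed"          # nothing to audit
    elif [ ! -f "$prefs" ]; then
        echo "no-server-config"       # vpnd exits before the overflow (see above)
    elif [ ! -u "$bin" ]; then
        echo "not-setuid"             # crash possible, but no privilege gain
    else
        echo "exposed"                # server mode + setuid: apply the update
    fi
}

# vpnd_mitigate BIN PREFS
# Interim workaround from the advisory: drop the suid bit until Security
# Update 2005-005 is applied. Only acts when the host is actually exposed.
vpnd_mitigate() {
    bin="$1"
    prefs="$2"
    status=$(vpnd_exposure "$bin" "$prefs")
    if [ "$status" = "exposed" ]; then
        chmod u-s "$bin" && echo "suid bit removed from $bin"
    else
        echo "no change ($status)"
    fi
}

# Report the status of the paths named in the advisory (or the overrides).
vpnd_exposure "$VPND_BIN" "$VPND_PREFS"
```

Run it as root on the host being audited; an "exposed" result means the update or one of the two workarounds is still outstanding.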
    
