Mac OS X pppd format string vulnerability

From: Advisories (advisories_at_atstake.com)
Date: 02/24/04

  • Next message: mgotts_at_2roads.com: "Re: blocking gzip encoded files" 
    Date: Mon, 23 Feb 2004 18:38:38 -0500
To: <bugtraq@securityfocus.com>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    @stake, Inc.
                                  www.atstake.com

                                 Security Advisory

    Advisory Name: Mac OS X pppd format string vulnerability
     Release Date: 02/23/2004
      Application: pppd 2.4.0
         Platform: Mac OS X 10.3.2 and below
         Severity: Local users are able to retrieve PAP/CHAP credentials
           Author: Dave G. <daveg@atstake.com>
    Vendor Status: Vendor has security update
    CVE Candidate: CAN-2004-0165
        Reference: www.atstake.com/research/advisories/2004/a022304-1.txt

    Overview:

    The ppp daemon that comes installed by default in Mac OS X
    is vulnerable to a format string vulnerability. The vulnerability is
    in a function specific to pppd that does not allow for traditional
    exploitation (arbitrary data written to arbitrary memory locations)
    via %n. However, it is possible to read arbitrary data out of pppd's
    process. Under certain circumstances, it is also possible to 'steal'
    PAP/CHAP authentication credentials.

           
    Details:

    When pppd receives an invalid command line argument, it will
    eventually pass it as a format specifier to vslprintf(). This
    function is a custom replacement for vsnprintf(), and does contains a
    small subset of the format specifiers. The offending function is
    called option_error:

    void
    option_error __V((char *fmt, ...))
    {
        va_list args;
        char buf[256];

    #if defined(__STDC__)
        va_start(args, fmt);
    #else
        char *fmt;
        va_start(args);
        fmt = va_arg(args, char *);
    #endif
        vslprintf(buf, sizeof(buf), fmt, args);
        va_end(args);
        if (phase == PHASE_INITIALIZE)
            fprintf(stderr, "%s: %s\n", progname, buf);
    #ifdef __APPLE__
        error(buf);
    #else
        syslog(LOG_ERR, "%s", buf);
    #endif
    }

    As we can see, there is a specific Apple ifdef that will pass our
    buffer directly to error().

    By utilizing one of the techniques outlined in scut's paper,
    "Exploiting Format String Vulnerabilities", it may be possible to
    access PAP and/or CHAP credentials, if the OS X system is being used
    as a PPP server.

    Vendor Response:

    This is fixed in Security Update 2004-02-23 for Mac OS X 10.3.2 and
    Mac OS X 10.2.8. Information about Apple Security Updates may be
    found at http://www.info.apple.com/

    Recommendation:

    Install the vendor supplied upgrade.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2004-0165 Mac OS X pppd format string vulnerability

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    Copyright 2004 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.3

    iQA/AwUBQDqNV0e9kNIfAm4yEQJDyACfdyoktRpVe2HdeJ+OXFrO0PCH5L4Anj1t
    ayzDBWIsuXib+mhqIjrG7wDI
    =4K2F
    -----END PGP SIGNATURE-----

  • Next message: mgotts_at_2roads.com: "Re: blocking gzip encoded files"