Mac OS X pppd Format String Vulnerability
The ppp daemon that comes installed by default in Mac OS X is vulnerable
to a format string vulnerability. The vulnerability is in a function
specific to pppd that does not allow for traditional exploitation
(arbitrary data written to arbitrary memory locations) via %n. However, it
is possible to read arbitrary data out of pppd's process. Under certain
circumstances, it is also possible to 'steal' PAP/CHAP authentication
When pppd receives an invalid command line argument, it will eventually
pass it as a format specifier to vslprintf(). This function is a custom
replacement for vsnprintf(), and does contains a small subset of the
format specifiers. ?The offending function is called option_error:
As we can see, there is a specific Apple ifdef that will pass our buffer
directly to error().
By utilizing one of the techniques outlined in scut's paper, "Exploiting
Format String Vulnerabilities", it may be possible to access PAP and/or
CHAP credentials, if the OS X system is being used as a PPP server.
This is fixed in Security Update 2004-02-23 for Mac OS X 10.3.2 and Mac OS
X 10.2.8. Information about Apple Security Updates may be found at
Install the vendor supplied upgrade.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Looking for more Windows Networking info?
Sign up to the WindowsNetworking.com Monthly Newsletter, written by Enterprise Security MVP Deb Shinder, containing news, the hottest tips, Networking links of the month and much more. Subscribe today and don't miss a thing! View a sample newsletter.
Become a WindowsNetworking.com member!
Discuss your Windows Networking issues with thousands of other Windows Newtorking experts. Click here to join!