Quote: |
Security Update 2004-02-23 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:
DiskArbitration IPSec Point-to-Point-Protocol Safari Additionally, Security Update 2003-11-19 has been incorporated into this security update. Those components are: gm4 groff Mail w/CRAM-MD5 authentication OpenSSL Personal File Sharing QuickTime for Java zlib "gzprintf()" function |
Quote: |
The following security advisory can be found at the SecuriTeam web site: http://www.securiteam.com
- - - - - - - - - Mac OS X pppd Format String Vulnerability ------------------------------------------------------------------------ SUMMARY The ppp daemon that comes installed by default in Mac OS X is vulnerable to a format string vulnerability. The vulnerability is in a function specific to pppd that does not allow for traditional exploitation (arbitrary data written to arbitrary memory locations) via %n. However, it is possible to read arbitrary data out of pppd's process. Under certain circumstances, it is also possible to 'steal' PAP/CHAP authentication credentials. DETAILS When pppd receives an invalid command line argument, it will eventually pass it as a format specifier to vslprintf(). This function is a custom replacement for vsnprintf(), and does contains a small subset of the format specifiers. ?The offending function is called option_error: void option_error __V((char *fmt, ...)) { va_list args; char buf[256]; #if defined(__STDC__) va_start(args, fmt); #else char *fmt; va_start(args); fmt = va_arg(args, char *); #endif vslprintf(buf, sizeof(buf), fmt, args); va_end(args); if (phase == PHASE_INITIALIZE) fprintf(stderr, "%s: %s\n", progname, buf); #ifdef __APPLE__ error(buf); #else syslog(LOG_ERR, "%s", buf); #endif } As we can see, there is a specific Apple ifdef that will pass our buffer directly to error(). By utilizing one of the techniques outlined in scut's paper, "Exploiting Format String Vulnerabilities", it may be possible to access PAP and/or CHAP credentials, if the OS X system is being used as a PPP server. Vendor Response: This is fixed in Security Update 2004-02-23 for Mac OS X 10.3.2 and Mac OS X 10.2.8. Information about Apple Security Updates may be found at http://www.info.apple.com/. Recommendation: Install the vendor supplied upgrade. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0165 CAN-2004-0165 Mac OS X pppd format string vulnerability. |
output generated using printer-friendly topic mod, All times are GMT + 2 Hours