High Risk Vulnerability in Mac OS X vpnd

May 29th, 2007

=======
Summary
=======
Name: Mac OS X vpnd local format string
Release Date: 29 May 2007
Reference: NGS00496
Discoverer: Chris Anley <chris@ngssoftware.com>
Vendor: Apple
Vendor Reference: 26417237
CVE-ID: CVE-2007-0753
Systems Affected: OS X Server 10.4.9 and prior
Risk: High
Status: Published

========
TimeLine
========
Discovered: 15 March 2007
Reported: 19 March 2007
Fixed: 24 May 2007
Published: 29 May 2007

===========
Description
===========
The ‘vpnd’ command shipped with OS X runs setuid root, and is vulnerable
to a format string attack.

=================
Technical Details
=================
The vpnd command, when run with the ‘-i’ parameter, is vulnerable to a
format string attack. The command is setuid root, and is world-executable.

This allows any local user to execute arbitrary code as root, though the
vulnerable code is only accessible by default on server versions of OS
X. It is possible for a client version of OS X to be configured in a
vulnerable manner, though this requires extensive configuration changes
and is unlikely to happen by accident.

Demonstration:

Apple:~ shellcoders$ sw_vers
ProductName: Mac OS X Server
ProductVersion: 10.4.9
BuildVersion: 8P135
Apple:~ shellcoders$ vpnd -n -i _ABCD_%268\$x
2007-03-15 17:07:07 GMT Server ‘_ABCD_%268$x’ starting…
2007-03-15 17:07:07 GMT Server ID ‘_ABCD_41424344’ invalid
2007-03-15 17:07:07 GMT Error processing prefs file

(gdb) bt
#0 0x90011cb8 in __vfprintf ()
#1 0x9002a90c in vsnprintf ()
#2 0x9002a41c in vsyslog ()
#3 0x00003150 in vpnlog ()
#4 0x00004b80 in process_prefs ()
#5 0x000028d4 in main ()

The source code for vpnd is available from the Apple Darwin source code
download site. The relevant code is in the ppp package. The code is
distributed under the Apple Public Source License, available at
http://www.opensource.apple.com/apsl/

The bug occurs in the process_prefs() function in vpnoptions.c.

The user-specified server name is passed into the snprintf() function as
data, and the resulting string is then passed to the vpnlog() function,
as the format_str parameter. Although the server name is limited to 64
characters (with ‘%.64s’) it is still straightforward to exploit the
bug, and NGS have written a reliable exploit.
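The two-step pattern described above, reproduced as an added illustration (this is not vpnd's code and not NGS's exploit): a stand-in vpnlog_into() writes to a buffer instead of syslog so the result can be inspected, log_server_invalid_vulnerable() hands the snprintf result to it as the format string, and log_server_invalid_fixed() passes the same buffer as an argument to a constant "%s" format. The function names, the 256-byte buffers and the boundary check are assumptions; the ‘%.64s’ width and the "Server ID ... invalid" message text are taken from the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for vpnd's vpnlog(): identical variadic shape,
 * but formats into a caller-supplied buffer rather than calling vsyslog. */
void vpnlog_into(char *out, size_t outlen, const char *format_str, ...)
{
    va_list ap;
    va_start(ap, format_str);
    vsnprintf(out, outlen, format_str, ap);
    va_end(ap);
}

/* The defective pattern: the server name is inserted as data (safe so far),
 * but the resulting message is then used as the format string itself, so any
 * '%' sequence in the name is interpreted at the second step. Only ever
 * exercise this with names that contain no '%' (see the test). */
void log_server_invalid_vulnerable(char *out, size_t outlen, const char *server_name)
{
    char msg[256];                                   /* assumed size */
    snprintf(msg, sizeof msg, "Server ID '%.64s' invalid", server_name);
    vpnlog_into(out, outlen, msg);                   /* msg is the format */
}

/* Hardened form: the message travels as an argument to a literal format, so
 * a '%' in the server name is copied through as text. */
void log_server_invalid_fixed(char *out, size_t outlen, const char *server_name)
{
    char msg[256];                                   /* assumed size */
    snprintf(msg, sizeof msg, "Server ID '%.64s' invalid", server_name);
    vpnlog_into(out, outlen, "%s", msg);
}

/* Optional boundary check (assumed policy, not vpnd's): a server name that
 * carries a '%' has no business reaching any printf-family function as a
 * format, so it can be rejected at prefs-parsing time. Returns 1 if found. */
int server_name_has_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

int main(void)
{
    char out[256];
    log_server_invalid_fixed(out, sizeof out, "_ABCD_%268$x");
    printf("fixed path logs: %s\n", out);           /* '%268$x' stays literal */
    printf("directive present: %d\n",
           server_name_has_format_directive("_ABCD_%268$x"));
    return 0;
}
```

The fixed variant is what -Wformat-security in gcc and clang steers toward: warnings fire when a non-literal format string is passed with no arguments, which is exactly the shape of the vulnerable call.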

===============
Fix Information
===============
This issue was fixed by Apple in Security Update 2007-005, released on
the 24th May 2007. NGS would like to thank the Apple Security Team for
their professional and prompt response to this issue.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
