exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 04-02-23.1

Atstake Security Advisory 04-02-23.1
Posted Feb 24, 2004
Authored by David Goldsmith, Atstake | Site atstake.com

Atstake Security Advisory A022304-1 - The ppp daemon that comes installed by default in Mac OS X is vulnerable to a format string vulnerability. It is possible to read arbitrary data out of pppd's process. Under certain circumstances, it is also possible to 'steal' PAP/CHAP authentication credentials.

tags | advisory, arbitrary
systems | apple, osx
advisories | CVE-2004-0165
SHA-256 | ac39259d91e80a21a84083dd2d5ed03a1ab274c26fa3d74162b3afe90c544152

Atstake Security Advisory 04-02-23.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Mac OS X pppd format string vulnerability
Release Date: 02/23/2004
Application: pppd 2.4.0
Platform: Mac OS X 10.3.2 and below
Severity: Local users are able to retrieve PAP/CHAP credentials
Author: Dave G. <daveg@atstake.com>
Vendor Status: Vendor has security update
CVE Candidate: CAN-2004-0165
Reference: www.atstake.com/research/advisories/2004/a022304-1.txt


Overview:

The ppp daemon that comes installed by default in Mac OS X
is vulnerable to a format string vulnerability. The vulnerability is
in a function specific to pppd that does not allow for traditional
exploitation (arbitrary data written to arbitrary memory locations)
via %n. However, it is possible to read arbitrary data out of pppd's
process. Under certain circumstances, it is also possible to 'steal'
PAP/CHAP authentication credentials.


Details:

When pppd receives an invalid command line argument, it will
eventually pass it as a format specifier to vslprintf(). This
function is a custom replacement for vsnprintf(), and does contains a
small subset of the format specifiers. The offending function is
called option_error:

void
option_error __V((char *fmt, ...))
{
va_list args;
char buf[256];

#if defined(__STDC__)
va_start(args, fmt);
#else
char *fmt;
va_start(args);
fmt = va_arg(args, char *);
#endif
vslprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (phase == PHASE_INITIALIZE)
fprintf(stderr, "%s: %s\n", progname, buf);
#ifdef __APPLE__
error(buf);
#else
syslog(LOG_ERR, "%s", buf);
#endif
}

As we can see, there is a specific Apple ifdef that will pass our
buffer directly to error().

By utilizing one of the techniques outlined in scut's paper,
"Exploiting Format String Vulnerabilities", it may be possible to
access PAP and/or CHAP credentials, if the OS X system is being used
as a PPP server.


Vendor Response:

This is fixed in Security Update 2004-02-23 for Mac OS X 10.3.2 and
Mac OS X 10.2.8. Information about Apple Security Updates may be
found at http://www.info.apple.com/


Recommendation:

Install the vendor supplied upgrade.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2004-0165 Mac OS X pppd format string vulnerability


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.





-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQDqNV0e9kNIfAm4yEQJDyACfdyoktRpVe2HdeJ+OXFrO0PCH5L4Anj1t
ayzDBWIsuXib+mhqIjrG7wDI
=4K2F
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close