Thursday, December 20, 2007

[UNIX] Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

The
<http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html> mount_smbfs utility is "used to mount a remote SMB share locally. It is installed set-uid root, so as to allow unprivileged users to mount shares, and is present in a default installation on both the Server and Desktop versions of Mac OS X". Local exploitation of a stack based buffer overflow vulnerability in Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to execute arbitrary code with root privileges.

DETAILS

Vulnerable Systems:
* Mac OS X version 10.4.10

The vulnerability exists in a portion of code responsible for parsing
command line arguments. When processing the -W option, which is used to
specify a workgroup name, the option's argument is copied into a fixed
sized stack buffer without any checks on its length. This leads to a
trivially exploitable stack based buffer overflow.

Analysis:
Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges. In order to exploit this vulnerability, an
attacker must have execute permission for the set-uid root mount_smbfs
binary.

Workaround:
Removing the set-uid bit from the mount_smbfs binary will prevent
exploitation. However, non-root users will be unable to use the program.

Vendor response:
Apple addressed this vulnerability within their Mac OS X 2007-009 security
update. More information is available at the following URL.
<http://docs.info.apple.com/article.html?artnum=307179>

http://docs.info.apple.com/article.html?artnum=307179

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3876>
CVE-2007-3876

Disclosure Timeline:
07/16/2007 - Initial vendor notification
07/17/2007 - Initial vendor response
12/17/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment