|
|
|
Credit:
The information has been provided by iDefense Labs Security Advisories.
To keep updated with the tool visit the project's homepage at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628 and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
|
|
Vulnerable Systems:
* Mac OS X version 10.4.10
Apple Mac OS X AppleTalk ASP Message Kernel Heap Overflow Vulnerability
Local exploitation of a heap based buffer overflow in Apple Inc.'s OS X may allow an attacker to execute arbitrary code in kernel context.
The vulnerability exists within a function responsible for sending an ASP (AppleTalk Session Protocol) message on an AppleTalk socket. When allocating a buffer, the kernel uses a user provided integer to perform an arithmetic operation that calculates the number of bytes to allocate. This calculation can overflow, leading to the allocation of a buffer of insufficient size. This results in an exploitable heap based buffer overflow within the kernel.
Analysis:
Successful exploitation of this vulnerability will result in the execution of arbitrary code in kernel context. Exploitation has proven to be non-trivial.
In order to reach the vulnerable code, a system would have to have AppleTalk turned on. It would likely be used on a network consisting of older Mac hosts since previous versions of Mac relied on it to implement Apple File Sharing.
Workaround:
Disabling AppleTalk will prevent exploitation of this vulnerability. Executing the following command will disable AppleTalk if it is enabled.
# appletalk -d
Vendor response:
Apple addressed this vulnerability within their Mac OS X 2007-008 security update. More information is available at the following URL. http://docs.info.apple.com/article.html?artnum=307041
CVE Information:
CVE-2007-4269
Disclosure Timeline:
08/08/2007 - Initial vendor notification
08/09/2007 - Initial vendor response
11/14/2007 - Public disclosure
Apple Mac OS X AppleTalk Socket IOCTL Kernel Stack Buffer Overflow Vulnerability
Local exploitation of a stack based buffer overflow in Apple Inc.'s OS X may allow an attacker to execute arbitrary code in kernel context.
The vulnerability exists within the function responsible for adding an AppleTalk zone to an interface's routing table. A zone can be thought of as something similar to a Windows Domain.
When copying the user provided zone information into a fixed size stack buffer, the kernel uses a user provided length as the number of bytes to copy into the destination buffer. This results in an exploitable stack buffer overflow in the kernel.
Analysis:
Successful exploitation of this vulnerability will result in the execution of arbitrary code in kernel context. Unsuccessful attempts will likely crash the system.
In order to exploit this vulnerability, the system needs to have AppleTalk configured in routing mode. This is not enabled by default. It would likely be enabled on a Mac system running on a network with legacy Mac hosts.
Workaround:
Disabling AppleTalk will prevent exploitation of this vulnerability. Executing the following command will disable AppleTalk if it is enabled.
# appletalk -d
Vendor response:
Apple addressed this vulnerability within their Mac OS X 2007-008 security update. More information is available at the following URL. http://docs.info.apple.com/article.html?artnum=307041
CVE Information:
CVE-2007-4267
Disclosure Timeline:
08/08/2007 - Initial vendor notification
08/09/2007 - Initial vendor response
11/14/2007 - Public disclosure
Apple Mac OS X AppleTalk mbuf Kernel Heap Overflow Vulnerability
Local exploitation of a heap based buffer overflow in Apple Inc.'s OS X may allow an attacker to execute arbitrary code in kernel context.
The vulnerability exists within a function responsible for allocating an mbuf. mbufs are a BSD concept, long used by BSD kernels to allocate buffers for storing network related data.
When allocating an mbuf buffer, the kernel performs a comparison using two signed integers, one of which is controlled by the user, to determine how many bytes to allocate. If a user passes a negative value, a minimally sized buffer will be allocated due to the signed comparison. The calling function will usually interpret the user controlled value as an unsigned value, and this results in the allocated buffer being overflowed.
Analysis:
Successful exploitation of this vulnerability will result in the execution of arbitrary code in kernel context. Unsuccessful attempts will likely crash the system. Exploitation has proven to be non-trivial.
In order to exploit this vulnerability, a system would have to have AppleTalk turned on. It would likely be used on a network consisting of older Mac hosts since previous versions of Mac relied on it to implement Apple File Sharing.
Workaround:
Disabling AppleTalk will prevent exploitation of this vulnerability. Executing the following command will disable AppleTalk if it is enabled.
# appletalk -d
Vendor response:
Apple addressed this vulnerability within their Mac OS X 2007-008 security update. More information is available at the following URL. http://docs.info.apple.com/article.html?artnum=307041
CVE Information:
CVE-2007-4268
|
|
|
|