Apple Mac OS X mDNSResponder HTTP Request Heap Overflow Vulnerability
8 Aug. 2007
Summary
mDNSResponder is part of the Bonjour suite of applications. Bonjour is used to provide automatic and transparent configuration of network devices. It is similar to UPnP, in that the goal of both is to allow users to simply plug devices into a network without worrying about configuration details. mDNSResponder runs by default on both Server and Workstation.
Remote exploitation of a heap overflow vulnerability in Apple Inc.'s mDNSResponder application may allow attackers to execute arbitrary code with root privileges.
Vulnerable Systems:
* Mac OS X version 10.4.10, Server and Workstation, with mDNSResponder version 108.5.
* (Previous versions may also be affected.)
The vulnerability exists within the Legacy NAT Traversal code. Unlike the core of the mDNSResponder service, this area of code does not rely on Multicast UDP. It listens on a dynamically allocated Unicast UDP port.
The vulnerability occurs when parsing a malformed HTTP request. This results in an exploitable heap overflow.
Exploitation of this vulnerability allows an attacker to execute arbitrary code with root privileges on a vulnerable host. No authentication is needed to exploit this vulnerability.
Failed attempts will result in the service crashing. Shortly after crashing, it will be restarted.
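Because failed attempts crash the service and it restarts shortly afterwards, a burst of mDNSResponder crashes in a short window is worth alerting on. The following is an added example, not part of the original advisory: the log layout, the `parse_line` and `crash_bursts` names, the threshold and the window are all assumptions to adapt to your own log source.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp process event" layout.
# This is NOT the real Mac OS X log format; adapt parse_line() to your source.
SAMPLE_LOG = """\
2007-08-08T10:00:01 mDNSResponder started
2007-08-08T10:14:30 mDNSResponder crashed
2007-08-08T10:14:33 mDNSResponder started
2007-08-08T10:14:41 mDNSResponder crashed
2007-08-08T10:14:44 mDNSResponder started
2007-08-08T10:15:02 mDNSResponder crashed
2007-08-08T10:15:05 mDNSResponder started
2007-08-08T18:40:00 mDNSResponder crashed
2007-08-08T18:40:03 mDNSResponder started
"""

def parse_line(line):
    """Return (timestamp, process, event), or None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2]

def crash_bursts(log_text, process="mDNSResponder", threshold=3,
                 window=timedelta(minutes=5)):
    """Return (first, last, count) for each run of >= threshold crashes
    whose timestamps all fall within `window` of the run's first crash."""
    crashes = sorted(
        rec[0] for rec in map(parse_line, log_text.splitlines())
        if rec and rec[1] == process and rec[2] == "crashed"
    )
    bursts, current = [], []
    for ts in crashes:
        if current and ts - current[0] > window:
            if len(current) >= threshold:
                bursts.append((current[0], current[-1], len(current)))
            current = []  # start a new run at this crash
        current.append(ts)
    if len(current) >= threshold:
        bursts.append((current[0], current[-1], len(current)))
    return bursts

if __name__ == "__main__":
    for first, last, count in crash_bursts(SAMPLE_LOG):
        print(f"{count} crashes between {first} and {last}: investigate")
```

A single isolated crash (the 18:40 entry in the sample) is not reported; only the clustered crashes are.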