Mac OS X CF_CHARSET_PATH Buffer Overflow Vulnerability
22 Mar. 2005
Summary
Mac OS X is "an operating system for the Apple family of microcomputers". Local exploitation of a buffer overflow vulnerability within the Core Foundation Library included by default in Apple Computer Inc.'s Mac OS X could allow an attacker to gain root privileges.
Vulnerable Systems:
* Mac OS X version 10.3.5
* Mac OS X version 10.3.6
The vulnerability specifically exists due to improper handling of the CF_CHARSET_PATH environment variable. When a string longer than 1,024 characters is passed via this variable, a stack-based overflow occurs, allowing the attacker to control program flow by overwriting the function's return address on the stack.
Any application linked against the Core Foundation Library can be used as an exploit vector for this vulnerability. Some of the setuid root binaries that are vulnerable include su, pppd and login.
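The pattern the advisory describes is an environment variable copied into a fixed-size stack buffer without a length check. The following C program is an added illustration written for this page, not Apple's Core Foundation code: the buffer size of 1,024 bytes is assumed from the advisory's threshold, the function and variable names are hypothetical, and the "unsafe" routine exists only to show the bug class next to its hardened form (it is never called with oversized input).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the advisory states that values
   longer than 1,024 characters overflow it. */
#define CHARSET_PATH_MAX 1024

/* Vulnerable pattern (illustration only, not the library's real code):
   an unbounded strcpy from attacker-controlled environment data into a
   stack buffer. A value longer than CHARSET_PATH_MAX writes past 'path'
   into the saved frame data and return address. Only call with short
   input; it is here to show the defect, not to trigger it. */
size_t load_charset_path_unsafe(const char *value)
{
    char path[CHARSET_PATH_MAX];
    strcpy(path, value);           /* no bounds check */
    return strlen(path);
}

/* Hardened form: explicit length check, bounded copy, guaranteed NUL
   termination. Oversized values are rejected rather than silently
   truncated, because a truncated path could resolve to an unintended
   location. Returns 0 on success, -1 on rejection. */
int load_charset_path_safe(const char *value, char *out, size_t out_len)
{
    size_t n;

    if (value == NULL || out == NULL || out_len == 0)
        return -1;

    n = strlen(value);
    if (n >= out_len) {            /* leave room for the terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, value, n + 1);     /* copies the NUL as well */
    return 0;
}

/* Reads the (hypothetically named) variable from the environment and
   validates it. Returns 1 if unset (caller uses a built-in default),
   0 on a valid value, -1 on an oversized value. */
int charset_path_from_env(char *out, size_t out_len)
{
    const char *v = getenv("CF_CHARSET_PATH");
    if (v == NULL)
        return 1;
    return load_charset_path_safe(v, out, out_len);
}

/* Builds a constructed test value of 'len' 'A' characters; caller frees. */
char *make_filler(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char buf[CHARSET_PATH_MAX];
    char *big = make_filler(2000);  /* constructed oversized value */

    printf("oversized value rejected: %s\n",
           load_charset_path_safe(big, buf, sizeof buf) == -1 ? "yes" : "no");
    printf("short value accepted: %s\n",
           load_charset_path_safe("/tmp/charsets", buf, sizeof buf) == 0 ? "yes" : "no");

    setenv("CF_CHARSET_PATH", big, 1);
    printf("env value of 2000 bytes rejected: %s\n",
           charset_path_from_env(buf, sizeof buf) == -1 ? "yes" : "no");
    unsetenv("CF_CHARSET_PATH");

    free(big);
    return 0;
}
```

The length check `n >= out_len` is the whole fix: it treats the terminating NUL as part of the required space, so a 1,023-character value fits and a 1,024-character value is refused, which is exactly the boundary that an unbounded `strcpy` gets wrong.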
Analysis:
Successful exploitation of this vulnerability allows for root access. An attacker needs local access to the victim's system to exploit this vulnerability. This vulnerability is difficult to work around because a large number of system binaries are linked against the vulnerable code.
Workaround:
Restrict local access to trusted users only, as it is impossible to remove the setuid bit from the affected binaries without severely limiting the function of the system.