Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability
20 Dec. 2007
Summary:
The mount_smbfs utility is "used to mount a remote SMB share locally. It is installed set-uid root, so as to allow unprivileged users to mount shares, and is present in a default installation on both the Server and Desktop versions of Mac OS X". Local exploitation of a stack based buffer overflow vulnerability in Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to execute arbitrary code with root privileges.
The vulnerability exists in the portion of code responsible for parsing command line arguments. When processing the -W option, which is used to specify a workgroup name, the option's argument is copied into a fixed-size stack buffer without any check on its length. This leads to a trivially exploitable stack-based buffer overflow.
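The following is an added illustration of the defect class and its fix, not Apple's mount_smbfs source (the advisory reproduces none): a bounded handler for the -W argument that rejects over-long workgroup names instead of copying them into the stack buffer unchecked. The 16-byte buffer size and the function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example: NetBIOS names are at most 15
 * characters plus a NUL. The real size in mount_smbfs is not stated here. */
#define WORKGROUP_BUFLEN 16

/* Bounded copy of the -W argument into a fixed-size buffer.
 * Returns 0 on success, -1 if the argument does not fit including the NUL.
 * An unchecked strcpy() here is the pattern the advisory describes. */
int copy_workgroup(char *dst, size_t dstlen, const char *arg)
{
    size_t n;
    if (dst == NULL || arg == NULL || dstlen == 0)
        return -1;
    for (n = 0; n < dstlen && arg[n] != '\0'; n++)   /* never scan past dstlen */
        ;
    if (n >= dstlen)
        return -1;                   /* too long: would overflow or lose the NUL */
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* Minimal stand-in for the option loop; only -W is handled, since that is
 * the option the advisory concerns. Returns 0 if every option was accepted. */
int parse_options(int argc, char *const argv[], char *workgroup, size_t wglen)
{
    int i;
    workgroup[0] = '\0';
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-W") == 0) {
            if (i + 1 >= argc)
                return -1;           /* -W given without an argument */
            if (copy_workgroup(workgroup, wglen, argv[++i]) != 0)
                return -1;           /* reject rather than overflow the stack */
        }
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char workgroup[WORKGROUP_BUFLEN];   /* fixed-size stack buffer, as in the advisory */
    if (parse_options(argc, argv, workgroup, sizeof workgroup) != 0) {
        fprintf(stderr, "invalid or over-long option argument\n");
        return 1;
    }
    printf("workgroup: %s\n", workgroup);
    return 0;
}
```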
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. In order to exploit this vulnerability, an attacker must have execute permission for the set-uid root mount_smbfs binary.
Workaround:
Removing the set-uid bit from the mount_smbfs binary will prevent exploitation. However, non-root users will be unable to use the program.