|
Brought to you by:
Suppliers of:
|
|
|
| |
| The mount_smbfs utility is "used to mount a remote SMB share locally. It is installed set-uid root, so as to allow unprivileged users to mount shares, and is present in a default installation on both the Server and Desktop versions of Mac OS X". Local exploitation of a stack based buffer overflow vulnerability in Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to execute arbitrary code with root privileges. |
| |
Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633
|
| |
Vulnerable Systems:
* Mac OS X version 10.4.10
The vulnerability exists in a portion of code responsible for parsing command line arguments. When processing the -W option, which is used to specify a workgroup name, the option's argument is copied into a fixed sized stack buffer without any checks on its length. This leads to a trivially exploitable stack based buffer overflow.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. In order to exploit this vulnerability, an attacker must have execute permission for the set-uid root mount_smbfs binary.
Workaround:
Removing the set-uid bit from the mount_smbfs binary will prevent exploitation. However, non-root users will be unable to use the program.
Vendor response:
Apple addressed this vulnerability within their Mac OS X 2007-009 security update. More information is available at the following URL. http://docs.info.apple.com/article.html?artnum=307179
CVE Information:
CVE-2007-3876
Disclosure Timeline:
07/16/2007 - Initial vendor notification
07/17/2007 - Initial vendor response
12/17/2007 - Coordinated public disclosure
|
|
|
|
|
