exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 04-05-03.1

Atstake Security Advisory 04-05-03.1
Posted May 7, 2004
Authored by David Goldsmith, Atstake, Dino Dai Zovi | Site atstake.com

Atstake Security Advisory A050304-1 - The AppleFileServer provides Apple Filing Protocol (AFP) services for both Mac OS X and Mac OS X server. AFP is a protocol used to remotely mount drives, similar to NFS or SMB/CIFS. There is a pre-authentication, remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges and execute commands as root. Versions affected are Mac OS X 10.3.3, 10.3.2, and 10.2.8.

tags | advisory, overflow, root, protocol
systems | apple, osx
advisories | CVE-2004-0430
SHA-256 | d0a99458eaeba41776f013f6acd2684183376fa3765005d3b0854d047a21d569

Atstake Security Advisory 04-05-03.1

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: AppleFileServer Remote Command Execution
Release Date: 05/03/2004
Application: AppleFileServer
Platform: MacOS X 10.3.3 and below
Severity: A remote attacker can execute arbitrary
commands as root
Authors: Dave G. <daveg@atstake.com>
Dino Dai Zovi <ddaizovi@atstake.com>
Vendor Status: Informed, Upgrade Available
CVE Candidate: CAN-2004-0430
Reference: www.atstake.com/research/advisories/2004/a050304-1.txt


Overview:

The AppleFileServer provides Apple Filing Protocol (AFP) services for
both Mac OS X and Mac OS X server. AFP is a protocol used to
remotely mount drives, similar to NFS or SMB/CIFS. There is a
pre-authentication, remotely exploitable stack buffer overflow that
allows an attacker to obtain administrative privileges and execute
commands as root.


Details:

The AppleFileServer provides Apple Filing Protocol (AFP) services
for both Mac OS X and Mac OS X server. AFP is a protocol used to
remotely mount drives, similar to NFS or SMB/CIFS. AFP is not
enabled by default. It is enabled through the Sharing Preferences
section by selecting the 'Personal File Sharing' checkbox.

Thereis a pre-authentication remotely exploitable stack buffer
overflow that allows an attacker to obtain administrative
privileges. The overflow occurs when parsing the PathName argument
from LoginExt packet requesting authentication using the Cleartext
Password User Authentication Method (UAM). The PathName argument
is encoded as one-byte specifying the string type, two-bytes
specifying the string length, and finally the string itself. A
string of type AFPName (0x3) that is longer than the length declared
in the packet will overflow the fixed-size stack buffer.

The previously described malformed request results in a trivially
exploitable stack buffer overflow. @stake was able to quickly
develop a proof-of-concept exploit that portably demonstrates this
vulnerability across multiple Mac OS X versions including Mac OS X
10.3.3, 10.3.2, and 10.2.8.


Vendor Response:

- From APPLE-SA-2004-05-03 Security Update 2004-05-03

AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long
passwords. Credit to Dave G. from @stake for reporting this issue.

Security Update 2004-05-03 may be obtained from:

* Software Update pane in System Preferences

* Apple's Software Downloads web site:

For Mac OS X 10.3.3 "Panther"
=============================
https://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/
2Z/SecUpd2004-05-03Pan.dmg
The download file is named: "SecUpd2004-05-03Pan.dmg"
Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532

For Mac OS X Server 10.3.3
==========================
https://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/
2Z/SecUpdSrvr2004-05-03Pan.dmg
The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7

For Mac OS X 10.2.8 "Jaguar"
=============================
https://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/
2Z/SecUpd2004-05-03Jag.dmg
The download file is named: "SecUpd2004-05-03Jag.dmg"
Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945

For Mac OS X Server 10.2.8
==========================
https://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/
2Z/SecUpdSrvr2004-05-03Jag.dmg
The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb


Timeline

3/26/2004 Vendor notified of issue
5/04/2004 Vendor informs us that they have a patch available
4/04/2004 Advisory released


Recommendation:

If you do not need AFS, disable it. If you do need it, upgrade to
the latest version of Panther.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (https://cve.mitre.org), which standardizes
names for security problems.

CAN-2004-0430 AppleFileServer Remote Command Execution


Open Source Vulnerability Database (OSVDB) Information:
More information available at www.osvdb.org

OSVDB ID 5762


@stake Vulnerability Reporting Policy:
https://www.atstake.com/research/policy/

@stake Advisory Archive:
https://www.atstake.com/research/advisories/

PGP Key:
https://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.






-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQJbHKUe9kNIfAm4yEQJraQCgvzJSUEBfxJNS5Yrk8tCFoM+7vCsAn0WI
aBZDr4XgtWYb05rrBQKn01f2
=A6ex
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close