Overview
Apple Mac OS X contains a buffer overflow in vpnd that could allow a local, authenticated attacker to execute arbitrary code with root privileges.
Description
Mac OS X includes a VPN server called vpnd, which is installed setuid root by default. vpnd fails to validate the length of the Server_id parameter. The Server_id setting may be configured from the command line by using the -i option. Server_id is referenced by the com.apple.RemoteAccessServers.plist file in the /Library/Preferences/SystemConfiguration directory to load the appropriate configuration file. Using a specially crafted Server_id parameter, an authenticated local attacker could execute arbitrary code with privileges of the vpnd process. Note that com.apple.RemoteAccessServers.plist is only present by default on Mac OS X Server. On a standard Mac OS X install, the file must be created manually or by using the graphical network configuration tools.
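The missing check described above, sketched as an added example; this is not Apple's vpnd source. The 64-byte limit and the names `SERVER_ID_MAX`, `vpn_opts`, `set_server_id` and `parse_args` are assumptions made for illustration. The value of `-i` is length-checked against the destination buffer and rejected, not truncated, when it does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for illustration; the advisory does not give vpnd's buffer size. */
#define SERVER_ID_MAX 64

enum id_status { ID_OK = 0, ID_MISSING = -1, ID_TOO_LONG = -2 };

struct vpn_opts { char server_id[SERVER_ID_MAX]; };  /* hypothetical option storage */

/* Validate the length of a server id before copying it; never truncates. */
int set_server_id(struct vpn_opts *opts, const char *arg)
{
    const char *end;
    if (opts == NULL || arg == NULL || arg[0] == '\0')
        return ID_MISSING;
    /* Look for the terminator within the destination size only. */
    end = memchr(arg, '\0', SERVER_ID_MAX);
    if (end == NULL)                 /* value plus NUL would not fit: reject */
        return ID_TOO_LONG;
    memcpy(opts->server_id, arg, (size_t)(end - arg) + 1);
    return ID_OK;
}

/* Walk argv and apply the check to every "-i <server_id>" pair. */
int parse_args(struct vpn_opts *opts, int argc, char *const argv[])
{
    int i, rc;

    opts->server_id[0] = '\0';
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-i") != 0)
            continue;
        if (i + 1 >= argc)
            return ID_MISSING;
        if ((rc = set_server_id(opts, argv[++i])) != ID_OK)
            return rc;
    }
    return ID_OK;
}

int main(int argc, char *argv[])
{
    struct vpn_opts opts;
    int rc = parse_args(&opts, argc, argv);
    printf("status %d, server id \"%s\"\n", rc, opts.server_id);
    return rc == ID_OK ? 0 : 1;
}
```

In a setuid-root program this validation has to run before the argument reaches any fixed-size buffer, because the caller controls the command line.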
Impact
A local, authenticated attacker could execute arbitrary code with root privileges.
Solution
Apply a patch
References
- http://docs.info.apple.com/article.html?artnum=301528
- http://secunia.com/advisories/15227/
- http://www.idefense.com/application/poi/display?id=240&type=vulnerabilities
- http://www.securityfocus.org/bid/13488
- http://www.securitytracker.com/alerts/2005/May/1013887.html
- http://www.osvdb.org/displayvuln.php?osvdb_id=16085
Acknowledgements
This vulnerability was reported by Jason Aras.
This document was written by Will Dormann, based on the information provided in the iDEFENSE Security Advisory 05.04.05.
Other Information
- CVE IDs: CVE-2005-1343
- Severity Metric: 9.38
- Date Public: 2005-05-03
- Date First Published: 2005-05-16
- Date Last Updated: 2005-05-24 13:37 UTC
- Document Revision: 13