
CERT Coordination Center

Apple Mac OS X Point-to-Point Protocol daemon (pppd) contains format string vulnerability

Vulnerability Note VU#841742

Original Release Date: 2004-02-26 | Last Revised: 2004-02-26

Overview

The Apple Mac OS X Point-to-Point Protocol daemon (pppd) contains a format string vulnerability in its handling of invalid command line arguments.

Description

The Point-to-Point Protocol (PPP) provides a method for transmitting datagrams over serial point-to-point links. There is a format string vulnerability in the Mac OS X Point-to-Point Protocol daemon (pppd). When pppd receives an invalid command line argument, the argument is passed to the fslprintf() function, which uses the attacker-controlled text itself as the format string rather than supplying a fixed format string and passing the argument as a parameter.

According to @stake:
The vulnerability is in a function specific to pppd that does not allow for traditional exploitation (arbitrary data written to arbitrary memory locations) via %n. However, it is possible to read arbitrary data out of pppd's process. Under certain circumstances, it is also possible to 'steal' PAP/CHAP authentication credentials.
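
The following is an added illustration, not pppd source and not the @stake advisory's code, of the defect class the note describes: an error-reporting helper that hands a caller-controlled option string to the printf family as the format, beside the hardened form with a literal format. The function names (option_error_unsafe, option_error_safe, contains_format_directive) and the sample argument are constructed for this example. The sample uses only "%%" so the unsafe path visibly interprets the argument as a format without relying on undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable shape (hypothetical, modelled on the note's description):
 * the untrusted option text is used AS the format string, so every '%'
 * directive in it is interpreted by the printf engine. With no matching
 * variadic arguments, directives such as %x or %s read whatever happens
 * to be on the stack, which is how process memory leaks out. */
static int option_error_unsafe(char *out, size_t outlen, const char *arg)
{
    return snprintf(out, outlen, arg);   /* arg controls the format */
}

/* Hardened form: a fixed, literal format string; the untrusted text is
 * only ever consumed by a '%s' conversion and never parsed for directives. */
static int option_error_safe(char *out, size_t outlen, const char *arg)
{
    return snprintf(out, outlen, "unrecognized option '%s'", arg);
}

/* Triage helper for log review or a fuzz harness: does an untrusted string
 * contain anything the printf family would treat as a conversion directive?
 * "%%" is a literal percent sign and is skipped; any other '%' counts. */
static bool contains_format_directive(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }
        return true;
    }
    return false;
}

/* Render each form into a static buffer so the result can be inspected. */
static const char *render_unsafe(const char *arg)
{
    static char buf[128];
    option_error_unsafe(buf, sizeof buf, arg);
    return buf;
}

static const char *render_safe(const char *arg)
{
    static char buf[128];
    option_error_safe(buf, sizeof buf, arg);
    return buf;
}

int main(void)
{
    /* Constructed sample argument: the "%%" is consumed by the unsafe path
     * and survives verbatim in the safe path. */
    const char *arg = "50%% off";

    printf("unsafe: %s\n", render_unsafe(arg));   /* 50% off */
    printf("safe:   %s\n", render_safe(arg));     /* unrecognized option '50%% off' */
    printf("directive in \"%%08x\": %d\n", contains_format_directive("%08x"));
    return 0;
}
```

Compiling with `-Wformat-security` (or `-Werror=format-security`) flags the unsafe form, since its format argument is not a string literal; that warning is the cheapest check for this bug class across a C code base.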

Impact

The complete impact of this vulnerability is not yet known. However, exploitation may lead to the ability to read arbitrary data out of pppd's process. This data may contain CHAP or PAP authentication credentials.

Solution

Apply Patch

Apple has released a patch to address this vulnerability. For further details, please see the Apple Security Advisory (Security Update 2004-02-23).

Vendor Information

Apple Computer Inc. Affected

Updated: February 25, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to the Apple Security Advisory.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Acknowledgements

This vulnerability was reported by Dave G. of @stake and Justin Tibbs of Secure Network Operations (SRT).

This document was written by Damon Morda.

Other Information

CVE IDs: CVE-2004-0165
Severity Metric: 3.90
Date Public: 2004-02-24
Date First Published: 2004-02-26
Date Last Updated: 2004-02-26 15:23 UTC
Document Revision: 15

Sponsored by CISA.