Mac OS X AppleFileServer Pre-Authentication Remote Overflow

2004-05-03T00:00:00
ID OSVDB:5762
Type osvdb
Reporter Dino Dai Zovi (ddaizovi@atstake.com), Dave G. (daveg@atstake.com)
Modified 2004-05-03T00:00:00

Description

Vulnerability Description

Mac OS X contains a flaw that may allow a remote attacker to gain administrative privileges. The issue is due to a stack buffer overflow in the pre-authentication routine of AppleFileServer. The overflow is triggered by the PathName argument of a LoginExt packet that requests authentication using the Cleartext Password User Authentication Method (UAM). Because the flaw is reached before authentication, a remote attacker needs no valid credentials: a specially crafted request is enough to gain full administrative privileges on the machine.

Solution Description

Apple has released a patch to address this vulnerability. As a workaround, exposure to the flaw can be removed by disabling AppleFileServer (AFS) if it is not essential.

For Mac OS X 10.3.3 "Panther"

http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg

For Mac OS X Server 10.3.3

http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg

For Mac OS X 10.2.8 "Jaguar"

http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg

For Mac OS X Server 10.2.8

http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg

References:

Vendor URL: http://www.apple.com

Vendor Specific Advisory URL

Packet Storm: http://packetstormsecurity.nl/exploits20.html

Other Advisory URL: http://www.atstake.com/research/advisories/2004/a050304-1.txt

ISS X-Force ID: 16049

Generic Exploit URL: http://www.securiteam.com/exploits/5AP0H1FDPE.html

CVE-2004-0430

CIAC Advisory: o-139

CIAC Advisory: o-138

CERT VU: 648406

Bugtraq ID: 10271