[Full-disclosure] [MU-200611-01] Pre-Authentication Vulnerability in Mac OSX kernel PPP

Type securityvulns
Reporter Securityvulns
Modified 2006-11-30T00:00:00




Pre-Authentication Vulnerability in Mac OSX kernel PPP driver [MU-200611-01] November 28, 2006


Affected Product/Versions:

Mac OS X v10.3.9 Mac OS X Server v10.3.9 Mac OS X v10.4.8 Mac OS X Server v10.4.8

Product Overview:

"PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links. The pppd daemon works together with the kernel PPP driver to establish and maintain a PPP link with another system (called the peer) and to negotiate Internet Protocol (IP) addresses for each end of the link. Pppd can also authenticate the peer and/or supply authentication infor- mation to the peer. PPP can be used with other network protocols besides IP, but such use is becoming increasingly rare."

Vulnerability Details:

The network kernel extension com.apple.nke.pppoe that works concurrently with the pppd has a critical vulnerability that may lead to arbitrary code execution with system privileges. The vulnerability is triggered by sending a malformed PADI packet with invalid lengths to the ppp daemon. PADI is the first message in a PPPoE link establishment and requires no credentials. In addition, the MAC address of the sender can be spoofed. Users of PPP who do not create PPPoE connections are not at risk of attack. PPPoE is also not enabled by default.

Vendor Response / Solution:

All users of PPPoE on OS X are recommended to immediately apply the security updates available from the following URL:


Mu Security would like to thank Apple for timely remediation of these vulnerabilities.


09/14/06 - First contact with the vendor 11/01/06 - Fix available for the vulnerabilities 11/28/06 - Advisory released


This vulnerability was discovered by the Mu Security research team.


Mu Security offers a new class of security analysis system, delivering a rigorous and streamlined methodology for verifying the robustness and security readiness of any IP-based product or application. Founded by the pioneers of intrusion detection and prevention technology, Mu Security is backed by preeminent venture capital firms that include Accel Partners, Benchmark Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For more information, visit the company's website at http://www.musecurity.com. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (Darwin)

iD8DBQFFbK47Ml+docYeP+YRAtYvAJsE0DymOrYWyPL363FyDIen2/B6qgCgk/uU myV3rI7qnCMdLbJCUjqdPsk= =Kv1p -----END PGP SIGNATURE-----

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/