- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
The
<http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html> mount_smbfs utility is "used to mount a remote SMB share locally. It is installed set-uid root, so as to allow unprivileged users to mount shares, and is present in a default installation on both the Server and Desktop versions of Mac OS X". Local exploitation of a stack based buffer overflow vulnerability in Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to execute arbitrary code with root privileges.
DETAILS
Vulnerable Systems:
* Mac OS X version 10.4.10
The vulnerability exists in a portion of code responsible for parsing
command line arguments. When processing the -W option, which is used to
specify a workgroup name, the option's argument is copied into a fixed
sized stack buffer without any checks on its length. This leads to a
trivially exploitable stack based buffer overflow.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges. In order to exploit this vulnerability, an
attacker must have execute permission for the set-uid root mount_smbfs
binary.
Workaround:
Removing the set-uid bit from the mount_smbfs binary will prevent
exploitation. However, non-root users will be unable to use the program.
Vendor response:
Apple addressed this vulnerability within their Mac OS X 2007-009 security
update. More information is available at the following URL.
<http://docs.info.apple.com/article.html?artnum=307179>
http://docs.info.apple.com/article.html?artnum=307179
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3876>
CVE-2007-3876
Disclosure Timeline:
07/16/2007 - Initial vendor notification
07/17/2007 - Initial vendor response
12/17/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment