ID

VAR-200403-0067

CVE

CVE-2004-0165

TITLE

Apple Mac OS X Point-to-Point Protocol daemon (pppd) contains format string vulnerability

DESCRIPTION

Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges. apple's Apple Mac OS X and Apple Mac OS X Server Exists in unspecified vulnerabilities.None. Apple has reported multiple previously known and newly discovered security vulnerabilities in Mac OS X (Client and Server). The individual security issues include: Improved notification logging (CAN-2004-0168). Undisclosed DiskArbitration security improvements for handling writeable removable media (CAN-2004-0167). Undisclosed IPSec key exchange issue (CAN-2004-0164). Unspecified security vulnerability (CAN-2004-0089) in QuickTime Streaming Server that is related to handling of request data. URI display issue (CAN-2004-0166) in the Safari web browser. Finally 3 vulnerabilities in tcpdump. These issues are described in BID 9507(TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability), BID 7090(TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability) and BID 9423(TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow Vulnerabilities). These issues are currently undergoing further analysis. Where it is appropriate, each individual issue will be assigned a unique BID and any existing BIDs will be updated accordingly to reflect the release of this Security Update. When the ppp daemon processes an invalid command line argument, a function, error(), is called on the user-supplied data. Format specifiers that are contained within the supplied data will be interpreted literally, providing an attacker a conduit to read from pppd process memory. However, this format string problem does not allow the use of \\%n to attack, but due to the lack of filtering when receiving command line parameters, the format string problem can be triggered when submitted to the vslprintf() function, and the part of the pppd process memory can be obtained by using this problem Information, such as PAP or CHAP authentication information. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. The vulnerability is in a function specific to pppd that does not allow for traditional exploitation (arbitrary data written to arbitrary memory locations) via %n. However, it is possible to read arbitrary data out of pppd's process. Under certain circumstances, it is also possible to 'steal' PAP/CHAP authentication credentials. This function is a custom replacement for vsnprintf(), and does contains a small subset of the format specifiers. The offending function is called option_error: void option_error __V((char *fmt, ...)) { va_list args; char buf[256]; #if defined(__STDC__) va_start(args, fmt); #else char *fmt; va_start(args); fmt = va_arg(args, char *); #endif vslprintf(buf, sizeof(buf), fmt, args); va_end(args); if (phase == PHASE_INITIALIZE) fprintf(stderr, "%s: %s\n", progname, buf); #ifdef __APPLE__ error(buf); #else syslog(LOG_ERR, "%s", buf); #endif } As we can see, there is a specific Apple ifdef that will pass our buffer directly to error(). Information about Apple Security Updates may be found at http://www.info.apple.com/ Recommendation: Install the vendor supplied upgrade. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQDqNV0e9kNIfAm4yEQJDyACfdyoktRpVe2HdeJ+OXFrO0PCH5L4Anj1t ayzDBWIsuXib+mhqIjrG7wDI =4K2F -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Dave G※ daveg@atstake.com

SOURCES

LAST UPDATE DATE

2024-08-14T13:09:41.515000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE