ID

VAR-200407-0076


CVE

CVE-2004-0430


TITLE

Apple Mac OS X AppleFileServer fails to properly handle certain authentication requests

Trust: 0.8

sources: CERT/CC: VU#648406

DESCRIPTION

Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. There is a buffer overflow vulnerability in the way Apple's AppleFileServer handles certain authentication requests. This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code. Apple Mac OS X and Apple Mac OS X Server contain an unspecified vulnerability. The issue presents itself when the application receives a 'LoginExt' packet containing a malformed 'PathName' argument. This issue was previously disclosed in BID 10268 (Apple OS X Multiple Unspecified Large Input Vulnerabilities); however, it is being assigned a new BID as a result of new information that has become available. The problem exists in the pre-authentication stage.

@stake, Inc.
www.atstake.com
Security Advisory

Advisory Name: AppleFileServer Remote Command Execution
Release Date: 05/03/2004
Application: AppleFileServer
Platform: MacOS X 10.3.3 and below
Severity: A remote attacker can execute arbitrary commands as root
Authors: Dave G. <daveg@atstake.com>
         Dino Dai Zovi <ddaizovi@atstake.com>
Vendor Status: Informed, Upgrade Available
CVE Candidate: CAN-2004-0430
Reference: www.atstake.com/research/advisories/2004/a050304-1.txt

Overview:

The AppleFileServer provides Apple Filing Protocol (AFP) services for both Mac OS X and Mac OS X server. AFP is a protocol used to remotely mount drives, similar to NFS or SMB/CIFS. AFP is not enabled by default. It is enabled through the Sharing Preferences section by selecting the 'Personal File Sharing' checkbox.

There is a pre-authentication remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges. The PathName argument is encoded as one-byte specifying the string type, two-bytes specifying the string length, and finally the string itself. A string of type AFPName (0x3) that is longer than the length declared in the packet will overflow the fixed-size stack buffer. The previously described malformed request results in a trivially exploitable stack buffer overflow.

Vendor Response:

- From APPLE-SA-2004-05-03 Security Update 2004-05-03

AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.

Security Update 2004-05-03 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:

For Mac OS X 10.3.3 "Panther"
=============================
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg
The download file is named: "SecUpd2004-05-03Pan.dmg"
Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532

For Mac OS X Server 10.3.3
==========================
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg
The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7

For Mac OS X 10.2.8 "Jaguar"
=============================
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg
The download file is named: "SecUpd2004-05-03Jag.dmg"
Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945

For Mac OS X Server 10.2.8
==========================
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg
The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb

Timeline
3/26/2004 Vendor notified of issue
5/04/2004 Vendor informs us that they have a patch available
4/04/2004 Advisory released

Recommendation:

If you do not need AFS, disable it. If you do need it, upgrade to the latest version of Panther.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2004-0430 AppleFileServer Remote Command Execution

Open Source Vulnerability Database (OSVDB) Information:

More information available at www.osvdb.org
OSVDB ID 5762

@stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/
@stake Advisory Archive: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.
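The advisory above describes the PathName wire encoding (one type byte, a two-byte length, then the string) and the failure mode of copying a string that is longer than its length field into a fixed-size stack buffer. As an added illustration that is not code from the advisory, from Apple or from AppleFileServer, here is a bounds-checked parser for that encoding; the destination buffer size, the error codes and the sample packet are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative values: type 0x3 is AFPName per the advisory; the destination
 * buffer size is an assumption, not the real AppleFileServer's. */
#define AFP_STRING_TYPE_AFPNAME 0x3
#define PATHNAME_BUF_SIZE 256

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED, /* packet ends before the declared string does */
    PARSE_BAD_TYPE,  /* type byte is not AFPName */
    PARSE_TOO_LONG   /* declared length does not fit the fixed buffer */
};

/* Parse one PathName argument: 1-byte type, 2-byte big-endian length, string.
 * The copy is driven only by the validated length field, never by the string
 * content, so bytes past the declared length stay unconsumed for the caller. */
enum parse_result parse_pathname(const uint8_t *pkt, size_t pkt_len,
                                 char out[PATHNAME_BUF_SIZE], size_t *consumed)
{
    if (pkt_len < 3)
        return PARSE_TRUNCATED;
    if (pkt[0] != AFP_STRING_TYPE_AFPNAME)
        return PARSE_BAD_TYPE;
    size_t declared = ((size_t)pkt[1] << 8) | pkt[2];
    if (declared >= PATHNAME_BUF_SIZE) /* keep one byte for the terminator */
        return PARSE_TOO_LONG;
    if (pkt_len - 3 < declared)
        return PARSE_TRUNCATED;
    memcpy(out, pkt + 3, declared);
    out[declared] = '\0';
    *consumed = 3 + declared;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed packet: AFPName, declared length 5, then 7 payload bytes.
     * Only the 5 declared bytes are copied; the 2 extra remain unconsumed. */
    const uint8_t pkt[] = {0x03, 0x00, 0x05, 'v', 'o', 'l', 'u', 'm', 'X', 'Y'};
    char name[PATHNAME_BUF_SIZE];
    size_t used = 0;
    enum parse_result r = parse_pathname(pkt, sizeof pkt, name, &used);
    printf("result=%d name=\"%s\" consumed=%zu of %zu\n", r, name, used, sizeof pkt);
    return r == PARSE_OK ? 0 : 1;
}
```

The length-vs-buffer and length-vs-packet checks run before any copy, so a declared length of 0x100 or more is rejected outright rather than written into the 256-byte buffer.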

Trust: 2.79

sources: NVD: CVE-2004-0430 // CERT/CC: VU#648406 // JVNDB: JVNDB-2004-000935 // BID: 10271 // VULHUB: VHN-8860 // PACKETSTORM: 33249

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:lteversion:10.3.3

Trust: 1.0

vendor:applemodel:mac os x serverscope:lteversion:10.3.3

Trust: 1.0

vendor:apple computermodel: - scope: - version: -

Trust: 0.8

vendor:applemodel:apple mac os xscope:lteversion:10.3.3 and earlier

Trust: 0.8

vendor:applemodel:apple mac os xscope:lteversion:server 10.3.3 and earlier

Trust: 0.8

vendor:applemodel:apple mac os x serverscope:lteversion:10.3.3 and earlier

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:10.3.3

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.3.3

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2

Trust: 0.3

sources: CERT/CC: VU#648406 // BID: 10271 // JVNDB: JVNDB-2004-000935 // CNNVD: CNNVD-200407-024 // NVD: CVE-2004-0430

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2004-0430
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#648406
value: 27.42

Trust: 0.8

NVD: CVE-2004-0430
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200407-024
value: MEDIUM

Trust: 0.6

VULHUB: VHN-8860
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2004-0430
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-8860
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#648406 // VULHUB: VHN-8860 // JVNDB: JVNDB-2004-000935 // CNNVD: CNNVD-200407-024 // NVD: CVE-2004-0430

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2004-000935 // NVD: CVE-2004-0430

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200407-024

TYPE

Boundary Condition Error

Trust: 0.9

sources: BID: 10271 // CNNVD: CNNVD-200407-024

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-8860

PATCH

title:top pageurl:https://www.apple.com/

Trust: 0.8

sources: JVNDB: JVNDB-2004-000935

EXTERNAL IDS

db:NVDid:CVE-2004-0430

Trust: 3.7

db:SECTRACKid:1010039

Trust: 3.3

db:SECUNIAid:11539

Trust: 3.3

db:CERT/CCid:VU#648406

Trust: 3.3

db:JVNDBid:JVNDB-2004-000935

Trust: 0.8

db:CNNVDid:CNNVD-200407-024

Trust: 0.7

db:ATSTAKEid:A050304-1

Trust: 0.6

db:XFid:16049

Trust: 0.6

db:APPLEid:APPLE-SA-2004-05-03

Trust: 0.6

db:BIDid:10271

Trust: 0.4

db:PACKETSTORMid:33249

Trust: 0.2

db:SEEBUGid:SSVID-18023

Trust: 0.1

db:SEEBUGid:SSVID-71362

Trust: 0.1

db:SEEBUGid:SSVID-66984

Trust: 0.1

db:SEEBUGid:SSVID-88766

Trust: 0.1

db:SEEBUGid:SSVID-62850

Trust: 0.1

db:PACKETSTORMid:82304

Trust: 0.1

db:PACKETSTORMid:34035

Trust: 0.1

db:EXPLOIT-DBid:391

Trust: 0.1

db:EXPLOIT-DBid:16863

Trust: 0.1

db:EXPLOIT-DBid:9931

Trust: 0.1

db:VULHUBid:VHN-8860

Trust: 0.1

sources: CERT/CC: VU#648406 // VULHUB: VHN-8860 // BID: 10271 // JVNDB: JVNDB-2004-000935 // PACKETSTORM: 33249 // CNNVD: CNNVD-200407-024 // NVD: CVE-2004-0430

REFERENCES

url:http://www.atstake.com/research/advisories/2004/a050304-1.txt

Trust: 3.4

url:http://www.securiteam.com/securitynews/5qp0115cuo.html

Trust: 3.3

url:http://www.kb.cert.org/vuls/id/648406

Trust: 2.5

url:http://securitytracker.com/id?1010039

Trust: 2.5

url:http://secunia.com/advisories/11539

Trust: 2.5

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/16049

Trust: 1.9

url:http://lists.apple.com/mhonarc/security-announce/msg00049.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2004-0430

Trust: 0.9

url:http://docs.info.apple.com/article.html?artnum=61798

Trust: 0.8

url:http://secunia.com/advisories/11539/

Trust: 0.8

url:http://www.securitytracker.com/alerts/2004/may/1010039.html2

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/16049

Trust: 0.6

url:http://metasploit.com/projects/framework/exploits.html

Trust: 0.3

url:/archive/1/362117

Trust: 0.3

url:http://cve.mitre.org

Trust: 0.1

url:http://www.atstake.com/research/advisories/

Trust: 0.1

url:http://download.info.apple.com/mac_os_x/061-1213.20040503.vngr3/

Trust: 0.1

url:http://www.atstake.com/research/pgp_key.asc

Trust: 0.1

url:http://www.atstake.com/research/policy/

Trust: 0.1

url:https://www.osvdb.org

Trust: 0.1

url:http://download.info.apple.com/mac_os_x/061-1219.20040503.zsw3s/

Trust: 0.1

url:http://download.info.apple.com/mac_os_x/061-1215.20040503.mpp9k/

Trust: 0.1

url:http://download.info.apple.com/mac_os_x/061-1217.20040503.bmky5/

Trust: 0.1

sources: CERT/CC: VU#648406 // VULHUB: VHN-8860 // BID: 10271 // JVNDB: JVNDB-2004-000935 // PACKETSTORM: 33249 // CNNVD: CNNVD-200407-024 // NVD: CVE-2004-0430

CREDITS

Dave G. <daveg@atstake.com>

Trust: 0.6

sources: CNNVD: CNNVD-200407-024

SOURCES

db:CERT/CCid:VU#648406
db:VULHUBid:VHN-8860
db:BIDid:10271
db:JVNDBid:JVNDB-2004-000935
db:PACKETSTORMid:33249
db:CNNVDid:CNNVD-200407-024
db:NVDid:CVE-2004-0430

LAST UPDATE DATE

2024-08-14T12:07:10.910000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#648406date:2004-05-07T00:00:00
db:VULHUBid:VHN-8860date:2017-07-11T00:00:00
db:BIDid:10271date:2009-07-12T04:07:00
db:JVNDBid:JVNDB-2004-000935date:2024-06-07T09:00:00
db:CNNVDid:CNNVD-200407-024date:2005-10-20T00:00:00
db:NVDid:CVE-2004-0430date:2017-07-11T01:30:09.463

SOURCES RELEASE DATE

db:CERT/CCid:VU#648406date:2004-05-07T00:00:00
db:VULHUBid:VHN-8860date:2004-07-07T00:00:00
db:BIDid:10271date:2004-05-03T00:00:00
db:JVNDBid:JVNDB-2004-000935date:2024-06-07T00:00:00
db:PACKETSTORMid:33249date:2004-05-07T16:47:14
db:CNNVDid:CNNVD-200407-024date:2004-05-04T00:00:00
db:NVDid:CVE-2004-0430date:2004-07-07T04:00:00