lulz ... nice find maybe Gadi Evron can publish his first exploit now
On Dec 18, 2007 12:25 PM, iDefense Labs <[EMAIL PROTECTED]> wrote:

> iDefense Security Advisory 12.17.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Dec 17, 2007
>
> I. BACKGROUND
>
> The mount_smbfs utility is used to mount a remote SMB share locally. It
> is installed set-uid root, so as to allow unprivileged users to mount
> shares, and is present in a default installation on both the Server and
> Desktop versions of Mac OS X. For more information visit the following
> URL.
>
> http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html
>
> II. DESCRIPTION
>
> Local exploitation of a stack based buffer overflow vulnerability in
> Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to
> execute arbitrary code with root privileges.
>
> The vulnerability exists in a portion of code responsible for parsing
> command line arguments. When processing the -W option, which is used to
> specify a workgroup name, the option's argument is copied into a fixed
> sized stack buffer without any checks on its length. This leads to a
> trivially exploitable stack based buffer overflow.
>
> III. ANALYSIS
>
> Exploitation of this vulnerability results in the execution of arbitrary
> code with root privileges. In order to exploit this vulnerability, an
> attacker must have execute permission for the set-uid root mount_smbfs
> binary.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability in Mac OS X
> version 10.4.10, on both the Server and Desktop versions. Previous
> versions may also be affected.
>
> V. WORKAROUND
>
> Removing the set-uid bit from the mount_smbfs binary will prevent
> exploitation. However, non-root users will be unable to use the
> program.
>
> VI. VENDOR RESPONSE
>
> Apple addressed this vulnerability within their Mac OS X 2007-009
> security update. More information is available at the following URL.
>
> http://docs.info.apple.com/article.html?artnum=307179
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2007-3876 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 07/16/2007 Initial vendor notification
> 07/17/2007 Initial vendor response
> 12/17/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was discovered by Sean Larsson of VeriSign iDefense
> Labs.
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail [EMAIL PROTECTED] for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
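An added illustration of the bug class the quoted advisory describes, not Apple's mount_smbfs source and not part of the original post: an option argument copied into a fixed-size stack buffer with no length check, placed next to a bounded version that rejects overlong input, plus a small scanner for both the `-W name` and `-Wname` spellings. The buffer size, the function names and the scanner are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the real size is not given in the advisory. */
#define WORKGROUP_MAX 16

/* The pattern the advisory describes: the argument is copied into a fixed-size
 * stack buffer with no length check, so an argument longer than the buffer
 * overwrites whatever follows it on the stack. Kept for contrast only. */
void set_workgroup_unchecked(char *dst, const char *optarg)
{
    strcpy(dst, optarg);
}

/* Hardened form: refuse any argument that does not fit together with its
 * terminating NUL, then copy exactly the bytes that were checked.
 * Returns 0 on success, -1 if the argument is too long. */
int set_workgroup_checked(char *dst, size_t dstlen, const char *optarg)
{
    size_t n = strlen(optarg);
    if (n >= dstlen)
        return -1;
    memcpy(dst, optarg, n + 1);
    return 0;
}

/* Hypothetical scanner for "-W name" or "-Wname" (written without getopt so it
 * keeps no global state). Returns 0 when a workgroup was stored, 1 when no -W
 * was given, -1 when the argument is missing or too long. */
int parse_workgroup(int argc, char *const argv[], char *out, size_t outlen)
{
    for (int i = 1; i < argc; i++) {
        const char *arg;
        if (strncmp(argv[i], "-W", 2) != 0)
            continue;
        if (argv[i][2] != '\0')
            arg = argv[i] + 2;          /* -Wname */
        else if (i + 1 < argc)
            arg = argv[++i];            /* -W name */
        else
            return -1;                  /* -W with nothing after it */
        return set_workgroup_checked(out, outlen, arg);
    }
    return 1;
}
```

The checked copy is the only one the scanner calls; `set_workgroup_unchecked` exists solely to show what the fix changes, and an audit of a set-uid binary would look for exactly that shape of unbounded copy from `optarg`.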