__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Apple Mac OS X Jaguar and Panther Security Vulnerabilities [@stake a050304-1] May 10, 2004 16:00 GMT Number O-138 [REVISED 06 Dec 2004] ______________________________________________________________________________ PROBLEM: Several security vulnerabilities have been identified in Mac OS X Jaguar and Panther. Some of these vulnerabilities were addressed in previously released CIAC Bulletins. (CIAC Bulletins O-128, O-135, and P-049.) PLATFORM: Mac OS X10.3.3 Panther Mac OS X 10.3.3 Server Mac OS X 10.2.8 Jaguar Mac OS X 10.2.8 Server Mac OS X v10.2.x and v10.3.x (added 12-6-04) Mac OS X Servers v10.2.x and v10.3.x (added 12-6-04) DAMAGE: There is a pre-authentication, remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges. Other vulnerabilities include man-in-the-middle and denial of service. SOLUTION: Upgrade to the latest version of Jaguar and Panther. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. Allows a remotely exploitable stack buffer ASSESSMENT: overflow that allows an attacker to obtain administrative privileges. 
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-138.shtml
 ORIGINAL BULLETINS: Apple Security Update 2004-12-02 (Also on CIAC P-049)
                     http://docs.info.apple.com/article.html?artnum=61798
 ADDITIONAL LINKS:   http://atstake.com/research/advisories/2004/a050304-1.txt
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0430  CAN-2003-0020  CAN-2004-0113
                     CAN-2004-0174  CAN-2004-0428  CAN-2004-0155
                     CAN-2004-0403  CAN-2004-0429  CAN-2004-0431
______________________________________________________________________________

REVISION HISTORY:
 12/06/04 - Added other Apple products to Platforms. Updated info on the
            link to Apple's Security Update 2004-12-02. This information
            is also in CIAC Bulletin P-049. Visit Apple's web site for
            their published information:
            http://docs.info.apple.com/article.html?artnum=61798

[***** Start @stake a050304-1 *****]

                              @stake, Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: AppleFileServer Remote Command Execution
 Release Date: 05/03/2004
  Application: AppleFileServer
     Platform: MacOS X 10.3.3 and below
     Severity: A remote attacker can execute arbitrary commands as root
      Authors: Dave G.
               Dino Dai Zovi
Vendor Status: Informed, Upgrade Available
CVE Candidate: CAN-2004-0430
    Reference: www.atstake.com/research/advisories/2004/a050304-1.txt

Overview:

The AppleFileServer provides Apple Filing Protocol (AFP) services for both
Mac OS X and Mac OS X Server. AFP is a protocol used to remotely mount
drives, similar to NFS or SMB/CIFS. There is a pre-authentication, remotely
exploitable stack buffer overflow that allows an attacker to obtain
administrative privileges and execute commands as root.

Details:

The AppleFileServer provides Apple Filing Protocol (AFP) services for both
Mac OS X and Mac OS X Server. AFP is a protocol used to remotely mount
drives, similar to NFS or SMB/CIFS. AFP is not enabled by default.
It is enabled through the Sharing pane of System Preferences by selecting
the 'Personal File Sharing' checkbox.

There is a pre-authentication, remotely exploitable stack buffer overflow
that allows an attacker to obtain administrative privileges. The overflow
occurs when parsing the PathName argument of a LoginExt packet that
requests authentication using the Cleartext Password User Authentication
Method (UAM). The PathName argument is encoded as one byte specifying the
string type, two bytes specifying the string length, and finally the string
itself. A string of type AFPName (0x3) that is longer than the length
declared in the packet will overflow the fixed-size stack buffer.

This malformed request results in a trivially exploitable stack buffer
overflow. @stake was able to quickly develop a proof-of-concept exploit
that portably demonstrates this vulnerability across multiple Mac OS X
versions, including Mac OS X 10.3.3, 10.3.2, and 10.2.8.

Vendor Response:

- From APPLE-SA-2004-05-03 Security Update 2004-05-03

  AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long
  passwords. Credit to Dave G. from @stake for reporting this issue.
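The PathName parsing described under Details above, as an added example that is not part of the @stake advisory or of AppleFileServer's code. It models the argument exactly as the advisory describes it (type byte, two-byte length, then the string). The AFPName type value 0x3 is from the advisory; PATHNAME_BUF, the function names and the 'A'-filled packets are assumptions constructed for the example. The vulnerable shape is modelled by computing what a copy would write rather than performing it, so the program runs without corrupting its own stack:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define AFP_NAME      0x03  /* string type AFPName, from the advisory */
#define PATHNAME_BUF  32    /* ASSUMED stack buffer size; the advisory gives no figure */

enum pn_status {
    PN_OK = 0,
    PN_SHORT_HEADER,     /* fewer than 3 bytes for type + length */
    PN_BAD_TYPE,         /* string type is not AFPName */
    PN_LEN_PAST_PACKET,  /* declared length runs past the end of the packet */
    PN_LEN_TOO_LONG      /* declared length does not fit the destination buffer */
};

/* Encodes a PathName argument: type byte, big-endian declared length, then
 * the string bytes. declared and slen are separate so that a packet whose
 * string is longer than its declared length can be constructed. */
size_t build_pathname(uint8_t *buf, size_t cap, uint16_t declared,
                      const uint8_t *s, size_t slen)
{
    if (cap < 3 + slen) return 0;
    buf[0] = AFP_NAME;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + 3, s, slen);
    return 3 + slen;
}

/* The vulnerable shape, modelled without performing the write: after the
 * header the string is copied as C text (up to a NUL or the packet end) into
 * a PATHNAME_BUF-byte stack buffer, and the declared length is never checked.
 * Returns the bytes that would be written, NUL included, and sets *overflow
 * when that exceeds the buffer. */
size_t pathname_vulnerable_copy_len(const uint8_t *pkt, size_t pkt_len, int *overflow)
{
    size_t n = 0;
    *overflow = 0;
    if (pkt_len < 3 || pkt[0] != AFP_NAME) return 0;
    while (3 + n < pkt_len && pkt[3 + n] != '\0') n++;
    if (n + 1 > PATHNAME_BUF) *overflow = 1;
    return n + 1;
}

/* Hardened parse: the declared length is checked against the packet and the
 * destination before anything is copied, exactly that many bytes are copied,
 * and bytes beyond it are left for the next field. out must hold out_len
 * bytes; *consumed receives the number of packet bytes used. */
enum pn_status pathname_parse(const uint8_t *pkt, size_t pkt_len,
                              char *out, size_t out_len, size_t *consumed)
{
    size_t declared;

    if (pkt_len < 3)            return PN_SHORT_HEADER;
    if (pkt[0] != AFP_NAME)     return PN_BAD_TYPE;
    declared = (size_t)((pkt[1] << 8) | pkt[2]);
    if (declared > pkt_len - 3) return PN_LEN_PAST_PACKET;
    if (declared >= out_len)    return PN_LEN_TOO_LONG;  /* room for the NUL */

    memcpy(out, pkt + 3, declared);
    out[declared] = '\0';
    *consumed = 3 + declared;
    return PN_OK;
}

/* Constructed scenario: a PathName declaring `declared` bytes but carrying
 * `actual` bytes of 'A' (actual <= 256). Returns the hardened parser's verdict. */
enum pn_status scenario_status(uint16_t declared, size_t actual)
{
    uint8_t fill[256], pkt[300];
    char name[PATHNAME_BUF];
    size_t used = 0, len;
    memset(fill, 'A', sizeof fill);
    len = build_pathname(pkt, sizeof pkt, declared, fill, actual);
    return pathname_parse(pkt, len, name, sizeof name, &used);
}

/* Same constructed scenario; 1 when the modelled vulnerable copy would overflow. */
int scenario_overflow(uint16_t declared, size_t actual)
{
    uint8_t fill[256], pkt[300];
    int overflow;
    size_t len;
    memset(fill, 'A', sizeof fill);
    len = build_pathname(pkt, sizeof pkt, declared, fill, actual);
    pathname_vulnerable_copy_len(pkt, len, &overflow);
    return overflow;
}

int main(void)
{
    printf("declared 4,  actual 4:  hardened=%d vulnerable_overflow=%d\n",
           scenario_status(4, 4), scenario_overflow(4, 4));
    printf("declared 4,  actual 64: hardened=%d vulnerable_overflow=%d\n",
           scenario_status(4, 64), scenario_overflow(4, 64));
    printf("declared 64, actual 64: hardened=%d vulnerable_overflow=%d\n",
           scenario_status(64, 64), scenario_overflow(64, 64));
    return 0;
}
```

The second scenario is the advisory's condition: a string longer than its declared length. The hardened parser copies only the four declared bytes and leaves the rest for the next field, while the modelled vulnerable copy would write 65 bytes into a 32-byte buffer. The two checks that matter are the declared length against the remaining packet and against the destination buffer, both made before any memcpy; the third scenario shows the second of those rejecting an oversized but honestly declared name.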
  Security Update 2004-05-03 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    For Mac OS X 10.3.3 "Panther"
    =============================
    http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg
    The download file is named: "SecUpd2004-05-03Pan.dmg"
    Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532

    For Mac OS X Server 10.3.3
    ==========================
    http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg
    The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
    Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7

    For Mac OS X 10.2.8 "Jaguar"
    ============================
    http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg
    The download file is named: "SecUpd2004-05-03Jag.dmg"
    Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945

    For Mac OS X Server 10.2.8
    ==========================
    http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg
    The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
    Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb

Timeline:

 3/26/2004  Vendor notified of issue
 5/03/2004  Vendor informs us that they have a patch available
 5/03/2004  Advisory released

Recommendation:

If you do not need AFP, disable it. If you do need it, apply Security
Update 2004-05-03 for your release of Jaguar or Panther (download
locations and SHA-1 digests above), and verify the digest of the
downloaded image before installing.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.
  CAN-2004-0430  AppleFileServer Remote Command Execution

Open Source Vulnerability Database (OSVDB) Information:

More information available at www.osvdb.org
  OSVDB ID 5762

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.

[***** End @stake a050304-1 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Apple & @stake for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-128: Apache HTTP Server 2.0.49 Release Fixes Security Vulnerabilities
O-129: Common Desktop Environment (CDE) dtlogin XDMCP parser Vulnerability
O-130: Perl and ActivePerl win32_stat Buffer Overflow
O-131: AIX Symlink and Buffer Overflow Vulnerabilities in LVM Commands
O-132: BEA WebLogic Server and Express Certificate Spoofing Vulnerability
O-133: Red Hat utempter Package Vulnerability
O-134: Debian rsync
O-135: Apple QuickTime Integer Overflow
O-136: HP Web JetAdmin Vulnerabilities
O-137: SGI IRIX Networking Security Vulnerabilities