• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

New Security Update for OS X

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Macintosh

View previous topic :: View next topic  
Author Message
acidrain
Just Arrived
Just Arrived


Joined: 27 Apr 2003
Posts: 0
Location: Yakima, Washington State, USA

Offline

PostPosted: Tue Feb 24, 2004 10:34 am    Post subject: New Security Update for OS X Reply with quote

Quote:
Security Update 2004-02-23 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

DiskArbitration
IPSec
Point-to-Point-Protocol
Safari

Additionally, Security Update 2003-11-19 has been incorporated into this security update. Those components are:

gm4
groff
Mail w/CRAM-MD5 authentication
OpenSSL
Personal File Sharing
QuickTime for Java
zlib "gzprintf()" function


http://www.apple.com/downloads/macosx/apple/

OS X Client 10.3
http://www.apple.com/downloads/macosx/apple/securityupdate20040223forpantherclient.html
OS X Client 10.2
http://www.apple.com/downloads/macosx/apple/securityupdate20040223forjaguarclient.html

Installed ok on my 10.2 client...no problems noticed afterward[/quote]
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger
RoboGeek
SF Mod
SF Mod


Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL

Offline

PostPosted: Wed Feb 25, 2004 3:29 pm    Post subject: Reply with quote

that update fixes this vulnerability:

Quote:
The following security advisory can be found at the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -



Mac OS X pppd Format String Vulnerability
------------------------------------------------------------------------


SUMMARY

The ppp daemon that comes installed by default in Mac OS X is vulnerable
to a format string vulnerability. The vulnerability is in a function
specific to pppd that does not allow for traditional exploitation
(arbitrary data written to arbitrary memory locations) via %n. However, it
is possible to read arbitrary data out of pppd's process. Under certain
circumstances, it is also possible to 'steal' PAP/CHAP authentication
credentials.

DETAILS

When pppd receives an invalid command line argument, it will eventually
pass it as a format specifier to vslprintf(). This function is a custom
replacement for vsnprintf(), and does contains a small subset of the
format specifiers. ?The offending function is called option_error:

void
option_error __V((char *fmt, ...))
{
va_list args;
char buf[256];

#if defined(__STDC__)
va_start(args, fmt);
#else
char *fmt;
va_start(args);
fmt = va_arg(args, char *);
#endif
vslprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (phase == PHASE_INITIALIZE)
fprintf(stderr, "%s: %s\n", progname, buf);
#ifdef __APPLE__
error(buf);
#else
syslog(LOG_ERR, "%s", buf);
#endif
}

As we can see, there is a specific Apple ifdef that will pass our buffer
directly to error().

By utilizing one of the techniques outlined in scut's paper, "Exploiting
Format String Vulnerabilities", it may be possible to access PAP and/or
CHAP credentials, if the OS X system is being used as a PPP server.

Vendor Response:
This is fixed in Security Update 2004-02-23 for Mac OS X 10.3.2 and Mac OS
X 10.2.8. Information about Apple Security Updates may be found at
http://www.info.apple.com/.

Recommendation:
Install the vendor supplied upgrade.

Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0165
CAN-2004-0165 Mac OS X pppd format string vulnerability.
Back to top
View user's profile Send private message Visit poster's website
theDarkStranger
Just Arrived
Just Arrived


Joined: 24 Feb 2004
Posts: 0
Location: South-Texas

Offline

PostPosted: Wed Feb 25, 2004 4:41 pm    Post subject: Reply with quote

Hi All,

I'm new to the forum but a long time reader.

Correct me if i'm wrong but isn't this Update also a fix for the tcpdump issue Mac OS X has been having to where you can get the admin password to the machine via the dump.

I could have been mistaken. It was late when I downloaded the update.

thanks
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Macintosh All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register