NFS AUTH_UNIX RPC Double Free Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1018949
SecurityTracker URL: http://securitytracker.com/id/1018949
CVE Reference: CVE-2007-4690
Date: Nov 15 2007
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Description:
A vulnerability was reported in NFS. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted AUTH_UNIX RPC call to trigger a double free bug and execute arbitrary code on the target system. The code will run with the privileges of the target service.
Mac OS X is affected.
Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc. reported this vulnerability.
Impact:
A remote user can execute arbitrary code on the target system.
Solution:
Apple has released a fix, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.4.11 or Security Update 2007-008.
For Mac OS X v10.4.10 (Intel)
The download file is named: "MacOSXUpd10.4.11Intel.dmg"
Its SHA-1 digest is: 4c9103699c7925cc0277cffce4c7419a9d469c31
For Mac OS X v10.4.4 (Intel) through v10.4.9 (Intel)
The download file is named: "MacOSXUpdCombo10.4.11Intel.dmg"
Its SHA-1 digest is: 9a869c44010996bcf1a645f5467dd1bc596924dd
For Mac OS X v10.4.10 (PowerPC)
The download file is named: "MacOSXUpd10.4.11PPC.dmg"
Its SHA-1 digest is: 132d354637604c63d28b57e57e74aed1b21c9894
For Mac OS X v10.4 (PowerPC) through v10.4.9 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.11PPC.dmg"
Its SHA-1 digest is: 3d403bfa769424c61a3cfac173f8527658f9d4af
For Mac OS X Server v10.4.10 (Universal)
The download file is named: "MacOSXServerUpd10.4.11Univ.dmg"
Its SHA-1 digest is: 37bf2f081d773756472205146a037d1c8c52d45e
For Mac OS X Server v10.4.7 through v10.4.9 (Universal)
The download file is named: "MacOSXSrvrCombo10.4.11Univ.dmg"
Its SHA-1 digest is: 94a87bb6f7c73b68c2a8654a5c2642d7c5e82d56
For Mac OS X Server v10.4.10 (PowerPC)
The download file is named: "MacOSXServerUpd10.4.11PPC.dmg"
Its SHA-1 digest is: 6dde722314da1eaf00f881f026cfe770044f6cda
For Mac OS X Server v10.4 through v10.4.9 (PowerPC)
The download file is named: "MacOSXSrvrCombo10.4.11PPC.dmg"
Its SHA-1 digest is: 3aeb0fae441957c7a831365ad5af1b79b0d87720
For Mac OS X v10.3.9
The download file is named: "SecUpd2007-008Pan.dmg"
Its SHA-1 digest is: 7049852014bb8d31fe8a3b2706e59c1e7d3aebcd
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-008Pan.dmg"
Its SHA-1 digest is: d085bfc4bc59ca3c81495e9b7029381c3fa9b082
The Apple advisory is available at:
http://docs.info.apple.com/article.html?artnum=307041
Vendor URL: docs.info.apple.com/article.html?artnum=307041
Cause:
State error
Underlying OS:
UNIX (OS X)
Message History:
None.
Source Message Contents
Date: Wed, 14 Nov 2007 23:13:44 -0500
Subject: NFS
Apple reported:
NFS
CVE-ID: CVE-2007-4690
Available for: Mac OS X v10.4 through Mac OS X v10.4.10,
Mac OS X Server v10.4 through Mac OS X Server v10.4.10
Impact: A maliciously crafted AUTH_UNIX RPC call may lead to an
unexpected system shutdown or arbitrary code execution
Description: A double free issue in NFS may be triggered when
processing an AUTH_UNIX RPC call. By sending a maliciously crafted
AUTH_UNIX RPC call via TCP or UDP, a remote attacker may cause an
unexpected system shutdown or arbitrary code execution. This update
addresses the issue through improved validation of AUTH_UNIX RPC
packets. Credit to Alan Newson of NGSSoftware, and Renaud Deraison of
Tenable Network Security, Inc. for reporting this issue.
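Apple's note says the fix improves validation of AUTH_UNIX RPC packets, but neither advisory describes the malformed field or the patched code. As an added illustration (not Apple's code and not part of the original advisory), the C example below decodes an AUTH_UNIX credential body strictly against the size limits in the ONC RPC specification (RFC 5531); the struct, the function names and the sample bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Limits from ONC RPC (RFC 5531): body<400>, machinename<255>, gids<16>. */
#define AUTH_MAX_BODY 400
#define AUTH_MAX_NAME 255
#define AUTH_MAX_GIDS 16

struct authunix_cred {          /* hypothetical decoded form, caller-owned */
    uint32_t stamp, uid, gid, ngids, gids[AUTH_MAX_GIDS];
    char machine[AUTH_MAX_NAME + 1];
};

/* Constructed sample: stamp 1, machine "host", uid 501, gid 20, gids {20}. */
const uint8_t sample_ok[] = { 0,0,0,1, 0,0,0,4, 'h','o','s','t',
    0,0,1,0xf5, 0,0,0,20, 0,0,0,1, 0,0,0,20 };

/* Read one big-endian XDR word; -1 if fewer than 4 bytes remain. */
static int get_u32(const uint8_t **p, size_t *left, uint32_t *out)
{
    if (*left < 4) return -1;
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8) | (uint32_t)(*p)[3];
    *p += 4; *left -= 4;
    return 0;
}

/* Decode an AUTH_UNIX credential body. Returns 0 if well formed, else -1.
 * Every length is checked before use and nothing is heap-allocated, so a
 * rejected packet has no cleanup path that could free memory twice. */
int authunix_decode(const uint8_t *body, size_t len, struct authunix_cred *c)
{
    uint32_t namelen, padded, i;
    if (len > AUTH_MAX_BODY || (len & 3)) return -1;
    if (get_u32(&body, &len, &c->stamp) || get_u32(&body, &len, &namelen))
        return -1;
    padded = (namelen + 3) & ~3u;            /* XDR pads strings to 4 bytes */
    if (namelen > AUTH_MAX_NAME || padded > len) return -1;
    memcpy(c->machine, body, namelen);
    c->machine[namelen] = '\0';
    body += padded; len -= padded;
    if (get_u32(&body, &len, &c->uid) || get_u32(&body, &len, &c->gid) ||
        get_u32(&body, &len, &c->ngids))
        return -1;
    if (c->ngids > AUTH_MAX_GIDS || len != (size_t)c->ngids * 4) return -1;
    for (i = 0; i < c->ngids; i++)           /* remaining length verified above */
        get_u32(&body, &len, &c->gids[i]);
    return 0;
}
```

The contents of the output struct are only meaningful when the function returns 0; a caller should discard it on -1.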