Sign-up

ID

VAR-200705-0151


CVE

CVE-2007-0752


TITLE

Apple Mac OS X iChat UPnP buffer overflow

Trust: 0.8

sources: CERT/CC: VU#116100

DESCRIPTION

The PPP daemon (pppd) in Apple Mac OS X 10.4.8 checks ownership of the stdin file descriptor to determine if the invoker has sufficient privileges, which allows local users to load arbitrary plugins and gain root privileges by bypassing this check. A vulnerabilty in the way Apple Mac OS X iChat handles specially crafted UPnP packets may allow execution of arbitrary code or denial of service. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Alias Manager, CoreGraphics, crontabs, iChat, and PPP. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Both local and remote vulnerabilities are present. Apple Mac OS X 10.4.9 and prior versions are vulnerable to these issues. BACKGROUND Apple Mac OS X pppd is a setuid root application that is used to establish and configure connections for point to point links. It is commonly used for configuring traditional dial-up modem and DSL connections. More information can be found at the following URL. http://developer.apple.com/documentation/Darwin/Reference/Manpages/man8/pppd.8.html II. The vulnerability exists due to insufficient access validation when processing the "plugin" command line option. The application does not properly verify that the requesting user has root privileges and allows any user to load plug-ins. When checking to see if the executing user has root privileges, a check is made to see if the stdin file descriptor is owned by root. Passing this check is trivial and allows the attacker to load arbitrary plug-ins resulting in arbitrary code execution with root privileges. III. ANALYSIS Exploitation is trivial and grants root access. This vulnerability cannot be triggered remotely; an attacker needs local access to the victim's system in order to exploit this vulnerability. pppd is installed by default. IV. Other versions may also be affected. V. WORKAROUND Remove the setuid bit from the pppd binary. This will prevent users without root privileges from being able to properly use the program. VI. VENDOR RESPONSE Apple Inc has addressed this vulnerability in Apple Security Update 2007-005. More information can be found from Apple's Security Update page or the Security Update 2007-005 advisory page at the respective URLs below. http://docs.info.apple.com/article.html?artnum=61798 http://docs.info.apple.com/article.html?artnum=305530 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0752 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 01/08/2007 Initial vendor notification 01/09/2007 Initial vendor response 05/24/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

Trust: 2.79

sources: NVD: CVE-2007-0752 // CERT/CC: VU#116100 // JVNDB: JVNDB-2007-001529 // BID: 24144 // VULHUB: VHN-24114 // PACKETSTORM: 56944

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.4.8

Trust: 2.4

vendor:applemodel:mac os x serverscope:eqversion:10.4.8

Trust: 1.6

vendor:apple computermodel: - scope: - version: -

Trust: 0.8

vendor:applemodel:mac os serverscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.6

Trust: 0.3

vendor:cosmicperlmodel:directory proscope:eqversion:10.0.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.03

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.9

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.9

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.0

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac os preview.appscope:eqversion:x3.0.8

Trust: 0.3

sources: CERT/CC: VU#116100 // BID: 24144 // JVNDB: JVNDB-2007-001529 // CNNVD: CNNVD-200705-473 // NVD: CVE-2007-0752

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-0752
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#116100
value: 9.98

Trust: 0.8

NVD: CVE-2007-0752
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200705-473
value: HIGH

Trust: 0.6

VULHUB: VHN-24114
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-0752
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-24114
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#116100 // VULHUB: VHN-24114 // JVNDB: JVNDB-2007-001529 // CNNVD: CNNVD-200705-473 // NVD: CVE-2007-0752

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2007-0752

THREAT TYPE

local

Trust: 0.7

sources: PACKETSTORM: 56944 // CNNVD: CNNVD-200705-473

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200705-473

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2007-001529

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-24114

PATCH
title:APPLE-SA-2007-05-24url:http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2007-001529

EXTERNAL IDS
db:NVDid:CVE-2007-0752
Trust: 2.9
db:BIDid:24144
Trust: 2.0
db:SECTRACKid:1018124
Trust: 1.7
db:VUPENid:ADV-2007-1939
Trust: 1.7
db:OSVDBid:35144
Trust: 1.7
db:SECUNIAid:25402
Trust: 1.7
db:CERT/CCid:VU#116100
Trust: 1.1
db:JVNDBid:JVNDB-2007-001529
Trust: 0.8
db:CNNVDid:CNNVD-200705-473
Trust: 0.7
db:APPLEid:APPLE-SA-2007-05-24
Trust: 0.6
db:XFid:34503
Trust: 0.6
db:IDEFENSEid:20070524 APPLE COMPUTER MAC OS X PPPD PLUGIN LOADING PRIVILEGE ESCALATION VULNERABILITY
Trust: 0.6
db:PACKETSTORMid:56944
Trust: 0.2
db:EXPLOIT-DBid:3985
Trust: 0.1
db:VULHUBid:VHN-24114
Trust: 0.1
sources:
            
            
            CERT/CC: VU#116100 // 
            
            
            
            VULHUB: VHN-24114 // 
            
            
            
            BID: 24144 // 
            
            
            
            JVNDB: JVNDB-2007-001529 // 
            
            
            
            PACKETSTORM: 56944 // 
            
            
            
            CNNVD: CNNVD-200705-473 // 
            
            
            
            NVD: CVE-2007-0752

REFERENCES
url:http://docs.info.apple.com/article.html?artnum=305530
Trust: 2.1
url:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=537
Trust: 2.0
url:http://lists.apple.com/archives/security-announce/2007/may/msg00004.html
Trust: 1.7
url:http://www.securityfocus.com/bid/24144
Trust: 1.7
url:http://www.osvdb.org/35144
Trust: 1.7
url:http://www.securitytracker.com/id?1018124
Trust: 1.7
url:http://secunia.com/advisories/25402
Trust: 1.7
url:http://www.vupen.com/english/advisories/2007/1939
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/34503
Trust: 1.1
url:about vulnerability notes
Trust: 0.8
url:contact us about this vulnerability
Trust: 0.8
url:provide a vendor statement
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-0752
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-0752
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/34503
Trust: 0.6
url:http://www.frsirt.com/english/advisories/2007/1939
Trust: 0.6
url:http://www.apple.com/macosx/
Trust: 0.3
url:http://www.kb.cert.org/vuls/id/116100
Trust: 0.3
url:/archive/1/469521
Trust: 0.3
url:http://developer.apple.com/documentation/darwin/reference/manpages/man8/pppd.8.html
Trust: 0.1
url:http://cve.mitre.org/),
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2007-0752
Trust: 0.1
url:http://labs.idefense.com/intelligence/vulnerabilities/
Trust: 0.1
url:http://docs.info.apple.com/article.html?artnum=61798
Trust: 0.1
url:http://labs.idefense.com/methodology/vulnerability/vcp.php
Trust: 0.1
url:http://labs.idefense.com/
Trust: 0.1
sources:
            
            
            CERT/CC: VU#116100 // 
            
            
            
            VULHUB: VHN-24114 // 
            
            
            
            BID: 24144 // 
            
            
            
            JVNDB: JVNDB-2007-001529 // 
            
            
            
            PACKETSTORM: 56944 // 
            
            
            
            CNNVD: CNNVD-200705-473 // 
            
            
            
            NVD: CVE-2007-0752

CREDITS
Chris Anley※ chrisanley@hushmail.com
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200705-473

SOURCES
db:CERT/CCid:VU#116100
db:VULHUBid:VHN-24114
db:BIDid:24144
db:JVNDBid:JVNDB-2007-001529
db:PACKETSTORMid:56944
db:CNNVDid:CNNVD-200705-473
db:NVDid:CVE-2007-0752

LAST UPDATE DATE
2025-04-10T22:31:35.034000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#116100date:2007-05-29T00:00:00
db:VULHUBid:VHN-24114date:2017-07-29T00:00:00
db:BIDid:24144date:2008-07-21T18:18:00
db:JVNDBid:JVNDB-2007-001529date:2012-06-26T00:00:00
db:CNNVDid:CNNVD-200705-473date:2007-05-29T00:00:00
db:NVDid:CVE-2007-0752date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:CERT/CCid:VU#116100date:2007-05-25T00:00:00
db:VULHUBid:VHN-24114date:2007-05-24T00:00:00
db:BIDid:24144date:2007-05-24T00:00:00
db:JVNDBid:JVNDB-2007-001529date:2012-06-26T00:00:00
db:PACKETSTORMid:56944date:2007-05-30T20:49:34
db:CNNVDid:CNNVD-200705-473date:2007-05-24T00:00:00
db:NVDid:CVE-2007-0752date:2007-05-24T22:30:00