flynn23 wrote: Abaddon wrote: Acidus wrote: A remote user can send specially crafted data to trigger a buffer overflow in the UPnP Internet Gateway Device Standardized Device Control Protocol code and execute arbitrary code on the target system. The code will run with the privileges of the target service.
"privileges of target service" == root
Apple credits Michael Lynn of Juniper Networks with reporting this vulnerability.
Mike's fuzzing DNS again which is oh so Dan Kaminsky-esque.
I don't fuzz and this was not DNS, it was UPnP, also interesting to note that the bug was fully remote, not local LAN, still don't know why Apple said it was local LAN only... --Mike
That service runs as root? It doesn't run as a jailed user? WTF???
nope, it's like 1997 up in here ;)...the only thing they have is a non-executable stack, but with no ASLR that is totally useless, took me less than 2 minutes to work around that...I use Apple products enough that little by little I'm hoping I can help to nudge their priorities towards implementing some defense in depth on their platform, cause right now, from a security standpoint they are way behind MS... right now the only reason why Apple isn't seen as being less secure than MS is because the user base is still small by comparison, but having a target that hackers are less likely to hack makes a system secure the same way that Costa Rica is a military power even though they have no army, just because no one would think to invade... anyways in the meantime keep an eye out for more patches, cause securing Apple is a new priority of mine... --Mike