CVE-2004-0430 - Unspecified vulnerability in Apple Mac OS X and Mac OS X Server

CVSS 5.1 - MEDIUM
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, high complexity, apple, nessus, exploit available, metasploit

Summary

Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.

Vulnerable Configurations

Part  Description  Count
OS    Apple        62

Exploit-Db

  • description: AppleFileServer LoginExt PathName Overflow. CVE-2004-0430. Remote exploit for osx platform
    id: EDB-ID:16863
    last seen: 2016-02-02
    modified: 2010-09-20
    published: 2010-09-20
    reporter: metasploit
    source: https://www.exploit-db.com/download/16863/
    title: AppleFileServer LoginExt PathName Overflow
  • description: AppleFileServer 10.3.3 LoginEXT PathName Overflow (OS X). CVE-2004-0430. Remote exploit for osx platform
    id: EDB-ID:9931
    last seen: 2016-02-01
    modified: 2004-03-03
    published: 2004-03-03
    reporter: H D Moore
    source: https://www.exploit-db.com/download/9931/
    title: AppleFileServer 10.3.3 - LoginEXT PathName Overflow OS X
  • description: Mac OS X <= 10.3.3 AppleFileServer Remote Root Overflow Exploit. CVE-2004-0430. Remote exploit for osx platform
    id: EDB-ID:391
    last seen: 2016-01-31
    modified: 2004-08-13
    published: 2004-08-13
    reporter: Dino Dai Zovi
    source: https://www.exploit-db.com/download/391/
    title: Mac OS X <= 10.3.3 AppleFileServer Remote Root Overflow Exploit

Metasploit

description: This module exploits a stack buffer overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions.
id: MSF:EXPLOIT/OSX/AFP/LOGINEXT
last seen: 2020-03-11
modified: 2017-07-24
published: 2005-12-26
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0430
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/afp/loginext.rb
title: AppleFileServer LoginExt PathName Overflow

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD20040503.NASL
    description: The remote host is missing Security Update 2004-05-03. This security update includes updates for AFP Server, CoreFoundation, and IPSec. It also includes Security Update 2004-04-05, which includes updates for CUPS, libxml2, Mail, and OpenSSL. For Mac OS X 10.2.8, it also includes updates for Apache 1.3, cd9660.util, Classic, CUPS, Directory Services, DiskArbitration, fetchmail, fs_usage, gm4, groff, Mail, OpenSSL, Personal File Sharing, PPP, rsync, Safari, System Configuration, System Initialization, and zlib. This update fixes various issues which may allow an attacker to execute arbitrary code on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12518
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/12518
    title: Mac OS X Multiple Vulnerabilities (Security Update 2004-05-03)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # better URL in solution, preserving old:
    #http://www.apple.com/downloads/macosx/apple/securityupdate__2004-05-03_(10_3_3_Client).html
    #http://www.apple.com/downloads/macosx/apple/securityupdate_2004-05-03_(10_2_8_Client).html
    #http://www.apple.com/downloads/macosx/apple/securityupdate_2004-05-03_(10_2_8_Server).html
    #http://www.apple.com/downloads/macosx/apple/securityupdate.html
                   
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(12518);
     script_version ("1.17");
     script_cve_id(
       "CVE-2004-0020",
       "CVE-2004-0113",
       "CVE-2004-0155",
       "CVE-2004-0174",
       "CVE-2004-0392",
       "CVE-2004-0403", 
       "CVE-2004-0428",
       "CVE-2004-0430"
     );
    
     script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2004-05-03)");
     script_summary(english:"Check for Security Update 2004-05-03");
     
     script_set_attribute(
       attribute:"synopsis",
       value:
    "The remote host is missing a Mac OS X update that fixes a security
    issue." );
     script_set_attribute(
       attribute:"description", 
       value:
    "The remote host is missing Security Update 2004-05-03.
    This security update includes updates for AFP Server, CoreFoundation,
    and IPSec.
    
    It also includes Security Update 2004-04-05, which includes updates
    for CUPS, libxml2, Mail, and OpenSSL.
    
    For Mac OS X 10.2.8, it also includes updates for Apache 1.3,
    cd9660.util, Classic, CUPS, Directory Services, DiskArbitration,
    fetchmail, fs_usage, gm4, groff, Mail, OpenSSL, Personal File Sharing,
    PPP, rsync, Safari, System Configuration, System Initialization, and
    zlib.
    
    This update fixes various issues which may allow an attacker to
    execute arbitrary code on the remote host." );
     script_set_attribute(
       attribute:"see_also",
       value:"http://support.apple.com/kb/HT1646"
     );
     script_set_attribute(
       attribute:"see_also",
       value:"http://lists.apple.com/archives/security-announce/2004/May/msg00000.html"
     );
     script_set_attribute(
       attribute:"solution", 
       value:"Install Security Update 2004-05-03."
     );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'AppleFileServer LoginExt PathName Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/02/24");
     script_set_attribute(attribute:"patch_publication_date", value: "2004/05/03");
     script_cvs_date("Date: 2018/08/10 18:07:07");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"MacOS X Local Security Checks");
    
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/MacOSX/packages");
     exit(0);
    }
    
    
    packages = get_kb_item("Host/MacOSX/packages");
    if ( ! packages ) exit(0);
    
    uname = get_kb_item("Host/uname");
    os    = get_kb_item("Host/MacOSX/Version");
    if ( egrep(pattern:"Mac OS X 10\.3.* Server", string:os) ) exit(0);
    
    # MacOS X 10.2.8 and 10.3.3 only
    if ( egrep(pattern:"Darwin.* (6\.8\.|7\.3\.)", string:uname) )
    {
      if ( ! egrep(pattern:"^SecUpd2004-05-03", string:packages) ) security_hole(0);
      else {
    	set_kb_item(name:"CVE-2004-0174", value:TRUE);
    	set_kb_item(name:"CVE-2003-0020", value:TRUE);
    	set_kb_item(name:"CVE-2004-0079", value:TRUE);
    	set_kb_item(name:"CVE-2004-0081", value:TRUE);
    	set_kb_item(name:"CVE-2004-0112", value:TRUE);
    	}
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_MULTIPLE_VULNS.NASL
    description: The remote host is running a version of Mac OS X that is older than 10.3.4. Such versions contain several flaws that may allow an attacker to execute arbitrary commands on the remote system with root privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12257
    published: 2004-06-01
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/12257
    title: Mac OS X < 10.3.4 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if(description)
    {
     script_id(12257);
     script_version("1.27");
     script_cvs_date("Date: 2018/07/14  1:59:35");
    
     script_cve_id("CVE-2004-0171", "CVE-2004-0430", "CVE-2004-0485", "CVE-2004-0513", "CVE-2004-0514",
                   "CVE-2004-0515", "CVE-2004-0516", "CVE-2004-0517", "CVE-2004-0518");
     script_bugtraq_id(10268, 10271, 10432);
    
     script_name(english:"Mac OS X < 10.3.4 Multiple Vulnerabilities");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes a security
    issue." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X that is older than
    10.3.4.  Such versions contain several flaws that may allow an
    attacker to execute arbitrary commands on the remote system with root
    privileges." );
     # nb: http://docs.info.apple.com/article.html?artnum=300667 redirects to http://support.apple.com/kb/HT1646 
     script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT1646" );
     script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2004/May/msg00005.html" );
     script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.3.4 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'AppleFileServer LoginExt PathName Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/06/01");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/05/03");
     script_set_attribute(attribute:"patch_publication_date", value: "2004/05/28");
     script_set_attribute(attribute:"plugin_type", value:"combined");
     script_end_attributes();
    
     script_summary(english:"Various flaws in MacOS X");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"MacOS X Local Security Checks");
     script_dependencies("os_fingerprint.nasl");
     script_require_keys("Host/OS");
     exit(0);
    }
    
    #
    
    # The Operating system is actually very detailed, because we can read
    # its exact version using NTP or RendezVous
    os = get_kb_item("Host/OS");
    if ( ! os || "Mac OS X" >!< os ) exit(0);
    
    if ( egrep(pattern:"Mac OS X 10\.([01]\.|3\.[0-3])", string:os) )
    	security_hole(0);
    
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/82304/loginext.rb.txt
id: PACKETSTORM:82304
last seen: 2016-12-05
published: 2009-10-28
reporter: H D Moore
source: https://packetstormsecurity.com/files/82304/AppleFileServer-LoginExt-PathName-Overflow.html
title: AppleFileServer LoginExt PathName Overflow