CVE-2004-0430
published 2004-07-07

Priority: P3 48, medium, CVSS 2.0 score 5.1
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 41.30% (98.5th percentile)
Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.

Affected (2 ranges)

Vendor   Product           Version range   Fixed in
apple    mac_os_x          <= 10.3.3
apple    mac_os_x_server   <= 10.3.3

Detection & IOCs (extracted from sources)

port: 548
other: 0xf0101c0c
other: 0xf0101cb0
command: path = "\xff" * 1024 with ret at offset 168
bytes: \x3f\x00\x00\x00 (AFP FPLoginExt command header)
bytes: \x3f\x00\x00\x00\x0e\x41\x46\x50\x56\x65\x72\x73\x69\x6f\x6e\x20\x32\x2e\x31\x10\x43\x6c\x65\x61\x72\x74\x78\x74\x20\x70\x61\x73\x73\x77\x72\x64 (FPLoginExt with AFP Version 2.1 + Cleartxt passwd UAM)
bytes: \x03\x80\xff (PathType=0x03 with oversized path length 0x80ff triggering overflow)
bytes: PPC portbind shellcode: \x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6...
  • Detect AFP LoginExt (FPLoginExt, command byte 0x3f) packets on TCP/548 where the PathType field is 0x03 and the associated path length field is anomalously large (e.g. 0x80ff / >255), indicating an attempt to overflow the stack buffer.
  • Alert on AFP DSI packets on TCP/548 containing the FPLoginExt opcode (0x3f) combined with the UAM string 'Cleartxt Passwrd' or 'Cleartxt passwd' and a PathName argument exceeding the declared length field.
  • Monitor for outbound TCP connections from the AFP server process (AppleFileServer) to high ports such as 6969, which is the port the exploit's PPC portbind shellcode listens on after successful exploitation.
  • The exploit sends a DSI OpenSession request (command byte 0x04, ID 0x7a69 / 31337) immediately before the malicious FPLoginExt packet; detecting this specific DSI session ID pattern on TCP/548 can flag exploit tooling.
  • The Metasploit module fills the overflow buffer with 0xff bytes (1024 bytes of \xff) before placing the return address at offset 168; a NOP sled of at least 128 bytes precedes the payload. Scanning AFP traffic for large runs of 0xff or NOP-sled patterns within LoginExt PathName fields is a strong indicator.
  • The vulnerability is a stack-based overflow triggered only via the Cleartext Password UAM (UAM string 'Cleartxt Passwrd') in a LoginExt request; blocking or alerting on use of this deprecated UAM on TCP/548 reduces attack surface.
  • The Metasploit module notes that the exploit only works under optimal conditions and that the attacker has only one attempt before the service state is disrupted.
  • The return addresses 0xf0101c0c (Metasploit) and 0xf0101cb0 (Perl PoC) are hardcoded stack addresses specific to Mac OS X 10.3.3 on PPC; they will not work on other versions or architectures.
  • The payload bad characters are null bytes and spaces (\x00\x20); any detection or blocking of AFP traffic must account for the fact that the overflow buffer will not contain these bytes.
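As an added example (not code from cbcvebase or from any of the cited exploit sources), the following Python parser applies the first two detection notes above to a raw DSI frame from TCP/548: it walks the FPLoginExt fields and flags a PathName whose declared length exceeds either the bytes actually present in the packet or 255. The 16-byte DSI header layout, the DSICommand frame type 0x02, and the AFPName encoding (type byte 3 followed by a 2-byte big-endian length) are assumptions taken from the AFP/DSI specification; both sample frames are constructed.

```python
import struct
from typing import Optional

FPLOGINEXT = 0x3F    # AFP command byte for FPLoginExt (from the indicators above)
DSI_COMMAND = 0x02   # DSI frame type carrying an AFP request (assumption: DSI spec)
MAX_PATHNAME = 255   # ceiling for a plausible LoginExt PathName (assumption, per ">255")

def read_afpname(buf: bytes, off: int) -> tuple:
    """Parse an AFPName header at buf[off]; return (type, declared length, text offset).
    Type 3 (the type in the indicator) has a 2-byte big-endian length; types 1 and 2
    are treated as Pascal strings with a 1-byte length (assumption)."""
    kind = buf[off]
    if kind == 3:
        return kind, struct.unpack_from(">H", buf, off + 1)[0], off + 3
    return kind, buf[off + 1], off + 2

def inspect_dsi_frame(frame: bytes) -> Optional[str]:
    """Return a reason if the frame looks like a CVE-2004-0430 trigger, else None.
    frame = 16-byte DSI header (flags, command, request id, ...) + AFP payload."""
    if len(frame) < 17 or frame[1] != DSI_COMMAND or frame[16] != FPLOGINEXT:
        return None
    payload = frame[16:]
    try:
        off = 4                                   # command, pad, 2-byte flags
        off += 1 + payload[off]                   # AFPVersion (Pascal string)
        uam = payload[off + 1: off + 1 + payload[off]]
        off += 1 + payload[off]                   # UAM (Pascal string)
        _, user_len, off = read_afpname(payload, off)
        off += user_len                           # skip the UserName text
        _, path_len, off = read_afpname(payload, off)
    except (IndexError, struct.error):
        return "truncated FPLoginExt: a length field points past the end of the packet"
    present = len(payload) - off
    if path_len > present:
        return f"PathName length {path_len:#x} exceeds the {present} bytes present (UAM {uam!r})"
    if path_len > MAX_PATHNAME:
        return f"PathName length {path_len:#x} exceeds {MAX_PATHNAME} (UAM {uam!r})"
    return None

def dsi_frame(payload: bytes, req_id: int = 1) -> bytes:
    """Wrap an AFP payload in a DSICommand header (constructed test fixture)."""
    return struct.pack(">BBHIII", 0, DSI_COMMAND, req_id, 0, len(payload), 0) + payload

# Constructed samples: the prefix mirrors the byte indicator above; user name "alice".
LOGINEXT_HEAD = (b"\x3f\x00\x00\x00" + b"\x0eAFPVersion 2.1"
                 + b"\x10Cleartxt passwrd" + b"\x03\x00\x05alice")
BENIGN = dsi_frame(LOGINEXT_HEAD + b"\x03\x00\x04/vol")
# Declared PathName length 0x80ff with only 16 filler bytes present, request id 0x7a69.
ANOMALOUS = dsi_frame(LOGINEXT_HEAD + b"\x03\x80\xff" + b"A" * 16, req_id=0x7A69)
```

Feed `inspect_dsi_frame` each DSI frame reassembled from a TCP/548 stream; a non-None result is the alert reason, and the UAM string it carries lets you also match the "Cleartxt passwrd" condition from the notes above.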