CVE-2004-0430
Published 2004-07-07
Priority: P348 (medium) · CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploit available
EPSS: 41.30% (98.5th percentile)
Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.3.3 | — |
| apple | mac_os_x_server | <= 10.3.3 | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- \x3f\x00\x00\x00 (AFP FPLoginExt command header)
- \x3f\x00\x00\x00\x0e\x41\x46\x50\x56\x65\x72\x73\x69\x6f\x6e\x20\x32\x2e\x31\x10\x43\x6c\x65\x61\x72\x74\x78\x74\x20\x70\x61\x73\x73\x77\x72\x64 (FPLoginExt with AFP Version 2.1 + "Cleartxt passwrd" UAM)
- \x03\x80\xff (PathType=0x03 with oversized path length 0x80ff triggering the overflow)
- PPC portbind shellcode prefix: \x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6...
Detection guidance:
- Detect AFP LoginExt (FPLoginExt, command byte 0x3f) packets on TCP/548 where the PathType field is 0x03 and the associated path length field is anomalously large (e.g. 0x80ff, i.e. >255), indicating an attempt to overflow the stack buffer.
- Alert on AFP DSI packets on TCP/548 containing the FPLoginExt opcode (0x3f) combined with the UAM string 'Cleartxt Passwrd' or 'Cleartxt passwd' and a PathName argument exceeding the declared length field.
- Monitor for outbound TCP connections from the AFP server process (AppleFileServer) to high ports such as 6969, the port the exploit's PPC portbind shellcode listens on after successful exploitation.
- The exploit sends a DSI OpenSession request (command byte 0x04, ID 0x7a69 / 31337) immediately before the malicious FPLoginExt packet; detecting this specific DSI session ID pattern on TCP/548 can flag exploit tooling.
- The Metasploit module fills the overflow buffer with 0xff bytes (1024 bytes of \xff) before placing the return address at offset 168; a NOP sled of at least 128 bytes precedes the payload. Scanning AFP traffic for large runs of 0xff or NOP-sled patterns within LoginExt PathName fields is a strong indicator.
- The vulnerability is a stack-based overflow triggered only via the Cleartext Password UAM (UAM string 'Cleartxt Passwrd') in a LoginExt request; blocking or alerting on use of this deprecated UAM on TCP/548 reduces attack surface.
Caveats:
- The Metasploit module notes the exploit only works under optimal conditions and the attacker has only one attempt before the service state is disrupted.
- The return addresses 0xf0101c0c (Metasploit) and 0xf0101cb0 (Perl PoC) are hardcoded stack addresses specific to Mac OS X 10.3.3 on PPC; they will not work on other versions or architectures.
- The payload bad characters are null bytes and spaces (\x00\x20); any detection or blocking of AFP traffic must account for the fact that the overflow buffer will not contain these bytes.
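A defender-side packet check built from the indicators above (added example; it is not from the page's sources or from any of the listed exploits). It parses the DSI header and an FPLoginExt request and reports the Cleartext UAM, an oversized AFPName length field, long 0xff filler and the 0x7a69 OpenSession request id. It assumes the AFPName-typed field the indicators describe is the one directly following the UAM string; the sample packets are constructed, not captured.

```python
import struct

DSI_HDR = struct.Struct(">BBHIII")   # flags, command, request id, data offset, data length, reserved
DSI_OPENSESSION, DSI_COMMAND, AFP_FPLOGINEXT = 0x04, 0x02, 0x3f
AFPNAME_UTF8 = 0x03                  # AFPName type 3: 2-byte big-endian length, then the string
SUSPECT_REQ_ID = 0x7a69              # 31337, the OpenSession request id listed in the indicators
MAX_NAME_LEN = 255                   # a declared length above this is far outside any real login name

def afp_pstring(buf, pos):  # one-byte-length Pascal string -> (text, position after it)
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n

def inspect_dsi_packet(pkt):
    """Return the list of indicator strings matched by one DSI packet (empty list = clean)."""
    findings = []
    if len(pkt) < DSI_HDR.size:
        return findings
    _flags, cmd, req_id, _off, _dlen, _res = DSI_HDR.unpack_from(pkt)
    if cmd == DSI_OPENSESSION and req_id == SUSPECT_REQ_ID:
        findings.append("DSI OpenSession with request id 0x7a69 (31337)")
    afp = pkt[DSI_HDR.size:]
    if cmd != DSI_COMMAND or len(afp) < 4 or afp[0] != AFP_FPLOGINEXT:
        return findings
    try:                                  # 4-byte command header, then AFP version and UAM strings
        _version, pos = afp_pstring(afp, 4)
        uam, pos = afp_pstring(afp, pos)
    except IndexError:                    # truncated request: nothing more to inspect
        return findings
    if uam.lower().startswith("cleartxt pass"):
        findings.append("FPLoginExt using deprecated Cleartext Password UAM")
    if pos + 3 > len(afp) or afp[pos] != AFPNAME_UTF8:
        return findings
    declared = struct.unpack_from(">H", afp, pos + 1)[0]
    body = afp[pos + 3:]                  # bytes the server would copy into its stack buffer
    if declared > MAX_NAME_LEN or declared > len(body):
        findings.append(f"AFPName length 0x{declared:04x} is oversized or exceeds the packet")
    if b"\xff" * 128 in body:
        findings.append("run of 128+ 0xff filler bytes inside the AFPName")
    return findings

def dsi_command(req_id, afp_payload):
    """Wrap an AFP request in a DSICommand header (constructed sample, not captured traffic)."""
    return DSI_HDR.pack(0x00, DSI_COMMAND, req_id, 0, len(afp_payload), 0) + afp_payload

# Constructed samples: a modern UAM, the legacy cleartext UAM, and the overflow shape from the indicators.
LOGIN = b"\x3f\x00\x00\x00" + b"\x0eAFPVersion 2.1"
CLEAN = dsi_command(1, LOGIN + b"\x04DHX2" + b"\x03\x00\x05guest")
LEGACY = dsi_command(1, LOGIN + b"\x10Cleartxt passwrd" + b"\x03\x00\x05guest")
OVERFLOW = dsi_command(2, LOGIN + b"\x10Cleartxt passwrd" + b"\x03\x80\xff" + b"\xff" * 1024 + b"A" * 168)
OPENSESSION = DSI_HDR.pack(0x00, DSI_OPENSESSION, 0x7a69, 0, 0, 0)
```

Feed reassembled TCP/548 payloads to `inspect_dsi_packet`; the OpenSession id check on its own is a weak signal and is best correlated with a following FPLoginExt finding.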
No detection rules found.
Exploit-DB: AppleFileServer (OSX) - LoginExt PathName Overflow (Metasploit) (exploitdb, 2010-09-20)
---
```ruby
##
# $Id: loginext.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'AppleFileServer LoginExt PathName Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the AppleFileServer service
on MacOS X. This vulnerability was originally reported by Atstake and
was actually one of the few useful advisories ever published by that
company. You only have one chance to exploit this bug.
This particular exploit uses a stack-
```
Exploit-DB: Apple Mac OSX 10.3.3 - AppleFileServer Overflow Remote Code Execution (exploitdb, 2004-08-13)
---
```perl
#!/usr/bin/perl
# Priv8security com remote root exploit for AppleFileServer.
# PUBLIC VERSION!!!!
#
# Bug found by Dave G. and Dino Dai Zovi.
# URL: http://www.atstake.com/research/advisories/2004/a050304-1.txt
#
# [wsxz@localhost buffer]$ perl priv8afp.pl -h 10.4.12.199 -t 0
# -=[Priv8security.com Apple File Server remote root exploit!]=-
#
# [+] Using target: MacOSX 10.3.3
# [+] Using ret: 0xf0101cb0
# [+] Sending Request Opensession... DOne!
# [+] Got response packet:
# Flags: 1 Cmd: 4 ID: 31337
# [+] Sending FPloginEXT packet... DOne!
# [+] Waiting... We got in =)
#
# ****** Welcome to 'Adriano-Limas-Computer' ******
#
# Darwin Adriano-Limas-Computer.local 7.3.1 Darwin Kernel Version 7.3.1: Mon Mar
# 22 21:48:4
```
Exploit-DB: AppleFileServer 10.3.3 (OSX) - LoginEXT PathName Overflow (Metasploit) (exploitdb, 2004-03-03)
---
```ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'AppleFileServer LoginExt PathName Overflow',
'Description' => %q{
This module exploits a stack overflow in the AppleFileServer service
on MacOS X. This vulnerability was originally reported by Atstake and
was actually one of the few useful advisories ever published by that
company. You only have one chance to exploit this bug.
This particular exploit uses a stack-based return address that will
only work unde
```
Metasploit: AppleFileServer LoginExt PathName Overflow
This module exploits a stack buffer overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions.
No writeups or analysis indexed.
References:
- http://lists.apple.com/mhonarc/security-announce/msg00049.html
- http://secunia.com/advisories/11539
- http://securitytracker.com/id?1010039
- http://www.atstake.com/research/advisories/2004/a050304-1.txt
- http://www.kb.cert.org/vuls/id/648406
- http://www.securiteam.com/securitynews/5QP0115CUO.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16049