CVE-2007-2386
published 2007-05-24


Priority: P3 · 53 · critical
CVSS 2.0: 9.4 (AV:N/AC:L/Au:N/C:C/I:N/A:C)
Exploit available: yes
EPSS: 50.00% (98.8th percentile)
Buffer overflow in mDNSResponder in Apple Mac OS X 10.4 up to 10.4.9 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted UPnP Internet Gateway Device (IGD) packet.

Affected

11 version ranges, all for vendor apple, product mac_os_x.

Detection & IOCs (extracted from sources)

Port: 1900
Command: HTTP/1.1 200 Ok ST: urn:schemas-upnp-org:service:WANIPConnection:1 USN: uuid:7076436f-6e65-1063-8074-0017311c11d4 Location: #{upnp_location}/#{key}.xml
Command: HTTP/1.1 200 Ok ST: urn:schemas-upnp-org:service:WANIPConnection:1 USN: #{usn} Location: http://#{boom}
Process: mDNSResponder
  • Monitor for UPnP SSDP discovery responses (UDP) on ports 49152–65535 containing an oversized or malformed 'Location:' HTTP header field, which is the vector used to overflow the mDNSResponder buffer.
  • Detect UPnP SSDP responses with ST header value 'urn:schemas-upnp-org:service:WANIPConnection:1' combined with an anomalously long Location header (>21000 bytes) as an indicator of exploit attempt.
  • Detect UPnP SSDP responses using the hardcoded USN UUID '7076436f-6e65-1063-8074-0017311c11d4', which is a static value embedded in the Metasploit exploit module for this CVE.
  • The exploit scans UDP ports 49152–65535 sequentially sending crafted UPnP replies; a sequential UDP sweep across this ephemeral port range from a single source targeting a Mac OS X host is a strong behavioral indicator.
  • The exploit holds a TCP connection open on port 1900 after the initial GET request for a *.xml path matching /[0-9a-f]+\.xml; detect inbound GET requests to a UPnP XML path with a hex-only filename on port 1900.
  • Payload bad characters for this exploit are null byte (0x00), colon (0x3a), and forward slash (0x2f); shellcode in network traffic for this CVE will not contain these bytes.
  • The exploit targets only Mac OS X 10.4.0 through 10.4.9 without the Apple Security Update 2007-005 patch; patched or newer systems are not vulnerable.
  • Two distinct target architectures exist with different offsets and magic values: x86 (mDNSResponder-108.2, Magic=0x8fe510a0) and PPC (mDNSResponder-107, Magic=0x8fe51f4c, Ret=0x8fe41af8); detection logic should account for both payload shapes.
  • For the PPC target, the payload is embedded in the USN header starting at offset 556, not in the Location header; detection rules inspecting only the Location header will miss the PPC variant.
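A defender-side triage check for the indicators listed above, written here as an added example (it is not code from this page's sources or from the Metasploit module): it parses one SSDP reply and reports which indicators match. The thresholds (Location > 21000 bytes, USN payload at offset 556, the static USN UUID) come from the notes above; the sample replies built with build_reply are constructed.

```python
# Indicator values taken from the detection notes above; any replies
# fed through build_reply() are constructed for illustration, not captures.
STATIC_USN_UUID = "7076436f-6e65-1063-8074-0017311c11d4"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
LOCATION_LIMIT = 21000   # Location header length the notes call anomalous
USN_LIMIT = 556          # PPC variant places its payload at USN offset 556

def parse_ssdp(raw: bytes) -> tuple[str, dict[str, bytes]]:
    """Split an SSDP reply into its status line and a lower-cased header map.
    Header values stay as bytes so non-ASCII payload bytes are not lost."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1", "replace")
    headers: dict[str, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return status, headers

def analyze_ssdp_response(raw: bytes) -> list[str]:
    """Return the names of the indicators matched by one SSDP reply."""
    status, h = parse_ssdp(raw)
    findings: list[str] = []
    if not status.startswith("HTTP/1.1 200"):
        return findings              # only 200 replies carry ST/USN/Location
    st = h.get("st", b"").decode("latin-1", "replace")
    usn = h.get("usn", b"")
    location = h.get("location", b"")
    if len(location) > LOCATION_LIMIT:
        findings.append("oversized_location")
        if st == WANIP_ST:           # ST + long Location combination from the notes
            findings.append("wanip_st_with_oversized_location")
    if STATIC_USN_UUID in usn.decode("latin-1", "replace"):
        findings.append("metasploit_static_usn")
    if len(usn) > USN_LIMIT:         # catches the PPC variant that hides in USN
        findings.append("oversized_usn_ppc_variant")
    return findings

def build_reply(st: str, usn: str, location: str) -> bytes:
    """Construct a reply in the shape shown in the IOC section (test helper)."""
    return (f"HTTP/1.1 200 Ok\r\nST: {st}\r\nUSN: {usn}\r\n"
            f"Location: {location}\r\n\r\n").encode("latin-1")
```

Run analyze_ssdp_response over the UDP payloads of replies arriving on the 49152–65535 range; an empty list means none of the listed indicators fired.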