CVE-2007-2386
Published 2007-05-24
Priority: P3 · Severity: critical · CVSS 2.0 base score: 9.4
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Exploit: available
EPSS: 50.00% (98.8th percentile)
Buffer overflow in mDNSResponder in Apple Mac OS X 10.4 up to 10.4.9 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted UPnP Internet Gateway Device (IGD) packet.
Affected
11 version ranges are listed for apple / mac_os_x; the individual range bounds were not captured. The description scopes the bug to Mac OS X 10.4 through 10.4.9, and the detection notes below name Apple Security Update 2007-005 as the fix.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | 10.4 through 10.4.9 (11 ranges, bounds not captured) | Apple Security Update 2007-005 |
Detection & IOCs (extracted from sources)

SSDP response templates quoted from the Metasploit module (Ruby `#{...}` interpolation left as in the source):

```
HTTP/1.1 200 Ok
ST: urn:schemas-upnp-org:service:WANIPConnection:1
USN: uuid:7076436f-6e65-1063-8074-0017311c11d4
Location: #{upnp_location}/#{key}.xml
```

```
HTTP/1.1 200 Ok
ST: urn:schemas-upnp-org:service:WANIPConnection:1
USN: #{usn}
Location: http://#{boom}
```
- Monitor UPnP SSDP discovery responses (UDP) delivered to ports 49152–65535 for an oversized or malformed `Location:` HTTP header field; that header is the vector used to overflow the mDNSResponder buffer.
- Treat an SSDP response whose `ST` header is `urn:schemas-upnp-org:service:WANIPConnection:1` combined with an anomalously long `Location` header (more than 21000 bytes) as an indicator of an exploit attempt.
- Flag SSDP responses carrying the hardcoded USN UUID `7076436f-6e65-1063-8074-0017311c11d4`; it is a static value embedded in the Metasploit exploit module for this CVE.
- The exploit sweeps UDP ports 49152–65535 sequentially, sending a crafted UPnP reply to each; a sequential UDP sweep across this ephemeral port range from a single source against a Mac OS X host is a strong behavioral indicator.
- The exploit holds a TCP connection open on port 1900 after the initial GET request for a `*.xml` path matching `/[0-9a-f]+\.xml`; detect inbound GET requests to a UPnP XML path with a hex-only filename on port 1900.
- Payload bad characters for this exploit are the null byte (0x00), colon (0x3a), and forward slash (0x2f), so shellcode in network traffic for this CVE will not contain these bytes.
- The exploit targets only Mac OS X 10.4.0 through 10.4.9 without Apple Security Update 2007-005; patched or newer systems are not vulnerable.
- Two target architectures exist with different offsets and magic values: x86 (mDNSResponder-108.2, Magic=0x8fe510a0) and PPC (mDNSResponder-107, Magic=0x8fe51f4c, Ret=0x8fe41af8); detection logic should account for both payload shapes.
- For the PPC target the payload is embedded in the `USN` header starting at offset 556, not in the `Location` header; detection rules that inspect only the `Location` header will miss the PPC variant.
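A per-message checker for the SSDP indicators listed above, added here as an example; it is not part of the original page or of the Metasploit module. The thresholds and static values are the ones the notes give, the two sample datagrams are constructed, and the sequential port-sweep indicator (which needs per-source state across many datagrams) is deliberately left out.

```python
import re

# Indicator values come from the detection notes on this page.
LOCATION_LIMIT = 21000      # Location longer than this: x86 variant shape
USN_PAYLOAD_OFFSET = 556    # PPC variant carries its payload in USN from this offset
STATIC_MSF_USN = "uuid:7076436f-6e65-1063-8074-0017311c11d4"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
EPHEMERAL_PORTS = range(49152, 65536)
XML_PATH_RE = re.compile(rb"^GET /[0-9a-f]+\.xml HTTP/1\.[01]")

def parse_ssdp(raw: bytes):
    """Split an SSDP/HTTP message into (start line, {name: value}); names are
    lower-cased str, values stay bytes so header lengths are measured exactly."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return lines[0], headers

def score_ssdp_response(raw: bytes, dst_port: int):
    """Return the indicators matched by one UDP datagram delivered to dst_port."""
    start, h = parse_ssdp(raw)
    hits = []
    if not start.startswith(b"HTTP/1.1 200"):
        return hits                      # only unsolicited 200 replies matter here
    loc = h.get("location", b"")
    usn = h.get("usn", b"")
    if len(loc) > LOCATION_LIMIT:
        hits.append("oversized Location header (x86 variant)")
    if len(usn) > USN_PAYLOAD_OFFSET:
        hits.append("oversized USN header (PPC variant)")
    if usn.decode("ascii", "replace") == STATIC_MSF_USN:
        hits.append("static Metasploit USN uuid")
    if h.get("st", b"").decode("ascii", "replace") == WANIP_ST and hits:
        hits.append("WANIPConnection ST with anomalous headers")
    if dst_port in EPHEMERAL_PORTS and hits:
        hits.append("delivered to ephemeral port %d" % dst_port)
    return hits

def is_upnp_xml_fetch(request: bytes, dst_port: int) -> bool:
    """Inbound GET for a hex-named *.xml on TCP/1900, the callback the notes describe."""
    return dst_port == 1900 and XML_PATH_RE.match(request) is not None

# Constructed samples (not real captures): a benign reply and one shaped like the x86 variant.
BENIGN = (b"HTTP/1.1 200 Ok\r\nST: " + WANIP_ST.encode() + b"\r\n"
          b"USN: uuid:0a1b2c3d-0000-1000-8000-000000000001\r\n"
          b"Location: http://192.0.2.10:49152/igd.xml\r\n\r\n")
SUSPECT = (b"HTTP/1.1 200 Ok\r\nST: " + WANIP_ST.encode() + b"\r\n"
           b"USN: " + STATIC_MSF_USN.encode() + b"\r\n"
           b"Location: http://" + b"A" * 21500 + b"\r\n\r\n")
```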
GHSA
- GHSA-xrgw-2g7f-5735 (ghsa_unreviewed, 2022-05-01, HIGH), CVE-2007-2386: Buffer overflow in mDNSResponder in Apple Mac OS X 10.4 up to 10.4.9 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted UPnP Internet Gateway Device (IGD) packet.
- GHSA-5p4c-h4w7-4mj2 (ghsa_unreviewed, 2022-05-01, CRITICAL, CVSS 9.4), CVE-2007-3828: Unspecified vulnerability in mDNSResponder in Apple Mac OS X allows remote attackers to execute arbitrary code via unspecified vectors, a related issue to CVE-2007-2386.
No detection rules found.
Exploit-DB
- exploitdb, 2011-01-08, CVE-2007-2386: Apple Mac OSX - mDNSResponder UPnP Location Overflow (Metasploit)
---
Module header as indexed from Exploit-DB (the excerpt ends at the `'Version'` entry; the class and `initialize` wrapper lost in extraction are restored and the hash is closed so the fragment parses, the rest of the module is not reproduced here):

```ruby
##
# $Id: upnp_location.rb 11515 2011-01-08 01:12:15Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Mac OS X mDNSResponder UPnP Location Overflow',
      'Description' => %q{
        This module exploits a buffer overflow that occurs when processing
        specially crafted requests sent to mDNSResponder. All Mac OS X systems
        between version 10.4 and 10.4.9 (without the 2007-005 patch) are
        affected.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'ddz'
        ],
      'Version'     => '$Revision: 11515 $'
    ))
  end

end
```
Metasploit
- Mac OS X mDNSResponder UPnP Location Overflow: This module exploits a buffer overflow that occurs when processing specially crafted requests sent to mDNSResponder. All Mac OS X systems between version 10.4 and 10.4.9 (without the 2007-005 patch) are affected.
No writeups or analysis indexed.
References
- http://docs.info.apple.com/article.html?artnum=305530
- http://lists.apple.com/archives/security-announce/2007/Jun/msg00001.html
- http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
- http://secunia.com/advisories/25402
- http://secunia.com/advisories/25745
- http://www.kb.cert.org/vuls/id/221876
- http://www.osvdb.org/35142
- http://www.securityfocus.com/bid/24144
- http://www.securityfocus.com/bid/24159
- http://www.securitytracker.com/id?1018123
- http://www.vupen.com/english/advisories/2007/1939
- http://www.vupen.com/english/advisories/2007/2269
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34493