Less than 24 hours after Apple patched a serious flaw in its Bonjour zero-configuration networking service, a private security research company has released exploit code that puts Mac OS X users at risk of code execution attacks.
The exploit code has been shipped to members of Dave Aitel's Immunity Partners Program, the $40,000 subscription service that offers up-to-the-minute information on new flaws and exploits to IDS companies and larger pen testing firms.
Aitel announced the exploit on the Daily Dave mailing list this morning:
[It is] essentially a reliable remote root on everyone at Starbucks or on all those OS X fiends at security conventions. The Immunity exploit will do so on either PPC or Intel, your pick, and since the service restarts, you get to pick twice.
"If this doesn't shut up the Apple fanboys, nothing will," Aitel said in a brief conversation over IM.
The vulnerability, patched with yesterday's Security Update 2007-005, is a buffer overflow in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code. Apple's implementation of the protocol, called Bonjour, allows devices to automatically discover each other without the need to enter IP addresses or configure DNS servers.
However, the bug in the code used to create port mappings on home NAT gateways in the OS X implementation could open the door for a hacker on the local network to launch a denial-of-service or code execution attack.
Juniper Networks researcher Michael Lynn (of Black Hat/Cisco/ISS fame) is credited with finding and reporting the vulnerability to Apple.