Bonjour Apple, connect to this Mac OS X exploit

Summary: Exploit code for a dangerous flaw in the Mac OS X Bonjour service is released less than 24 hours after Apple's security update.

Less than 24 hours after Apple patched a serious flaw in its Bonjour zero-configuration networking service, a private security research company has released exploit code that puts Mac OS X users at risk of code execution attacks.

The exploit code has been shipped to members of Dave Aitel's Immunity Partner's Program, the $40,000 subscription service that offers up-to-the-minute information on new flaws and exploits to IDS companies and larger pen testing firms.

Aitel announced the exploit on the Daily Dave mailing list this morning:

[It is] essentially a reliable remote root on everyone at Starbucks or on all those OS X fiends at security conventions. The Immunity exploit will do so on either PPC or Intel, your pick, and since the service restarts, you get to pick twice.

"If this doesn't shut up the Apple fanboys, nothing will," Aitel said in a brief conversation over IM.

The vulnerability, patched with yesterday's Security Update 2007-005, is a buffer overflow in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code. Apple's implementation of the protocol, called Bonjour, allows devices to automatically discover each other without the need to enter IP addresses or configure DNS servers.

However, the bug in the code used to create Port Mappings on home NAT gateways in the OS X implementation could open the door for a hacker on the local network to launch a denial-of-service or code execution attack.

Juniper Networks researcher Michael Lynn (of Black Hat/Cisco/ISS fame) is credited with finding and reporting the vulnerability to Apple.

ALSO SEE: Apple patch batch fixes 17 Mac OS X vulnerabilities.

[UPDATE: May 25 @ 12:43 PM]  Rob Lemos reports that this Bonjour flaw was in play during the CanSecWest MacBook hijack contest last month.

Talkback

63 comments
  • Sounds like Aitel

    has a serious case of ***** envy. Whenever you hear the phrase "shut the Apple
    fanboys up" you know you're dealing with a zealot with the emotional maturity of a
    16-year old.
    frgough
    • One more thing

      The exploit was patched yesterday.

      The complaint I've always had with MS is not that they don't patch, but that nothing,
      but nothing will make them break their Tuesday patch cycle except a crack to their
      DRM. Exploits in the wild? Nope. Legit websites hacked with unpatched exploits?
      Nope. Break WMP encryption? Patched in 48 hours.
      frgough
      • This bug

        This bug was in play during the CanSecWest contest. See update to the blog entry above.

        _r
        Ryan Naraine
        • Then

          Why wasn't it used to root a machine and win the contest?
          frgough
          • The exploit wasn't working

            They tried but couldn't come up with a reliable exploit. Be clear that there's a distinction between a confirmed vulnerability and a reliable exploit.

            Immunity's researchers reversed the patch and came up with a reliable exploit in less than a day. They're not the only people capable of doing this. If you live on a Mac (like I do), apply the update ASAP.

            _r
            Ryan Naraine
          • So, in other words

            there was no exploit before the patch, and no danger after the patch. So, tell us
            again why you're giving press to an apple-hating zealot whose primary motivation
            seems to be shutting up Apple fanboys?
            frgough
          • Love the Mac zealot logic

            So because you couldn't [b]see[/b] the exploit, it must not exist? You realize that most humans can separate an object's existence from an object's visibility within the first year of life? So either you are less than 1 year old (in which case, congrats on knowing how to type!!) or you are older but haven't matured much.

            Here is a hint: malware authors [b]want[/b] exploits to remain hidden. This exploit was published by a security company, not by someone actively using this exploit to root OSX machines. OUCH!!
            NonZealot
          • Re: NZ

            Argument from silence. Don't feel too bad, most adults can't spot logical fallacies, let
            alone 16-year old frustrated shut-ins.
            frgough
      • .ANI patch was released out-of-cycle

        "The complaint I've always had with MS is not that they don't patch, but that nothing, but nothing will make them break their Tuesday patch cycle except a crack to their DRM. Exploits in the wild? Nope. Legit websites hacked with unpatched exploits? Nope. Break WMP encryption? Patched in 48 hours."

        To my knowledge the .ANI vulnerability had nothing to do with DRM.
        ye
        • Whhoooooa!!!!

          You ACTUALLY admit the .ani exploit exists now?!?!?

          WTF?!?!?

          There was not enough proof in this world to prove it to you before but now you'll stand by MS to prove a patch was released out of cycle.

          You guys really ARE blind!!

          You might as well clean his shoes while yer down there. ;)
          Kid Icarus-21097050858087920245213802267493
          • I said "patch" and "vulnerability".

            Do you see the word "exploit" in what I wrote?
            ye
          • Unreal

            And why, precisely do you think there was such outrage that MS was finally forced to
            patch out of cycle? It was because of exploits in the wild hitting real machines while
            MS continued to whistle your line: No exploits, no exploits...
            frgough
          • I don't know. But, as of this writing I have yet to see any...

            ...credible proof of an exploit. The only "proof" I've been provided have been references to:

            1. The existence of the .ANI vulnerability.
            2. The existence of the patch for said vulnerability.
            3. References to ambiguous postings that exploits exist.

            For something that is supposed to be so pervasive there is little information to be found. I don't discount the possibility that exploits exist. I just haven't seen anything to support they exist. At this time these "exploits" appear to be little more than urban legend. Just like the infamous saying by Bill Gates that "640KB should be enough memory for anyone". Repeated often enough people tend to believe it is true. But when asked for supporting evidence none is ever provided.
            ye
          • But it's no big deal!

            After all, this was patched weeks ago and a vulnerability that has been patched is no big deal, right? Or is a [b]root remote code execution exploit[/b] no big deal once Apple patches it but some socially engineered Windows trojan that requires you to enter a zip password before executing the malware is proof that Windows can't be used safely? Ahh, Mac zealots and their double standards are delicious for those of us who are sane. :)
            NonZealot
          • Not that it will do any good

            since you are not basing your conclusions on reason or fact:

            http://asert.arbornetworks.com/2007/04/never-slow-down-ms07-017-ani-exploit-activity-timeline/
            frgough
          • No, that link does no good.

            That link falls into category:

            "3. References to ambiguous postings that exploits exist."

            It's just another example of ambiguous postings about the exploits. Why don't you provide a link that provides some detail about at least one of the .ANI exploits? If the exploits exist what I'm asking shouldn't be too difficult.
            ye
          • ye: isn't it amazing?

            It is amazing to me that the .ANI exploits are [b]everywhere[/b] yet no one can list any specifics about even one of them. Those .ANI exploits must be [b]really[/b] sneaky considering the anti-virus sites have incredible amounts of detail (listing 50+ variations of email subject lines) on simple trojans that affected 0-49 computers.
            NonZealot
          • NZ: I think they need them to exist because...

            ...they're supposed to work on Vista. If they lose these exploits they will not be able to claim that Vista has been exploited. And, by their own rules, Windows would become more secure than the alternatives (primarily OS X and Linux) because one exploit is more than none.
            ye
        • Only because

          of the huge uproar. MS had NO intention of patching the flaw outside their regular
          patch cycle until the holy h*** they were receiving about their attitude reached a
          critical point. Look it up.
          frgough
          • Reason is irrelevant. You said:

            "The complaint I've always had with MS is not that they don't patch, but that nothing, but nothing will make them break their Tuesday patch cycle except a crack to their DRM. Exploits in the wild?"

            Obviously you were wrong.
            ye