Secunia: Mac OS X ftpd Buffer Overflow Vulnerability

Secunia is reporting on a newly discovered, "moderately critical" vulnerability in Mac OS X's ftpd process. ftpd (tnftpd) is the FTP (file transfer protocol) server component of Mac OS X used to handle requests from connected FTP clients. As such, it's not clear whether or not FTP server capabilities have to be up and running in order for this vulnerability to be exploitable (more on this below).

Also, like most of the other vulnerabilities for Mac OS X reported in recent weeks, the only current threat known to be presented with this flaw is a denial of service -- in other words a kernel panic, spiked processor load or other means of disallowing normal system access. Whenever a vulnerability can trigger a kernel panic and some other types of service denial, there is the potential for privilege escalation or unauthorized access to private data, but manifestation of these outcomes is another hurdle for the would-be malicious user and has not been demonstrated (as far as we know) with this flaw.

Secunia writes:

"The vulnerability is caused due to a boundary error in ftpd when handling commands with globbing characters (e.g. "*") and can be exploited to cause a buffer overflow.

"Successful exploitation may allow execution of arbitrary code.

"The vulnerability is reported in Mac OS X 10.3.9 and 10.4.8. Other versions may also be affected."

The stated solution for this issue is to "Grant only trusted users access to the service."

If you don't have an FTP server enabled on your Mac, it would appear that you are immune from this flaw. If you do have FTP services enabled, it would further appear that a remote user would need login credentials in order to exploit this flaw -- hence the warning against providing access to non-trusted users.

Feedback? Late-breakers@macfixit.com.

Resources