CVE-2013-3951
Apple iOS <8.2 and macOS <10.10.4 - Local Stack Cookie Randomization Bypass via stack-guard= Call-Path Prefix
Title source: llmDescription
sys/openbsd/stack_protector.c in libc in Apple iOS 6.1.3 and Mac OS X 10.8.x does not properly parse the Apple strings employed in the user-space stack-cookie implementation, which allows local users to bypass cookie randomization by executing a program with a call-path beginning with the stack-guard= substring, as demonstrated by an iOS untethering attack or an attack against a setuid Mac OS X program.
References (9)
Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1033703
Various Sources x_refsource_misc
http://www.syscan.org/index.php/sg/program/day/2
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205212
Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
Exploit x_refsource_misc
http://antid0te.com/syscan_2013/SyScan2013_Mountain_Lion_iOS_Vulnerabilities_Garage_Sale_Whitepaper.pdf
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205267
Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205213
Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html
Scores
EPSS
0.0046
EPSS Percentile
36.5%
Details
CWE
CWE-20
Status
published
Products (9)
apple/iphone_os
6.1.3
apple/iphone_os
< 8.2
apple/mac_os_x
10.8.0
apple/mac_os_x
10.8.1
apple/mac_os_x
10.8.2
apple/mac_os_x
10.8.3
apple/mac_os_x
10.8.4
apple/mac_os_x
< 10.10.4
apple/watchos
< 1.0.1
Published
Jun 05, 2013
Tracked Since
Feb 18, 2026