CVE-2004-0824
Description
PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files.
Affected products
- cpe:2.3:o:apple:mac_os_x:10.2.8:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.5:*:*:*:*:*:*:*
- Range: >=10.2.8, <=10.3.5
Vulnerability mechanics
Root cause
"The application creates a log file in /tmp/ without proper validation, allowing a symlink attack."
Attack vector
A local user can trick the Internet Connect application into appending data to any file on the filesystem. This is achieved by creating a symbolic link named 'ppp.log' in the '/tmp/' directory that points to the target file. The application then opens and appends to this symlink, effectively writing to the target file. This attack is possible because the '/tmp/' directory is cleared periodically by the operating system, allowing a user to create the symlink before the application does [ref_id=1].
Affected code
The vulnerability lies within the Internet Connect application, which creates a log file named 'ppp.log' in the '/tmp/' directory. If this file already exists, it is opened in append mode; otherwise, a new file is created. The issue arises when a user can create a symbolic link at '/tmp/ppp.log' pointing to a sensitive system file before the application attempts to create or append to its log [ref_id=1].
What the fix does
The advisory provides a temporary fix: ensure that a '/tmp/ppp.log' file always exists, so that a user cannot create a symlink with that name. The file is created with '/usr/bin/touch /tmp/ppp.log'. The advisory also recommends adding this command to '/etc/daily' and '/etc/rc.common' so that the log file is present even after system startup [ref_id=1].
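The append-or-create behaviour described under "Affected code" can also be made symlink-safe at open time. The following C is an added example, not Apple's fix or code from the advisory; the function names and the temp-directory scenario in demo() are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the page describes: append if present, create otherwise.
 * open() follows a symlink at path, so the write lands on the link target. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
}

/* Hardened form: returns an fd, or -1 with errno set. */
int open_log_safe(const char *path) {
    struct stat st;
    /* O_NOFOLLOW fails with ELOOP when the last path component is a symlink. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0 && errno == ENOENT) /* O_EXCL: create only if nothing is there */
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* Check the opened object, not the path: regular file, ours, single link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: ppp.log is a symlink to victim.
 * Returns 1 if the unsafe open wrote through the link and the safe one refused. */
int demo(void) {
    char dir[] = "/tmp/symlog.XXXXXX", victim[64], logp[64];
    struct stat st = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/ppp.log", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, logp) != 0) return 0;
    int fd = open_log_unsafe(logp);
    int wrote = fd >= 0 && write(fd, "x", 1) == 1;
    if (fd >= 0) close(fd);
    stat(victim, &st);
    int refused = open_log_safe(logp) < 0;
    unlink(logp); unlink(victim); rmdir(dir);
    return wrote && st.st_size == 1 && refused;
}
```

The link-count check also rejects a hard link planted under the log's name, which O_NOFOLLOW alone does not catch.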
Preconditions
- input: The system must be running a vulnerable version of Mac OS X (10.2.8 through 10.3.5).
- auth: The attacker must have local user access to the system.
Reproduction
First, create a file owned by root, for example, '/etc/file_owned_by_root'. Then, create a symbolic link in '/tmp/' named 'ppp.log' pointing to '/etc/file_owned_by_root'. Launch Internet Connect, go to 'Configuration' -> 'Other', enter text into the 'Telephone Number' field, and click 'Connect'. After a few seconds, click 'Cancel'. The original file '/etc/file_owned_by_root' will now contain the appended text [ref_id=1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- securitytracker.com/id (nvd, Patch)
- www.auscert.org.au/render.html (nvd, Patch, Vendor Advisory)
- www.securityfocus.com/advisories/7148 (nvd, Patch, Vendor Advisory)
- www.securityfocus.com/bid/11139 (nvd, Patch)
- www.ciac.org/ciac/bulletins/o-212.shtml (nvd, Vendor Advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/17298 (nvd)