ID

VAR-200711-0064

CVE

CVE-2007-6165

TITLE

Apple Safari WebKit component vulnerable to buffer overflow

DESCRIPTION

Mail in Apple Mac OS X Leopard (10.5.1) allows user-assisted remote attackers to execute arbitrary code via an AppleDouble attachment containing an apparently-safe file type and script in a resource fork, which does not warn the user that a separate program is going to be executed. NOTE: this is a regression error related to CVE-2006-0395. Apple Safari is vulnerable to a stack-based buffer overflow. This may allow a remote attacker to execute arbitrary code on a vulnerable system. Mac OS X In this file system, a file consists of information called resource fork and data fork. RFC 1740 So, to handle this file structure by email MIME format (AppleSingle format, AppleDoube format ) Is defined. Apple Mail Is AppleDouble Parses resource forks when processing format attachments. This issue affects the Mail application when handling email attachments. This will compromise the application and possibly the underlying operating system. This issue affects Mac OS X 10.5. Although the issues seem similar in nature, this may not be the very same underlying vulnerability. We will update this BID as more information emerges. UPDATE (November 21, 2007): Reports indicate that this issue occurs because of an error in the application's quarantine feature. We have not confirmed this information. UPDATE (December 17, 2007): This vulnerability stems from an unspecified implementation issue in the Launch Services application. http://www.securityfocus.com/bid/16907. Apple Mail is the mail client bundled with the Apple operating system. 1) Various security issues exist in the PHP Apache module and scripting environment. For more information: SA17371 2) An error in automount makes it possible for malicious file servers to cause a vulnerable system to mount file systems with reserved names, which can cause a DoS (Denial of Service) or potentially allow arbitrary code execution. 3) An input validation error in the BOM framework when unpacking certain archives can be exploited to cause files to be unpacked to arbitrary locations via directory traversal attacks. 4) The "passwd" program creates temporary files insecurely, which can be exploited via symlink attacks to create or overwrite arbitrary files with "root" privileges. 5) User directories are insecurely mounted when a FileVault image is created, which may allow unauthorised access to files. 6) An error in IPSec when handling certain error conditions can be exploited to cause a DoS against VPN connections. 7) An error in the LibSystem component can be exploited by malicious people to cause a heap-based buffer overflow via applications when requesting large amounts of memory. 8) The "Download Validation" in the Mail component fails to warn users about unsafe file types when an e-mail attachment is double-clicked. 9) In certain cases a Perl program may fail to drop privileges. For more information: SA17922 10) A boundary error in rsync can be exploited by authenticated users to cause a heap-based buffer overflow when it's allowed to transfer extended attributes. 11) A boundary error in WebKit's handling of certain HTML can be exploited to cause a heap-based buffer overflow. 12) A boundary error in Safari when parsing JavaScript can be exploited to cause a stack-based buffer overflow and allows execution of arbitrary code when a malicious web page including specially crafted JavaScript is viewed. 13) An error in Safari's security model when handling HTTP redirection can be exploited to execute JavaScript in the local domain via a specially crafted web site. 14) An error in Safari / LaunchServices may cause a malicious application to appear as a safe file type. This may cause a malicious file to be executed automatically when the "Open safe files after downloading" option is enabled. This vulnerability is related to: SA18963 15) An input validation error in the Syndication (Safari RSS) component can be exploited to conduct cross-site scripting attacks when subscribing to malicious RSS content. SOLUTION: Apply Security Update 2006-001. 4) Vade 79 (the vendor also credits Ilja van Sprundel and iDEFENSE). 6) The vendor credits OUSPG from the University of Oulu, NISCC, and CERT-FI. 7) The vendor credits Neil Archibald, Suresec LTD. 10) The vendor credits Jan-Derk Bakker. 11) The vendor credits Suresec LTD. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303382 Vade79: http://fakehalo.us/xosx-passwd.pl OTHER REFERENCES: SA18963: http://secunia.com/advisories/18963/ SA17922: http://secunia.com/advisories/17922/ SA17371: http://secunia.com/advisories/17371/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

heise Security

SOURCES

LAST UPDATE DATE

2025-05-07T20:47:29.138000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE