Sign-up

ID

VAR-200902-0476


CVE

CVE-2009-0141


TITLE

Apple Mac OS  of  XTerm  writable vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2009-001085

DESCRIPTION

XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creates tty devices with insecure world-writable permissions, which allows local users to write to the Xterm of another user. The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues. Local attackers may exploit this issue to gain elevated privileges; other attacks may also be possible. This issue affects Mac OS X 10.4.11 and 10.5.6. Other distributions that include XTerm and Luit may also be vulnerable, but this has not been confirmed. NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. 1) A race condition error in the AFP Server can be exploited to trigger the execution of an infinite loop by sending a specially crafted file enumeration request. 2) An error in the handling of movie files using the Pixlet codec can be exploited to trigger a memory corruption. 3) An error in the Resource Manager related to CarbonCore can be exploited to trigger a memory corruption via a file containing a specially crafted resource fork. Successful exploitation of vulnerabilities #2 and #3 may allow execution of arbitrary code. 4) Certificate Assistant handles temporary files in an insecure manner. This can be exploited to overwrite arbitrary files with the privileges of the user running the application. 5) Two errors in ClamAV can be exploited to cause a crash or potentially execute arbitrary code. For more information: SA32663 SA32926 6) An error in CoreText when processing specially crafted Unicode strings can be exploited to cause a heap-based buffer overflow via e.g. a specially crafted web page. Successful exploitation of this vulnerability may allow execution of arbitrary code. 7) The dscl program accepts passwords passed via command line arguments. This can be exploited by local users to obtain the received passwords via the process list. 8) Multiple errors in fetchmail can be exploited by malicious people to cause a crash via overly large e-mail headers. For more information: SA30742 9) Folder Manager creates the "Downloads" folder with global read permissions after a user deletes it. This can be exploited by unprivileged local users to gain access to the "Downloads" folder. 10) An error in the fseventsd program can be exploited to disclose normally restricted filesystem activity via the FSEvents framework. 11) An error in perl when processing Unicode characters can be exploited to trigger a memory corruption and potentially execute arbitrary code. This is related to: SA27546 12) An error handling problem in csregprinter can be exploited to cause a heap-based buffer overflow and potentially gain system privileges. 13) Multiple errors in python have an unknown impact or can be exploited to cause a crash or potentially compromise a vulnerable system. For more information: SA26837 SA31305 14) An uninitialized memory access error in the Remote Apple events server can be exploited to disclose potentially sensitive memory contents via specially crafted Remote Apple events. 15) An error in Server Manager while validating authentication credentials can be exploited to alter the system configuration. 16) An integer overflow in the SMB implementation can be exploited to cause a heap-based buffer overflow by tricking a user into connecting to a malicious SMB server. Successful exploitation of this vulnerability may allow execution of arbitrary code. 17) An error in the SMB implementation can be exploited to exhaust available memory resources and cause a system shutdown by tricking a user into connecting to a malicious SMB server. 18) An error in SquirrelMail can be exploited to inject and execute arbitrary HTML and script code via a specially crafted email. For more information: SA32143 19) Multiple errors in the X11 server can be exploited by malicious, local users to cause a DoS, disclose potentially sensitive information, or gain escalated privileges. For more information: SA30627 20) Multiple errors in FreeType can be exploited to cause a DoS or compromise an application using the library. For more information: SA20100 SA24768 SA30600 21) Multiple errors in LibX11 can be exploited by malicious, local users to disclose sensitive information, cause a DoS, and gain escalated privileges. This can be exploited to e.g. write data to another user's Xterm. SOLUTION: Apply Apple Security Update 2009-001. http://www.apple.com/support/downloads/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 6) Rosyna of Unsanity 9) Graham Perrin of CENTRIM, University of Brighton 10) Mark Dalrymple 12) Lars Haulin ORIGINAL ADVISORY: http://support.apple.com/kb/HT3438 OTHER REFERENCES: SA20100: http://secunia.com/advisories/20100/ SA24741: http://secunia.com/advisories/24741/ SA24768: http://secunia.com/advisories/24768/ SA26837: http://secunia.com/advisories/26837/ SA27546: http://secunia.com/advisories/27546/ SA30600: http://secunia.com/advisories/30600/ SA30627: http://secunia.com/advisories/30627/ SA30742: http://secunia.com/advisories/30742/ SA31305: http://secunia.com/advisories/31305/ SA32143: http://secunia.com/advisories/32143/ SA32663: http://secunia.com/advisories/32663/ SA32926: http://secunia.com/advisories/32926/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.34

sources: NVD: CVE-2009-0141 // JVNDB: JVNDB-2009-001085 // BID: 33759 // BID: 33798 // VULHUB: VHN-37587 // PACKETSTORM: 74951

AFFECTED PRODUCTS

vendor:applemodel:mac os x serverscope:eqversion:10.5.6

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.5.6

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.11

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.4.11

Trust: 1.6

vendor:アップルmodel:apple mac os xscope:eqversion:v10.4.11

Trust: 0.8

vendor:アップルmodel:apple mac os x serverscope:eqversion:v10.4.11

Trust: 0.8

vendor:アップルmodel:apple mac os xscope:eqversion:server v10.4.11

Trust: 0.8

vendor:アップルmodel:apple mac os x serverscope:eqversion:v10.5.6

Trust: 0.8

vendor:アップルmodel:apple mac os xscope:eqversion:v10.5.6

Trust: 0.8

vendor:アップルmodel:apple mac os xscope:eqversion:server v10.5.6

Trust: 0.8

vendor:applemodel:mac os serverscope:eqversion:x10.4.8

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.9

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.9

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.6

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.3

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.10

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5.6

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5.3

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.10

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.5

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5.5

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.4

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.7

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.1

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5.4

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.2

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.7

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.1

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.1

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.4

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.6

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5.2

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.2

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.3

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5.1

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.4

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.6

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.2

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.3

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.11

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.4.8

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.4.11

Trust: 0.6

sources: BID: 33759 // BID: 33798 // JVNDB: JVNDB-2009-001085 // CNNVD: CNNVD-200902-318 // NVD: CVE-2009-0141

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-0141
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-0141
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200902-318
value: LOW

Trust: 0.6

VULHUB: VHN-37587
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2009-0141
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-37587
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2009-0141
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2009-0141
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-37587 // JVNDB: JVNDB-2009-001085 // CNNVD: CNNVD-200902-318 // NVD: CVE-2009-0141

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.0

problemtype:Improper permission assignment for critical resources (CWE-732) [NVD evaluation ]

Trust: 0.8

problemtype:CWE-264

Trust: 0.1

sources: VULHUB: VHN-37587 // JVNDB: JVNDB-2009-001085 // NVD: CVE-2009-0141

THREAT TYPE

local

Trust: 0.9

sources: BID: 33798 // CNNVD: CNNVD-200902-318

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-200902-318

PATCH

title:HT3438 Apple  Security updateurl:http://support.apple.com/kb/HT3438

Trust: 0.8

sources: JVNDB: JVNDB-2009-001085

EXTERNAL IDS

db:NVDid:CVE-2009-0141

Trust: 3.6

db:SECUNIAid:33937

Trust: 2.6

db:SECTRACKid:1021729

Trust: 2.5

db:VUPENid:ADV-2009-0422

Trust: 2.5

db:BIDid:33798

Trust: 2.0

db:XFid:48727

Trust: 1.4

db:BIDid:33759

Trust: 0.9

db:JVNDBid:JVNDB-2009-001085

Trust: 0.8

db:CNNVDid:CNNVD-200902-318

Trust: 0.7

db:APPLEid:APPLE-SA-2009-02-12

Trust: 0.6

db:VULHUBid:VHN-37587

Trust: 0.1

db:PACKETSTORMid:74951

Trust: 0.1

sources: VULHUB: VHN-37587 // BID: 33759 // BID: 33798 // JVNDB: JVNDB-2009-001085 // PACKETSTORM: 74951 // CNNVD: CNNVD-200902-318 // NVD: CVE-2009-0141

REFERENCES

url:http://securitytracker.com/alerts/2009/feb/1021729.html

Trust: 2.5

url:http://secunia.com/advisories/33937

Trust: 2.5

url:http://support.apple.com/kb/ht3438

Trust: 2.4

url:http://www.vupen.com/english/advisories/2009/0422

Trust: 1.9

url:http://lists.apple.com/archives/security-announce/2009/feb/msg00000.html

Trust: 1.7

url:http://xforce.iss.net/xforce/xfdb/48727

Trust: 1.4

url:http://www.securityfocus.com/bid/33798

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/48727

Trust: 1.1

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0141

Trust: 0.8

url:http://www.apple.com/macosx/

Trust: 0.6

url:http://www.securityfocus.com/bid/33759

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2009/0422

Trust: 0.6

url:http://secunia.com/advisories/20100/

Trust: 0.1

url:http://secunia.com/advisories/33937/

Trust: 0.1

url:http://secunia.com/advisories/30742/

Trust: 0.1

url:http://secunia.com/advisories/26837/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/advisories/32663/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://www.apple.com/support/downloads/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/advisories/30627/

Trust: 0.1

url:http://secunia.com/advisories/32143/

Trust: 0.1

url:http://secunia.com/advisories/27546/

Trust: 0.1

url:http://secunia.com/advisories/24768/

Trust: 0.1

url:http://secunia.com/advisories/31305/

Trust: 0.1

url:http://secunia.com/advisories/product/96/

Trust: 0.1

url:http://secunia.com/advisories/24741/

Trust: 0.1

url:http://secunia.com/advisories/30600/

Trust: 0.1

url:http://secunia.com/advisories/32926/

Trust: 0.1

sources: VULHUB: VHN-37587 // BID: 33759 // BID: 33798 // JVNDB: JVNDB-2009-001085 // PACKETSTORM: 74951 // CNNVD: CNNVD-200902-318 // NVD: CVE-2009-0141

CREDITS

Graham PerrinClint RuohoBilly Rios

Trust: 0.6

sources: CNNVD: CNNVD-200902-318

SOURCES

db:VULHUBid:VHN-37587
db:BIDid:33759
db:BIDid:33798
db:JVNDBid:JVNDB-2009-001085
db:PACKETSTORMid:74951
db:CNNVDid:CNNVD-200902-318
db:NVDid:CVE-2009-0141

LAST UPDATE DATE

2025-04-10T22:28:53.011000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-37587date:2017-08-08T00:00:00
db:BIDid:33759date:2009-02-18T16:37:00
db:BIDid:33798date:2009-02-17T22:38:00
db:JVNDBid:JVNDB-2009-001085date:2024-02-22T02:33:00
db:CNNVDid:CNNVD-200902-318date:2009-02-20T00:00:00
db:NVDid:CVE-2009-0141date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:VULHUBid:VHN-37587date:2009-02-13T00:00:00
db:BIDid:33759date:2009-02-12T00:00:00
db:BIDid:33798date:2009-02-13T00:00:00
db:JVNDBid:JVNDB-2009-001085date:2009-03-19T00:00:00
db:PACKETSTORMid:74951date:2009-02-13T16:11:49
db:CNNVDid:CNNVD-200902-318date:2009-02-13T00:00:00
db:NVDid:CVE-2009-0141date:2009-02-13T00:30:05.077