Sign-up

ID

VAR-200906-0281


CVE

CVE-2009-1719


TITLE

Mac OS X Running on Java Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2009-001831

DESCRIPTION

The Aqua Look and Feel for Java implementation in Java 1.5 on Mac OS X 10.5 allows remote attackers to execute arbitrary code via a call to the undocumented apple.laf.CColourUIResource constructor with a crafted value in the first argument, which is dereferenced as a pointer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.The specific flaw exists in the undocumented apple.laf.CColourUIResource(long, int, int ,int, int) constructor. When passing a long integer value as the first argument, the value is interpreted as pointer to an Objective-C object. By constructing a special memory structure and passing the pointer to the first argument an attacker may execute arbitrary code. Sun Java Runtime Environment (JRE) is prone to a privilege-escalation vulnerability. This issue affects JRE 1.5 running on Mac OS X 10.5. NOTE: This BID is being retied because the vulnerability was previously documented in BID 35381 (Sun Java Runtime Environment Aqua Look and Feel Privilege Escalation Vulnerability). The Aqua Look and Feel interface package implemented by Java does not correctly verify the parameters passed to the apple.laf.CColourUIResource(long, int, int ,int, int) constructor, if a super long integer is passed to the first parameter value, which is interpreted as a pointer to an Objective-C object. ZDI-09-043: Apple Java CColorUIResource Pointer Derference Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-043 June 16, 2009 -- CVE ID: CVE-2009-1719 -- Affected Vendors: Apple -- Affected Products: Apple Java -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6800. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3632 -- Disclosure Timeline: 2009-01-26 - Vulnerability reported to vendor 2009-06-16 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Trust: 2.97

sources: NVD: CVE-2009-1719 // JVNDB: JVNDB-2009-001831 // ZDI: ZDI-09-043 // BID: 35401 // BID: 35381 // VULHUB: VHN-39165 // PACKETSTORM: 78473

AFFECTED PRODUCTS

vendor:sunmodel:jre 1.5.0 12scope: - version: -

Trust: 1.8

vendor:sunmodel:jre 04scope:eqversion:1.5

Trust: 1.8

vendor:sunmodel:jre 1.5.0 11scope: - version: -

Trust: 1.8

vendor:sunmodel:jre 06scope:eqversion:1.5

Trust: 1.8

vendor:sunmodel:jre 1.5.0 14scope: - version: -

Trust: 1.8

vendor:sunmodel:jre 02scope:eqversion:1.5

Trust: 1.8

vendor:sunmodel:jre 01scope:eqversion:1.5

Trust: 1.8

vendor:sunmodel:jre 1.5.0 10scope: - version: -

Trust: 1.8

vendor:sunmodel:jre 05scope:eqversion:1.5

Trust: 1.8

vendor:sunmodel:jre 1.5.0 17scope: - version: -

Trust: 1.8

vendor:sunmodel:jre 03scope:eqversion:1.5

Trust: 1.8

vendor:sunmodel:jre 1.5.0 13scope: - version: -

Trust: 1.8

vendor:sunmodel:jrescope:eqversion:1.5

Trust: 1.2

vendor:sunmodel:jre 1.5.0.0 08scope: - version: -

Trust: 1.2

vendor:sunmodel:jre 1.5.0.0 07scope: - version: -

Trust: 1.2

vendor:sunmodel:jre 1.5.0.0 09scope: - version: -

Trust: 1.2

vendor:sunmodel:jrescope:eqversion:1.5.0

Trust: 1.0

vendor:sunmodel:jrescope:eqversion:1.5.0_11-b03

Trust: 1.0

vendor:applemodel:javascope: - version: -

Trust: 0.7

vendor:sunmodel:jre betascope:eqversion:1.5.0

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.6

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.3

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5

Trust: 0.6

vendor:sunmodel:jre 07scope:eqversion:1.5

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.4

Trust: 0.6

vendor:sunmodel:jre 1.5.0 09scope: - version: -

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.7

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.2

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.5.1

Trust: 0.6

vendor:sunmodel:jre 1.5.0 08scope: - version: -

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.6

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.5.7

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.2

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.1

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.4

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.5

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.0

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.7

Trust: 0.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.3

Trust: 0.6

sources: ZDI: ZDI-09-043 // BID: 35401 // BID: 35381 // CNNVD: CNNVD-200906-280 // NVD: CVE-2009-1719

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1719
value: HIGH

Trust: 1.0

NVD: CVE-2009-1719
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200906-280
value: HIGH

Trust: 0.6

VULHUB: VHN-39165
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2009-1719
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-39165
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-39165 // JVNDB: JVNDB-2009-001831 // CNNVD: CNNVD-200906-280 // NVD: CVE-2009-1719

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.9

sources: VULHUB: VHN-39165 // JVNDB: JVNDB-2009-001831 // NVD: CVE-2009-1719

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 78473 // CNNVD: CNNVD-200906-280

TYPE

Design Error

Trust: 0.6

sources: BID: 35401 // BID: 35381

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-001831

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-39165

PATCH
title:HT3632url:http://support.apple.com/kb/HT3632
Trust: 1.5
title:HT3632url:http://support.apple.com/kb/HT3632?viewlocale=ja_JP
Trust: 0.8
sources:
            
            
            ZDI: ZDI-09-043 // 
            
            
            
            JVNDB: JVNDB-2009-001831

EXTERNAL IDS
db:NVDid:CVE-2009-1719
Trust: 3.9
db:ZDIid:ZDI-09-043
Trust: 3.1
db:BIDid:35381
Trust: 2.8
db:BIDid:35401
Trust: 2.0
db:XFid:51185
Trust: 1.4
db:JVNDBid:JVNDB-2009-001831
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-416
Trust: 0.7
db:BUGTRAQid:20090616 ZDI-09-043: APPLE JAVA CCOLORUIRESOURCE POINTER DERFERENCE CODE EXECUTION VULNERABILITY
Trust: 0.6
db:APPLEid:APPLE-SA-2009-06-15-1
Trust: 0.6
db:CNNVDid:CNNVD-200906-280
Trust: 0.6
db:PACKETSTORMid:78473
Trust: 0.2
db:VULHUBid:VHN-39165
Trust: 0.1
sources:
            
            
            ZDI: ZDI-09-043 // 
            
            
            
            VULHUB: VHN-39165 // 
            
            
            
            BID: 35401 // 
            
            
            
            BID: 35381 // 
            
            
            
            JVNDB: JVNDB-2009-001831 // 
            
            
            
            PACKETSTORM: 78473 // 
            
            
            
            CNNVD: CNNVD-200906-280 // 
            
            
            
            NVD: CVE-2009-1719

REFERENCES
url:http://support.apple.com/kb/ht3632
Trust: 2.5
url:http://www.securityfocus.com/bid/35381
Trust: 2.5
url:http://www.zerodayinitiative.com/advisories/zdi-09-043
Trust: 1.8
url:http://lists.apple.com/archives/security-announce/2009/jun/msg00003.html
Trust: 1.7
url:http://www.securityfocus.com/bid/35401
Trust: 1.7
url:http://xforce.iss.net/xforce/xfdb/51185
Trust: 1.4
url:http://www.securityfocus.com/archive/1/504364/100/0/threaded
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/51185
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1719
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1719
Trust: 0.8
url:http://www.zerodayinitiative.com/advisories/zdi-09-043/
Trust: 0.6
url:http://software.cisco.com/download/navigator.html?mdfid=283613663
Trust: 0.6
url:http://java.sun.com/index.jsp
Trust: 0.6
url:http://www.securityfocus.com/archive/1/archive/1/504364/100/0/threaded
Trust: 0.6
url:http://www.zerodayinitiative.com/advisories/disclosure_policy/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2009-1719
Trust: 0.1
url:http://www.tippingpoint.com
Trust: 0.1
url:http://www.zerodayinitiative.com
Trust: 0.1
sources:
            
            
            ZDI: ZDI-09-043 // 
            
            
            
            VULHUB: VHN-39165 // 
            
            
            
            BID: 35401 // 
            
            
            
            BID: 35381 // 
            
            
            
            JVNDB: JVNDB-2009-001831 // 
            
            
            
            PACKETSTORM: 78473 // 
            
            
            
            CNNVD: CNNVD-200906-280 // 
            
            
            
            NVD: CVE-2009-1719

CREDITS
Anonymous
Trust: 0.7
sources:
            
            
            ZDI: ZDI-09-043

SOURCES
db:ZDIid:ZDI-09-043
db:VULHUBid:VHN-39165
db:BIDid:35401
db:BIDid:35381
db:JVNDBid:JVNDB-2009-001831
db:PACKETSTORMid:78473
db:CNNVDid:CNNVD-200906-280
db:NVDid:CVE-2009-1719

LAST UPDATE DATE
2025-04-10T23:16:27.017000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-09-043date:2009-06-16T00:00:00
db:VULHUBid:VHN-39165date:2018-10-10T00:00:00
db:BIDid:35401date:2009-06-16T20:09:00
db:BIDid:35381date:2009-06-16T20:09:00
db:JVNDBid:JVNDB-2009-001831date:2009-07-31T00:00:00
db:CNNVDid:CNNVD-200906-280date:2009-06-23T00:00:00
db:NVDid:CVE-2009-1719date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:ZDIid:ZDI-09-043date:2009-06-16T00:00:00
db:VULHUBid:VHN-39165date:2009-06-16T00:00:00
db:BIDid:35401date:2009-06-16T00:00:00
db:BIDid:35381date:2009-06-15T00:00:00
db:JVNDBid:JVNDB-2009-001831date:2009-07-31T00:00:00
db:PACKETSTORMid:78473date:2009-06-17T00:52:13
db:CNNVDid:CNNVD-200906-280date:2009-06-16T00:00:00
db:NVDid:CVE-2009-1719date:2009-06-16T23:30:00.233