VARIoT IoT vulnerabilities database


VAR-200911-0286 CVE-2009-2834 Apple Mac OS X of IOKit Vulnerabilities in which keyboard firmware is modified CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
IOKit in Apple Mac OS X before 10.6.2 allows local users to modify the firmware of a (1) USB or (2) Bluetooth keyboard via unspecified vectors. Successful exploits may lead to other attacks
VAR-200911-0284 CVE-2009-2832 Apple Mac OS X of FTP Server Vulnerabilities in arbitrary code execution CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
Buffer overflow in FTP Server in Apple Mac OS X before 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a CWD command specifying a pathname in a deeply nested hierarchy of directories, related to a "CWD command line tool.". Apple Mac OS X is prone to a buffer-overflow vulnerability that affects the FTP component. Successful exploits may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. Issuing CWD commands to deeply nested directory structures may lead to unexpected application termination or arbitrary code execution
VAR-200911-0283 CVE-2009-2819 Apple Mac OS X of AFP Vulnerability in arbitrary code execution on the client CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
AFP Client in Apple Mac OS X 10.5.8 allows remote AFP servers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via unspecified vectors. Attackers can leverage these issues to execute arbitrary code with system-level privileges. Failed attacks will likely result in denial-of-service conditions. NOTE: These issues were previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but have been assigned their own record to better document them. The issues affect the following: Mac OS X 10.5.8 and earlier; Mac OS X Server 10.5.8 and earlier
VAR-200911-0279 CVE-2009-2831 Apple Mac OS X of Dictionary Vulnerable to arbitrary code execution CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Dictionary in Apple Mac OS X 10.5.8 allows remote attackers to create arbitrary files with any contents, and thereby execute arbitrary code, via crafted JavaScript, related to a "design issue.". An attacker can exploit this issue to execute JavaScript code in the context of the logged-in user. Successful exploits can compromise the affected computer. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it
VAR-200911-0277 CVE-2009-2829 Apple Mac OS X of Event Monitor Service disruption in (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Event Monitor in Apple Mac OS X 10.5.8 does not properly handle crafted authentication data sent to an SSH daemon, which allows remote attackers to cause a denial of service via vectors involving processing of XML log documents by other services, related to a "log injection" issue. Apple Mac OS X is prone to a denial-of-service vulnerability that affects the Event Monitor component. Attackers may exploit this issue to cause denial-of-service conditions in services that process the SSH server log data. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. This issue affects Mac OS X Server 10.5.8 and prior. There is a log injection vulnerability in Event Monitor, which can lead to log injection by connecting to the SSH server with specially crafted authentication information
VAR-200911-0278 CVE-2009-2830 Apple Mac OS X of Christos Zoulas file Vulnerable to buffer overflow CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple buffer overflows in Christos Zoulas file before 5.03 in Apple Mac OS X 10.6.x before 10.6.2 allow user-assisted remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Common Document Format (CDF) file. NOTE: this might overlap CVE-2009-1515. Successfully exploiting these issues may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: These issues were previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but have been assigned their own record to better document them
VAR-200911-0282 CVE-2009-2818 Mac OS X Server of Adaptive Firewall Brute force attack vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Adaptive Firewall in Apple Mac OS X before 10.6.2 does not properly handle invalid usernames in SSH login attempts, which makes it easier for remote attackers to obtain login access via a brute-force attack (aka dictionary attack). Apple Mac OS X is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform various attacks. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. This issue affects the following: Mac OS X Server v10.5.8 and prior; Mac OS X Server v10.6.1 and prior. Adaptive Firewall responds to suspicious behavior, such as high volumes of access attempts, by creating temporary rules to limit access
VAR-200911-0276 CVE-2009-2828 Apple Mac OS X of DirectoryService Vulnerable to arbitrary code execution CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The server in DirectoryService in Apple Mac OS X 10.5.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. Apple Mac OS X is prone to a memory-corruption vulnerability that affects the DirectoryService component. Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it
VAR-200911-0275 CVE-2009-2827 Apple Mac OS X of Disk Image Vulnerable to buffer overflow CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in Disk Images in Apple Mac OS X 10.5.8 allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FAT filesystem on a disk image. Successfully exploiting this issue may allow attackers to execute arbitrary code with superuser privileges, completely compromising affected computers. Failed exploit attempts will likely result in a denial-of-service condition. This issue affects the following: Mac OS X 10.5.8 and prior; Mac OS X Server 10.5.8 and prior. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. A heap overflow exists when handling disk images containing FAT filesystems
VAR-200911-0274 CVE-2009-2826 Apple Mac OS X of CoreGraphics Integer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple integer overflows in CoreGraphics in Apple Mac OS X 10.5.8 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document that triggers a heap-based buffer overflow. Apple Mac OS X is prone to multiple memory-corruption vulnerabilities that affect the CoreGraphics component. Successfully exploiting these issues may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. These issues affect the following: Mac OS X v10.5.8 and prior; Mac OS X Server v10.5.8 and prior. NOTE: These issues were previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but have been assigned their own record to better document them. There are multiple integer overflows that can lead to heap overflow in CoreGraphics processing PDF files
VAR-200911-0273 CVE-2009-2825 Apple Mac OS X of Certificate Assistant In X.509 Any certificate processing SSL Vulnerability impersonating a server CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Certificate Assistant in Apple Mac OS X before 10.6.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. This vulnerability is related to CVE-2009-2408. A crafted certificate may allow a man-in-the-middle attacker to impersonate an SSL server. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-006. This BID is being retired; the following individual records now document these issues:
  36988 Apple Mac OS X QuickLook Remote Code Execution Vulnerability
  36987 Apple Mac OS X Launch Services Remote Security Bypass Vulnerability
  36985 Apple Mac OS X QuickDraw Manager Remote Code Execution Vulnerability
  36984 Apple Mac OS X Login Window Race Condition Vulnerability
  36983 Apple Mac OS X Kernel Multiple Vulnerabilities
  36982 Apple Mac OS X International Components for Unicode Buffer Overflow Vulnerability
  36978 Apple Mac OS X Dictionary Arbitrary Script Injection Vulnerability
  36979 Apple Mac OS X IOKit Keyboard Firmware Local Unauthorized Access Vulnerability
  36977 Apple Mac OS X Help Viewer Spoofed HTTP Response Remote Code Execution Vulnerability
  36975 Apple Mac OS X FTP Server CWD Command Buffer Overflow Vulnerability
  36973 Apple Mac OS X Disk Images FAT Filesystem Heap Buffer Overflow Vulnerability
  36974 Apple Mac OS X CDF File Multiple Buffer Overflow Vulnerabilities
  36972 Apple Mac OS X DirectoryService Memory Corruption Vulnerability
  36961 Apple Mac OS X AFP Client Multiple Remote Code Execution Vulnerabilities
  36966 Apple Mac OS X Event Monitor Log Parsing Denial of Service Vulnerability
  36967 Apple Mac OS X Spotlight Insecure Temporary File Handling Vulnerability
  36964 Apple Mac OS X Screen Sharing Client Multiple Remote Code Execution Vulnerabilities
  36963 Apple Mac OS X Adaptive Firewall Security Bypass Vulnerability
  36962 Apple Mac OS X CoreGraphics Multiple Heap-Overflow Vulnerabilities
  36959 Apple Mac OS X Apple Type Services Multiple Memory Corruption Vulnerabilities
  36990 Apple Mac OS X Apache HTTP TRACE Cross Site Scripting Vulnerability
There was a bug in the handling of SSL certificates that contained null characters in the CN field, and users could be misled into accepting a specially crafted certificate that looked like it matched the domain the user was visiting
VAR-200911-0272 CVE-2009-2824 Apple Mac OS X of Apple Type Services (ATS) Vulnerable to buffer overflow CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 allow remote attackers to execute arbitrary code via a crafted embedded font in a document. Successfully exploiting these issues may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. These issues affect the following: Mac OS X v10.5.8 and prior; Mac OS X Server v10.5.8 and prior. NOTE: These issues were previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but have been assigned their own record to better document them
VAR-200911-0269 CVE-2009-2840 Apple Mac OS X of Spotlight Vulnerable to overwriting arbitrary files CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
Spotlight in Apple Mac OS X 10.5.8 does not properly handle temporary files, which allows local users to overwrite arbitrary files in the context of a different user's privileges via unspecified vectors. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it
VAR-200911-0268 CVE-2009-2839 Apple Mac OS X Vulnerability in arbitrary code execution in screen sharing CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Screen Sharing in Apple Mac OS X 10.5.8 allows remote VNC servers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. An attacker can exploit these issues to execute arbitrary code in the context of the vulnerable process. Failed exploit attempts are likely to result in denial-of-service conditions. NOTE: These issues were previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but have been assigned their own record to better document them
VAR-200911-0267 CVE-2009-2838 Apple Mac OS X Integer Overflow Vulnerability in Quick Look CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Integer overflow in QuickLook in Apple Mac OS X 10.5.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Microsoft Office document that triggers a buffer overflow. Apple Mac OS X is prone to a remote code-execution vulnerability that affects QuickLook. Successfully exploiting this issue may allow attackers to execute arbitrary code and compromise the affected computer. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. An integer overflow exists in QuickLook's handling of Microsoft Office files. Downloading a malicious Microsoft Office file may cause the application to terminate unexpectedly or execute arbitrary code
VAR-200911-0265 CVE-2009-2836 Apple Mac OS X Login window vulnerabilities to log in with arbitrary accounts CVSS V2: 6.2
CVSS V3: -
Severity: MEDIUM
Race condition in Login Window in Apple Mac OS X 10.6.x before 10.6.2, when at least one account has a blank password, allows attackers to bypass password authentication and obtain login access to an arbitrary account via unspecified vectors. Apple Mac OS X is prone to a race-condition vulnerability in Login Window. Under certain circumstances, a local attacker can exploit this issue to access the system with elevated privileges. This issue affects the following: Mac OS X 10.6 and 10.6.1; Mac OS X Server 10.6 and 10.6.1. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it
VAR-200911-0264 CVE-2009-2835 Apple Mac OS X of Kernel Vulnerability gained in CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
The kernel in Apple Mac OS X before 10.6.2 does not properly handle task state segments, which allows local users to gain privileges, cause a denial of service (system crash), or obtain sensitive information via unspecified vectors. Apple Mac OS X kernel is prone to multiple vulnerabilities. Successfully exploiting these issues may allow local attackers to execute arbitrary code with kernel-level privileges, to completely compromise affected computers, to obtain sensitive information, and to trigger denial-of-service conditions. NOTE: These issues were previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but have been assigned their own record to better document them
VAR-200911-0263 CVE-2009-2810 Apple Mac OS X of Launch Services Vulnerable to arbitrary code execution CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Launch Services in Apple Mac OS X 10.6.x before 10.6.2 recursively clears quarantine information upon opening a quarantined folder, which allows user-assisted remote attackers to execute arbitrary code via a quarantined application that does not trigger a "potentially unsafe" warning message. Apple Mac OS X is prone to a remote security-bypass vulnerability that affects the Launch Services API. An attacker can exploit this issue by enticing a user to download a malicious file and launch it without being warned. Successful exploits may bypass the security feature that displays a warning dialog box before executing malicious files from the quarantined directory. This issue affects the following: Mac OS X 10.6 and 10.6.1; Mac OS X Server 10.6 and 10.6.1. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. This may allow unsafe items such as applications to be launched without a warning dialog
VAR-200911-0262 CVE-2009-2808 Apple Mac OS X Help Viewer vulnerable to arbitrary code execution CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
Help Viewer in Apple Mac OS X before 10.6.2 does not use an HTTPS connection to retrieve Apple Help content from a web site, which allows man-in-the-middle attackers to send a crafted help:runscript link, and thereby execute arbitrary code, via a spoofed response. Apple Mac OS X is prone to a remote code-execution vulnerability. Successful exploits may allow attackers with access to the local area network to execute arbitrary code within the context of the application. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it
VAR-200911-0266 CVE-2009-2837 Apple Mac OS X of QuickDraw Manager Vulnerable to buffer overflow CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in QuickDraw Manager in Apple Mac OS X before 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image. Apple Mac OS X is prone to a remote code-execution vulnerability that affects the QuickDraw Manager. Successfully exploiting this issue may allow attackers to execute arbitrary code and compromise the affected computer. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.

VUPEN Security Research - Apple Quicktime PICT Handling Heap Overflow Vulnerability
http://www.vupen.com/english/research.php

I. BACKGROUND
---------------------
"Apple QuickTime is software that allows Mac and Windows users to play back audio and video on their computers. But taking a deeper look, QuickTime is many things: a file format, an environment for media authoring and a suite of applications" from Apple.com

II. DESCRIPTION
---------------------
VUPEN Vulnerability Research Team discovered a vulnerability in Apple Quicktime.

III. AFFECTED PRODUCTS
--------------------------------
Apple QuickTime versions prior to 7.6.6

IV. Exploits - PoCs & Binary Analysis
----------------------------------------
In-depth binary analysis of the vulnerability and an exploit code have been released by VUPEN through the VUPEN Binary Analysis & Exploits Service : http://www.vupen.com/exploits

V. SOLUTION
----------------
Upgrade to Apple QuickTime version 7.6.6 : http://www.apple.com/quicktime/download/

VI. CREDIT
--------------
The vulnerability was discovered by Nicolas Joly of VUPEN Security

VII. ABOUT VUPEN Security
---------------------------------
VUPEN is a leading IT security research company providing vulnerability management and security intelligence solutions which enable enterprises and institutions to eliminate vulnerabilities before they can be exploited, ensure security policy compliance and meaningfully measure and manage risks. Governmental and federal agencies, and global enterprises in the financial services, insurance, manufacturing and technology industries rely on VUPEN to improve their security, prioritize resources, cut time and costs, and stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service: http://www.vupen.com/english/services
* VUPEN Binary Analysis & Exploits Service : http://www.vupen.com/exploits

VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/0746
http://support.apple.com/kb/HT4104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2837

IX. DISCLOSURE TIMELINE
-----------------------------------
2009-05-28 - Vendor notified
2009-05-28 - Vendor response
2009-07-18 - Status update received
2009-10-30 - Status update received
2010-01-07 - Status update received
2010-03-11 - Status update received
2010-03-31 - Coordinated public Disclosure