VARIoT IoT vulnerabilities database

VAR-200701-0516 | CVE-2007-0021 | Apple iChat AIM URI handler format string vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Format string vulnerability in Apple iChat 3.1.6 allows remote attackers to cause a denial of service (null pointer dereference and application crash) and possibly execute arbitrary code via format string specifiers in an aim:// URI. Apple iChat contains a format string vulnerability. This vulnerability may allow a remote, unauthenticated attacker to execute arbitary code. A vulnerability in the way Apple Mac OS X handles corrupted Universal Mach-O Binaries may result in execution of arbitrary code or denial of service. Apple iChat is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.
Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application and to compromise affected computers.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary.
The vulnerability is reported in a fully patched Mac OS X
(2006-11-26).
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0510 | CVE-2007-0102 | Apple Mac OS X Preview Implemented in Adobe PDF Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The Adobe PDF specification 1.3, as implemented by Apple Mac OS X Preview, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. Microsoft Publisher is prone to a remote code-execution vulnerability.
An attacker could exploit this issue by enticing a victim to open a malicious Publisher file.
Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user. Publisher is a tool in the Microsoft Office suite of office software for creating, personalizing and sharing a variety of publications and marketing materials. Publisher did not properly validate application data when loading Publisher files into memory, and did not validate memory index values when opening specially crafted Publisher files. If a user is tricked into opening a malicious .pub file, memory corruption could be triggered, resulting in arbitrary command execution.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary.
The vulnerability is reported in a fully patched Mac OS X
(2006-11-26). Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0400 | CVE-2007-0467 | Apple CrashDump privilege escalation |
CVSS V2: 6.2 CVSS V3: - Severity: MEDIUM |
crashdump in Apple Mac OS X 10.4.8 allows local users in the admin group to modify arbitrary files or gain privileges via a symlink attack on application logs in /Library/Logs/CrashReporter/. CrashReporter contains a privilege escalation vulnerability that may allow authenticated users to run commands as root. In order to exploit this vulnerability, — Must belong to the management group of Cull. Mac OS X is prone to a denial-of-service vulnerability. Local attackers may use this vulnerability to elevate their privileges. If an anomaly is detected, a crashdump is launched to investigate the cause of the crash and report it to the user. When reporting an exception, crashdump will first try to write the report to the user's home directory (/Users/[user]/Library/Logs/CrashReporter/), and if the home directory is unavailable due to permissions, etc., it will try to use the system A scoped log directory, such as /Library/Logs/CrashReporter/. But crashdump follows symlinks and users in the administrators group have write access to the directory. Since crashreporterd runs with root privileges, an attacker can embed a symbolic link in the /Library/Logs/CrashReporter/ directory to modify arbitrary files.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary. Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0396 | CVE-2007-0463 | Apple Software Update Format String Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in Apple Software Update 2.0.5 on Mac OS X 10.4.8 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in (1) SWUTMP or (2) SUCATALOG filenames, or using the (3) application/x-apple.sucatalog+xml MIME type. (1) SWUTMP File name format string specifier (2) SUCATALOG File name format string specifier (3) application/x-apple.sucatalog+xml MIME Using types. Apple Software Update is prone to a format-string vulnerability.
This issue presents itself because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
A successful attack may crash the application or possibly lead to arbitrary code execution. This may facilitate unauthorized access or privilege escalation in the context of the user running the application. Apple Software Update is used to distribute patches to end users via the HTTP protocol.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary.
The vulnerability is reported in a fully patched Mac OS X
(2006-11-26). Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0341 | CVE-2007-0614 | Apple Mac OS X fails to properly handle corrupted Universal Mach-O Binaries |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMessage framework 428 in Apple Mac OS X 10.4.8 allows remote attackers to cause a denial of service (persistent application crash) via a crafted phsh hash attribute in a TXT key. A vulnerability in the way Apple Mac OS X handles corrupted Universal Mach-O Binaries may result in execution of arbitrary code or denial of service. According to Apple information, iChat of Bonjour In message processing NULL Pointer Dereferencing causes the application to crash.Third parties on the local network can cause the application to crash. Apple iChat is prone to multiple remote denial-of-service vulnerabilities. These issues affect the Bonjour functionality.
Apple iChat 3.1.6 is reported affected; other versions may be vulnerable as well. Apple iChat is a video chat tool bundled with Apple's family of operating systems. Several denial-of-service vulnerabilities exist in iChat's Bonjour feature, which allows automatic discovery of computers. There are no restrictions on finding available contacts via mDNS queries, iChat will add the broadcasted _presence._tcp record even if the contact does not exist, so a malicious user can broadcast a fake record so that iChat users using Bonjour cannot discover more peers, unable to communicate reliably. In addition, the iChat agent may have an exception when processing a specially crafted TXT key hash, resulting in a crash when sending a SIGTRAP signal to the process. Trying to start iChat Bonjour again will fail because mDNSResponder keeps a specially crafted record.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary.
The vulnerability is reported in a fully patched Mac OS X
(2006-11-26).
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0320 | CVE-2007-0588 | Apple QuickDraw Manager heap buffer overflow vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The InternalUnpackBits function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT file that triggers memory corruption in the _GetSrcBits32ARGB function. NOTE: this issue might overlap CVE-2007-0462. Apple QuickDraw contains a heap buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code or create a denial-of-service condition. Quicktime Used in etc. Mac OS X QuickDraw is prone to a remote memory-corruption vulnerability because the software fails to properly handle malformed PICT image files.
Successfully exploiting this issue allows remote attackers to corrupt memory and to crash the affected software.
Mac OS X 10.4.8 is vulnerable to this issue; other versions are also likely affected, since the vulnerable component has been included in Apple operating systems since System 6.0.4. QuickDraw is a graphics processing tool bundled in the Apple operating system. A memory corruption vulnerability exists in QuickDraw when parsing PICT graphics with malformed ARGB records. Remote attackers may exploit this vulnerability to perform denial of service attacks on user machines. If the user is tricked into opening a malicious graphics file, this vulnerability will be triggered, destroying the pointer sent to the _GetSrcBits32ARGB function, resulting in a denial of service.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary.
The vulnerability is reported in a fully patched Mac OS X
(2006-11-26). Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0124 | CVE-2007-0267 | Mac OS X and FreeBSD Kernel ufs_lookup Denial of service in function (DoS) Vulnerability |
CVSS V2: 6.6 CVSS V3: - Severity: MEDIUM |
The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels allows local users to cause a denial of service (kernel panic) and possibly corrupt other filesystems by mounting a crafted UNIX File System (UFS) DMG image that contains a corrupted directory entry (struct direct), related to the ufs_dirbad function. NOTE: a third party states that the FreeBSD issue does not cross privilege boundaries. Apple Mac OS X is prone to a remote denial-of-service vulnerability. This issue occurs when the UFS filesystem handler fails to handle specially crafted DMG images.
A successful exploit can allow a remote attacker to cause kernel panic, resulting in a denial-of-service condition.
Mac OS X 10.4.8 is vulnerable; other versions may also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary. Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0036 | CVE-2007-0318 | Mac OS X of do_hfs_truncate Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The do_hfs_truncate function in Mac OS X 10.4.8 allows context-dependent attackers to cause a denial of service (kernel panic) via a crafted HFS+ filesystem in a DMG image, which causes an access of an invalid vnode structure during file removal. Mac OS X is prone to a denial-of-service vulnerability. This would cause access to an invalid vnode structure during the file move.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary. Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0021 | CVE-2007-0236 | Apple Mac OS X of _ATPsndrsp Double release vulnerability in functions |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Double free vulnerability in the _ATPsndrsp function in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to cause a denial of service (kernel panic) and possibly execute arbitrary code via a crafted AppleTalk request that triggers a heap-based buffer overflow. Apple Mac OS X AppleTalk is prone to a heap-overflow vulnerability because it fails to perform sufficient boundary checks on user-supplied data before copying it to a buffer.
An attacker could leverage this issue to have arbitrary code execute with administrative privileges. A successful exploit could result in the complete compromise of the affected system.
Apple Mac OS X version 10.4.8 is reported vulnerable; other versions may be vulnerable as well. This request triggers a heap buffer overflow vulnerability.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary. Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200611-0417 | CVE-2006-6173 | Mac OS X of shared_region_make_private_np Buffer overflow vulnerability in functions |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in the shared_region_make_private_np function in vm/vm_unix.c in Mac OS X 10.4.6 and earlier allows local users to execute arbitrary code via (1) a small range count, which causes insufficient memory allocation, or (2) a large number of ranges in the shared_region_make_private_np_args parameter. Apple Mac OS X is prone to a local memory-corruption vulnerability. This issue occurs when the operating system fails to handle specially crafted arguments to a system call.
Attackers may exploit this issue to cause a kernel panic, effectively denying further service to legitimate users. Due to the nature of this issue, successful exploits may potentially result in the execution of arbitrary machine code in the context of the affected kernel, but this has not been confirmed.
Mac OS X version 10.4.8 is vulnerable to this issue; other versions may also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200612-0489 | CVE-2006-6238 | Apple Safari of AutoFill Vulnerabilities that capture important information on functions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The AutoFill feature in Apple Safari 2.0.4 does not properly verify that all automatically populated form fields are visible to the user, which allows remote attackers to obtain sensitive information, such as usernames and passwords, via input fields of zero width, a variant of CVE-2006-6077.
This issue may allow attackers to obtain user credentials that have been saved in forms deriving from the same website where attack code resides. The most common manifestation of this condition would typically be in blogs or forums. This may allow attackers to gain access to potentially sensitive information that would facilitate the success of phishing attacks. is a variant of CVE-2006-6077.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Safari AutoFill Information Disclosure
SECUNIA ADVISORY ID:
SA23066
VERIFY ADVISORY:
http://secunia.com/advisories/23066/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information
WHERE:
>From remote
SOFTWARE:
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
A vulnerability has been discovered in Safari, which can be exploited
by malicious people to conduct phishing attacks. This may be exploited to steal user
credentials via malicious forms in the same domain.
Successful exploitation requires that the "User names and passwords"
option is enabled in the AutoFill preferences.
The vulnerability is confirmed in version 2.0.4. Other versions may
also be affected.
SOLUTION:
Disable the "AutoFill" option for user names and passwords in the
preferences.
ORIGINAL ADVISORY:
https://bugzilla.mozilla.org/show_bug.cgi?id=360493
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200611-0472 | CVE-2006-6130 | Apple Mac OS X AppleTalk AIOCRegLocalZN IOCTL Stack Buffer Overflow Vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Apple Mac OS X AppleTalk allows local users to cause a denial of service (kernel panic) by calling the AIOCREGLOCALZN ioctl command with a crafted data structure on an AppleTalk socket. Apple Mac OS X is prone to a local memory-corruption vulnerability. This issue occurs when the operating system fails to handle specially crafted arguments to an IOCTL call.
Due to the nature of this issue, an attacker may be able to execute arbitrary machine code in the context of the affected kernel, but this has not been confirmed. Failed exploit attempts result in kernel panics, denying service to legitimate users.
Mac OS X version 10.4.8 is vulnerable to this issue; other versions may also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Mac OS X Mach-O Universal Binary Memory Corruption
SECUNIA ADVISORY ID:
SA23088
VERIFY ADVISORY:
http://secunia.com/advisories/23088/
CRITICAL:
Less critical
IMPACT:
DoS, System access
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
LMH has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to cause a DoS (Denial of Service) or
potentially gain escalated privileges.
The vulnerability is caused due to an error in the fatfile_getarch2()
function. This can be exploited to cause an integer overflow and may
potentially allow execution of arbitrary code with kernel privileges
via a specially crafted Mach-O Universal binary. Other versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200611-0471 | CVE-2006-6129 | Apple Mac OS X fails to properly handle corrupted Universal Mach-O Binaries |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Integer overflow in the fatfile_getarch2 in Apple Mac OS X allows local users to cause a denial of service and possibly execute arbitrary code via a crafted Mach-O Universal program that triggers memory corruption. Apple Mac OS X is prone to a local integer-overflow vulnerability. This issue occurs when the operating system fails to handle specially crafted binaries.
A successful exploit would allow a local attacker to execute arbitrary code with kernel-level privileges, leading to the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. A remote attacker may use this vulnerability to execute arbitrary instructions on the user's machine. If a local unprivileged user is tricked into opening a specially crafted Mach-O universal binary, it could lead to arbitrary kernel mode code execution
VAR-200612-0689 | CVE-2006-6200 | PHP-Nuke News Module Index.PHP SQL Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in the (1) rate_article and (2) rate_complete functions in modules/News/index.php in the News module in Francisco Burzi PHP-Nuke 7.9 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the sid parameter. The PHP-Nuke News module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
PHP-Nuke 7.9 and prior versions are vulnerable.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
PHP-Nuke "modules/News/index.php" SQL Injection Vulnerabilities
SECUNIA ADVISORY ID:
SA23128
VERIFY ADVISORY:
http://secunia.com/advisories/23128/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data, Exposure of sensitive information
WHERE:
>From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
Paisterist has discovered two vulnerabilities in PHP-Nuke, which can
be exploited by malicious people to conduct SQL injection attacks.
Input passed to the "sid" parameter in modules/News/index.php from
modules.php is not properly sanitised before being used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Successful exploitation allows retrieval of administrator usernames
and password hashes, but requires that "magic_quotes_gpc" is disabled
and that the attacker knows the prefix for the database tables.
The vulnerabilities are confirmed in version 7.9.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
Set "magic_quotes_gpc" in php.ini to On.
Use another product.
PROVIDED AND/OR DISCOVERED BY:
Paisterist
ORIGINAL ADVISORY:
http://www.neosecurityteam.net/index.php?action=advisories&id=30
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200611-0468 | CVE-2006-6126 | Apple Mac OS X Mach-O Binary Loading Privilege Escalation Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Apple Mac OS X allows local users to cause a denial of service (memory corruption) via a crafted Mach-O binary with a malformed load_command data structure. Apple Mac OS X is prone to privilege-escalation vulnerability. This issue occurs when the operating system fails to handle specially crafted binaries.
A successful exploit would allow a local attacker to execute arbitrary code with kernel-level privileges. A successful exploit would lead to the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition
VAR-200611-0469 | CVE-2006-6127 | Apple Mac OS X KQueue Local Denial of Service Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Apple Mac OS X kernel allows local users to cause a denial of service via a process that uses kevent to register a queue and an event, then fork a child process that uses kevent to register an event for the same queue as the parent. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Exploiting this issue allows local, unprivileged users to crash affected kernels, denying further service to legitimate users.
Apple Mac OS X version 10.4.8 is vulnerable to this issue; other versions may also be affected.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA27643
VERIFY ADVISORY:
http://secunia.com/advisories/27643/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
13) An integer overflow error in the "i386_set_ldt" system call can
be exploited by malicious, local users to execute arbitrary code with
escalated privileges.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
19) A double-free error in the handling of certain IPV6 packets can
potentially be exploited to execute arbitrary code with system
privileges.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations. This can be exploited by malicious, local users to cause
a heap-based buffer overflow and execute arbitrary code with system
privileges by sending a maliciously crafted AppleTalk message.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
VAR-200612-0711 | CVE-2006-6290 | MailEnable IMAP Service Multiple Buffer Overflow Vulnerabilities |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Multiple stack-based buffer overflows in the IMAP module (MEIMAPS.EXE) in MailEnable Professional 1.6 through 1.82 and 2.0 through 2.33, and MailEnable Enterprise 1.1 through 1.30 and 2.0 through 2.33 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a long argument to the (1) EXAMINE or (2) SELECT command. MailEnable is a commercial POP3 and SMTP server. MailEnable has a vulnerability in handling user requests. MailEnable is prone to multiple buffer-overflow vulnerabilities in the IMAP service because the application fails to properly bounds-check various types of user-supplied data.
This issues are reported to affect the following MailEnable versions, but other versions may also be vulnerable:
1.6-1.86 Professional Edition
1.1-1.40 Enterprise Edition
2.0-2.33 Professional Edition
2.0-2.33 Enterprise Edition.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
MailEnable IMAP Service Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA23047
VERIFY ADVISORY:
http://secunia.com/advisories/23047/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
MailEnable Enterprise Edition 1.x
http://secunia.com/product/4325/
MailEnable Enterprise Edition 2.x
http://secunia.com/product/10427/
MailEnable Professional 2.x
http://secunia.com/product/10625/
MailEnable Professional 1.x
http://secunia.com/product/3474/
DESCRIPTION:
A vulnerability has been reported in MailEnable IMAP service, which
can be exploited by malicious people to cause a DoS (Denial of
Service) or potentially compromise a vulnerable system.
Successful exploitation may allow execution of arbitrary code.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.mailenable.com/hotfix/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200611-0467 | CVE-2006-6125 | NetGear wireless driver fails to properly process specially-crafted 802.11 management frames |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the wireless driver (WG311ND5.SYS) 2.3.1.10 for NetGear WG311v1 wireless adapter allows remote attackers to execute arbitrary code via an 802.11 management frame with a long SSID. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition. Failed attempts will likely crash the kernel, resulting in denial-of-service conditions.
Although the WG311v1ND5.SYS driver is used primarily on Microsoft Windows, users of Linux and BSD machines running the 'ndiswrapper' tool should determine if they are using a vulnerable instance of the driver.
Version 2.3.1.10 of the WG311v1ND5.SYS driver is vulnerable to this issue; other versions may also be affected. WG311 is a 54M wireless PCI card. Remote attackers can trigger this vulnerability by sending specially crafted packets, which may result in denial of service or execution of arbitrary commands. The problem exists in the WG311ND5.SYS driver, which is reproduced on Windows systems, but Linux and FreeBSD may also be affected by similar vulnerabilities.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
The vulnerability is caused due to a boundary error in the
WG311ND5.SYS device driver when handling long SSIDs. This can be
exploited to cause a heap-based buffer overflow via a specially
crafted packet.
SOLUTION:
Turn off the wireless card when not in use.
PROVIDED AND/OR DISCOVERED BY:
Laurent Butti
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-22-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200611-0421 | CVE-2006-6010 | SAP Vulnerability in which important information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
SAP allows remote attackers to obtain potentially sensitive information such as operating system and SAP version via an RFC_SYSTEM_INFO RfcCallReceive request, a different vulnerability than CVE-2003-0747
VAR-200611-0422 | CVE-2006-6011 | SAP Web Application Server Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in SAP Web Application Server before 6.40 patch 6 allows remote attackers to cause a denial of service (enserver.exe crash) via a certain UDP packet to port 64999, aka "two bytes UDP crash," a different vulnerability than CVE-2006-5785