VARIoT IoT vulnerabilities database


VAR-200501-0129 CVE-2004-1123 Apple DarwinStreamingServer DESCRIBE Denial of service vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Darwin Streaming Server 5.0.1, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) via a DESCRIBE request with a location that contains a null byte.
Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue has been assigned the CVE ID CAN-2004-1083 and is resolved in the attached Apple security update.
The second issue reported in the referenced advisory affects the Apache web server on Mac OS X. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. This issue has been assigned the CVE ID CAN-2004-1084 and is resolved in the attached Apple security update.
The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. This issue has been assigned the CVE ID CAN-2004-1081 and is resolved in the attached security update.
The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. It should be noted that this issue only affects Mac OS X Server 10.3.X and earlier. This issue has been assigned CVE ID CAN-2004-1089 and is resolved in the attached security update.
The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; the 10.2.X systems are not affected. This issue may allow an attacker to kill applications when running in kiosk mode. This issue has been assigned CVE ID CAN-2004-1085 and is resolved in the attached security update.
The sixth issue affects the Postfix functionality on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update.
The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. This issue has been assigned the CVE ID CAN-2004-1086 and is resolved in the attached security update.
The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. This issue has been assigned the CVE ID CAN-2004-1123 and is resolved in the attached security update.
Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. This issue has been assigned the CVE ID CAN-2004-1087 and is resolved in the attached security update.
An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks.
BACKGROUND
Darwin Streaming Server is an open source version of Apple's QuickTime Streaming Server technology that allows you to send streaming media to clients across the Internet using the industry standard RTP and RTSP protocols.
II.
The vulnerability specifically occurs due to insufficient sanity checking on arguments to DESCRIBE requests.
    [Switching to Thread 1026 (LWP 9648)]
    0x4207ac9e in chunk_free () from /lib/i686/libc.so.6
    (gdb) bt
    #0 0x4207ac9e in chunk_free () from /lib/i686/libc.so.6
    #1 0x4207ac24 in free () from /lib/i686/libc.so.6
    #2 0x08096406 in FindOrCreateSession (inPath=0x408caf3c, inParams=0x81746f0, inData=0x0, isPush=0, foundSessionPtr=0x0) at APIModules/QTSSReflectorModule/QTSSReflectorModule.cpp:1262
III. ANALYSIS
Successful exploitation allows any remote unauthenticated attacker to crash the targeted server, thereby preventing legitimate users from accessing streamed content.
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in Darwin Streaming Server 5.0.1. It is suspected that earlier versions are also vulnerable.
V. WORKAROUND
Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to systems and services.
VI. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2004-1123 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
09/10/2004 Initial vendor notification
09/15/2004 Initial vendor response
12/03/2004 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information.

VAR-200412-0412 CVE-2004-1089 Apple Mac OS X Multiple remote and local security vulnerabilities
CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Apple Mac OS X 10.3.6 server, when using Kerberos authentication and Cyrus IMAP, allows local users to access mailboxes of other users.
Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue has been assigned the CVE ID CAN-2004-1083 and is resolved in the attached Apple security update.
The second issue reported in the referenced advisory affects the Apache web server on Mac OS X. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. This issue has been assigned the CVE ID CAN-2004-1084 and is resolved in the attached Apple security update.
The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. This issue has been assigned the CVE ID CAN-2004-1081 and is resolved in the attached security update.
The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. It should be noted that this issue only affects Mac OS X Server 10.3.X and earlier. This issue has been assigned CVE ID CAN-2004-1089 and is resolved in the attached security update.
The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; the 10.2.X systems are not affected. This issue may allow an attacker to kill applications when running in kiosk mode. This issue has been assigned CVE ID CAN-2004-1085 and is resolved in the attached security update.
The sixth issue affects the Postfix functionality on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update.
The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. This issue has been assigned the CVE ID CAN-2004-1086 and is resolved in the attached security update.
The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. This issue has been assigned the CVE ID CAN-2004-1123 and is resolved in the attached security update.
Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. This issue has been assigned the CVE ID CAN-2004-1087 and is resolved in the attached security update.
An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks.
The CVE ID for this issue is CAN-2004-1083. The CVE ID of this problem is CAN-2004-1084. The CVE ID for this issue is CAN-2004-1089. The CVE ID for this issue is CAN-2004-1085. The CVE ID of this problem is CAN-2004-1088. The CVE ID for this issue is CAN-2004-1086. Attackers can use this vulnerability to carry out denial-of-service attacks on the service program. The CVE ID for this issue is CAN-2004-1123. The CVE ID for this issue is CAN-2004-1087.

VAR-200412-0410 CVE-2004-1087 Apple Mac OS X Multiple remote and local security vulnerabilities
CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Terminal for Apple Mac OS X 10.3.6 may indicate that "Secure Keyboard Entry" is enabled even when it is not, which could result in a false sense of security for the user.
Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue has been assigned the CVE ID CAN-2004-1083 and is resolved in the attached Apple security update.
The second issue reported in the referenced advisory affects the Apache web server on Mac OS X. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. This issue has been assigned the CVE ID CAN-2004-1084 and is resolved in the attached Apple security update.
The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. This issue has been assigned the CVE ID CAN-2004-1081 and is resolved in the attached security update.
The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. It should be noted that this issue only affects Mac OS X Server 10.3.X and earlier. This issue has been assigned CVE ID CAN-2004-1089 and is resolved in the attached security update.
The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; the 10.2.X systems are not affected. This issue may allow an attacker to kill applications when running in kiosk mode. This issue has been assigned CVE ID CAN-2004-1085 and is resolved in the attached security update.
The sixth issue affects the Postfix functionality on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update.
The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. This issue has been assigned the CVE ID CAN-2004-1086 and is resolved in the attached security update.
The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. This issue has been assigned the CVE ID CAN-2004-1123 and is resolved in the attached security update.
Finally, a vulnerability affects Apple's Terminal application. This issue has been assigned the CVE ID CAN-2004-1087 and is resolved in the attached security update.
An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks.
The CVE ID for this issue is CAN-2004-1083. The CVE ID of this problem is CAN-2004-1084. The CVE ID for this issue is CAN-2004-1089. The CVE ID for this issue is CAN-2004-1085. The CVE ID of this problem is CAN-2004-1088. The CVE ID for this issue is CAN-2004-1086. Attackers can use this vulnerability to carry out denial-of-service attacks on the service program. The CVE ID for this issue is CAN-2004-1123. The CVE ID for this issue is CAN-2004-1087.

VAR-200412-0411 CVE-2004-1088 Apple Mac OS X Multiple remote and local security vulnerabilities
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Postfix server for Apple Mac OS X 10.3.6, when using CRAM-MD5, allows remote attackers to send mail without authentication by replaying authentication information.
Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue has been assigned the CVE ID CAN-2004-1083 and is resolved in the attached Apple security update.
The second issue reported in the referenced advisory affects the Apache web server on Mac OS X. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. This issue has been assigned the CVE ID CAN-2004-1084 and is resolved in the attached Apple security update.
The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. This issue has been assigned the CVE ID CAN-2004-1081 and is resolved in the attached security update.
The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. It should be noted that this issue only affects Mac OS X Server 10.3.X and earlier. This issue has been assigned CVE ID CAN-2004-1089 and is resolved in the attached security update.
The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; the 10.2.X systems are not affected. This issue may allow an attacker to kill applications when running in kiosk mode. This issue has been assigned CVE ID CAN-2004-1085 and is resolved in the attached security update.
This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update.
The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. This issue has been assigned the CVE ID CAN-2004-1086 and is resolved in the attached security update.
The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. This issue has been assigned the CVE ID CAN-2004-1123 and is resolved in the attached security update.
Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. This issue has been assigned the CVE ID CAN-2004-1087 and is resolved in the attached security update.
An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks.
The CVE ID for this issue is CAN-2004-1083. The CVE ID of this problem is CAN-2004-1084. The CVE ID for this issue is CAN-2004-1089. The CVE ID for this issue is CAN-2004-1085. The CVE ID of this problem is CAN-2004-1088. The CVE ID for this issue is CAN-2004-1086. Attackers can use this vulnerability to carry out denial-of-service attacks on the service program. The CVE ID for this issue is CAN-2004-1123. The CVE ID for this issue is CAN-2004-1087.

VAR-200412-0409 CVE-2004-1086 Apple Mac OS X Multiple remote and local security vulnerabilities
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in PSNormalizer for Apple Mac OS X 10.3.6 allows remote attackers to execute arbitrary code via a crafted PostScript input file.
Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue has been assigned the CVE ID CAN-2004-1083 and is resolved in the attached Apple security update.
The second issue reported in the referenced advisory affects the Apache web server on Mac OS X. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. This issue has been assigned the CVE ID CAN-2004-1084 and is resolved in the attached Apple security update.
The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. This issue has been assigned the CVE ID CAN-2004-1081 and is resolved in the attached security update.
The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. It should be noted that this issue only affects Mac OS X Server 10.3.X and earlier. This issue has been assigned CVE ID CAN-2004-1089 and is resolved in the attached security update.
The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; the 10.2.X systems are not affected. This issue may allow an attacker to kill applications when running in kiosk mode. This issue has been assigned CVE ID CAN-2004-1085 and is resolved in the attached security update.
The sixth issue affects the Postfix functionality on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update.
The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. This issue has been assigned the CVE ID CAN-2004-1086 and is resolved in the attached security update.
The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. This issue has been assigned the CVE ID CAN-2004-1123 and is resolved in the attached security update.
Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. This issue has been assigned the CVE ID CAN-2004-1087 and is resolved in the attached security update.
An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks.
The CVE ID for this issue is CAN-2004-1083. The CVE ID of this problem is CAN-2004-1084. The CVE ID for this issue is CAN-2004-1089. The CVE ID for this issue is CAN-2004-1085. The CVE ID of this problem is CAN-2004-1088. The CVE ID for this issue is CAN-2004-1086. Attackers can use this vulnerability to carry out denial-of-service attacks on the service program. The CVE ID for this issue is CAN-2004-1123. The CVE ID for this issue is CAN-2004-1087.

VAR-200412-0405 CVE-2004-1081 Apple Mac OS X Multiple remote and local security vulnerabilities
CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The Application Framework (AppKit) for Apple Mac OS X 10.2.8 and 10.3.6 does not properly restrict access to a secure text input field, which allows local users to read keyboard input from other applications within the same window session.
Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue has been assigned the CVE ID CAN-2004-1083 and is resolved in the attached Apple security update.
The second issue reported in the referenced advisory affects the Apache web server on Mac OS X. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. This issue has been assigned the CVE ID CAN-2004-1084 and is resolved in the attached Apple security update.
The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. This issue has been assigned the CVE ID CAN-2004-1081 and is resolved in the attached security update.
The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. It should be noted that this issue only affects Mac OS X Server 10.3.X and earlier. This issue has been assigned CVE ID CAN-2004-1089 and is resolved in the attached security update.
The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; the 10.2.X systems are not affected. This issue may allow an attacker to kill applications when running in kiosk mode. This issue has been assigned CVE ID CAN-2004-1085 and is resolved in the attached security update.
The sixth issue affects the Postfix functionality on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update.
The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. This issue has been assigned the CVE ID CAN-2004-1086 and is resolved in the attached security update.
The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. This issue has been assigned the CVE ID CAN-2004-1123 and is resolved in the attached security update.
Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. This issue has been assigned the CVE ID CAN-2004-1087 and is resolved in the attached security update.
An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks.
The CVE ID for this issue is CAN-2004-1083. The CVE ID of this problem is CAN-2004-1084. The CVE ID for this issue is CAN-2004-1089. The CVE ID for this issue is CAN-2004-1085. The CVE ID of this problem is CAN-2004-1088. The CVE ID for this issue is CAN-2004-1086. Attackers can use this vulnerability to carry out denial-of-service attacks on the service program. The CVE ID for this issue is CAN-2004-1123. The CVE ID for this issue is CAN-2004-1087.

VAR-200412-0408 CVE-2004-1085 Apple Mac OS X Multiple remote and local security vulnerabilities
CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Human Interface Toolbox (HIToolBox) for Apple Mac OS X 10.3.6 allows local users to exit applications via the force-quit key combination, even when the system is running in kiosk mode.
Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue has been assigned the CVE ID CAN-2004-1083 and is resolved in the attached Apple security update.
The second issue reported in the referenced advisory affects the Apache web server on Mac OS X. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. This issue has been assigned the CVE ID CAN-2004-1084 and is resolved in the attached Apple security update.
The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. This issue has been assigned the CVE ID CAN-2004-1081 and is resolved in the attached security update.
The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. It should be noted that this issue only affects Mac OS X Server 10.3.X and earlier. This issue has been assigned CVE ID CAN-2004-1089 and is resolved in the attached security update.
The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; the 10.2.X systems are not affected. This issue may allow an attacker to kill applications when running in kiosk mode. This issue has been assigned CVE ID CAN-2004-1085 and is resolved in the attached security update.
The sixth issue affects the Postfix functionality on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update.
The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. This issue has been assigned the CVE ID CAN-2004-1086 and is resolved in the attached security update.
The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. This issue has been assigned the CVE ID CAN-2004-1123 and is resolved in the attached security update.
Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. This issue has been assigned the CVE ID CAN-2004-1087 and is resolved in the attached security update.
An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks.
The CVE ID for this issue is CAN-2004-1083. The CVE ID of this problem is CAN-2004-1084. The CVE ID for this issue is CAN-2004-1089. The CVE ID for this issue is CAN-2004-1085. The CVE ID of this problem is CAN-2004-1088. The CVE ID for this issue is CAN-2004-1086. Attackers can use this vulnerability to carry out denial-of-service attacks on the service program. The CVE ID for this issue is CAN-2004-1123. The CVE ID for this issue is CAN-2004-1087.

VAR-200412-0001 CVE-2004-0090 Vulnerability in Apple Mac OS X and Apple Mac OS X Server
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unknown vulnerability in Windows File Sharing for Mac OS X 10.1.5 through 10.3.2 does not "shutdown properly," which has unknown impact and attack vectors. Apple Mac OS X and Apple Mac OS X Server contain an unspecified vulnerability.
Apple has released Security Update 2004-01-26 to address multiple previously known and newly discovered security vulnerabilities in Mac OS X 10.1.x through 10.3.x.
Apache is a popular web server program. The mod_cgid module included with Apache has issues when using the threaded MPM, which can cause data redirection to leak sensitive information or improperly authorize access. When the threaded MPM is used, mod_cgid mishandles the CGI redirect path, which can lead to incorrectly directing CGI output to the client. Mis-redirecting data can reveal sensitive information or improperly authorize access.

VAR-200412-0407 CVE-2004-1084 Apple Mac OS X Multiple remote and local security vulnerabilities
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Apache for Apple Mac OS X 10.2.8 and 10.3.6 allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+, which bypass Apache file handles. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available. Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues. Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues. Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue. CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues. CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues. Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues. HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue. Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. 
The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues. loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue. Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue. MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues. OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues. ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue. QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue. Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues. SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue. servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue. servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. 
The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue. SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues. traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue. WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue. Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue. X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue. zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. These issues were disclosed in the referenced vendor advisory. The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; 10.2.X systems are not affected. 
This issue may allow an attacker to kill applications when running in kiosk mode. This issue may allow an attacker to send mail without requiring authentication. The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks. The CVE ID of this problem is CAN-2004-1084. The CVE ID of this problem is CAN-2004-1088. Attackers can use this vulnerability to carry out denial-of-service attacks on the service program
VAR-200412-0406 CVE-2004-1083 Apple Mac OS X Multiple remote and local security vulnerabilities CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate capitalization. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available. Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues. Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues. Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue. CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues. CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues. Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues. HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue. Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. 
The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues. loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue. Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue. MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues. OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues. ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue. QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue. Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues. SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue. servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue. servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. 
The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue. SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues. traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue. WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue. Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue. X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue. zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. These issues were disclosed in the referenced vendor advisory. The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; 10.2.X systems are not affected. 
This issue may allow an attacker to kill applications when running in kiosk mode. This issue may allow an attacker to send mail without requiring authentication. The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks. The CVE ID of this problem is CAN-2004-1084. The CVE ID of this problem is CAN-2004-1088. Attackers can use this vulnerability to carry out denial-of-service attacks on the service program
VAR-200411-0166 CVE-2004-1121 Multiple web browsers do not properly interpret TABLE elements when displaying URLs in the status bar CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Apple Safari 1.0 through 1.2.3 allows remote attackers to spoof the URL displayed in the status bar via TABLE tags. Multiple web browsers do not properly display the location of HTML documents in the status bar. An attacker could exploit this behavior to mislead users into revealing sensitive information. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory. The first issue affects Apple's Apache configuration. Apparently Apple's default Apache configuration fails to properly block access to certain files. This issue has been assigned the CVE ID CAN-2004-1083 and is resolved in the attached Apple security update. The second issue reported in the referenced advisory affects the Apache web server on Mac OS X. This issue arises due to a failure of the affected server to properly handle HFS+ file system file resources. This issue has been assigned the CVE ID CAN-2004-1084 and is resolved in the attached Apple security update. The third issue affects Apple's windowing system and development kit (Appkit). This issue will allow an attacker to capture keyboard input that is supposed to be secure. This issue has been assigned the CVE ID CAN-2004-1081 and is resolved in the attached security update. The fourth issue surrounds the Cyrus IMAP server implementation when working with Kerberos authentication and may facilitate authentication bypass attacks. It should be noted that this issue only affects Mac OS X Server 10.3.X and earlier. This issue has been assigned CVE ID CAN-2004-1089 and is resolved in the attached security update. The fifth issue surrounds the HIToolBox. It affects only Mac OS X and Mac OS X Server 10.3.X; 10.2.X systems are not affected. This issue may allow an attacker to kill applications when running in kiosk mode. This issue has been assigned CVE ID CAN-2004-1085 and is resolved in the attached security update. 
The sixth issue affects the Postfix functionality on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update. The seventh issue surrounds the PSNormalizer utilities on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to execute arbitrary code in the context of a user running a vulnerable version of the operating system. This issue has been assigned the CVE ID CAN-2004-1086 and is resolved in the attached security update. The eighth issue affects the QuickTime Streaming Server. An attacker may leverage this issue to trigger a denial of service condition in the affected server. This issue has been assigned the CVE ID CAN-2004-1123 and is resolved in the attached security update. Finally, a vulnerability affects Apple's Terminal application. This issue may lead to a false sense of security as the affected application may report that the 'Secure Keyboard Entry' functionality is active when it is not. This issue has been assigned the CVE ID CAN-2004-1087 and is resolved in the attached security update. An attacker may leverage these issues to carry out information disclosure, authentication bypass, code execution, privilege escalation, a false sense of security, and denial of service attacks. A URI obfuscation weakness reportedly affects the Apple Safari Web Browser. This issue may be leveraged by an attacker to display false information in the status bar of an unsuspecting user, allowing an attacker to present web pages to users that seem to originate from a trusted location. The CVE ID for this issue is CAN-2004-1083. The CVE ID of this problem is CAN-2004-1084. The CVE ID for this issue is CAN-2004-1089. The CVE ID for this issue is CAN-2004-1085. The CVE ID of this problem is CAN-2004-1088. The CVE ID for this issue is CAN-2004-1086. 
Attackers can use this vulnerability to carry out denial-of-service attacks on the service program. The CVE ID for this issue is CAN-2004-1123. The CVE ID for this issue is CAN-2004-1087. TITLE: Safari "Javascript Disabled" Status Bar Spoofing SECUNIA ADVISORY ID: SA13047 VERIFY ADVISORY: http://secunia.com/advisories/13047/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: From remote SOFTWARE: Safari 1.x http://secunia.com/product/1543/ DESCRIPTION: A weakness has been discovered in Safari, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs. For more information: SA13015 Successful exploitation allows a malicious web site to obfuscate URLs in the status bar, even when javascript support has been disabled. The vulnerability has been confirmed in version 1.2.3. Other versions may also be affected. SOLUTION: Never follow links from untrusted sources. PROVIDED AND/OR DISCOVERED BY: Reported in Safari by: dereklam Vulnerability originally discovered by: Benjamin Tobias Franz OTHER REFERENCES: SA13015: http://secunia.com/advisories/13015/
VAR-200403-0070 CVE-2004-0168 Apple Mac OS X contains a vulnerability in DiskArbitration when initializing writable removable media CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging." Apple Mac OS X Safari fails to properly display URLs in the status bar. The individual security issues include: Improved notification logging (CAN-2004-0168). Undisclosed DiskArbitration security improvements for handling writeable removable media (CAN-2004-0167). Undisclosed IPSec key exchange issue (CAN-2004-0164). pppd daemon format string vulnerability described in BID 9730 (Apple Mac OS X PPPD Format String Memory Disclosure Vulnerability) (CAN-2004-0165). Unspecified security vulnerability (CAN-2004-0089) in QuickTime Streaming Server that is related to handling of request data. URI display issue (CAN-2004-0166) in the Safari web browser. Finally, 3 vulnerabilities in tcpdump. These issues are described in BID 9507 (TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability), BID 7090 (TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability) and BID 9423 (TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow Vulnerabilities). These issues are currently undergoing further analysis. Where it is appropriate, each individual issue will be assigned a unique BID and any existing BIDs will be updated accordingly to reflect the release of this Security Update. A local attacker could exploit this vulnerability to read part of the pppd process memory. However, this format string problem does not allow %n to be used in an attack; but because command-line parameters are not filtered when received, the format string problem can still be triggered when they are submitted to the vslprintf() function, and part of the pppd process memory, such as PAP or CHAP authentication information, can be obtained.
VAR-200403-0069 CVE-2004-0167 Apple Mac OS X contains a vulnerability in DiskArbitration when initializing writable removable media CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media. The individual security issues include: Improved notification logging (CAN-2004-0168). Undisclosed DiskArbitration security improvements for handling writeable removable media (CAN-2004-0167). Undisclosed IPSec key exchange issue (CAN-2004-0164). pppd daemon format string vulnerability described in BID 9730 (Apple Mac OS X PPPD Format String Memory Disclosure Vulnerability) (CAN-2004-0165). Unspecified security vulnerability (CAN-2004-0089) in QuickTime Streaming Server that is related to handling of request data. URI display issue (CAN-2004-0166) in the Safari web browser. Finally, 3 vulnerabilities in tcpdump. These issues are described in BID 9507 (TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability), BID 7090 (TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability) and BID 9423 (TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow Vulnerabilities). These issues are currently undergoing further analysis. Where it is appropriate, each individual issue will be assigned a unique BID and any existing BIDs will be updated accordingly to reflect the release of this Security Update. A local attacker could exploit this vulnerability to read part of the pppd process memory. However, this format string problem does not allow %n to be used in an attack; but because command-line parameters are not filtered when received, the format string problem can still be triggered when they are submitted to the vslprintf() function, and part of the pppd process memory, such as PAP or CHAP authentication information, can be obtained.
VAR-200403-0068 CVE-2004-0166 Apple Mac OS X contains a vulnerability in DiskArbitration when initializing writable removable media CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 related to "the display of URLs in the status bar." The individual security issues include: Improved notification logging (CAN-2004-0168). Undisclosed DiskArbitration security improvements for handling writeable removable media (CAN-2004-0167). Undisclosed IPSec key exchange issue (CAN-2004-0164). pppd daemon format string vulnerability described in BID 9730 (Apple Mac OS X PPPD Format String Memory Disclosure Vulnerability) (CAN-2004-0165). Unspecified security vulnerability (CAN-2004-0089) in QuickTime Streaming Server that is related to handling of request data. URI display issue (CAN-2004-0166) in the Safari web browser. Finally, 3 vulnerabilities in tcpdump. These issues are described in BID 9507 (TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability), BID 7090 (TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability) and BID 9423 (TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow Vulnerabilities). These issues are currently undergoing further analysis. Where it is appropriate, each individual issue will be assigned a unique BID and any existing BIDs will be updated accordingly to reflect the release of this Security Update. A local attacker could exploit this vulnerability to read part of the pppd process memory. However, this format string problem does not allow %n to be used in an attack; but because command-line parameters are not filtered when received, the format string problem can still be triggered when they are submitted to the vslprintf() function, and part of the pppd process memory, such as PAP or CHAP authentication information, can be obtained.
VAR-200403-0031 CVE-2004-0092 Vulnerability in Apple Mac OS X CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact. Unspecified vulnerabilities exist in Apple Mac OS X. Apple has released Security Update 2004-01-26 to address multiple previously known and newly discovered security vulnerabilities in Mac OS X 10.1.x through 10.3.x. Apache is a popular web server program. The mod_cgid module included with Apache has issues when using the threaded MPM, which can cause data redirection to leak sensitive information or improperly authorize access. When the threaded MPM is used, mod_cgid mishandles the CGI redirect path, which can lead to incorrectly directing CGI output to the client. Misdirected data can reveal sensitive information or improperly authorize access.
VAR-200403-0023 CVE-2004-0088 Vulnerability in Apple Mac OS X CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087. Unspecified vulnerabilities exist in Apple Mac OS X. Apple has released Security Update 2004-01-26 to address multiple previously known and newly discovered security vulnerabilities in Mac OS X 10.1.x through 10.3.x. Apache is a popular web server program. The mod_cgid module included with Apache has issues when using the threaded MPM, which can cause data redirection to leak sensitive information or improperly authorize access. When the threaded MPM is used, mod_cgid mishandles the CGI redirect path, which can lead to incorrectly directing CGI output to the client. Misdirected data can reveal sensitive information or improperly authorize access.
VAR-200403-0022 CVE-2004-0087 Vulnerability in Apple Mac OS X CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088. Unspecified vulnerabilities exist in Apple Mac OS X. Apple has released Security Update 2004-01-26 to address multiple previously known and newly discovered security vulnerabilities in Mac OS X 10.1.x through 10.3.x. Apache is a popular web server program. The mod_cgid module included with Apache has issues when using the threaded MPM, which can cause data redirection to leak sensitive information or improperly authorize access. When the threaded MPM is used, mod_cgid mishandles the CGI redirect path, which can lead to incorrectly directing CGI output to the client. Misdirected data can reveal sensitive information or improperly authorize access.
VAR-200403-0021 CVE-2004-0086 Vulnerability in Apple Mac OS X CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085. Unspecified vulnerabilities exist in Apple Mac OS X. Apple has released Security Update 2004-01-26 to address multiple previously known and newly discovered security vulnerabilities in Mac OS X 10.1.x through 10.3.x. Apache is a popular web server program. The mod_cgid module included with Apache has issues when using the threaded MPM, which can cause data redirection to leak sensitive information or improperly authorize access. When the threaded MPM is used, mod_cgid mishandles the CGI redirect path, which can lead to incorrectly directing CGI output to the client. Misdirected data can reveal sensitive information or improperly authorize access.
VAR-200403-0067 CVE-2004-0165 Apple Mac OS X Point-to-Point Protocol daemon (pppd) contains format string vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges. Unspecified vulnerabilities exist in Apple Mac OS X and Apple Mac OS X Server. Apple has reported multiple previously known and newly discovered security vulnerabilities in Mac OS X (Client and Server). The individual security issues include: Improved notification logging (CAN-2004-0168). Undisclosed DiskArbitration security improvements for handling writeable removable media (CAN-2004-0167). Undisclosed IPSec key exchange issue (CAN-2004-0164). Unspecified security vulnerability (CAN-2004-0089) in QuickTime Streaming Server that is related to handling of request data. URI display issue (CAN-2004-0166) in the Safari web browser. Finally, 3 vulnerabilities in tcpdump. These issues are described in BID 9507 (TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability), BID 7090 (TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability) and BID 9423 (TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow Vulnerabilities). These issues are currently undergoing further analysis. Where it is appropriate, each individual issue will be assigned a unique BID and any existing BIDs will be updated accordingly to reflect the release of this Security Update. When the ppp daemon processes an invalid command line argument, a function, error(), is called on the user-supplied data. Format specifiers that are contained within the supplied data will be interpreted literally, providing an attacker a conduit to read from pppd process memory. 
However, this format string problem does not allow %n to be used in an attack; but because command-line parameters are not filtered when received, the format string problem can still be triggered when they are submitted to the vslprintf() function, and part of the pppd process memory, such as PAP or CHAP authentication information, can be obtained. @stake, Inc. The vulnerability is in a function specific to pppd that does not allow for traditional exploitation (arbitrary data written to arbitrary memory locations) via %n. However, it is possible to read arbitrary data out of pppd's process. Under certain circumstances, it is also possible to 'steal' PAP/CHAP authentication credentials. This function is a custom replacement for vsnprintf(), and contains a small subset of the format specifiers. The offending function is called option_error:

    void
    option_error __V((char *fmt, ...))
    {
        va_list args;
        char buf[256];

    #if defined(__STDC__)
        va_start(args, fmt);
    #else
        char *fmt;
        va_start(args);
        fmt = va_arg(args, char *);
    #endif
        vslprintf(buf, sizeof(buf), fmt, args);
        va_end(args);
        if (phase == PHASE_INITIALIZE)
            fprintf(stderr, "%s: %s\n", progname, buf);
    #ifdef __APPLE__
        error(buf);                 /* buf is passed as the format string */
    #else
        syslog(LOG_ERR, "%s", buf); /* buf is passed as data to a fixed format */
    #endif
    }

As we can see, there is a specific Apple ifdef that will pass our buffer directly to error(). Information about Apple Security Updates may be found at http://www.info.apple.com/ Recommendation: Install the vendor supplied upgrade. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. All rights reserved. 
VAR-200403-0024 CVE-2004-0089 Apple Mac OS X TruBlueEnvironment Local Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable. Unspecified vulnerabilities exist in Apple Mac OS X. Apple has reported multiple previously known and newly discovered security vulnerabilities in Mac OS X (Client and Server). The individual security issues include: Improved notification logging (CAN-2004-0168). Undisclosed DiskArbitration security improvements for handling writeable removable media (CAN-2004-0167). Undisclosed IPSec key exchange issue (CAN-2004-0164). pppd daemon format string vulnerability described in BID 9730 (Apple Mac OS X PPPD Format String Memory Disclosure Vulnerability) (CAN-2004-0165). Unspecified security vulnerability (CAN-2004-0089) in QuickTime Streaming Server that is related to handling of request data. URI display issue (CAN-2004-0166) in the Safari web browser. Finally, 3 vulnerabilities in tcpdump. These issues are described in BID 9507 (TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability), BID 7090 (TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability) and BID 9423 (TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow Vulnerabilities). These issues are currently undergoing further analysis. Where it is appropriate, each individual issue will be assigned a unique BID and any existing BIDs will be updated accordingly to reflect the release of this Security Update. The issue has been reported to exist due to a lack of sufficient boundary checks performed on data contained in environment variables before they are copied into a reserved buffer in TruBlueEnvironment stack-based memory. It should be noted that this vulnerability was originally described as an unspecified issue in 9504. It is now being assigned a unique BID. TruBlueEnvironment is installed with the setuid root attribute by default.