VARIoT IoT vulnerabilities database
| VAR-200803-0240 | CVE-2008-0998 | Apple Mac OS X NetCfgTool authorization bypass vulnerability |
| CVSS V2: 6.9 | CVSS V3: - | Severity: MEDIUM |
Unspecified vulnerability in NetCfgTool in the System Configuration component in Apple Mac OS X 10.4.11 and 10.5.2 allows local users to bypass authorization and execute arbitrary code via crafted distributed objects. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
NetCfgTool is a privileged tool that uses distributed objects to communicate with untrusted client programs on the local machine; an implementation issue in its handling of those objects lets a local user bypass its authorization checks.
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
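Item 24 above states only that an off-by-one error in libc's strnstr(3) can be exploited to cause a denial of service, without showing what such a defect looks like. The following C example is added here and is not Apple's libc code or Apple's fix: it places a bounded substring search whose loop bound admits one start position too many next to a correctly bounded version, and exercises both on a constructed haystack in which the byte just past the caller's length limit is still allocated, so the over-read is observable rather than undefined behaviour. The function names and the exact one-byte-too-far bound are illustrative assumptions about the bug class, not a description of the actual defect.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounded substring search in the style of BSD strnstr(3): look for `little`
 * in at most `len` bytes of `big`. Both functions below are illustrative;
 * neither is Apple's libc implementation or its patched version.
 */

/* Off-by-one version. The start-position bound lets a match extend one byte
 * past `len`, so the search can touch big[len], which the caller never
 * promised is readable. When the haystack ends at a page boundary that one
 * byte is a fault: the DoS outcome the advisory describes for this class. */
char *buggy_strnstr(const char *big, const char *little, size_t len)
{
    size_t little_len = strlen(little);
    if (little_len == 0)
        return (char *)big;
    /* BUG (assumed for illustration): should be `i + little_len <= len`;
     * `<= len + 1` admits one start position too many. */
    for (size_t i = 0; i + little_len <= len + 1 && big[i] != '\0'; i++) {
        if (strncmp(big + i, little, little_len) == 0)
            return (char *)big + i;
    }
    return NULL;
}

/* Correct version. A match starting at i occupies bytes i .. i+little_len-1,
 * all of which must lie below `len`. strncmp() stops at a NUL in either
 * string, so a haystack shorter than `len` is never read past its end. */
char *safe_strnstr(const char *big, const char *little, size_t len)
{
    size_t little_len = strlen(little);
    if (little_len == 0)
        return (char *)big;
    for (size_t i = 0; i + little_len <= len && big[i] != '\0'; i++) {
        if (strncmp(big + i, little, little_len) == 0)
            return (char *)big + i;
    }
    return NULL;
}

/*
 * Constructed boundary case: the caller owns the first 3 bytes of "abcd" and
 * passes len = 3. "cd" is NOT inside those 3 bytes; the 'd' is the byte just
 * past the limit (still allocated here, so the demo itself is well defined).
 * Returns 1 if the buggy version reports a match past the bound while the
 * correct version refuses it.
 */
int demo_over_read(void)
{
    static const char haystack[] = "abcd";
    const char *buggy = buggy_strnstr(haystack, "cd", 3);
    const char *safe = safe_strnstr(haystack, "cd", 3);
    return buggy == haystack + 2 && safe == NULL;
}

int main(void)
{
    printf("buggy version matches past the bound, safe version refuses: %s\n",
           demo_over_read() ? "yes" : "no");
    return 0;
}
```

The practical check when reviewing any bounded search routine is the one `demo_over_read` encodes: feed it a needle whose last byte sits exactly at index `len`, and confirm the routine returns no match.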
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
| VAR-200803-0244 | CVE-2008-1002 | Apple Safari vulnerable to XSS via the processing of JavaScript URLs |
| CVSS V2: 4.3 | CVSS V3: - | Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1 allows remote attackers to inject arbitrary web script or HTML via a crafted javascript: URL.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.11 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired.
Safari is the web browser bundled by default with Apple's operating systems.
----------------------------------------------------------------------
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library. ----------------------------------------------------------------------
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using Java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject javascript code that will run in the context of
other frames.
9) A boundary error exists in the handling of javascript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
----------------------------------------------------------------------
| VAR-200803-0241 | CVE-2008-0999 | Apple Mac OS X UDF file system denial of service (DoS) vulnerability |
| CVSS V2: 7.1 | CVSS V3: - | Severity: HIGH |
Apple Mac OS X 10.5.2 allows user-assisted attackers to cause a denial of service (crash) via a crafted Universal Disc Format (UDF) disk image, which triggers a NULL pointer dereference.
Attackers can leverage this issue to cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
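Item 29 above describes Podcast Capture handing passwords to a subtask through its command-line arguments, which exposes them to every local user through the process list for as long as the subtask runs. The following C example is an added illustration of the remediation pattern on a POSIX system and is not Apple's code: the parent writes the secret to a pipe that becomes the child's stdin instead of placing it in argv. The subtask is stood in for by a forked child that echoes the secret back so the round trip can be verified; the secret string, the buffer size and the function names are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Handing a password to a subtask. Illustrative POSIX code, not Apple's.
 *
 * Exposed pattern (the class of issue in item 29): the secret is an argv
 * element, so `ps -ef` or /proc/<pid>/cmdline shows it to every local user
 * while the subtask runs:
 *
 *     execlp("helper", "helper", "--password", password, (char *)NULL);
 *
 * Safer pattern: the secret never enters argv or the environment. The parent
 * writes it to a pipe and the child receives it on stdin.
 */

#define SECRET_MAX 256   /* assumed receive buffer size for the demo */

/*
 * Start a subtask and deliver `secret` to it over a pipe. The child here
 * stands in for the real helper: where a real implementation would exec the
 * helper after dup2(), this child reads the secret from fd 0 and echoes it
 * back on a second pipe so the caller can verify delivery. Returns the number
 * of bytes echoed back (copied NUL-terminated into `received`), or -1.
 */
ssize_t pass_secret_to_subtask(const char *secret, char *received, size_t cap)
{
    int to_child[2], from_child[2];
    if (cap == 0 || pipe(to_child) == -1)
        return -1;
    if (pipe(from_child) == -1) {
        close(to_child[0]); close(to_child[1]);
        return -1;
    }

    pid_t pid = fork();
    if (pid == -1) {
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        return -1;
    }

    if (pid == 0) {
        /* Child: stdin becomes the read end of the secret pipe. */
        close(to_child[1]);
        close(from_child[0]);
        if (dup2(to_child[0], STDIN_FILENO) == -1)
            _exit(1);
        close(to_child[0]);
        /* A real helper would execve() here with a clean argv and environment.
         * The stand-in reads the secret from stdin and echoes it back. */
        char buf[SECRET_MAX];
        ssize_t n = read(STDIN_FILENO, buf, sizeof buf);
        if (n > 0 && write(from_child[1], buf, (size_t)n) != n)
            _exit(1);
        _exit(0);
    }

    /* Parent: write the secret, then close so the child sees EOF. */
    close(to_child[0]);
    close(from_child[1]);
    size_t len = strlen(secret);
    ssize_t w = write(to_child[1], secret, len);
    close(to_child[1]);

    ssize_t n = -1;
    if (w == (ssize_t)len) {
        n = read(from_child[0], received, cap - 1);
        if (n >= 0)
            received[n] = '\0';
    }
    close(from_child[0]);

    int status;
    waitpid(pid, &status, 0);
    return n;
}

/* Round trip with a constructed secret; returns 1 when it arrives intact. */
int demo_secret_roundtrip(void)
{
    const char *secret = "constructed-example-password";
    char got[SECRET_MAX];
    ssize_t n = pass_secret_to_subtask(secret, got, sizeof got);
    return n == (ssize_t)strlen(secret) && strcmp(got, secret) == 0;
}

/* A zero-capacity receive buffer is rejected before any process is spawned. */
int demo_rejects_zero_capacity(void)
{
    char got[1];
    return pass_secret_to_subtask("x", got, 0) == -1;
}

int main(void)
{
    printf("secret delivered via pipe, not argv: %s\n",
           demo_secret_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The same idea applies when the subtask is a real executable: dup2() the read end onto fd 0 before execve(), pass an argv and envp that contain no secret, and have the helper read its password from stdin. Environment variables are not a substitute, since they are readable by the same local users through /proc/<pid>/environ.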
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
| VAR-200803-0239 | CVE-2008-0997 | Apple Mac OS X AppKit PPD file handling buffer overflow vulnerability |
| CVSS V2: 6.8 | CVSS V3: - | Severity: MEDIUM |
Stack-based buffer overflow in AppKit in Apple Mac OS X 10.4.11 allows user-assisted remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted PostScript Printer Description (PPD) file that is not properly handled when querying a network printer. Failed attacks will cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which make it even easier to stay patched.
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200803-0233 | CVE-2008-0990 | Apple Mac OS X notifyd denial of service (DoS) vulnerability |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
notifyd in Apple Mac OS X 10.4.11 does not verify that Mach port death notifications have originated from the kernel, which allows local users to cause a denial of service via spoofed death notifications that prevent other applications from receiving notifications. A malicious local user who sends spoofed death notifications can therefore prevent other applications from receiving notifications.
Attackers can leverage this issue to cause denial-of-service conditions.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
| VAR-200803-0238 | CVE-2008-0996 | Mac OS X Printing vulnerability that discloses login credentials |
CVSS V2: 1.7 CVSS V3: - Severity: LOW |
The Printing component in Apple Mac OS X 10.5.2 might save authentication credentials to disk when starting a job on an authenticated print queue, which might allow local users to obtain the credentials.
Attackers can leverage this issue to gain access to privileged authentication credentials. Other attacks are also possible.
The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28356 Apple Safari CFNetwork Arbitrary Secure Website Spoofing Vulnerability
28321 Apple Safari Error Page Cross-Site Scripting Vulnerability
28328 Apple Safari Javascript URL Parsing Cross-Site Scripting Vulnerability
28330 Apple Safari WebCore 'document.domain' Cross-Site Scripting Vulnerability
28347 Apple Safari Web Inspector Remote Code Injection Vulnerability
28326 Apple Safari WebCore 'Kotoeri' Password Field Information Disclosure Vulnerability
28332 Apple Safari WebCore 'window.open()' Function Cross-Site Scripting Vulnerability
28335 Apple Safari WebCore Java Frame Navigation Cross-Site Scripting Vulnerability
28336 Apple Safari WebCore 'document.domain' Variant Cross-Site Scripting Vulnerability
28337 Apple Safari WebCore History Object Cross-Site Scripting Vulnerability
28338 Apple Safari WebKit JavaScript Regular Expression Handling Buffer Overflow Vulnerability
28342 Apple Safari WebKit Frame Method Cross-Site Scripting Vulnerability
Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200803-0235 | CVE-2008-0993 | Apple Mac OS X Podcast Capture password disclosure via command-line arguments |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Podcast Capture in Podcast Producer for Apple Mac OS X 10.5.2 invokes a subtask with passwords in command line arguments, which allows local users to read the passwords via process listings.
Attackers can leverage this issue to gain access to privileged authentication credentials. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability
----------------------------------------------------------------------
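The Podcast Capture issue recorded above (CVE-2008-0993) is an instance of a generic pattern: anything placed in a child process's argv is visible to every local user through ps or /proc/<pid>/cmdline. The following Python script is an added illustration, not Apple's code or the Podcast Producer implementation; the child program, the "--password" / "--password-stdin" flags and the "hunter2" secret are constructed for the demo. It spawns the same child twice, once with the secret in argv (the vulnerable pattern) and once with the secret written to the child's stdin over a pipe, and reports what a process listing sees in each case.

```python
"""Added example (not Apple's code): a secret passed in argv is visible to
every local user through process listings (ps, /proc/<pid>/cmdline); the
same secret passed over a pipe to the child's stdin is not."""
import subprocess
import sys

# Child program, constructed for this example. It reports the argv it was
# given (exactly what a process listing shows) and one line read from stdin.
CHILD = (
    "import sys;"
    "print('ARGV=' + ' '.join(sys.argv[1:]));"
    "print('STDIN=' + sys.stdin.readline().rstrip('\\n'))"
)


def _proc_listing(pid):
    """What 'ps -o args' would print for pid: /proc/<pid>/cmdline on Linux,
    None where /proc is not available (e.g. macOS)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        return None


def _spawn(argv, stdin_text):
    """Start the child, snapshot its command line while it is blocked reading
    stdin, then feed it stdin_text and collect what it reports."""
    p = subprocess.Popen([sys.executable, "-c", CHILD, *argv],
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    listing = _proc_listing(p.pid)   # child is alive: it is waiting on stdin
    out, _ = p.communicate(stdin_text)
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return {"child_argv": fields.get("ARGV", ""),
            "child_stdin": fields.get("STDIN", ""),
            "proc_listing": listing}


def run_leaky(secret):
    """Vulnerable pattern (the Podcast Capture bug): secret on the command line."""
    return _spawn(["--password", secret], "")


def run_safe(secret):
    """Hardened pattern: argv only says where the secret comes from; the
    secret itself travels over a pipe that other users cannot read."""
    return _spawn(["--password-stdin"], secret + "\n")


def leaks(result, secret):
    """True if the secret is visible in the child's argv or in the OS listing."""
    return secret in result["child_argv"] or bool(
        result["proc_listing"] and secret in result["proc_listing"])


if __name__ == "__main__":
    for name, fn in (("argv", run_leaky), ("stdin", run_safe)):
        r = fn("hunter2")
        print(f"{name:5s} leaks={leaks(r, 'hunter2')} argv={r['child_argv']!r}")
```

On Linux `proc_listing` is the literal content of /proc/<pid>/cmdline, which is what `ps -o args` prints for any user; elsewhere it is None and the child's own view of argv stands in for it. Environment variables are not a safe substitute on every platform; a pipe, as here, or an inherited file descriptor keeps the secret out of the process table entirely.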
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs AppleScript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
30) Printing and Preview save encrypted PDF files using weak (40-bit
RC4) encryption, which can be brute-forced.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
| VAR-200803-0228 | CVE-2008-1009 | Apple Safari WebCore cross-site scripting vulnerability via the history object |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary JavaScript by modifying the history object. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.11 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired.
An attacker may leverage this issue to execute arbitrary script code in other frames loaded from the same web page. This may help the attacker steal potentially sensitive information and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the web browser bundled by default with Apple's operating systems. Safari 3.1 fixes several security vulnerabilities, including the following: a JavaScript injection vulnerability exists in the handling of history objects, whereby a frame can set history object properties in all other frames loaded by the same web page.
----------------------------------------------------------------------
Secunia Network Software Inspector 2.0 (NSI) - Public Beta
4 days left of beta period.
The 1st generation of the Secunia Network Software Inspector (NSI)
has been available for corporate users for almost 1 year and its been
a tremendous success.
The 2nd generation Secunia NSI is built on the same technology as the
award winning Secunia PSI, which has already been downloaded and
installed on more than 400,000 computers world wide.
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library. ----------------------------------------------------------------------
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject javascript code that will run in the context of
other frames.
9) A boundary error exists in the handling of javascript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
| VAR-200803-0230 | CVE-2008-1011 | Apple Safari WebKit cross-site scripting vulnerability in cross-frame method instance handling |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.11 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired.
An attacker may leverage this issue to access frame methods in another domain. This may help the attacker steal potentially sensitive information and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the web browser bundled by default with Apple's operating systems. If a user is tricked into visiting a malicious web page, sensitive information may be leaked.
----------------------------------------------------------------------
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
1) An error in the processing of "javascript:" URLs can be exploited
to execute arbitrary HTML and script code in context of another site
via a specially crafted web page.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context. This can be exploited to execute arbitrary script code in
the user's security context via a specially crafted web page.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject javascript code that will run in the context of
other frames.
9) A boundary error exists in the handling of javascript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
| VAR-200803-0236 | CVE-2008-0994 | Apple Mac OS X Preview encrypted PDF weak encryption (40-bit RC4) vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Preview in Apple Mac OS X 10.5.2 uses 40-bit RC4 when saving a PDF file with encryption, which makes it easier for attackers to decrypt the file via brute force methods.
Attackers can use trivial brute-force tactics to view data that was encrypted with the insecure algorithm. Information harvested may aid in further attacks. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability
----------------------------------------------------------------------
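For the 40-bit RC4 issue recorded above (CVE-2008-0994), the practitioner's question is how to tell whether a given PDF carries this weak encryption and why 40 bits is no protection. The Python below is an added example, not Apple's or Preview's code. It pulls the /Encrypt dictionary out of a PDF and classifies its cipher and key length, going beyond the Preview case to also recognise the RC4-with-/Length, AESV2 and AESV3 forms of later PDF versions, and it includes a key search for revision 2 documents: the standard security handler defines /U = RC4(file key, PAD) for R2, so a candidate key is confirmed against those 32 bytes without touching document content. The sample document is constructed here (the /O value is a dummy); the RC4 routine and the padding constant are the PDF 1.7 standard ones. The search window in the demo is deliberately tiny so it runs in well under a second; the real attack walks all 2^40 keys.

```python
"""Added example (not Apple's code): inspect a PDF's /Encrypt dictionary to
spot 40-bit RC4, and show why 40 bits is brute-forceable: for revision 2 the
/U entry is RC4(key, PAD), so every candidate key can be checked offline
against 32 bytes, no document content needed."""
import re

# Standard PDF password padding string (PDF 1.7 spec, Algorithm 3.2).
PAD = bytes.fromhex("28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")


def rc4(key, data):
    """Plain RC4: key schedule, then keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def make_encrypted_pdf(file_key):
    """Constructed sample: a minimal PDF skeleton carrying the /Encrypt dict
    Preview 10.5.2 would write (/V 1 /R 2 = 40-bit RC4). /O is a dummy;
    /U is computed as the spec requires for R2, so a key search can verify it."""
    u = rc4(file_key, PAD).hex().upper().encode()
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 /P -1\n"
            b"/O <" + b"00" * 32 + b"> /U <" + u + b"> >> endobj\n"
            b"trailer << /Root 1 0 R /Encrypt 3 0 R /ID [<00><00>] >>\n%%EOF\n")


def _dict_body(data, start):
    """Contents between the '<<' at `start` and its matching '>>'; hex strings
    <...> are skipped so a '>' inside them is not miscounted."""
    i, depth = start + 2, 1
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start + 2:i - 2]
        elif data[i:i + 1] == b"<":
            i = data.index(b">", i) + 1
        else:
            i += 1
    raise ValueError("unterminated dictionary")


def pdf_encryption_info(pdf):
    """Locate the /Encrypt dictionary (indirect or inline) and classify it.
    V 1 is always 40-bit RC4; V 2 is RC4 with /Length bits; V 4/5 name a
    crypt filter (/CFM /AESV2 or /AESV3), the modern, strong forms."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R\b", pdf)
    if ref:
        obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2)
                        + rb"\s+obj\s*(?=<<)", pdf)
        if not obj:
            raise ValueError("/Encrypt object missing")
        body = _dict_body(pdf, obj.end())
    else:
        inline = re.search(rb"/Encrypt\s*(?=<<)", pdf)
        if not inline:
            return {"encrypted": False}
        body = _dict_body(pdf, inline.end())

    def num(key, default=None):
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(m.group(1)) if m else default

    v, r, length = num(b"V", 0), num(b"R"), num(b"Length", 40)
    cfm = re.search(rb"/CFM\s*/(\w+)", body)
    cfm = cfm.group(1).decode() if cfm else None
    if v == 1:
        algo, bits = "RC4", 40
    elif v == 2:
        algo, bits = "RC4", length
    elif cfm == "AESV2":
        algo, bits = "AES-128-CBC", 128
    elif cfm == "AESV3":
        algo, bits = "AES-256-CBC", 256
    else:
        algo, bits = cfm or "unknown", length
    u = re.search(rb"/U\s*<([0-9A-Fa-f]+)>", body)
    return {"encrypted": True, "V": v, "R": r, "algorithm": algo, "key_bits": bits,
            "weak": algo == "RC4" or bits < 128,
            "U": bytes.fromhex(u.group(1).decode()) if u else None}


def recover_key_r2(u_value, first, last):
    """Brute-force the 5-byte file key of an R2 document over [first, last]
    by recomputing /U. The full 2**40 space is feasible on ordinary hardware;
    the window is kept small here only to make the demo fast."""
    target = u_value[:32]
    for k in range(first, last + 1):
        key = k.to_bytes(5, "big")
        if rc4(key, PAD) == target:
            return key
    return None
```

The point of classifying rather than just checking for /Encrypt is that the standard handler writes /V 1 regardless of how strong the user's password is, because the password only seeds the 5-byte file key, so a long passphrase buys nothing. A document that must stay confidential should show /V 5 with /CFM /AESV3; anything that classifies as RC4 here should be treated as readable by whoever holds the file.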
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
| VAR-200803-0234 | CVE-2008-0992 | Apple Mac OS X pax arbitrary code execution vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Array index error in pax in Apple Mac OS X 10.5.2 allows context-dependent attackers to execute arbitrary code via an archive with a crafted length value. This will facilitate the remote compromise of affected computers. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
| VAR-200803-0226 | CVE-2008-1007 | Apple Safari WebCore cross-site scripting vulnerability due to unenforced frame navigation policy |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
WebCore, as used in Apple Safari before 3.1, does not enforce the frame navigation policy for Java applets, which allows remote attackers to conduct cross-site scripting (XSS) attacks. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the web browser bundled by default with Apple's operating systems.
----------------------------------------------------------------------
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library.
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject javascript code that will run in the context of
other frames.
9) A boundary error exists in the handling of javascript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
----------------------------------------------------------------------
| VAR-200803-0227 | CVE-2008-1008 | Apple Safari WebCore cross-site scripting vulnerability in document.domain property handling |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via the document.domain property. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal potentially sensitive information and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the web browser bundled by default with Apple's operating systems.
----------------------------------------------------------------------
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library.
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject javascript code that will run in the context of
other frames.
9) A boundary error exists in the handling of javascript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
----------------------------------------------------------------------
| VAR-200803-0225 | CVE-2008-0988 | Apple Mac OS X libc strnstr API off-by-one error vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Off-by-one error in the Libsystem strnstr API in libc on Apple Mac OS X 10.4.11 allows context-dependent attackers to cause a denial of service (crash) via crafted arguments that trigger a buffer over-read.
An attacker can exploit this issue to cause denial-of-service conditions on applications that use the affected API. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
A single-byte bug existed in Libsystem's strnstr(3) implementation, and an application using the strnstr API could read a byte outside the user-specified limit, causing the application to terminate unexpectedly.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho, CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
| VAR-200803-0224 | CVE-2008-0987 | Apple Mac OS X DNG file processing buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Image Raw in Apple Mac OS X 10.5.2, and Digital Camera RAW Compatibility before Update 2.0 for Aperture 2 and iPhoto 7.1.2, allows remote attackers to execute arbitrary code via a crafted Adobe Digital Negative (DNG) image. Failed attacks will cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
The vulnerability has been reported in Aperture 2 and iPhoto 7.1.2
with iLife Support 8.2.
Digital Camera RAW Compatibility Update 2.0:
http://www.apple.com/support/downloads/digitalcamerarawcompatibilityupdate20.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Clint Ruoho, Laconic Security.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT1232
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho, CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
| VAR-200803-0232 | CVE-2008-0989 | Apple Mac OS X Format string vulnerability in host name handling |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in mDNSResponderHelper in Apple Mac OS X 10.5.2 allows local users to execute arbitrary code via format string specifiers in the local hostname. This occurs because 'mDNSResponderHelper' fails to adequately sanitize user-supplied input before passing it to a formatted-printing function. Failed exploit attempts will likely result in a denial of service. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
There is a format string vulnerability in mDNSResponderHelper.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: mDNSResponder: Multiple vulnerabilities
Date: January 20, 2012
Bugs: #290822
ID: 201201-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in mDNSResponder, which could
lead to execution of arbitrary code with root privileges.
Background
==========
mDNSResponder is a component of Apple's Bonjour, an initiative for
zero-configuration networking.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mDNSResponder users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mDNSResponder-212.1"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since November 21, 2009. It is likely that your system is
already no longer affected by this issue.
References
==========
[ 1 ] CVE-2007-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2386
[ 2 ] CVE-2007-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3744
[ 3 ] CVE-2007-3828
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3828
[ 4 ] CVE-2008-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0989
[ 5 ] CVE-2008-2326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2326
[ 6 ] CVE-2008-3630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3630
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused by the Podcast Capture application
passing passwords to a subtask via command-line arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200803-0229 | CVE-2008-1010 | Apple Safari of WebKit Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in WebKit, as used in Apple Safari before 3.1, allows remote attackers to execute arbitrary code via crafted regular expressions in JavaScript. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.11 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the web browser bundled by default with Apple's operating systems.
----------------------------------------------------------------------
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library.
----------------------------------------------------------------------
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
2) An error exists in the handling of web pages that have explicitly
set the document.domain property. This can be exploited to conduct
cross-site scripting attacks against sites that set the document.domain
property, or between HTTP and HTTPS sites that share the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using Java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject javascript code that will run in the context of
other frames.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
----------------------------------------------------------------------
----------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
VLC media player XSPF Memory Corruption
1. *Advisory Information*
Title: VLC media player XSPF Memory Corruption
Advisory ID: CORE-2008-1010
Advisory URL: http://www.coresecurity.com/content/vlc-xspf-memory-corruption
Date published: 2008-10-14
Date of last update: 2008-10-14
Vendors contacted: VLC
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Memory corruption
Remotely Exploitable: Yes (client side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: N/A
3. *Vulnerability Description*
VLC media player is an open-source, highly portable multimedia player
for various audio and video formats, as well as DVDs, VCDs, and various
streaming protocols. It can also be used as a server to stream in
unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.
VLC media player is vulnerable to a memory corruption vulnerability,
which can be exploited by malicious remote attackers to compromise a
user's system by providing a specially crafted XSPF playlist file. The
vulnerability exists because VLC's XSPF playlist demuxer
('demux/playlist/xspf.c') does not properly bounds-check the
'identifier' value read from an XSPF file before using it to index an
array on the heap. This can be exploited to overwrite an arbitrary
memory address in the context of the VLC media player process, and
eventually to gain arbitrary code execution, by opening a specially
crafted file.
4. *Vulnerable packages*
. VLC media player 0.9.2
5. *Non-vulnerable packages*
. VLC media player 0.9.3 (no official binary files available for
Windows platform)
. VLC media player 0.9.4
6. *Vendor Information, Solutions and Workarounds*
Update to VLC media player 0.9.4, available at
http://www.videolan.org/vlc/.
7. *Credits*
This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
VLC media player has support for the XML-based XSPF playlist format [1].
Every track in an XSPF playlist has a number of attributes, such as
'identifier, location, title and duration'. The 'identifier' attribute
is a numeric value that indicates the position of the track in the
tracklist. Here's a sample playlist in XSPF format:
/-----------
<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
<title>Sample playlist</title>
<location>C:\my-playlist.xspf</location>
<trackList>
<track>
<identifier>0</identifier>
<location>C:\My%20music\track1.mp3</location>
<extension application="http://www.videolan.org/vlc/playlist/0">
</extension>
<duration>239099</duration>
</track>
<track>
<identifier>1</identifier>
<location>C:\My%20music\track2.mp3</location>
</track>
<track>
<identifier>2</identifier>
<location>C:\My%20music\track3.mp3</location>
</track>
</trackList>
<extension application="http://www.videolan.org/vlc/playlist/0">
<item href="0" />
<item href="1" />
<item href="2" />
</extension>
</playlist>
- -----------/
VLC media player's XSPF playlist format parser
('demux/playlist/xspf.c') does not properly perform bounds-checking
before using the 'identifier' attribute value to index an array on the
heap to write data on it.
In the first place, the parser reads the 'identifier' attribute of a
track and converts its value to 'int' type using the 'atoi' function
from the standard C library, and saves it to the 'i_identifier' field of
a 'demux_sys_t' structure:
/-----------
575 else if( !strcmp( p_handler->name, "identifier" ) )
576 {
577 p_demux->p_sys->i_identifier = atoi( psz_value );
578 }
- -----------/
After that, at lines 501-502, the parser compares 'i_identifier' with
'i_tracklist_entries'. This last field is a counter that holds the
number of tracklist entries that were successfully parsed at the moment.
If 'i_identifier' is less than 'i_tracklist_entries', the value of
'i_identifier' is used to index the 'pp_tracklist' array, and
'p_new_input' is written on that position (at line '505').
/-----------
501 if( p_demux->p_sys->i_identifier <
502 p_demux->p_sys->i_tracklist_entries )
503 {
504 p_demux->p_sys->pp_tracklist[
505 p_demux->p_sys->i_identifier ] = p_new_input;
506 }
- -----------/
Since the XSPF parser does not perform bounds-checking before indexing
the array to write on it, and having 'i_identifier' fully controlled by
the user, an attacker may overwrite almost any memory address with
'p_new_input'.
This is the disassembled vulnerable code:
/-----------
70246981 . 39C2        CMP EDX,EAX                       ; i_identifier < i_tracklist_entries?
70246983 . 7D 29       JGE SHORT libplayl.702469AE
70246985 . 8B2B        MOV EBP,DWORD PTR DS:[EBX]        ; EBP = pp_tracklist = 0
70246987 . 8B7C24 44   MOV EDI,DWORD PTR SS:[ESP+44]     ; EDI = p_new_input
7024698B . 897C95 00   MOV DWORD PTR SS:[EBP+EDX*4],EDI  ; Saves p_new_input in pp_tracklist[i_identifier]
- -----------/
At this point, when parsing the first track of the playlist,
'i_tracklist_entries' is 0. The parser performs a signed comparison
between 'i_identifier' and 'i_tracklist_entries', so by supplying a
negative value for 'i_identifier' an attacker can keep the conditional
JGE jump from being taken. After that, EBP is always 0 and the attacker
controls EDX, so 'p_new_input' can be written to almost any memory
address aligned to a 4-byte boundary (the target is EDX*4, wrapping
modulo 2^32). 'p_new_input' is a pointer to a structure of type
'input_item_t', which holds information about the playlist item being
processed. At 'p_new_input + 0x10' there is a pointer to the track
filename (taken from the 'location' attribute), excluding the path.
This track filename (which is UTF-8 encoded) is controlled by the user
too, so if an attacker overwrites a specially chosen memory address and
the program executes some instructions that load 'p_new_input' into a
CPU register and perform an indirect call like 'CALL DWORD[R32 + 0x10]'
(where R32 is a 32-bit register), it will be possible to get arbitrary
code execution with the privileges of the current user.
The following Python code will generate an XSPF file that, when opened
with VLC media player 0.9.2, will crash the application when trying to
write 'p_new_input' to memory address 41424344.
/-----------
# Crafted XSPF playlist. The negative <identifier> passes the signed
# "i_identifier < i_tracklist_entries" check (0 entries at that point) and
# is then used as the array index. -1873768239 * 4 wraps modulo 2^32 to
# 0x41424344, so with pp_tracklist == NULL the write lands on that address.
# A raw string keeps the Windows paths' backslashes literal.
xspf_file_content = r'''
<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
<title>XSPF PoC</title>
<location>C:\My%20Music\playlist.xspf</location>
<trackList>
<track>
<identifier>-1873768239</identifier>
<location>C:\My%20Music\Track1.mp3</location>
<extension application="http://www.videolan.org/vlc/playlist/0">
</extension>
<duration>239099</duration>
</track>
</trackList>
<extension application="http://www.videolan.org/vlc/playlist/0">
<item href="0" />
</extension>
</playlist>
'''

# Write the playlist next to the script; open it with VLC 0.9.2 to trigger the crash.
with open('playlist.xspf', 'w') as crafted_xspf_file:
    crafted_xspf_file.write(xspf_file_content)
- -----------/
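As an added worked example (not part of the Core advisory and not VLC's own code), the following C program reproduces the arithmetic of the bug in isolation: the signed bounds check that lets a negative identifier through, its hardened form, an strtol-based replacement for the atoi() call, and the 32-bit address that the indexed write resolves to when pp_tracklist is NULL. Function names are chosen for illustration; the only value taken from the page is the PoC identifier -1873768239.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable check, shaped like xspf.c lines 501-502 in VLC 0.9.2: a signed
 * comparison against the upper bound only, so every negative index passes. */
int vulnerable_index_accepted(int i_identifier, int i_tracklist_entries)
{
    return i_identifier < i_tracklist_entries;
}

/* Hardened check: the index must lie in [0, i_tracklist_entries). */
int hardened_index_accepted(int i_identifier, int i_tracklist_entries)
{
    return i_identifier >= 0 && i_identifier < i_tracklist_entries;
}

/* Parse the text of an <identifier> element with strtol() and full
 * validation instead of atoi(), which cannot report errors and yields an
 * unspecified value on overflow. Returns 1 and stores the value on success,
 * 0 when the text is empty, has trailing garbage, overflows, or is negative. */
int parse_identifier(const char *text, int *out)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || *end != '\0')
        return 0;                      /* empty or trailing garbage */
    if (errno == ERANGE || v < 0 || v > INT_MAX)
        return 0;                      /* overflow or negative index */
    *out = (int)v;
    return 1;
}

/* Address that "MOV DWORD PTR SS:[EBP+EDX*4],EDI" writes to on 32-bit x86:
 * EBP (pp_tracklist) plus EDX (i_identifier) scaled by 4, wrapping mod 2^32. */
uint32_t x86_write_target(uint32_t pp_tracklist, int i_identifier)
{
    return pp_tracklist + (uint32_t)i_identifier * 4u;
}

int main(void)
{
    const char *poc_identifier = "-1873768239";   /* value from the PoC above */
    int id = atoi(poc_identifier);                 /* what the vulnerable parser did */
    int parsed = 0;

    printf("vulnerable check, 0 entries: %s\n",
           vulnerable_index_accepted(id, 0) ? "ACCEPTED" : "rejected");
    printf("hardened check,   0 entries: %s\n",
           hardened_index_accepted(id, 0) ? "accepted" : "REJECTED");
    printf("write target with pp_tracklist == NULL: 0x%08x\n",
           (unsigned)x86_write_target(0, id));
    printf("strtol-based parser on PoC value: %s\n",
           parse_identifier(poc_identifier, &parsed) ? "accepted" : "REJECTED");
    return 0;
}
```

The write-target computation is what makes the PoC's crash address predictable: with EBP forced to 0, the attacker picks an identifier whose value times four wraps to the desired 4-byte-aligned address, which is why the hardened check must reject negatives rather than only capping the upper bound.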
9. *Report Timeline*
2008-10-10: Core Security Technologies notifies the VLC team of the
vulnerability, and that the advisory CORE-2008-1010 will be published on
October 14th, since the vulnerability is already fixed in VLC versions
0.9.3 and 0.9.4.
2008-10-12: VLC team confirms that the vulnerability has been fixed (the
vulnerability was discovered and fixed by the VLC team on September 15th).
2008-10-14: Advisory CORE-2008-1010 is published.
10. *References*
[1] XSPF format http://www.xspf.org/
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkj1DEkACgkQyNibggitWa2M+ACghrS9hKB5saDl3ufp69iJ46P5
DHoAn2Ygu5INc0u2P+tW+m+JZATCFXp0
=LilF
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200803-0026 | CVE-2008-0060 | Apple Mac OS X of Help Viewer In any AppleScript Vulnerability in which is executed |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Help Viewer in Apple Mac OS X 10.4.11 and 10.5.2 allows remote attackers to execute arbitrary Applescript via a help:topic_list URL that injects HTML or JavaScript into a topic list page, as demonstrated using a help:runscript link.
An attacker can exploit this issue by enticing an unsuspecting user to visit a malicious 'help:topic_list' URI. This may allow arbitrary Applescript code to run in the context of the user running the application. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused by the Podcast Capture application
passing passwords to a subtask via command-line arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200803-0025 | CVE-2008-0059 | Apple Mac OS X of NSXML Race condition vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Race condition in NSXML in Foundation for Apple Mac OS X 10.4.11 allows context-dependent attackers to execute arbitrary code via a crafted XML file, related to "error handling logic".
An attacker can exploit this issue by enticing an unsuspecting user to process a malicious XML file with an application that uses the 'NSXML' API. This can allow arbitrary code to run with the privileges of the user running the application that uses the affected API. Failed attacks will cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs AppleScript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in the "strnstr()" function in libc can be
exploited to cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
| VAR-200803-0024 | CVE-2008-0058 | Apple Mac OS X Cache management race condition vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Race condition in the NSURLConnection cache management functionality in Foundation for Apple Mac OS X 10.4.11 allows remote attackers to execute arbitrary code via unspecified manipulations that cause messages to be sent to a deallocated object.
An attacker can exploit this issue by enticing an unsuspecting user to visit a malicious webpage with the Safari browser. This can allow arbitrary code to run with the privileges of the user running the browser or an application that uses the affected API. Failed attacks will cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044
----------------------------------------------------------------------