Details of VAR-200505-0310

ID

VAR-200505-0310

CVE

CVE-2005-1342

TITLE

Apple Terminal fails to properly sanitize input for "x-man-page" URI

Trust: 0.8

sources: CERT/CC: VU#356070

DESCRIPTION

The x-man-page: URI handler for Apple Terminal 1.4.4 in Mac OS X 10.3.9 does not cleanse terminal escape sequences, which allows remote attackers to execute arbitrary commands. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have published advisories for 4 security vulnerabilities in Mac OS X that were addressed by Apple Security Update 2005-005, released today. <http://docs.info.apple.com/article.html?artnum=301528>. This email contains brief summaries of the problems. Full details can be found on my web site <http://remahl.se/david/vuln/>. Description: help: URI handler execution of JavaScripts with known paths vulnerability My name: DR004 <http://remahl.se/david/vuln/004/> CVE: CAN-2005-1337 [yes, cool, isn't it ;-)] Summary: The Help Viewer application allows JavaScript and is thus vulnerable to having scripts with arbitrary paths run with the privileges granted to file: protocol URIs. The files can be started with a URI on the form of help:///path/to/file.html. Combined with XMLHttpRequest's ability to disclose arbitrary files, this security bug becomes critcal. Description: Invisible characters in applescript: URL protocol messaging vulnerability My name: DR010 <http://remahl.se/david/vuln/010/> CVE: CAN-2005-1331 Summary: URL Protocol Messaging is a technique used by Script Editor to facilitate sharing of AppleScripts between users. By clicking a link (for example in a web forum), a user can create a new Script Editor document automatically, with text from the query string of the URI. This avoids problems with copying text from the web or manually typing code snippets. However, the technique can be used to trick users into running dangerous code (with embedded control characters), since insufficient input validation is performed. Using escape sequences and social engineering attacks it is in some cases possible to trick the user into performing arbitrary commands. I would like to acknowledge the willingness of Apple's Product Security team to cooperate with me in resolving these issues. CERT's assistance has also been helpful. / Regards, David Remahl -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFCd9mHFlFiDoclYIURAjgqAJ9mLbjrfJr17eenCK6qp5S6HXKzgACeIH+a PJwheHWkjnBAG4kNnAa/6QE= =iJNj -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2005-1342 // CERT/CC: VU#356070 // BID: 13502 // VULHUB: VHN-12551 // PACKETSTORM: 38718

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.6	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.7	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.4	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.3	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.1	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.9	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.2	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.5	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.8	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3	Trust: 1.6
vendor:	apple	model:	terminal	scope:	eq	version:	1.4.4	Trust: 1.0
vendor:	apple computer	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.9	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.8	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.9	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.8	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.7	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3	Trust: 0.3

sources: CERT/CC: VU#356070 // BID: 13502 // CNNVD: CNNVD-200505-910 // NVD: CVE-2005-1342

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2005-1342
value:	HIGH
Trust: 1.0
CARNEGIE MELLON:	VU#356070
value:	22.31
Trust: 0.8
CNNVD:	CNNVD-200505-910
value:	HIGH
Trust: 0.6
VULHUB:	VHN-12551
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2005-1342
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-12551
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#356070 // VULHUB: VHN-12551 // CNNVD: CNNVD-200505-910 // NVD: CVE-2005-1342

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2005-1342

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200505-910

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-200505-910

EXTERNAL IDS

db:	OSVDB	id:	16084	Trust: 2.5
db:	SECUNIA	id:	15227	Trust: 2.5
db:	CERT/CC	id:	VU#356070	Trust: 2.5
db:	NVD	id:	CVE-2005-1342	Trust: 2.1
db:	BID	id:	13480	Trust: 1.7
db:	USCERT	id:	TA05-136A	Trust: 1.7
db:	VUPEN	id:	ADV-2005-0455	Trust: 1.7
db:	BID	id:	13502	Trust: 1.2
db:	CNNVD	id:	CNNVD-200505-910	Trust: 0.7
db:	CERT/CC	id:	TA05-136A	Trust: 0.6
db:	APPLE	id:	APPLE-SA-2005-05-03	Trust: 0.6
db:	VULHUB	id:	VHN-12551	Trust: 0.1
db:	PACKETSTORM	id:	38718	Trust: 0.1

sources: CERT/CC: VU#356070 // VULHUB: VHN-12551 // BID: 13502 // PACKETSTORM: 38718 // CNNVD: CNNVD-200505-910 // NVD: CVE-2005-1342

REFERENCES

url:	http://remahl.se/david/vuln/011/	Trust: 2.8
url:	http://lists.apple.com/archives/security-announce/2005/may/msg00001.html	Trust: 1.7
url:	http://www.securityfocus.com/bid/13480	Trust: 1.7
url:	http://www.us-cert.gov/cas/techalerts/ta05-136a.html	Trust: 1.7
url:	http://www.kb.cert.org/vuls/id/356070	Trust: 1.7
url:	http://www.osvdb.org/16084	Trust: 1.7
url:	http://secunia.com/advisories/15227	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2005/0455	Trust: 1.1
url:	http://docs.info.apple.com/article.html?artnum=301528	Trust: 0.8
url:	http://secunia.com/advisories/15227/	Trust: 0.8
url:	http://www.securityfocus.com/bid/13502/	Trust: 0.8
url:	http://www.osvdb.org/displayvuln.php?osvdb_id=16084	Trust: 0.8
url:	http://www.frsirt.com/english/advisories/2005/0455	Trust: 0.6
url:	http://www.apple.com	Trust: 0.3
url:	/archive/1/397489	Trust: 0.3
url:	-	Trust: 0.1
url:	http://remahl.se/david/vuln/010/>	Trust: 0.1
url:	http://remahl.se/david/vuln/012/>	Trust: 0.1
url:	http://remahl.se/david/vuln/011/>	Trust: 0.1
url:	http://docs.info.apple.com/article.html?artnum=301528>.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2005-1342	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2005-1341	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2005-1331	Trust: 0.1
url:	http://remahl.se/david/vuln/004/>	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2005-1337	Trust: 0.1
url:	http://remahl.se/david/vuln/>.	Trust: 0.1

sources: CERT/CC: VU#356070 // VULHUB: VHN-12551 // BID: 13502 // PACKETSTORM: 38718 // CNNVD: CNNVD-200505-910 // NVD: CVE-2005-1342

CREDITS

David Remahl※ vuln@remahl.se

Trust: 0.6

sources: CNNVD: CNNVD-200505-910

SOURCES

db:	CERT/CC	id:	VU#356070
db:	VULHUB	id:	VHN-12551
db:	BID	id:	13502
db:	PACKETSTORM	id:	38718
db:	CNNVD	id:	CNNVD-200505-910
db:	NVD	id:	CVE-2005-1342

LAST UPDATE DATE

2024-09-20T21:22:51.233000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#356070	date:	2005-05-16T00:00:00
db:	VULHUB	id:	VHN-12551	date:	2011-03-08T00:00:00
db:	BID	id:	13502	date:	2009-07-12T14:06:00
db:	CNNVD	id:	CNNVD-200505-910	date:	2005-10-20T00:00:00
db:	NVD	id:	CVE-2005-1342	date:	2011-03-08T02:21:38.847

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#356070	date:	2005-05-06T00:00:00
db:	VULHUB	id:	VHN-12551	date:	2005-05-04T00:00:00
db:	BID	id:	13502	date:	2005-05-03T00:00:00
db:	PACKETSTORM	id:	38718	date:	2005-07-15T06:39:33
db:	CNNVD	id:	CNNVD-200505-910	date:	2005-05-04T00:00:00
db:	NVD	id:	CVE-2005-1342	date:	2005-05-04T04:00:00