ID

VAR-200505-0355


CVE

CVE-2005-1337


TITLE

Apple Mac OS X Code execution vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200505-909

DESCRIPTION

Apple Help Viewer 2.0.7 and 3.0.0 in Mac OS X 10.3.9 allows remote attackers to read and execute arbitrary scripts with less restrictive privileges via a help:// URI.

Apple Mac OS X is prone to a JavaScript execution vulnerability. This issue exists in the Help Viewer URI handler. A maliciously crafted JavaScript file loaded by the Help Viewer would be executed with local privileges. This issue was initially reported in BID 13480 (Apple Mac OS X Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a new BID.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have published advisories for 4 security vulnerabilities in Mac OS X that were addressed by Apple Security Update 2005-005, released today. <http://docs.info.apple.com/article.html?artnum=301528>. This email contains brief summaries of the problems. Full details can be found on my web site <http://remahl.se/david/vuln/>.

Description: help: URI handler execution of JavaScripts with known paths vulnerability
My name: DR004 <http://remahl.se/david/vuln/004/>
CVE: CAN-2005-1337 [yes, cool, isn't it ;-)]
Summary: The Help Viewer application allows JavaScript and is thus vulnerable to having scripts with arbitrary paths run with the privileges granted to file: protocol URIs. The files can be started with a URI in the form of help:///path/to/file.html. Combined with XMLHttpRequest's ability to disclose arbitrary files, this security bug becomes critical.

Description: Invisible characters in applescript: URL protocol messaging vulnerability
My name: DR010 <http://remahl.se/david/vuln/010/>
CVE: CAN-2005-1331
Summary: URL Protocol Messaging is a technique used by Script Editor to facilitate sharing of AppleScripts between users. By clicking a link (for example in a web forum), a user can create a new Script Editor document automatically, with text from the query string of the URI. This avoids problems with copying text from the web or manually typing code snippets. However, the technique can be used to trick users into running dangerous code (with embedded control characters), since insufficient input validation is performed.

Description: Apple Terminal insufficient input sanitation of x-man-path: URIs vulnerability
My name: DR011 <http://remahl.se/david/vuln/011/>
CVE: CAN-2005-1342
Summary: Apple Terminal fails to properly sanitize the contents of x-man-path: URIs passed to it. This can lead to execution of arbitrary commands, aided by some of the escape sequences that Terminal supports.

Description: Mac OS X terminal emulators allow reading and writing of window title through escape sequences
My name: DR012 <http://remahl.se/david/vuln/012/>
CVE: CAN-2005-1341
Summary: Apple Terminal (often referred to as Terminal.app) and xterm which both ship with current versions of Mac OS X are vulnerable to a well-known type of attack when displaying untrusted content. Using escape sequences and social engineering attacks it is in some cases possible to trick the user into performing arbitrary commands.

I would like to acknowledge the willingness of Apple's Product Security team to cooperate with me in resolving these issues. CERT's assistance has also been helpful.

/ Regards, David Remahl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCd9mHFlFiDoclYIURAjgqAJ9mLbjrfJr17eenCK6qp5S6HXKzgACeIH+a
PJwheHWkjnBAG4kNnAa/6QE=
=iJNj
-----END PGP SIGNATURE-----

Trust: 1.35

sources: NVD: CVE-2005-1337 // BID: 13496 // VULHUB: VHN-12546 // PACKETSTORM: 38718

AFFECTED PRODUCTS

vendor: apple, model: mac os x server, scope: eq, version: 10.3.9

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: 10.3.9

Trust: 1.6

vendor: apple, model: mac os server, scope: eq, version: x10.3.9

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.8

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.7

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.6

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.5

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.2

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.9

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.8

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.7

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3

Trust: 0.3

sources: BID: 13496 // CNNVD: CNNVD-200505-909 // NVD: CVE-2005-1337

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-1337
value: HIGH

Trust: 1.0

CNNVD: CNNVD-200505-909
value: HIGH

Trust: 0.6

VULHUB: VHN-12546
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2005-1337
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-12546
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-12546 // CNNVD: CNNVD-200505-909 // NVD: CVE-2005-1337

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2005-1337

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200505-909

TYPE

access verification error

Trust: 0.6

sources: CNNVD: CNNVD-200505-909

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-12546

EXTERNAL IDS

db: NVD, id: CVE-2005-1337

Trust: 2.1

db: CNNVD, id: CNNVD-200505-909

Trust: 0.7

db: APPLE, id: APPLE-SA-2005-05-03

Trust: 0.6

db: BID, id: 13496

Trust: 0.4

db: PACKETSTORM, id: 38718

Trust: 0.2

db: VULHUB, id: VHN-12546

Trust: 0.1

sources: VULHUB: VHN-12546 // BID: 13496 // PACKETSTORM: 38718 // CNNVD: CNNVD-200505-909 // NVD: CVE-2005-1337

REFERENCES

url:http://remahl.se/david/vuln/004/

Trust: 2.0

url:http://lists.apple.com/archives/security-announce/2005/may/msg00001.html

Trust: 1.7

url:http://www.apple.com

Trust: 0.3

url:/archive/1/397489

Trust: 0.3

url:http://remahl.se/david/vuln/010/

Trust: 0.1

url:http://remahl.se/david/vuln/012/

Trust: 0.1

url:http://remahl.se/david/vuln/011/

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=301528

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-1342

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-1341

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-1331

Trust: 0.1

url:http://remahl.se/david/vuln/004/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-1337

Trust: 0.1

url:http://remahl.se/david/vuln/

Trust: 0.1

sources: VULHUB: VHN-12546 // BID: 13496 // PACKETSTORM: 38718 // CNNVD: CNNVD-200505-909 // NVD: CVE-2005-1337

CREDITS

David Remahl (vuln@remahl.se)

Trust: 0.6

sources: CNNVD: CNNVD-200505-909

SOURCES

db: VULHUB, id: VHN-12546
db: BID, id: 13496
db: PACKETSTORM, id: 38718
db: CNNVD, id: CNNVD-200505-909
db: NVD, id: CVE-2005-1337

LAST UPDATE DATE

2024-08-14T12:12:15.084000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-12546, date: 2008-09-05T00:00:00
db: BID, id: 13496, date: 2009-07-12T14:06:00
db: CNNVD, id: CNNVD-200505-909, date: 2005-10-20T00:00:00
db: NVD, id: CVE-2005-1337, date: 2008-09-05T20:48:52.797

SOURCES RELEASE DATE

db: VULHUB, id: VHN-12546, date: 2005-05-04T00:00:00
db: BID, id: 13496, date: 2005-05-03T00:00:00
db: PACKETSTORM, id: 38718, date: 2005-07-15T06:39:33
db: CNNVD, id: CNNVD-200505-909, date: 2005-05-04T00:00:00
db: NVD, id: CVE-2005-1337, date: 2005-05-04T04:00:00