ID

VAR-200512-0291

CVE

CVE-2005-3704

TITLE

Mac OS X and OS X Server Syslog server message spoofing vulnerability

DESCRIPTION

System log server in Mac OS X and OS X Server 10.4 through 10.4.3 allows remote attackers to spoof syslog messages in log files by injecting various control characters such as newline (NL). Apple has released Security Update 2005-008 to address multiple Mac OS X local and remote vulnerabilities. NOTE: This BID is being retired because the issues are now documented in the following individual records: 16882 Apple Mac OS X CoreFoundation Remote Buffer Overflow Vulnerability 16903 Apple Mac OS X Iodbcadmintool Local Privilege Escalation Vulnerability 16904 Apple Mac OS X Passwordserver Local Privilege Escalation Vulnerability 16926 Apple Safari Remote Directory Traversal Vulnerability 29011 Apple Safari WebKit Unspecified Heap Overflow Vulnerability 14106 Apache HTTP Request Smuggling Vulnerability 14721 Apache Mod_SSL SSLVerifyClient Restriction Bypass Vulnerability 15102 Multiple Vendor WGet/Curl NTLM Username Buffer Overflow Vulnerability 15071 OpenSSL Insecure Protocol Negotiation Weakness 14620 PCRE Regular Expression Heap Overflow Vulnerability 14011 Apple Safari Dialog Box Origin Spoofing Vulnerability 13993 Todd Miller Sudo Local Race Condition Vulnerability. For more information: SA14530 2) An error in the Apache web server's "mod_ssl" module may be exploited by malicious people to bypass certain security restrictions. For more information: SA16700 3) A boundary error exists in CoreFoundation when resolving certain URL. 4) An error in curl when handling NTLM authentication can be exploited by malicious people to compromise a user's system. For more information: SA17193 5) An error exists in the ODBC Administrator utility helper tool "iodbcadmintoo". 6) An error in OpenSSL when handling certain compatibility options can potentially be exploited by malicious people to perform protocol rollback attacks. 8) An integer overflow error exists in the PCRE library that is used by Safari's JavaScript engine. This can potentially be exploited by malicious people to compromise a user's system. This can be exploited to cause the download file to be saved outside of the designated download directory. For more information: SA15474 11) A boundary error exists in WebKit when handling certain specially crafted content. For more information: SA15744 13) The syslog server does not properly sanitise messages before recording them. SOLUTION: Apply Security Update 2005-009. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=302847 OTHER REFERENCES: SA14530: http://secunia.com/advisories/14530/ SA16700: http://secunia.com/advisories/16700/ SA17193: http://secunia.com/advisories/17193/ SA17151: http://secunia.com/advisories/17151/ SA16502: http://secunia.com/advisories/16502/ SA15474: http://secunia.com/advisories/15474/ SA15744: http://secunia.com/advisories/15744/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2005-11-29 Security Update 2005-009 Security Update 2005-009 is now available and delivers the following security enhancements: Apache2 CVE-ID: CVE-2005-2088 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3 Impact: Cross-site scripting may be possible in certain configurations Description: The Apache 2 web server may allow an attacker to bypass protections using specially-crafted HTTP headers. This behavior is only present when Apache is used in conjunction with certain proxy servers, caching servers, or web application firewalls. This update addresses the issue by incorporating Apache version 2.0.55. Only Apache configurations that include the "SSLVerifyClient require" directive may be affected. CoreFoundation CVE-ID: CVE-2005-2757 Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Resolving a maliciously-crafted URL may result in crashes or arbitrary code execution Description: By carefully crafting a URL, an attacker can trigger a heap buffer overflow in CoreFoundation which may result in a crash or arbitrary code execution. CoreFoundation is used by Safari and other applications. This update addresses the issue by performing additional validation of URLs. This issue does not affect systems prior to Mac OS X v10.4. curl CVE-ID: CVE-2005-3185 Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Visiting a malicious HTTP server and using NTLM authentication may result in arbitrary code execution Description: Using curl with NTLM authentication enabled to download an HTTP resource may allow an attacker to supply an overlong user or domain name. This may cause a stack buffer overflow and lead to arbitrary code execution. This update addresses the issue by performing additional validation when using NTLM authentication. This issue does not affect systems prior to Mac OS X v10.4. iodbcadmintool CVE-ID: CVE-2005-3700 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Local users may gain elevated privileges Description: The ODBC Administrator utility includes a helper tool called iodbcadmintool that executes with raised privileges. This helper tool contains a vulnerability that may allow local users to execute arbitrary commands with raised privileges. This update addresses the issue by providing an updated iodbcadmintool that is not susceptible. Such attacks may cause an SSL connection to use the SSLv2 protocol which provides less protection than SSLv3 or TLS. Further information on this issue is available at http://www.openssl.org/news/secadv_20051011.txt. This update addresses the issue by incorporating OpenSSL version 0.9.7i. passwordserver CVE-ID: CVE-2005-3701 Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3 Impact: Local users on Open Directory master servers may gain elevated privileges Description: When creating an Open Directory master server, credentials may be compromised. This could lead to unprivileged local users gaining elevated privileges on the server. This update addresses the issue by ensuring the credentials are protected. Safari CVE-ID: CVE-2005-2491 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Processing a regular expressions may result in arbitrary code execution Description: The JavaScript engine in Safari uses a version of the PCRE library that is vulnerable to a potentially exploitable heap overflow. This may lead to the execution of arbitrary code. This update addresses the issue by providing a new version of the JavaScript engine that incorporates more robust input validation. However, if a web site suggests an overlong filename for a download, it is possible for Safari to create this file in other locations. Although the filename and location of the downloaded file content cannot be directly specified by remote servers, this may still lead to downloading content into locations accessible to other users. This update addresses the issue by rejecting overlong filenames. Safari CVE-ID: CVE-2005-3703 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: JavaScript dialog boxes in Safari may be misleading Description: In Safari, JavaScript dialog boxes do not indicate the web site that created them. This could mislead users into unintentionally disclosing information to a web site. This update addresses the issue by displaying the originating site name in JavaScript dialog boxes. Credit to Jakob Balle of Secunia Research for reporting this issue. Safari CVE-ID: CVE-2005-3705 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.3, Mac OS X Server v10.4.3 Impact: Visiting malicious web sites with WebKit-based applications may lead to arbitrary code execution Description: WebKit contains a heap overflow that may lead to the execution of arbitrary code. This may be triggered by content downloaded from malicious web sites in applications that use WebKit such as Safari. This update addresses the issue by removing the heap overflow from WebKit. Credit to Neil Archibald of Suresec LTD and Marco Mella for reporting this issue. Although the default configuration is not vulnerable to this issue, custom sudo configurations may not properly restrict users. Further information on this issue is available from: http://www.sudo.ws/sudo/alerts/path_race.html This update addresses the issue by incorporating sudo version 1.6.8p9. By supplying control characters such as the newline character, a local attacker could forge entries with the intention to mislead the system administrator. This update addresses the issue by specially handling control characters and other non-printable characters. This issue does not affect systems prior to Mac OS X v10.4. Credit to HELIOS Software GmbH for reporting this issue. Additional Information Also included in this update are enhancements to Safari to improve handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac OS X v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X v10.4.3), and ServerMigration to remove unneeded privileges. Security Update 2005-009 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.4.3 The download file is named: "SecUpd2005-009Ti.dmg" Its SHA-1 digest is: 544f51a7bc73a57dbca95e05693904aadb2f94b1 For Mac OS X Server v10.4.3 The download file is named: "SecUpdSrvr2005-009Ti.dmg" Its SHA-1 digest is: b7620426151b8f1073c9ff73b2adf43b3086cc60 For Mac OS X v10.3.9 The download file is named: "SecUpd2005-009Pan.dmg" Its SHA-1 digest is: ea17ad7852b3e6277f53c2863e51695ac7018650 For Mac OS X Server v10.3.9 The download file is named: "SecUpdSrvr2005-009Pan.dmg" Its SHA-1 digest is: b03711729697ea8e6b683eb983343f2f3de3af13 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.1 (Build 2185) iQEVAwUBQ4zotIHaV5ucd/HdAQJiPAf/S7bsLZk3R7I8FBidCKQ/bxSxjhTFx8sK vqsVFNDsXzv+tEa3IP58D8lI8lF94o+50p59qaPWxHzl4HxPVKlH4YCiBesYmVRp FcGo0qbzj5wJzdWADPV+I8O+/CR5k8J35PuKDIzPabnO67nxoXc/DF6go50e5Hr9 Yqs2477ufq0ANd8wG9dF5pfcYwD8KRLfOmfJ9ZVhbG8Up0uO4JH71cTQZIFcKkYf g6N9SCnqx5JqCwsRx85a8WuY1x97K3zqP53/bt4Wzi76VaaSaYj01nVywworTik4 YzOWOckJmWU9+66iby9mKY2mzz+u/vwtiMp577yT4y9FiSg6yp7mWQ== =jnz9 -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Unknown

EXTERNAL IDS

REFERENCES

CREDITS

Todd C. Miller Todd.Miller@courtesan.com

SOURCES

LAST UPDATE DATE

2024-08-14T12:36:55.496000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE