ID

VAR-200512-0299


CVE

CVE-2005-3712


TITLE

Apple MacOS X BOMArchiveHelper Directory traversal vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200512-937

DESCRIPTION

Heap-based buffer overflow in rsync in Mac OS X 10.4 through 10.4.5 allows remote authenticated users to execute arbitrary code via long extended attributes. Apple has released Security Update 2006-001 to address multiple remote and local Mac OS X vulnerabilities. Apple has also released updates to address these issues. There is a directory traversal vulnerability in the implementation of this framework. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-053A Apple Mac OS X Safari Command Execution Vulnerability Original release date: February 22, 2006 Last revised: -- Source: US-CERT Systems Affected Apple Safari running on Mac OS X Overview A file type determination vulnerability in Apple Safari could allow a remote attacker to execute arbitrary commands on a vulnerable system. I. Details are available in the following Vulnerability Note: VU#999708 - Apple Safari may automatically execute arbitrary shell commands II. Impact A remote, unauthenticated attacker could execute arbitrary commands with the privileges of the user running Safari. If the user is logged on with administrative privileges, the attacker could take complete control of an affected system. III. Solution Since there is no known patch for this issue at this time, US-CERT is recommending a workaround. References * US-CERT Vulnerability Note VU#999708 - <http://www.kb.cert.org/vuls/id/999708> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/#sgeneral> * Apple - Mac OS X - Safari RSS - <http://www.apple.com/macosx/features/safari/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-053A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-053A Feedback VU#999708" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History Feb 22, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ/zKN30pj593lg50AQJgoQf/ZajorZz/6quzA40dc8cLxIBT70xcClH5 CKDN5nMXl1mRYYkDPF07GbcWL3lWarW5Hif0OiZfazaGNC3p9v4ZxDx/dW/ZmsYo eDznsNWNphKB6yBSIbOUSfGyh/I7pQlG3qxXRWDTA9nVK12KIkvAAoPTgBe40obu +x58gK5/ib4d+dEZ8F9SbO7/syYtcAzfzS2HrBYhG1lWWLYTaNC3hyI2nXF5lNV/ ymwaPv0ivAB9rpalus+KkajjiV5+J08dj+1JwgwcSpvuNMQ5c/8RCIILP+1bR+CL lScvGuSRYk4S0QI9nmCDvwD52sluiwp2VO1atTQ1zcgpwhvLRGo3DQ== =P2/3 -----END PGP SIGNATURE----- . Details of the fixes are available via the PHP web site (www.php.net). PHP ships with Mac OS X but is disabled by default. automount CVE-ID: CVE-2006-0384 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Malicious network servers may cause a denial of service or arbitrary code execution Description: File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names. This could cause the systems to become unresponsive, or possibly allow arbitrary code delivered from the file servers to run on the target system. BOM CVE-ID: CVE-2006-0391 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Directory traversal may occur while unpacking archives with BOM Description: The BOM framework handles the unpacking of certain types of archives. This framework is vulnerable to a directory traversal attack that can allow archived files to be unpacked into arbitrary locations that are writable by the current user. This update addresses the issue by properly sanitizing those paths. Credit to Stephane Kardas of CERTA for reporting this issue. Directory Services CVE-ID: CVE-2005-2713, CVE-2005-2714 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Malicious local users may create and manipulate files as root Description: The passwd program is vulnerable to temporary file attacks. This could lead to privilege elevation. This update addresses the issue by anticipating a hostile environment and by creating temporary files securely. Credit to Ilja van Sprundel of Suresec LTD, vade79, and iDefense (idefense.com) for reporting this issue. FileVault CVE-ID: CVE-2006-0386 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: FileVault may permit access to files during when it is first enabled Description: User directories are mounted in an unsafe fashion when a FileVault image is created. This update secures the method in which a FileVault image is created. This update addresses the issues by correctly handling the conditions that may cause crashes. Credit to OUSPG from the University of Oulu, NISCC, and CERT-FI for coordinating and reporting this issue. This could cause the targeted application to crash or execute arbitrary code. This update addresses the issue by correctly handling these memory requests. This issue does not affect systems prior to Mac OS X v10.4. Credit to Neil Archibald of Suresec LTD for reporting this issue. Mail CVE-ID: CVE-2006-0395 Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Download Validation fails to warn about unsafe file types Description: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments. perl CVE-ID: CVE-2005-4217 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9 Impact: Perl programs may fail to drop privileges Description: When a perl program running as root attempts to switch to another user ID, the operation may fail without notification to the program. This may cause a program to continue to run with root privileges, assuming they have been dropped. This can cause security issues in third-party tools. This update addresses the issue by preventing such applications from continuing if the operation fails. This issue does not affect Mac OS X v10.4 or later systems. Credit to Jason Self for reporting this issue. It may be possible for a malicious user with access to an rsync server to cause denial of service or code execution. This update addresses the problem by ensuring that the destination buffer is large enough to hold the extended attributes. This issue does not affect systems prior to Mac OS X v10.4. Credit to Jan-Derk Bakker for reporting this issue. This update addresses the issue by preventing the condition causing the overflow. Credit to Suresec LTD for reporting this issue. This update addresses the issue by performing additional bounds checking. An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions. This update addresses the issue by preventing cross-domain HTTP redirects. Safari, LaunchServices CVE-ID: CVE-2006-0394 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Viewing a malicious web site may result in arbitrary code execution Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. Syndication CVE-ID: CVE-2006-0389 Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Subscriptions to malicious RSS content can lead to cross-site scripting Description: Syndication (Safari RSS) may allow JavaScript code embedded in feeds to run within the context of the RSS reader document, allowing malicious feeds to circumvent Safari's security model. This update addresses the issue by properly removing JavaScript code from feeds. Syndication is only available in Mac OS X v10.4 and later. The following security enhancements are also included in this update: FileVault: AES-128 encrypted FileVault disk images are now created with more restrictive operating system permissions. Credit to Eric Hall of DarkArt Consulting Services for reporting this issue. iChat: A malicious application named Leap.A that attempts to propagate using iChat has been detected. Users should use caution when opening files that are obtained from the network. Further information is available via: http://docs.info.apple.com/article.html?artnum=108009 Security Update 2006-001 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.4.5 (PowerPC) and Mac OS X Server v10.4.5 The download file is named: "SecUpd2006-001Ti.dmg" Its SHA-1 digest is: 999b73a54951b4e0a7f873fecf75f92840e8b439 For Mac OS X v10.4.5 (Intel) The download file is named: "SecUpd2006-001Intel.dmg" Its SHA-1 digest is: 473f94264876fa49fa15a8b6bb4bc30956502ad5 For Mac OS X v10.3.9 The download file is named: "SecUpd2006-001Pan.dmg" Its SHA-1 digest is: b6a000d451a1b1696726ff60142fc3da08042433 For Mac OS X Server v10.3.9 The download file is named: "SecUpdSrvr2006-001Pan.dmg" Its SHA-1 digest is: 2299380d72a61eadcbd0a5c6f46c924600ff5a9c Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.5 (Build 5050) iQEVAwUBRAYYVoHaV5ucd/HdAQJQWggApQmizj2t3+/87Fqun66/HCEkFt2YhUoe cmel0/KwJhWrk+LV+CYvixbDvKuGIjP8CWB9/s78YN93pOI5WcfyTKd07rEQYkT4 i8KPrM9QjdvgIjKd6O/VAOkzBc3DqV7KNVR2Hewa3jOigTm7Yxil9o/nZt1TLxAI 9TN0uduc13WHC8WE2N41I8MQ+VdGTX3ANZkfgR90lua4A2E1ab9kCN2qbg+E7Cus SkwsKp0qSH7bl8v0/R6c1hsYG0T1RwSWU6arAEliqzrrIbCm0Yxtgwp/CYFWC46j TQNCcppNgcr/pVPojACy8WFtQ3wEb6rJ4ZjH1C5nOem2EoCBh10WFw== =1Ww0 -----END PGP SIGNATURE-----

Trust: 1.44

sources: NVD: CVE-2005-3712 // BID: 16907 // VULHUB: VHN-14920 // PACKETSTORM: 44162 // PACKETSTORM: 44321

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.4.2

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.5

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.4

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.4.3

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.4

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.4.2

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.4.5

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.4.1

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.4.4

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.3

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.4.1

Trust: 1.0

vendor:applemodel:mac os serverscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3

Trust: 0.3

sources: BID: 16907 // CNNVD: CNNVD-200512-937 // NVD: CVE-2005-3712

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-3712
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200512-937
value: MEDIUM

Trust: 0.6

VULHUB: VHN-14920
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2005-3712
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-14920
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-14920 // CNNVD: CNNVD-200512-937 // NVD: CVE-2005-3712

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.1

sources: VULHUB: VHN-14920 // NVD: CVE-2005-3712

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 44162 // CNNVD: CNNVD-200512-937

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200512-937

EXTERNAL IDS

db:NVDid:CVE-2005-3712

Trust: 2.1

db:BIDid:16907

Trust: 2.0

db:SECUNIAid:19064

Trust: 1.7

db:OSVDBid:23648

Trust: 1.7

db:USCERTid:TA06-062A

Trust: 1.7

db:VUPENid:ADV-2006-0791

Trust: 1.7

db:CNNVDid:CNNVD-200512-937

Trust: 0.7

db:NSFOCUSid:8546

Trust: 0.6

db:NSFOCUSid:8245

Trust: 0.6

db:NSFOCUSid:8546※8245※8361※8246

Trust: 0.6

db:NSFOCUSid:8246

Trust: 0.6

db:NSFOCUSid:8361

Trust: 0.6

db:CERT/CCid:TA06-062A

Trust: 0.6

db:XFid:25029

Trust: 0.6

db:APPLEid:APPLE-SA-2006-03-01

Trust: 0.6

db:VULHUBid:VHN-14920

Trust: 0.1

db:USCERTid:TA06-053A

Trust: 0.1

db:CERT/CCid:VU#999708

Trust: 0.1

db:PACKETSTORMid:44162

Trust: 0.1

db:PACKETSTORMid:44321

Trust: 0.1

sources: VULHUB: VHN-14920 // BID: 16907 // PACKETSTORM: 44162 // PACKETSTORM: 44321 // CNNVD: CNNVD-200512-937 // NVD: CVE-2005-3712

REFERENCES

url:http://lists.apple.com/archives/security-announce/2006/mar/msg00000.html

Trust: 1.7

url:http://www.securityfocus.com/bid/16907

Trust: 1.7

url:http://www.us-cert.gov/cas/techalerts/ta06-062a.html

Trust: 1.7

url:http://docs.info.apple.com/article.html?artnum=303382

Trust: 1.7

url:http://www.osvdb.org/23648

Trust: 1.7

url:http://secunia.com/advisories/19064

Trust: 1.7

url:http://www.vupen.com/english/advisories/2006/0791

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/25029

Trust: 1.1

url:http://www.frsirt.com/english/advisories/2006/0791

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/25029

Trust: 0.6

url:http://www.nsfocus.net/vulndb/8546※8245※8361※8246

Trust: 0.6

url:http://www.apple.com/macosx/

Trust: 0.3

url:http://www.suresec.org/advisories/adv11.pdf

Trust: 0.3

url:/archive/1/426586

Trust: 0.3

url:http://www.kb.cert.org/vuls/id/999708>

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta06-053a.html>

Trust: 0.1

url:http://www.apple.com/macosx/features/safari/>

Trust: 0.1

url:http://www.us-cert.gov/cas/signup.html>.

Trust: 0.1

url:http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>

Trust: 0.1

url:http://www.us-cert.gov/legal.html>

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-2713

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0387

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=61798

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-4504

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-3712

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-2714

Trust: 0.1

url:http://www.apple.com/support/security/pgp/

Trust: 0.1

url:http://www.apple.com/support/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0394

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-3391

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0395

Trust: 0.1

url:https://www.php.net).

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-4217

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0391

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-3319

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0383

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0384

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-3353

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0388

Trust: 0.1

url:http://docs.info.apple.com/article.html?artnum=108009

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-3706

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-0386

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-3392

Trust: 0.1

sources: VULHUB: VHN-14920 // BID: 16907 // PACKETSTORM: 44162 // PACKETSTORM: 44321 // CNNVD: CNNVD-200512-937 // NVD: CVE-2005-3712

CREDITS

Stéphane Kardas

Trust: 0.6

sources: CNNVD: CNNVD-200512-937

SOURCES

db:VULHUBid:VHN-14920
db:BIDid:16907
db:PACKETSTORMid:44162
db:PACKETSTORMid:44321
db:CNNVDid:CNNVD-200512-937
db:NVDid:CVE-2005-3712

LAST UPDATE DATE

2024-11-23T21:00:47.004000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-14920date:2017-07-11T00:00:00
db:BIDid:16907date:2006-04-11T19:02:00
db:CNNVDid:CNNVD-200512-937date:2006-09-27T00:00:00
db:NVDid:CVE-2005-3712date:2024-11-21T00:02:29.987

SOURCES RELEASE DATE

db:VULHUBid:VHN-14920date:2005-12-31T00:00:00
db:BIDid:16907date:2006-03-01T00:00:00
db:PACKETSTORMid:44162date:2006-02-26T03:08:24
db:PACKETSTORMid:44321date:2006-03-03T08:09:05
db:CNNVDid:CNNVD-200512-937date:2005-11-14T00:00:00
db:NVDid:CVE-2005-3712date:2005-12-31T05:00:00