ID

VAR-200512-0623


CVE

CVE-2005-1726


TITLE

Apple Mac OS X Illegal access vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200512-759

DESCRIPTION

The CoreGraphics Window Server in Mac OS X 10.4.1 allows local users with console access to gain privileges by "launching commands into root sessions." Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update:

- A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server.
- A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs.
- A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component.
- A local privilege escalation (CAN-2005-1726) in the CoreGraphics component.
- A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders.
- A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd).
- A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks.
- A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials.
- A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems.

These vulnerabilities will be separated into individual BIDs upon further analysis of the issues.

Successful exploitation allows execution of arbitrary code.

2) A bug in AFP Server when using an ACL-enabled storage volume may in certain situations result in an ACL remaining attached when a file with POSIX-only permissions is copied.

3) An input validation error can be exploited to access arbitrary files on a Bluetooth-enabled system using directory traversal attacks via the Bluetooth file and object exchange services.

4) A weakness in CoreGraphics can be exploited via a specially crafted PDF document to crash an application using either PDFKit or CoreGraphics to render PDF documents.

7) A race condition in the temporary file creation of launchd can be exploited by malicious, local users to take ownership of arbitrary files on the system.

8) An error in LaunchServices can result in file extensions and MIME types marked as unsafe to bypass download safety checks if they're not mapped to an Apple UTI (Uniform Type Identifier).

10) A security issue in NFS causes an NFS export restricted using "-network" and "-mask" to be exported to "everyone".

11) Multiple vulnerabilities in PHP can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA14792

12) A boundary error in vpnd can be exploited by malicious, local users to cause a buffer overflow via an overly long Server_id parameter and execute arbitrary code with escalated privileges on systems configured as a VPN server.

SOLUTION: Apply Security Update 2005-006.

Mac OS X 10.3.9: http://www.apple.com/support/downloads/securityupdate2005006macosx1039.html

Mac OS X 10.4.1: http://www.apple.com/support/downloads/securityupdate2005006macosx1041.html

PROVIDED AND/OR DISCOVERED BY: 3) Kevin Finisterre, digitalmunition.com. 4) Chris Evans 6) Michael Haller 7) Neil Archibald 12) Pieter de Boer

ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=301742

OTHER REFERENCES: SA14792: http://secunia.com/advisories/14792/

Trust: 1.35

sources: NVD: CVE-2005-1726 // BID: 13899 // VULHUB: VHN-12935 // PACKETSTORM: 37938

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: eq, version: 10.4.1

Trust: 1.6

vendor: apple, model: mac os server, scope: eq, version: x10.4.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.9

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.9

Trust: 0.3

sources: BID: 13899 // CNNVD: CNNVD-200512-759 // NVD: CVE-2005-1726

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-1726
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200512-759
value: MEDIUM

Trust: 0.6

VULHUB: VHN-12935
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2005-1726
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-12935
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-12935 // CNNVD: CNNVD-200512-759 // NVD: CVE-2005-1726

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2005-1726

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-200512-759

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200512-759

EXTERNAL IDS

db: NVD, id: CVE-2005-1726

Trust: 2.0

db: BID, id: 13899

Trust: 1.4

db: SECUNIA, id: 15481

Trust: 1.2

db: VUPEN, id: ADV-2005-0712

Trust: 1.1

db: OSVDB, id: 17266

Trust: 1.1

db: SECTRACK, id: 1014144

Trust: 1.1

db: CNNVD, id: CNNVD-200512-759

Trust: 0.7

db: APPLE, id: APPLE-SA-2005-06-08

Trust: 0.6

db: VULHUB, id: VHN-12935

Trust: 0.1

db: PACKETSTORM, id: 37938

Trust: 0.1

sources: VULHUB: VHN-12935 // BID: 13899 // PACKETSTORM: 37938 // CNNVD: CNNVD-200512-759 // NVD: CVE-2005-1726

REFERENCES

url:http://docs.info.apple.com/article.html?artnum=301742

Trust: 1.8

url:http://lists.apple.com/archives/security-announce/2005/jun/msg00000.html

Trust: 1.7

url:http://www.securityfocus.com/bid/13899

Trust: 1.1

url:http://www.osvdb.org/17266

Trust: 1.1

url:http://securitytracker.com/id?1014144

Trust: 1.1

url:http://secunia.com/advisories/15481

Trust: 1.1

url:http://www.vupen.com/english/advisories/2005/0712

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/20954

Trust: 1.1

url:http://www.apple.com/macosx/

Trust: 0.3

url:http://www.info.apple.com/usen/security/security_updates.html

Trust: 0.3

url:http://www.suresec.org/advisories/adv3.pdf

Trust: 0.3

url:http://www.apple.com

Trust: 0.3

url:/archive/1/401822

Trust: 0.3

url:http://www.apple.com/support/downloads/securityupdate2005006macosx1041.html

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/secunia_vacancies/

Trust: 0.1

url:http://secunia.com/advisories/15481/

Trust: 0.1

url:http://secunia.com/advisories/14792/

Trust: 0.1

url:http://www.apple.com/support/downloads/securityupdate2005006macosx1039.html

Trust: 0.1

url:http://secunia.com/product/96/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-12935 // BID: 13899 // PACKETSTORM: 37938 // CNNVD: CNNVD-200512-759 // NVD: CVE-2005-1726

CREDITS

Discovery of the CoreGraphics issue is credited to Chris Evans. Discovery of the folder permissions issue is credited to Michael Haller. Discovery of the launchd issue is credited to Neil Archibald and Ilja Van Sprundel. Other issues were announced by

Trust: 0.6

sources: CNNVD: CNNVD-200512-759

SOURCES

db: VULHUB, id: VHN-12935
db: BID, id: 13899
db: PACKETSTORM, id: 37938
db: CNNVD, id: CNNVD-200512-759
db: NVD, id: CVE-2005-1726

LAST UPDATE DATE

2024-08-14T12:38:33.391000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-12935, date: 2017-07-11T00:00:00
db: BID, id: 13899, date: 2009-07-12T14:56:00
db: CNNVD, id: CNNVD-200512-759, date: 2006-08-08T00:00:00
db: NVD, id: CVE-2005-1726, date: 2017-07-11T01:32:44.017

SOURCES RELEASE DATE

db: VULHUB, id: VHN-12935, date: 2005-12-31T00:00:00
db: BID, id: 13899, date: 2005-06-08T00:00:00
db: PACKETSTORM, id: 37938, date: 2005-06-16T05:01:37
db: CNNVD, id: CNNVD-200512-759, date: 2005-12-31T00:00:00
db: NVD, id: CVE-2005-1726, date: 2005-12-31T05:00:00