Details of VAR-200602-0446

ID

VAR-200602-0446

CVE

CVE-2006-0848

TITLE

Apple Safari WebKit component vulnerable to buffer overflow

Trust: 0.8

sources: CERT/CC: VU#351217

DESCRIPTION

The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension. Apple Safari WebKit component is vulnerable to buffer overflow. Mac OS X of Web browser Safari Contains an arbitrary code execution vulnerability in its default configuration. Safari Now, in the default settings, Resource forks Refer to the file type defined in .If the file type is image / video / compressed file, "Safe" file Will be processed automatically. This allows for crafted files "Safe" file There is a possibility that arbitrary code execution may be executed as a result. Exploit code that exploits this vulnerability has already been published.A remote third party could execute arbitrary code with the privileges of the logged-in user. If a user is logged in with an account with administrator privileges, the resulting vulnerable system could be completely controlled. Commands would be executed in the context of the user opening the archive file. Attackers can reportedly use Safari and Apple Mail as exploitation vectors for this vulnerability. Mac OS X 10.4.5 is reported to be vulnerable. Earlier versions may also be affected. Apple Safari is a web browser bundled with the Apple operating system. There is an issue in Safari's handling of automatic opening of downloaded files. TITLE: Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA19064 VERIFY ADVISORY: http://secunia.com/advisories/19064/ CRITICAL: Extremely critical IMPACT: Security Bypass, Cross Site Scripting, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) Various security issues exist in the PHP Apache module and scripting environment. For more information: SA17371 2) An error in automount makes it possible for malicious file servers to cause a vulnerable system to mount file systems with reserved names, which can cause a DoS (Denial of Service) or potentially allow arbitrary code execution. 3) An input validation error in the BOM framework when unpacking certain archives can be exploited to cause files to be unpacked to arbitrary locations via directory traversal attacks. 4) The "passwd" program creates temporary files insecurely, which can be exploited via symlink attacks to create or overwrite arbitrary files with "root" privileges. 5) User directories are insecurely mounted when a FileVault image is created, which may allow unauthorised access to files. 6) An error in IPSec when handling certain error conditions can be exploited to cause a DoS against VPN connections. 7) An error in the LibSystem component can be exploited by malicious people to cause a heap-based buffer overflow via applications when requesting large amounts of memory. 8) The "Download Validation" in the Mail component fails to warn users about unsafe file types when an e-mail attachment is double-clicked. 9) In certain cases a Perl program may fail to drop privileges. For more information: SA17922 10) A boundary error in rsync can be exploited by authenticated users to cause a heap-based buffer overflow when it's allowed to transfer extended attributes. 11) A boundary error in WebKit's handling of certain HTML can be exploited to cause a heap-based buffer overflow. 12) A boundary error in Safari when parsing JavaScript can be exploited to cause a stack-based buffer overflow and allows execution of arbitrary code when a malicious web page including specially crafted JavaScript is viewed. 13) An error in Safari's security model when handling HTTP redirection can be exploited to execute JavaScript in the local domain via a specially crafted web site. This vulnerability is related to: SA18963 15) An input validation error in the Syndication (Safari RSS) component can be exploited to conduct cross-site scripting attacks when subscribing to malicious RSS content. SOLUTION: Apply Security Update 2006-001. 4) Vade 79 (the vendor also credits Ilja van Sprundel and iDEFENSE). 6) The vendor credits OUSPG from the University of Oulu, NISCC, and CERT-FI. 7) The vendor credits Neil Archibald, Suresec LTD. 10) The vendor credits Jan-Derk Bakker. 11) The vendor credits Suresec LTD. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303382 Vade79: http://fakehalo.us/xosx-passwd.pl OTHER REFERENCES: SA18963: http://secunia.com/advisories/18963/ SA17922: http://secunia.com/advisories/17922/ SA17371: http://secunia.com/advisories/17371/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 3.51

sources: NVD: CVE-2006-0848 // CERT/CC: VU#351217 // CERT/CC: VU#999708 // JVNDB: JVNDB-2006-000877 // BID: 16736 // VULHUB: VHN-16956 // PACKETSTORM: 44297

AFFECTED PRODUCTS

vendor:	apple computer	model:	-	scope:	-	version:	-	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4.5	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.5	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.3.9	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.4.5	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.3.9	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.4.5	Trust: 0.8
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.9	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.9	Trust: 0.3

sources: CERT/CC: VU#351217 // CERT/CC: VU#999708 // BID: 16736 // JVNDB: JVNDB-2006-000877 // CNNVD: CNNVD-200602-347 // NVD: CVE-2006-0848

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2006-0848
value:	MEDIUM
Trust: 1.0
CARNEGIE MELLON:	VU#351217
value:	17.21
Trust: 0.8
CARNEGIE MELLON:	VU#999708
value:	35.44
Trust: 0.8
NVD:	CVE-2006-0848
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200602-347
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-16956
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2006-0848
severity:	MEDIUM
baseScore:	5.1
vectorString:	AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	4.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-16956
severity:	MEDIUM
baseScore:	5.1
vectorString:	AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	4.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#351217 // CERT/CC: VU#999708 // VULHUB: VHN-16956 // JVNDB: JVNDB-2006-000877 // CNNVD: CNNVD-200602-347 // NVD: CVE-2006-0848

PROBLEMTYPE DATA

problemtype:

CWE-16

Trust: 1.1

sources: VULHUB: VHN-16956 // NVD: CVE-2006-0848

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200602-347

TYPE

configuration error

Trust: 0.6

sources: CNNVD: CNNVD-200602-347

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-000877

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-16956

PATCH

title:	TA23971	url:	http://support.apple.com/kb/TA23971	Trust: 0.8
title:	TA23971	url:	http://support.apple.com/kb/TA23971?viewlocale=ja_JP	Trust: 0.8

sources: JVNDB: JVNDB-2006-000877

EXTERNAL IDS

db:	NVD	id:	CVE-2006-0848	Trust: 3.6
db:	CERT/CC	id:	VU#999708	Trust: 3.3
db:	BID	id:	16736	Trust: 2.8
db:	SECTRACK	id:	1015652	Trust: 2.5
db:	SECUNIA	id:	18963	Trust: 2.5
db:	USCERT	id:	TA06-053A	Trust: 2.5
db:	OSVDB	id:	23510	Trust: 1.7
db:	USCERT	id:	TA06-062A	Trust: 1.7
db:	VUPEN	id:	ADV-2006-0671	Trust: 1.7
db:	XF	id:	24808	Trust: 1.4
db:	SECUNIA	id:	19064	Trust: 0.9
db:	SECUNIA	id:	18220	Trust: 0.8
db:	CERT/CC	id:	VU#351217	Trust: 0.8
db:	JVNDB	id:	JVNDB-2006-000877	Trust: 0.8
db:	CNNVD	id:	CNNVD-200602-347	Trust: 0.7
db:	CERT/CC	id:	TA06-053A	Trust: 0.6
db:	CERT/CC	id:	TA06-062A	Trust: 0.6
db:	PACKETSTORM	id:	82306	Trust: 0.1
db:	EXPLOIT-DB	id:	16866	Trust: 0.1
db:	SEEBUG	id:	SSVID-88754	Trust: 0.1
db:	SEEBUG	id:	SSVID-71364	Trust: 0.1
db:	VULHUB	id:	VHN-16956	Trust: 0.1
db:	PACKETSTORM	id:	44297	Trust: 0.1

sources: CERT/CC: VU#351217 // CERT/CC: VU#999708 // VULHUB: VHN-16956 // BID: 16736 // JVNDB: JVNDB-2006-000877 // PACKETSTORM: 44297 // CNNVD: CNNVD-200602-347 // NVD: CVE-2006-0848

REFERENCES

url:	http://docs.info.apple.com/article.html?artnum=303382	Trust: 3.4
url:	http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx.html	Trust: 2.5
url:	http://www.heise.de/english/newsticker/news/69862	Trust: 2.5
url:	http://www.securityfocus.com/bid/16736	Trust: 2.5
url:	http://www.kb.cert.org/vuls/id/999708	Trust: 2.5
url:	http://www.us-cert.gov/cas/techalerts/ta06-053a.html	Trust: 1.7
url:	http://www.us-cert.gov/cas/techalerts/ta06-062a.html	Trust: 1.7
url:	http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php	Trust: 1.7
url:	http://www.osvdb.org/23510	Trust: 1.7
url:	http://securitytracker.com/id?1015652	Trust: 1.7
url:	http://secunia.com/advisories/18963	Trust: 1.7
url:	http://xforce.iss.net/xforce/xfdb/24808	Trust: 1.4
url:	http://docs.info.apple.com/article.html?artnum=303453	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2006/0671	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/24808	Trust: 1.1
url:	http://secunia.com/advisories/19064/	Trust: 0.9
url:	http://secunia.com/advisories/18963/	Trust: 0.9
url:	http://security-protocols.com/advisory/sp-x22-advisory.txt	Trust: 0.8
url:	http://secunia.com/advisories/18220/	Trust: 0.8
url:	http://webkit.opendarwin.org/	Trust: 0.8
url:	http://developer.apple.com/documentation/carbon/conceptual/launchservicesconcepts/lscconcepts/chapter_2_section_8.html	Trust: 0.8
url:	http://developer.apple.com/technotes/tn/tn2017.html	Trust: 0.8
url:	http://developer.apple.com/documentation/mac/moretoolbox/moretoolbox-11.html	Trust: 0.8
url:	http://docs.info.apple.com/article.html?artnum=108009	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-0397	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-0398	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-0399	Trust: 0.8
url:	http://securitytracker.com/alerts/2006/feb/1015652.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0848	Trust: 0.8
url:	http://jvn.jp/cert/jvnta06-053a/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-0848	Trust: 0.8
url:	http://www.frsirt.com/english/advisories/2006/0671	Trust: 0.6
url:	http://www.info.apple.com/usen/security/security_updates.html	Trust: 0.3
url:	http://www.apple.com/macosx/	Trust: 0.3
url:	http://secunia.com/advisories/17922/	Trust: 0.1
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://www.apple.com/support/downloads/securityupdate2006001macosx1045clientintel.html	Trust: 0.1
url:	http://www.apple.com/support/downloads/securityupdate20060011039server.html	Trust: 0.1
url:	http://www.apple.com/support/downloads/securityupdate2006001macosx1045ppc.html	Trust: 0.1
url:	http://secunia.com/advisories/17371/	Trust: 0.1
url:	http://www.apple.com/support/downloads/securityupdate20060011039client.html	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/product/96/	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1
url:	http://fakehalo.us/xosx-passwd.pl	Trust: 0.1

CREDITS

Michael Lehn

Trust: 0.6

sources: CNNVD: CNNVD-200602-347

SOURCES

db:	CERT/CC	id:	VU#351217
db:	CERT/CC	id:	VU#999708
db:	VULHUB	id:	VHN-16956
db:	BID	id:	16736
db:	JVNDB	id:	JVNDB-2006-000877
db:	PACKETSTORM	id:	44297
db:	CNNVD	id:	CNNVD-200602-347
db:	NVD	id:	CVE-2006-0848

LAST UPDATE DATE

2024-09-18T23:00:35.600000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#351217	date:	2006-03-06T00:00:00
db:	CERT/CC	id:	VU#999708	date:	2006-12-07T00:00:00
db:	VULHUB	id:	VHN-16956	date:	2017-07-20T00:00:00
db:	BID	id:	16736	date:	2016-07-06T14:40:00
db:	JVNDB	id:	JVNDB-2006-000877	date:	2009-04-03T00:00:00
db:	CNNVD	id:	CNNVD-200602-347	date:	2006-08-28T00:00:00
db:	NVD	id:	CVE-2006-0848	date:	2017-07-20T01:30:07.427

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#351217	date:	2006-03-03T00:00:00
db:	CERT/CC	id:	VU#999708	date:	2006-02-21T00:00:00
db:	VULHUB	id:	VHN-16956	date:	2006-02-22T00:00:00
db:	BID	id:	16736	date:	2006-02-21T00:00:00
db:	JVNDB	id:	JVNDB-2006-000877	date:	2009-04-03T00:00:00
db:	PACKETSTORM	id:	44297	date:	2006-03-02T21:01:19
db:	CNNVD	id:	CNNVD-200602-347	date:	2006-02-22T00:00:00
db:	NVD	id:	CVE-2006-0848	date:	2006-02-22T23:02:00