Details of VAR-200609-0484

ID

VAR-200609-0484

CVE

CVE-2006-4866

TITLE

Apple OS X of kextload Vulnerable to buffer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2006-001274

DESCRIPTION

Buffer overflow in kextload in Apple OS X, as used by TDIXSupport in Roxio Toast Titanium and possibly other products, allows local users to execute arbitrary code via a long extension argument. Apple Mac OS X kextload is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied data before copying it to a finite-sized memory buffer. This issue is not exploitable by itself, because kextload is not installed as a setuid-superuser application by default. To exploit this issue, an attacker must use another program running with elevated privileges to directly manipulate the arguments passed to kextload. An attacker can exploit this issue to execute arbitrary machine code with superuser privileges. A successful exploit may result in the complete compromise of the affect computer

Trust: 1.98

sources: NVD: CVE-2006-4866 // JVNDB: JVNDB-2006-001274 // BID: 20034 // VULHUB: VHN-20974

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4.7	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4.3	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.8	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4.2	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4.5	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4.6	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4.1	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.4.4	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.9	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.0.3	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2.8	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2.5	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2.5	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.2	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.1.5	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.1.5	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.0.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.1	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.0.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.0	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.1.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2.1	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2.1	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2.4	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.5	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.0	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2.3	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.1.1	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2.3	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.5	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2.4	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.4	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.1	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.4	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.3	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.1.4	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.1.4	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.5	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.7	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2.7	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.1.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.4	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.7	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2.2	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2.7	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.0.4	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.1.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.3	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.7	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.3	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.8	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.9	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.1.3	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.3.2	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.1.3	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.3.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2.8	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	-	version:	-	Trust: 0.8
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.8	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.1.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.0.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2.8	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.1.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.0.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.1.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.8	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.1.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.1.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.1.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.9	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.1.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.9	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.1.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.0	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.1.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.0	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2.3	Trust: 0.3
vendor:	cosmicperl	model:	directory pro	scope:	eq	version:	10.0.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.1.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2.7	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.2.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.3.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.3.8	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.0.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.0.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.03	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.1	Trust: 0.3

sources: BID: 20034 // JVNDB: JVNDB-2006-001274 // CNNVD: CNNVD-200609-331 // NVD: CVE-2006-4866

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2006-4866
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2006-4866
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200609-331
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-20974
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2006-4866
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-20974
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-20974 // JVNDB: JVNDB-2006-001274 // CNNVD: CNNVD-200609-331 // NVD: CVE-2006-4866

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-4866

THREAT TYPE

local

Trust: 0.9

sources: BID: 20034 // CNNVD: CNNVD-200609-331

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200609-331

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-001274

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-20974

PATCH

title:

Top Page

url:

http://www.apple.com/macosx/

Trust: 0.8

sources: JVNDB: JVNDB-2006-001274

EXTERNAL IDS

db:	NVD	id:	CVE-2006-4866	Trust: 2.5
db:	BID	id:	20034	Trust: 2.0
db:	JVNDB	id:	JVNDB-2006-001274	Trust: 0.8
db:	CNNVD	id:	CNNVD-200609-331	Trust: 0.7
db:	FULLDISC	id:	20060913 [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANUM 7 HELPER APP - LOCAL ROOT COMROMISE]	Trust: 0.6
db:	EXPLOIT-DB	id:	28578	Trust: 0.1
db:	SEEBUG	id:	SSVID-82136	Trust: 0.1
db:	VULHUB	id:	VHN-20974	Trust: 0.1

sources: VULHUB: VHN-20974 // BID: 20034 // JVNDB: JVNDB-2006-001274 // CNNVD: CNNVD-200609-331 // NVD: CVE-2006-4866

REFERENCES

url:	http://lists.grok.org.uk/pipermail/full-disclosure/2006-september/049452.html	Trust: 2.0
url:	http://www.securityfocus.com/bid/20034	Trust: 1.7
url:	http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-4866	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-4866	Trust: 0.8
url:	http://developer.apple.com/documentation/darwin/reference/manpages/man8/kextload.8.html	Trust: 0.3
url:	http://www.roxio.com/en/products/toast/index.jhtml	Trust: 0.3

sources: VULHUB: VHN-20974 // BID: 20034 // JVNDB: JVNDB-2006-001274 // CNNVD: CNNVD-200609-331 // NVD: CVE-2006-4866

CREDITS

Adriel T. Desautels is credited with the discovery of this vulnerability.

Trust: 0.9

sources: BID: 20034 // CNNVD: CNNVD-200609-331

SOURCES

db:	VULHUB	id:	VHN-20974
db:	BID	id:	20034
db:	JVNDB	id:	JVNDB-2006-001274
db:	CNNVD	id:	CNNVD-200609-331
db:	NVD	id:	CVE-2006-4866

LAST UPDATE DATE

2024-08-14T15:15:07.346000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-20974	date:	2008-09-05T00:00:00
db:	BID	id:	20034	date:	2006-09-15T19:27:00
db:	JVNDB	id:	JVNDB-2006-001274	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200609-331	date:	2006-09-21T00:00:00
db:	NVD	id:	CVE-2006-4866	date:	2008-09-05T21:10:47

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-20974	date:	2006-09-19T00:00:00
db:	BID	id:	20034	date:	2006-09-14T00:00:00
db:	JVNDB	id:	JVNDB-2006-001274	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200609-331	date:	2006-09-19T00:00:00
db:	NVD	id:	CVE-2006-4866	date:	2006-09-19T19:07:00