Details of VAR-200701-0518

ID

VAR-200701-0518

CVE

CVE-2007-0023

TITLE

Apple UserNotificationCenter Local Privilege Escalation Vulnerability

Trust: 0.9

sources: BID: 22188 // CNNVD: CNNVD-200701-405

DESCRIPTION

The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user. Apple's UserNotificationCenter contains a vulnerability that may allow local users to gain elevated privileges. According to Apple's information, gaining elevated privileges could result in unauthorized overwriting or modification of system files. This issue stems from a flaw in the UserNotificationCenter application that results in arbitrary code-execution with wheel-group privileges. This issue affects Apple Mac OS X version 10.4.8; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. The vulnerability exists due to an error in the "fpathconf()" syscall when it is called with an unsupported file type and can be exploited to cause a system panic. The vulnerability is confirmed in version 10.4.8. Other versions may also be affected. SOLUTION: Grant only trusted users access to affected systems. PROVIDED AND/OR DISCOVERED BY: Initially discovered in FreeBSD and reported in Mac OS X by Ilja Van Sprundel. ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-09-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 4.23

sources: NVD: CVE-2007-0023 // CERT/CC: VU#315856 // CERT/CC: VU#346656 // CERT/CC: VU#765096 // JVNDB: JVNDB-2007-000077 // BID: 22188 // VULHUB: VHN-23385 // PACKETSTORM: 51846

AFFECTED PRODUCTS

vendor:	apple computer	model:	-	scope:	-	version:	-	Trust: 2.4
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4.8	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.3.x	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.4.x	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.3.x	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.4.x	Trust: 0.8
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.8	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.8	Trust: 0.3

sources: CERT/CC: VU#315856 // CERT/CC: VU#346656 // CERT/CC: VU#765096 // BID: 22188 // JVNDB: JVNDB-2007-000077 // CNNVD: CNNVD-200701-405 // NVD: CVE-2007-0023

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2007-0023
value:	MEDIUM
Trust: 1.0
CARNEGIE MELLON:	VU#315856
value:	1.49
Trust: 0.8
CARNEGIE MELLON:	VU#346656
value:	17.10
Trust: 0.8
CARNEGIE MELLON:	VU#765096
value:	5.18
Trust: 0.8
NVD:	CVE-2007-0023
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200701-405
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-23385
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2007-0023
severity:	MEDIUM
baseScore:	6.9
vectorString:	AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-23385
severity:	MEDIUM
baseScore:	6.9
vectorString:	AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#315856 // CERT/CC: VU#346656 // CERT/CC: VU#765096 // VULHUB: VHN-23385 // JVNDB: JVNDB-2007-000077 // CNNVD: CNNVD-200701-405 // NVD: CVE-2007-0023

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2007-0023

THREAT TYPE

local

Trust: 1.0

sources: BID: 22188 // PACKETSTORM: 51846 // CNNVD: CNNVD-200701-405

TYPE

Design Error

Trust: 0.9

sources: BID: 22188 // CNNVD: CNNVD-200701-405

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-000077

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-23385

PATCH

title:	Security Update 2007-002 (Panther)	url:	http://www.apple.com/support/downloads/securityupdate2007002panther.html	Trust: 0.8
title:	Security Update 2007-002 (PPC)	url:	http://www.apple.com/support/downloads/securityupdate2007002ppc.html	Trust: 0.8
title:	Security Update 2007-002 (Universal)	url:	http://www.apple.com/support/downloads/securityupdate2007002universal.html	Trust: 0.8
title:	Security Update 2007-002	url:	http://docs.info.apple.com/article.html?artnum=305102-en	Trust: 0.8
title:	Security Update 2007-002	url:	http://docs.info.apple.com/article.html?artnum=305102-ja	Trust: 0.8
title:	Security Update 2007-002 (PPC)	url:	http://www.apple.com/jp/ftp-info/reference/securityupdate2007002ppc.html	Trust: 0.8
title:	Security Update 2007-002 (Universal)	url:	http://www.apple.com/jp/ftp-info/reference/securityupdate2007002universal.html	Trust: 0.8
title:	Security Update 2007-002 (Panther)	url:	http://www.apple.com/jp/ftp-info/reference/securityupdate2007002panther.html	Trust: 0.8

sources: JVNDB: JVNDB-2007-000077

EXTERNAL IDS

db:	CERT/CC	id:	VU#315856	Trust: 3.6
db:	SECUNIA	id:	24198	Trust: 3.3
db:	SECUNIA	id:	23846	Trust: 3.3
db:	BID	id:	22188	Trust: 2.8
db:	NVD	id:	CVE-2007-0023	Trust: 2.8
db:	USCERT	id:	TA07-047A	Trust: 2.5
db:	SECTRACK	id:	1017542	Trust: 1.7
db:	VUPEN	id:	ADV-2007-0074	Trust: 1.7
db:	OSVDB	id:	32695	Trust: 1.7
db:	SECUNIA	id:	24479	Trust: 1.6
db:	SECTRACK	id:	1017751	Trust: 1.6
db:	SECUNIA	id:	22808	Trust: 0.9
db:	SECUNIA	id:	23088	Trust: 0.8
db:	BID	id:	21291	Trust: 0.8
db:	CERT/CC	id:	VU#346656	Trust: 0.8
db:	BID	id:	20982	Trust: 0.8
db:	CERT/CC	id:	VU#765096	Trust: 0.8
db:	USCERT	id:	SA07-047A	Trust: 0.8
db:	JVNDB	id:	JVNDB-2007-000077	Trust: 0.8
db:	CNNVD	id:	CNNVD-200701-405	Trust: 0.7
db:	XF	id:	31676	Trust: 0.6
db:	APPLE	id:	APPLE-SA-2007-02-15	Trust: 0.6
db:	CERT/CC	id:	TA07-047A	Trust: 0.6
db:	PACKETSTORM	id:	53874	Trust: 0.1
db:	EXPLOIT-DB	id:	3181	Trust: 0.1
db:	VULHUB	id:	VHN-23385	Trust: 0.1
db:	PACKETSTORM	id:	51846	Trust: 0.1

sources: CERT/CC: VU#315856 // CERT/CC: VU#346656 // CERT/CC: VU#765096 // VULHUB: VHN-23385 // BID: 22188 // JVNDB: JVNDB-2007-000077 // PACKETSTORM: 51846 // CNNVD: CNNVD-200701-405 // NVD: CVE-2007-0023

REFERENCES

url:	http://projects.info-pull.com/moab/moab-22-01-2007.html	Trust: 2.8
url:	http://www.kb.cert.org/vuls/id/315856	Trust: 2.8
url:	http://docs.info.apple.com/article.html?artnum=305102	Trust: 2.5
url:	http://www.securityfocus.com/bid/22188	Trust: 2.5
url:	http://www.us-cert.gov/cas/techalerts/ta07-047a.html	Trust: 2.5
url:	http://lists.apple.com/archives/security-announce/2007/feb/msg00000.html	Trust: 1.7
url:	http://www.osvdb.org/32695	Trust: 1.7
url:	http://securitytracker.com/id?1017542	Trust: 1.7
url:	http://secunia.com/advisories/23846	Trust: 1.7
url:	http://secunia.com/advisories/24198	Trust: 1.7
url:	http://secunia.com/advisories/23846/	Trust: 1.6
url:	http://secunia.com/advisories/24198/	Trust: 1.6
url:	http://docs.info.apple.com/article.html?artnum=305214	Trust: 1.6
url:	http://secunia.com/advisories/24479/	Trust: 1.6
url:	http://securitytracker.com/alerts/2007/mar/1017751.html	Trust: 1.6
url:	http://www.vupen.com/english/advisories/2007/0074	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/31676	Trust: 1.1
url:	http://projects.info-pull.com/mokb/mokb-09-11-2006.html	Trust: 0.9
url:	http://secunia.com/advisories/22808/	Trust: 0.9
url:	http://developer.apple.com/documentation/corefoundation/reference/cfusernotificationref/reference/reference.html	Trust: 0.8
url:	http://www.cocoadev.com/index.pl?inputmanager	Trust: 0.8
url:	http://projects.info-pull.com/mokb/mokb-26-11-2006.html	Trust: 0.8
url:	http://projects.info-pull.com/mokb/bug-files/mokb-26-11-2006.bz2	Trust: 0.8
url:	http://secunia.com/advisories/23088/	Trust: 0.8
url:	http://www.securityfocus.com/bid/21291	Trust: 0.8
url:	http://www.securityfocus.com/bid/20982	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-0023	Trust: 0.8
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-0023	Trust: 0.8
url:	http://www.us-cert.gov/cas/alerts/sa07-047a.html	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/31676	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2007/0074	Trust: 0.6
url:	http://www.apple.com/macosx/	Trust: 0.3
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://corporate.secunia.com/products/48/?r=l	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/product/96/	Trust: 0.1
url:	http://corporate.secunia.com/how_to_buy/15/?r=l	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1

CREDITS

LMH lmh@info-pull.com

Trust: 0.6

sources: CNNVD: CNNVD-200701-405

SOURCES

db:	CERT/CC	id:	VU#315856
db:	CERT/CC	id:	VU#346656
db:	CERT/CC	id:	VU#765096
db:	VULHUB	id:	VHN-23385
db:	BID	id:	22188
db:	JVNDB	id:	JVNDB-2007-000077
db:	PACKETSTORM	id:	51846
db:	CNNVD	id:	CNNVD-200701-405
db:	NVD	id:	CVE-2007-0023

LAST UPDATE DATE

2024-11-09T21:51:45.962000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#315856	date:	2007-02-19T00:00:00
db:	CERT/CC	id:	VU#346656	date:	2007-03-30T00:00:00
db:	CERT/CC	id:	VU#765096	date:	2007-07-21T00:00:00
db:	VULHUB	id:	VHN-23385	date:	2017-07-29T00:00:00
db:	BID	id:	22188	date:	2007-02-20T20:27:00
db:	JVNDB	id:	JVNDB-2007-000077	date:	2007-04-01T00:00:00
db:	CNNVD	id:	CNNVD-200701-405	date:	2007-01-24T00:00:00
db:	NVD	id:	CVE-2007-0023	date:	2017-07-29T01:29:54.670

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#315856	date:	2007-02-19T00:00:00
db:	CERT/CC	id:	VU#346656	date:	2007-03-14T00:00:00
db:	CERT/CC	id:	VU#765096	date:	2007-03-14T00:00:00
db:	VULHUB	id:	VHN-23385	date:	2007-01-24T00:00:00
db:	BID	id:	22188	date:	2007-01-22T00:00:00
db:	JVNDB	id:	JVNDB-2007-000077	date:	2007-04-01T00:00:00
db:	PACKETSTORM	id:	51846	date:	2006-11-10T16:02:24
db:	CNNVD	id:	CNNVD-200701-405	date:	2007-01-23T00:00:00
db:	NVD	id:	CVE-2007-0023	date:	2007-01-24T01:28:00