ID

VAR-200803-0014

CVE

CVE-2008-0048

TITLE

Apple Mac OS X of AppKit of NSDocument API Vulnerable to buffer overflow

DESCRIPTION

Stack-based buffer overflow in AppKit in Apple Mac OS X 10.4.11 allows context-dependent attackers to execute arbitrary code via the a long file name to the NSDocument API. Failed attacks will cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier. NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID: 28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044. There is a stack overflow vulnerability in the way the NSDocument API handles filenames, which is not available on most filesystems. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server. Successful exploitation may allow execution of arbitrary code. 2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used. 3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. 6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed. Successful exploitation may allow execution of arbitrary code. 7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA23347 SA24187 SA24891 SA26038 SA26530 SA28117 SA28907 9) An integer overflow error exists in CoreFoundation when handling time zone data. 10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari. 13) A boundary error in curl can be exploited to compromise a user's system. For more information: SA17907 14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system. For more information: SA27508 15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system. For more information: SA24548 16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name. 17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges. 18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure. 19) A race condition error exists in the cache management of NSURLConnection. Safari). 20) A race condition error exists in NSXML. 21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript. 22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file. 23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system. For more information: SA29428 24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS. 25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string. 26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd. 27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code. 28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions. For more information: SA27648 SA28318 29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments. 30) Printing and Preview handle PDF files with weak encryption. 31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk. 33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image. 35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 SA28532 36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA22900 SA25292 SA27093 SA27130 SOLUTION: Apply Security Update 2008-002. Security Update 2008-002 v1.0 (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html Security Update 2008-002 v1.0 (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10universal.html Security Update 2008-002 v1.0 (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html Security Update 2008-002 v1.0 Server (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html Security Update 2008-002 v1.0 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html Security Update 2008-002 v1.0 Server (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm 11) regenrecht via iDefense 19) Daniel Jalkut, Red Sweater Software 22) Brian Mastenbrook 24) Mike Ash, Rogue Amoeba Software 29) Maximilian Reiss, Chair for Applied Software Engineering, TUM 33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega 34) Rodrigo Carvalho CORE Security Technologies ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307562 CORE-2008-0123: http://www.coresecurity.com/?action=item&id=2189 OTHER REFERENCES: SA17907: http://secunia.com/advisories/17907/ SA18008: http://secunia.com/advisories/18008/ SA21187: http://secunia.com/advisories/21197/ SA22900: http://secunia.com/advisories/22900/ SA23347: http://secunia.com/advisories/23347/ SA24187: http://secunia.com/advisories/24187/ SA24548: http://secunia.com/advisories/24548/ SA24891: http://secunia.com/advisories/24891/ SA25292: http://secunia.com/advisories/25292/ SA26038: http://secunia.com/advisories/26038/ SA26530: http://secunia.com/advisories/26530/ SA26636: http://secunia.com/advisories/26636/ SA27040: http://secunia.com/advisories/27040/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA27648: http://secunia.com/advisories/27648/ SA27508: http://secunia.com/advisories/27508/ SA27906: http://secunia.com/advisories/27906/ SA28046: http://secunia.com/advisories/28046/ SA28117: http://secunia.com/advisories/28117/ SAS28318: http://secunia.com/advisories/28318/ SA28532: http://secunia.com/advisories/28532/ SA28907: http://secunia.com/advisories/28907/ SA29428: http://secunia.com/advisories/29428/ SA29431: http://secunia.com/advisories/29431/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

network

TYPE

buffer overflow

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Ragnar SundbladregenrechtDaniel JalkutBrian MastenbrookClint RuohoMike Ash

SOURCES

LAST UPDATE DATE

2024-11-23T20:43:29.651000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE