VARIoT IoT vulnerabilities database
VAR-200512-0749 | CVE-2005-4504 | Apple Safari WebKit component vulnerable to buffer overflow |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The khtml::RenderTableSection::ensureRows function in KHTMLParser in Apple Mac OS X 10.4.3 and earlier, as used by Safari and TextEdit, allows remote attackers to cause a denial of service (memory consumption and application crash) via HTML files with a large ROWSPAN attribute in a TD tag. Apple Safari is vulnerable to a stack-based buffer overflow. Apple has released Security Update 2006-001. Vulnerabilities have been confirmed in Mac OS X, Mac OS X Server, the Safari web browser and other components. For details, refer to Apple Security Update 2006-001. The potential impact depends on each vulnerability; see the information provided by Apple. These vulnerabilities could allow a remote third party to execute arbitrary code or commands, bypass access restrictions, or cause a denial of service (DoS). Apple Mac OS X is the operating system used by Apple's family of computers.
A denial-of-service vulnerability exists in the KHTML parser of Mac OS X.
When a specially crafted .html file is processed, khtml::RenderTableSection::ensureRows does not parse the data correctly, resulting in a crash. The KHTML parser attempts to resize an internal array to the number of cells indicated by the rowspan value. If this value is very large, the array cannot be resized and the application terminates.
Shown below is the crash triggered in gdb using Safari on OS X 10.4.3:
Program received signal SIGABRT, Aborted.
0x9004716c in kill ()
(gdb) bt
#0 0x9004716c in kill ()
#1 0x90128b98 in abort ()
#2 0x95dcd974 in khtml::sYSMALLOc () <(=-- Is called because of sYSMALLOc(1234567890)
#3 0x95dce1a4 in khtml::main_thread_realloc ()
#4 0x95bc0d64 in KWQArrayImpl::resize ()
#5 0x95c05428 in khtml::RenderTableSection::ensureRows ()
#6 0x95c0784c in khtml::RenderTableSection::addCell ()
#7 0x95c076ac in khtml::RenderTableRow::addChild ()
#8 0x95bcb2d8 in DOM::NodeImpl::createRendererIfNeeded ()
#9 0x95bcb1c4 in DOM::ElementImpl::attach ()
#10 0x95bca254 in KHTMLParser::insertNode ()
#11 0x95bcadd8 in KHTMLParser::insertNode ()
#12 0x95bcadd8 in KHTMLParser::insertNode ()
#13 0x95bc83fc in KHTMLParser::parseToken ()
#14 0x95bc54a4 in khtml::HTMLTokenizer::processToken ()
#15 0x95bc6e08 in khtml::HTMLTokenizer::parseTag ()
#16 0x95bc4d24 in khtml::HTMLTokenizer::write ()
#17 0x95bc038c in KHTMLPart::write ()
#18 0x959b510c in -[WebDataSource(WebPrivate) _commitLoadWithData:] ()
#19 0x9598165c in -[WebMainResourceClient addData:] ()
#20 0x95981588 in -[WebBaseResourceHandleDelegate didReceiveData:lengthReceived:] ()
#21 0x959db930 in -[WebMainResourceClient didReceiveData:lengthReceived:] ()
#22 0x95981524 in -[WebBaseResourceHandleDelegate connection:didReceiveData:lengthReceived:] ()
#23 0x92910a64 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] ()
#24 0x9290ef04 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#25 0x9290eca0 in _sendCallbacks ()
#26 0x9075db20 in __CFRunLoopDoSources0 ()
#27 0x9075cf98 in __CFRunLoopRun ()
#28 0x9075ca18 in CFRunLoopRunSpecific ()
#29 0x931861e0 in RunCurrentEventLoopInMode ()
#30 0x931857ec in ReceiveNextEventCommon ()
#31 0x931856e0 in BlockUntilNextEventMatchingListInMode ()
#32 0x93683904 in _DPSNextEvent ()
#33 0x936835c8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#34 0x00007910 in ?? ()
#35 0x9367fb0c in -[NSApplication run] ()
#36 0x93770618 in NSApplicationMain ()
#37 0x0000307c in ?? ()
#38 0x00057758 in ?? ()
Successful exploitation may cause an application employing KHTMLParser to crash.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-053A
Apple Mac OS X Safari Command Execution Vulnerability
Original release date: February 22, 2006
Last revised: --
Source: US-CERT
Systems Affected
Apple Safari running on Mac OS X
Overview
A file type determination vulnerability in Apple Safari could allow a
remote attacker to execute arbitrary commands on a vulnerable system.
I.
Details are available in the following Vulnerability Note:
VU#999708 - Apple Safari may automatically execute arbitrary shell
commands
II. If the user is logged
on with administrative privileges, the attacker could take complete
control of an affected system.
III. Solution
Since there is no known patch for this issue at this time, US-CERT is
recommending a workaround.
References
* US-CERT Vulnerability Note VU#999708 -
<http://www.kb.cert.org/vuls/id/999708>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>
* Apple - Mac OS X - Safari RSS -
<http://www.apple.com/macosx/features/safari/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-053A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-053A Feedback VU#999708" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Feb 22, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ/zKN30pj593lg50AQJgoQf/ZajorZz/6quzA40dc8cLxIBT70xcClH5
CKDN5nMXl1mRYYkDPF07GbcWL3lWarW5Hif0OiZfazaGNC3p9v4ZxDx/dW/ZmsYo
eDznsNWNphKB6yBSIbOUSfGyh/I7pQlG3qxXRWDTA9nVK12KIkvAAoPTgBe40obu
+x58gK5/ib4d+dEZ8F9SbO7/syYtcAzfzS2HrBYhG1lWWLYTaNC3hyI2nXF5lNV/
ymwaPv0ivAB9rpalus+KkajjiV5+J08dj+1JwgwcSpvuNMQ5c/8RCIILP+1bR+CL
lScvGuSRYk4S0QI9nmCDvwD52sluiwp2VO1atTQ1zcgpwhvLRGo3DQ==
=P2/3
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2006-03-01 Security Update 2006-001
Security Update 2006-001 is now available and addresses the following
issues:
apache_mod_php
CVE-ID: CVE-2005-3319, CVE-2005-3353, CVE-2005-3391, CVE-2005-3392
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Multiple security issues in PHP 4.4
Description: PHP 4.4.1 fixes several security issues in the Apache
module and scripting environment. Details of the fixes are
available via the PHP web site (www.php.net).
This framework is vulnerable to a directory
traversal attack that can allow archived files to be unpacked into
arbitrary locations that are writable by the current user. This
update addresses the issue by properly sanitizing those paths.
Credit to Stephane Kardas of CERTA for reporting this issue.
This could lead to privilege elevation. This update
addresses the issue by anticipating a hostile environment and by
creating temporary files securely. Credit to Ilja van Sprundel of
Suresec LTD, vade79, and iDefense (idefense.com) for reporting this
issue.
This update secures the method in which a FileVault image is created.
This update addresses the issues by correctly handling the
conditions that may cause crashes. Credit to OUSPG from the
University of Oulu, NISCC, and CERT-FI for coordinating and
reporting this issue.
This update addresses the issue by correctly handling these memory
requests. Credit to Neil Archibald of Suresec LTD for reporting
this issue.
Mail
CVE-ID: CVE-2006-0395
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Download Validation fails to warn about unsafe file types
Description: In Mac OS X v10.4 Tiger, when an email attachment is
double-clicked in Mail, Download Validation is used to warn the
user if the file type is not "safe". Certain techniques can be used
to disguise the file's type so that Download Validation is
bypassed. This update addresses the issue by presenting Download
Validation with the entire file, providing more information for
Download Validation to detect unknown or unsafe file types in
attachments.
perl
CVE-ID: CVE-2005-4217
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Perl programs may fail to drop privileges
Description: When a perl program running as root attempts to switch
to another user ID, the operation may fail without notification to
the program. This may cause a program to continue to run with root
privileges, assuming they have been dropped. This can cause
security issues in third-party tools. This update addresses the
issue by preventing such applications from continuing if the
operation fails. Credit to Jason Self for reporting this issue.
rsync
CVE-ID: CVE-2005-3712
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Authenticated users may cause an rsync server to crash or
execute arbitrary code
Description: A heap-based buffer overflow may be triggered when the
rsync server is used with the flag that allows extended attributes
to be transferred. It may be possible for a malicious user with
access to an rsync server to cause denial of service or code
execution. This update addresses the problem by ensuring that the
destination buffer is large enough to hold the extended attributes.
Credit to Jan-Derk Bakker for reporting this issue.
This update addresses the issue by preventing the condition causing
the overflow. Credit to Suresec LTD for reporting this issue.
This update addresses the issue by performing additional bounds
checking.
An issue involving HTTP redirection can cause the browser to access
a local file, bypassing certain restrictions. This update addresses
the issue by preventing cross-domain HTTP redirects.
When the "Open `safe' files after downloading" option is enabled in
Safari's General preferences, visiting a malicious web site may
result in the automatic download and execution of such a file. A
proof-of-concept has been detected on public web sites that
demonstrates the automatic execution of shell scripts.
Syndication
CVE-ID: CVE-2006-0389
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Subscriptions to malicious RSS content can lead to
cross-site scripting
Description: Syndication (Safari RSS) may allow JavaScript code
embedded in feeds to run within the context of the RSS reader
document, allowing malicious feeds to circumvent Safari's security
model. This update addresses the issue by properly removing
JavaScript code from feeds.
The following security enhancements are also included in this update:
FileVault: AES-128 encrypted FileVault disk images are now created
with more restrictive operating system permissions. Credit to Eric
Hall of DarkArt Consulting Services for reporting this issue.
iChat: A malicious application named Leap.A that attempts to
propagate using iChat has been detected.
Users should use caution when opening files that are obtained from
the network. Further information is available via:
http://docs.info.apple.com/article.html?artnum=108009
Security Update 2006-001 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.5 (PowerPC) and Mac OS X Server v10.4.5
The download file is named: "SecUpd2006-001Ti.dmg"
Its SHA-1 digest is: 999b73a54951b4e0a7f873fecf75f92840e8b439
For Mac OS X v10.4.5 (Intel)
The download file is named: "SecUpd2006-001Intel.dmg"
Its SHA-1 digest is: 473f94264876fa49fa15a8b6bb4bc30956502ad5
For Mac OS X v10.3.9
The download file is named: "SecUpd2006-001Pan.dmg"
Its SHA-1 digest is: b6a000d451a1b1696726ff60142fc3da08042433
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-001Pan.dmg"
Its SHA-1 digest is: 2299380d72a61eadcbd0a5c6f46c924600ff5a9c
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 (Build 5050)
iQEVAwUBRAYYVoHaV5ucd/HdAQJQWggApQmizj2t3+/87Fqun66/HCEkFt2YhUoe
cmel0/KwJhWrk+LV+CYvixbDvKuGIjP8CWB9/s78YN93pOI5WcfyTKd07rEQYkT4
i8KPrM9QjdvgIjKd6O/VAOkzBc3DqV7KNVR2Hewa3jOigTm7Yxil9o/nZt1TLxAI
9TN0uduc13WHC8WE2N41I8MQ+VdGTX3ANZkfgR90lua4A2E1ab9kCN2qbg+E7Cus
SkwsKp0qSH7bl8v0/R6c1hsYG0T1RwSWU6arAEliqzrrIbCm0Yxtgwp/CYFWC46j
TQNCcppNgcr/pVPojACy8WFtQ3wEb6rJ4ZjH1C5nOem2EoCBh10WFw==
=1Ww0
-----END PGP SIGNATURE-----
VAR-200512-0633 | CVE-2005-2713 | Apple MacOS X BOMArchiveHelper Directory traversal vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
passwd in Directory Services in Mac OS X 10.3.x before 10.3.9 and 10.4.x before 10.4.5 allows local users to create arbitrary world-writable files as root by specifying an alternate file in the password database option.
Apple has also released updates to address these issues. Apple Mac OS X 'passwd' creates temporary files in an insecure manner. This could allow a local attacker to elevate their privileges.
These issues were originally described in BID 16907 Apple Mac OS X Security Update 2006-001 Multiple Vulnerabilities.
More information is available at the following link:
http://www.apple.com/macosx/
II.
The /usr/bin/passwd binary is a setuid application which allows users to
change their password. There are two related vulnerabilities.
The first vulnerability occurs because the Mac OS X version of the
passwd utility accepts options specifying which password database to
operate on. The passwd binary does not check that the user has
permissions to create a file in the location specified and does not set
the created file permissions. By setting the file creation mask to 0 a
user can create arbitrary files owned by root, with permissions which
allow any user to change the contents.
The second vulnerability exists in the insecure creation of temporary
files with predictable names. The temporary filename created by the
process is in the form /tmp/.pwtmp.<pid> where <pid> is the process id
of the passwd process. By creating a symbolic link to the target file,
and then changing the password, it is possible to put controllable
contents into the target file.
III.
In the case of the first vulnerability, a new file could be created in
the /etc directory, such as etc/rc.local_tuning, which is sourced if it
exists during the system start up process as the root user.
The second vulnerability would allow an attacker to overwrite a file with
user controlled contents. This can be leveraged to provide privilege
escalation by, for example, creating a new /etc/sudoers file.
IV.
V. WORKAROUND
Remove the setuid bit from the /usr/bin/passwd binary by executing the
following command as root:
chmod -s /usr/bin/passwd
This workaround will prevent non-root users from being able to change
their password.
VI. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:
CVE-2005-2713 - passwd file creation and permissions
CVE-2005-2714 - temporary file symlink problem
VIII. DISCLOSURE TIMELINE
08/23/2005 Initial vendor notification
08/27/2005 Initial vendor response
03/02/2006 Coordinated public disclosure
IX. CREDIT
Discovery of these vulnerabilities is credited to vade79.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright (c) 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Apple Mail Command Execution Vulnerability
SECUNIA ADVISORY ID:
SA27785
VERIFY ADVISORY:
http://secunia.com/advisories/27785/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
A vulnerability has been reported in Apple Mail, which can be
exploited by malicious people to compromise a user's system. This can be exploited via a specially
crafted email containing an attachment of an ostensibly safe file type
(e.g. ".jpg") to execute arbitrary shell commands when the attachment
is double-clicked.
SOLUTION:
Do not open attachments from untrusted sources.
ORIGINAL ADVISORY:
http://www.heise-security.co.uk/news/99257
OTHER REFERENCES:
SA19064:
http://secunia.com/advisories/19064/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
----------------------------------------------------------------------
Details of the fixes are available via the PHP web site
(www.php.net). PHP ships with Mac OS X but is disabled by default.
This could cause the systems to become unresponsive, or possibly
allow arbitrary code delivered from the file servers to run on the
target system.
BOM
CVE-ID: CVE-2006-0391
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Directory traversal may occur while unpacking archives with
BOM
Description: The BOM framework handles the unpacking of certain
types of archives. This framework is vulnerable to a directory
traversal attack that can allow archived files to be unpacked into
arbitrary locations that are writable by the current user. This
update addresses the issue by properly sanitizing those paths.
Credit to Stephane Kardas of CERTA for reporting this issue.
This could lead to privilege elevation. This update
addresses the issue by anticipating a hostile environment and by
creating temporary files securely. Credit to Ilja van Sprundel of
Suresec LTD, vade79, and iDefense (idefense.com) for reporting this
issue.
This update secures the method in which a FileVault image is created.
This update addresses the issues by correctly handling the
conditions that may cause crashes. Credit to OUSPG from the
University of Oulu, NISCC, and CERT-FI for coordinating and
reporting this issue.
LibSystem
CVE-ID: CVE-2005-3706
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Attackers may cause crashes or arbitrary code execution
depending upon the application
Description: An attacker able to cause an application to make
requests for large amounts of memory may also be able to trigger a
heap buffer overflow. This could cause the targeted application to
crash or execute arbitrary code. This update addresses the issue by
correctly handling these memory requests. This issue does not
affect systems prior to Mac OS X v10.4. Credit to Neil Archibald of
Suresec LTD for reporting this issue.
Mail
CVE-ID: CVE-2006-0395
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Download Validation fails to warn about unsafe file types
Description: In Mac OS X v10.4 Tiger, when an email attachment is
double-clicked in Mail, Download Validation is used to warn the
user if the file type is not "safe". Certain techniques can be used
to disguise the file's type so that Download Validation is
bypassed. This update addresses the issue by presenting Download
Validation with the entire file, providing more information for
Download Validation to detect unknown or unsafe file types in
attachments.
perl
CVE-ID: CVE-2005-4217
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Perl programs may fail to drop privileges
Description: When a perl program running as root attempts to switch
to another user ID, the operation may fail without notification to
the program. This may cause a program to continue to run with root
privileges, assuming they have been dropped. This can cause
security issues in third-party tools. This update addresses the
issue by preventing such applications from continuing if the
operation fails. This issue does not affect Mac OS X v10.4 or later
systems. Credit to Jason Self for reporting this issue.
rsync
CVE-ID: CVE-2005-3712
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Authenticated users may cause an rsync server to crash or
execute arbitrary code
Description: A heap-based buffer overflow may be triggered when the
rsync server is used with the flag that allows extended attributes
to be transferred. It may be possible for a malicious user with
access to an rsync server to cause denial of service or code
execution. This update addresses the problem by ensuring that the
destination buffer is large enough to hold the extended attributes.
This issue does not affect systems prior to Mac OS X v10.4. Credit
to Jan-Derk Bakker for reporting this issue.
Safari
CVE-ID: CVE-2005-4504
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a maliciously-crafted web page may result in
arbitrary code execution
Description: A heap-based buffer overflow in WebKit's handling of
certain HTML could allow a malicious web site to cause a crash or
execute arbitrary code as the user viewing the site. This update
addresses the issue by preventing the condition causing the
overflow. Credit to Suresec LTD for reporting this issue.
Safari
CVE-ID: CVE-2006-0387
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a malicious web page may cause arbitrary code
execution
Description: By preparing a web page including specially-crafted
JavaScript, an attacker may trigger a stack buffer overflow that
could lead to arbitrary code execution with the privileges of the
user. This update addresses the issue by performing additional
bounds checking.
An issue involving HTTP redirection can cause the browser to access
a local file, bypassing certain restrictions. This update addresses
the issue by preventing cross-domain HTTP redirects.
When the "Open `safe' files after downloading" option is enabled in
Safari's General preferences, visiting a malicious web site may
result in the automatic download and execution of such a file. A
proof-of-concept has been detected on public web sites that
demonstrates the automatic execution of shell scripts.
Syndication
CVE-ID: CVE-2006-0389
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Subscriptions to malicious RSS content can lead to
cross-site scripting
Description: Syndication (Safari RSS) may allow JavaScript code
embedded in feeds to run within the context of the RSS reader
document, allowing malicious feeds to circumvent Safari's security
model. This update addresses the issue by properly removing
JavaScript code from feeds. Syndication is only available in Mac OS
X v10.4 and later.
The following security enhancements are also included in this update:
FileVault: AES-128 encrypted FileVault disk images are now created
with more restrictive operating system permissions. Credit to Eric
Hall of DarkArt Consulting Services for reporting this issue.
iChat: A malicious application named Leap.A that attempts to
propagate using iChat has been detected.
Users should use caution when opening files that are obtained from
the network. Further information is available via:
http://docs.info.apple.com/article.html?artnum=108009
Security Update 2006-001 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.5 (PowerPC) and Mac OS X Server v10.4.5
The download file is named: "SecUpd2006-001Ti.dmg"
Its SHA-1 digest is: 999b73a54951b4e0a7f873fecf75f92840e8b439
For Mac OS X v10.4.5 (Intel)
The download file is named: "SecUpd2006-001Intel.dmg"
Its SHA-1 digest is: 473f94264876fa49fa15a8b6bb4bc30956502ad5
For Mac OS X v10.3.9
The download file is named: "SecUpd2006-001Pan.dmg"
Its SHA-1 digest is: b6a000d451a1b1696726ff60142fc3da08042433
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-001Pan.dmg"
Its SHA-1 digest is: 2299380d72a61eadcbd0a5c6f46c924600ff5a9c
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 (Build 5050)
iQEVAwUBRAYYVoHaV5ucd/HdAQJQWggApQmizj2t3+/87Fqun66/HCEkFt2YhUoe
cmel0/KwJhWrk+LV+CYvixbDvKuGIjP8CWB9/s78YN93pOI5WcfyTKd07rEQYkT4
i8KPrM9QjdvgIjKd6O/VAOkzBc3DqV7KNVR2Hewa3jOigTm7Yxil9o/nZt1TLxAI
9TN0uduc13WHC8WE2N41I8MQ+VdGTX3ANZkfgR90lua4A2E1ab9kCN2qbg+E7Cus
SkwsKp0qSH7bl8v0/R6c1hsYG0T1RwSWU6arAEliqzrrIbCm0Yxtgwp/CYFWC46j
TQNCcppNgcr/pVPojACy8WFtQ3wEb6rJ4ZjH1C5nOem2EoCBh10WFw==
=1Ww0
-----END PGP SIGNATURE-----
VAR-200512-0634 | CVE-2005-2714 | Apple MacOS X BOMArchiveHelper Directory traversal vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
passwd in Directory Services in Mac OS X 10.3.x before 10.3.9 and 10.4.x before 10.4.5 allows local users to overwrite arbitrary files via a symlink attack on the .pwtmp.[PID] temporary file.
Apple has also released updates to address these issues. This could allow a local attacker to elevate their privileges.
These issues were originally described in BID 16907 Apple Mac OS X Security Update 2006-001 Multiple Vulnerabilities.
More information is available at the following link:
http://www.apple.com/macosx/
II.
The /usr/bin/passwd binary is a setuid application which allows users to
change their password. There are two related vulnerabilities.
The first vulnerability occurs because the Mac OS X version of the
passwd utility accepts options specifying which password database to
operate on. The passwd binary does not check that the user has
permissions to create a file in the location specified and does not set
the created file permissions. By setting the file creation mask to 0 a
user can create arbitrary files owned by root, with permissions which
allow any user to change the contents.
The second vulnerability exists in the insecure creation of temporary
files with predictable names. The temporary filename created by the
process is in the form /tmp/.pwtmp.<pid> where <pid> is the process id
of the passwd process. By creating a symbolic link to the target file,
and then changing the password, it is possible to put controllable
contents into the target file.
III.
In the case of the first vulnerability, a new file could be created in
the /etc directory, such as etc/rc.local_tuning, which is sourced if it
exists during the system start up process as the root user.
The second vulnerability would allow an attacker overwrite a file with
user controlled contents. This can be leveraged to provide privilege
escalation by, for example, creating a new /etc/sudoers file.
IV.
V. WORKAROUND
Remove the setuid bit from the /usr/bin/passwd binary by executing the
following command as root:
chmod -s /usr/bin/passwd
This workaround will prevent non-root users from being able to change
their password.
VI. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:
CVE-2005-2713 - passwd file creation and permissions
CVE-2005-2714 - temporary file symlink problem
VIII. DISCLOSURE TIMELINE
08/23/2005 Initial vendor notification
08/27/2005 Initial vendor response
03/02/2006 Coordinated public disclosure
IX. CREDIT
Discovery of these vulnerabilities are credited to vade79.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright (c) 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
Get a free trial of the Secunia Vulnerability Intelligence Solutions:
http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
----------------------------------------------------------------------
TITLE:
Apple Mail Command Execution Vulnerability
SECUNIA ADVISORY ID:
SA27785
VERIFY ADVISORY:
http://secunia.com/advisories/27785/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
A vulnerability has been reported in Apple Mail, which can be
exploited by malicious people to compromise a user's system. This can be exploited via a specially
crafted email containing an attachment of an ostensibly safe file type
(e.g. ".jpg") to execute arbitrary shell commands when the attachment
is double-clicked.
SOLUTION:
Do not open attachments from untrusted sources.
ORIGINAL ADVISORY:
http://www.heise-security.co.uk/news/99257
OTHER REFERENCES:
SA19064:
http://secunia.com/advisories/19064/
----------------------------------------------------------------------
Details of the fixes are
available via the PHP web site (www.php.net). PHP ships with Mac OS
X but is disabled by default.
automount
CVE-ID: CVE-2006-0384
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Malicious network servers may cause a denial of service or
arbitrary code execution
Description: File servers on the local network may be able to cause
Mac OS X systems to mount file systems with reserved names. This
could cause the systems to become unresponsive, or possibly allow
arbitrary code delivered from the file servers to run on the target
system.
BOM
CVE-ID: CVE-2006-0391
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Directory traversal may occur while unpacking archives with
BOM
Description: The BOM framework handles the unpacking of certain
types of archives. This framework is vulnerable to a directory
traversal attack that can allow archived files to be unpacked into
arbitrary locations that are writable by the current user. This
update addresses the issue by properly sanitizing those paths.
Credit to Stephane Kardas of CERTA for reporting this issue.
Directory Services
CVE-ID: CVE-2005-2713, CVE-2005-2714
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Malicious local users may create and manipulate files as
root
Description: The passwd program is vulnerable to temporary file
attacks. This could lead to privilege elevation. This update
addresses the issue by anticipating a hostile environment and by
creating temporary files securely. Credit to Ilja van Sprundel of
Suresec LTD, vade79, and iDefense (idefense.com) for reporting this
issue.
FileVault
CVE-ID: CVE-2006-0386
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: FileVault may permit access to files when it is first
enabled
Description: User directories are mounted in an unsafe fashion when
a FileVault image is created. This update secures the method in
which a FileVault image is created.
This update addresses the issues by
correctly handling the conditions that may cause crashes. Credit to
OUSPG from the University of Oulu, NISCC, and CERT-FI for
coordinating and reporting this issue.
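What "properly sanitizing those paths" has to do for the BOM issue above, as an added example written for this page (it is not Apple's BOM framework code): each archive entry name is normalized lexically and rejected if it is absolute or climbs above the extraction root. The function names, PATH_CAP and the sample entry names are assumptions made for the example, and only '/' is treated as a separator.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from Apple's BOM framework. One archive entry
 * name is normalized and rejected if it is absolute or would escape the
 * extraction root. Names, PATH_CAP and the samples in main() are assumed. */

#define PATH_CAP       1024
#define MAX_COMPONENTS (PATH_CAP / 2)

/* Normalize 'name' into 'out' (capacity 'cap'). Returns 0 with a clean
 * relative path on success, -1 if the entry must be rejected. */
int sanitize_entry_name(const char *name, char *out, size_t cap)
{
    const char *comp[MAX_COMPONENTS];
    size_t      clen[MAX_COMPONENTS];
    size_t      depth = 0, off = 0;
    const char *p = name;

    if (!name || !*name || name[0] == '/')       /* empty or absolute */
        return -1;

    while (*p) {
        const char *e = p;
        while (*e && *e != '/')
            e++;                                  /* component is [p, e) */
        size_t n = (size_t)(e - p);

        if (n == 0 || (n == 1 && p[0] == '.')) {
            /* "//" or "/./" contributes nothing */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return -1;                        /* would climb above the root */
            depth--;
        } else {
            if (depth == MAX_COMPONENTS)
                return -1;
            comp[depth] = p;
            clen[depth] = n;
            depth++;
        }
        p = *e ? e + 1 : e;
    }
    if (depth == 0)
        return -1;                                /* "." or "a/..": the root itself */

    for (size_t i = 0; i < depth; i++) {
        if (off + clen[i] + 2 > cap)              /* room for '/' and NUL */
            return -1;
        if (i)
            out[off++] = '/';
        memcpy(out + off, comp[i], clen[i]);
        off += clen[i];
    }
    out[off] = '\0';
    return 0;
}

/* Join a sanitized entry name to the extraction root. Returns 0 with the
 * destination in 'out', -1 if the entry was rejected or does not fit. */
int build_dest_path(const char *root, const char *entry,
                    char *out, size_t cap)
{
    char rel[PATH_CAP];
    if (sanitize_entry_name(entry, rel, sizeof rel) != 0)
        return -1;
    int n = snprintf(out, cap, "%s/%s", root, rel);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    /* Constructed entry names, as a hostile archive might carry them. */
    const char *entries[] = {
        "docs/readme.txt", "a/./b//c", "a/../b",
        "../../../Users/victim/.bash_profile", "/etc/passwd", "a/../..",
    };
    char dest[PATH_CAP];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (build_dest_path("/tmp/extract", entries[i], dest, sizeof dest) == 0)
            printf("OK      %-40s -> %s\n", entries[i], dest);
        else
            printf("REJECT  %s\n", entries[i]);
    }
    return 0;
}
```

This is the lexical half only. An entry extracted earlier may have created a symlink (docs -> /Users/victim), so a real extractor also has to create and open each component with O_NOFOLLOW, or work relative to a root directory descriptor with openat(), so that a clean-looking path cannot be redirected outside the root at open time.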
LibSystem
CVE-ID: CVE-2005-3706
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Attackers may cause crashes or arbitrary code execution
depending upon the application
Description: An attacker able to cause an application to make
requests for large amounts of memory may also be able to trigger a
heap buffer overflow. This could cause the targeted application to
crash or execute arbitrary code. This update addresses the issue by
correctly handling these memory requests. This issue does not
affect systems prior to Mac OS X v10.4. Credit to Neil Archibald of
Suresec LTD for reporting this issue.
Mail
CVE-ID: CVE-2006-0395
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Download Validation fails to warn about unsafe file types
Description: In Mac OS X v10.4 Tiger, when an email attachment is
double-clicked in Mail, Download Validation is used to warn the
user if the file type is not "safe". Certain techniques can be used
to disguise the file's type so that Download Validation is
bypassed. This update addresses the issue by presenting Download
Validation with the entire file, providing more information for
Download Validation to detect unknown or unsafe file types in
attachments.
perl
CVE-ID: CVE-2005-4217
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Perl programs may fail to drop privileges
Description: When a perl program running as root attempts to switch
to another user ID, the operation may fail without notification to
the program. This may cause a program to continue to run with root
privileges, assuming they have been dropped. This can cause
security issues in third-party tools. This update addresses the
issue by preventing such applications from continuing if the
operation fails. This issue does not affect Mac OS X v10.4 or later
systems. Credit to Jason Self for reporting this issue.
rsync
CVE-ID: CVE-2005-3712
It may be possible for a malicious user with
access to an rsync server to cause denial of service or code
execution. This update addresses the problem by ensuring that the
destination buffer is large enough to hold the extended attributes.
This issue does not affect systems prior to Mac OS X v10.4. Credit
to Jan-Derk Bakker for reporting this issue.
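The perl fix above ("preventing such applications from continuing if the operation fails") is the general rule for any privilege drop: the identity switch is unverified until the process has read its ids back, and a failed drop ends the program. The following is an added example for this page, not Apple's or Perl's code, written in C; drop_privileges(), still_privileged() and the "nobody" fallback in main() are assumptions.

```c
#define _GNU_SOURCE 1   /* prototypes for setgroups()/getpwnam() under strict -std modes */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not Apple's or Perl's code. A privilege drop counts as
 * done only after the process has confirmed its new identity, and a
 * failed drop stops the program. drop_privileges(), still_privileged()
 * and the "nobody" fallback below are assumptions made for this example. */

/* Drop to uid/gid. Returns 0 only if the process is verifiably running as
 * that identity afterwards, -1 on any failure; on -1 the caller must exit
 * rather than carry on, because it may still be root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups and gid first: once the uid is no longer 0
     * these calls are no longer permitted. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* The bug class on this page: the switch fails, nothing tells the
     * program, and it carries on as root. Do not trust the return codes
     * alone; re-read the real and effective ids. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;

    /* A dropped root identity must be unrecoverable: setuid(0) has to
     * fail now. Skipped when the target is root, i.e. nothing was dropped. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* 1 if the process still holds root in its real or effective uid. */
int still_privileged(void)
{
    return getuid() == 0 || geteuid() == 0;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (uid == 0) {                               /* started as root: pick an unprivileged target */
        struct passwd *pw = getpwnam("nobody");   /* assumed to exist on the host */
        if (!pw) {
            fputs("no 'nobody' account; cannot drop\n", stderr);
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    if (drop_privileges(uid, gid) != 0) {
        fputs("privilege drop failed; refusing to continue\n", stderr);
        return 1;                                 /* the perl fix: stop here */
    }
    printf("running as uid=%u gid=%u, privileged=%d\n",
           (unsigned)getuid(), (unsigned)getgid(), still_privileged());
    return 0;
}
```

Run as an ordinary user the drop is to the caller's own identity and succeeds; run as root it drops to nobody. A Perl script on an unpatched system needs the same discipline: after assigning `$<` and `$>`, read them back and die if either is not the intended uid, instead of assuming the assignment took effect.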
Safari
CVE-ID: CVE-2005-4504
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a maliciously-crafted web page may result in
arbitrary code execution
Description: A heap-based buffer overflow in WebKit's handling of
certain HTML could allow a malicious web site to cause a crash or
execute arbitrary code as the user viewing the site. This update
addresses the issue by preventing the condition causing the
overflow. Credit to Suresec LTD for reporting this issue.
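The Safari fix above is described only as "preventing the condition causing the overflow", and the LibSystem entry earlier warns about applications that request very large amounts of memory. The condition in CVE-2005-4504 is a table-row array grown to an attacker-chosen row count. The block below is an added example written for this page, not WebKit/KHTML or LibSystem code, showing the unchecked growth beside a version that caps the count, checks the size arithmetic and survives allocation failure; the type and function names and the MAX_ROWS value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not WebKit/KHTML or LibSystem code. A row array is grown
 * to cover a row count taken from untrusted HTML; the checked version
 * clamps the count, refuses a size computation that would wrap, and
 * treats allocation failure as an error. Names and MAX_ROWS are assumed. */

#define MAX_ROWS 65535u          /* assumed policy cap on rows per section */

struct cell { int occupied; };

struct table_section {
    struct cell *rows;           /* one slot per row, enough to show the resize */
    size_t       nrows;
};

/* Unchecked growth, the pattern behind the bug class: the requested count
 * goes straight into the allocation size. A huge count either wraps the
 * multiplication (32-bit) or asks for gigabytes and fails or aborts. */
int ensure_rows_unchecked(struct table_section *s, size_t want)
{
    if (want <= s->nrows)
        return 0;
    struct cell *p = realloc(s->rows, want * sizeof(struct cell));
    if (!p)
        return -1;
    memset(p + s->nrows, 0, (want - s->nrows) * sizeof(struct cell));
    s->rows = p;
    s->nrows = want;
    return 0;
}

/* Hardened growth: clamp to the cap, refuse a size that would overflow,
 * and report allocation failure instead of letting the allocator abort. */
int ensure_rows_checked(struct table_section *s, size_t want)
{
    if (want > MAX_ROWS)
        want = MAX_ROWS;
    if (want <= s->nrows)
        return 0;
    if (want > SIZE_MAX / sizeof(struct cell))
        return -1;               /* want * sizeof would wrap */
    struct cell *p = realloc(s->rows, want * sizeof(struct cell));
    if (!p)
        return -1;
    memset(p + s->nrows, 0, (want - s->nrows) * sizeof(struct cell));
    s->rows = p;
    s->nrows = want;
    return 0;
}

/* Parse a row-count attribute: decimal digits only, anything else is 0
 * ("invalid"); an absurdly long digit string saturates to SIZE_MAX
 * instead of wrapping silently. */
size_t parse_rowspan(const char *attr)
{
    size_t v = 0;
    if (!attr || !*attr)
        return 0;
    for (; *attr; attr++) {
        if (*attr < '0' || *attr > '9')
            return 0;
        size_t d = (size_t)(*attr - '0');
        if (v > (SIZE_MAX - d) / 10)
            return SIZE_MAX;
        v = v * 10 + d;
    }
    return v;
}

/* Rows actually allocated after one cell with the given attribute is
 * processed by the hardened path; 0 means the allocation was refused. */
size_t rows_after_rowspan(const char *attr)
{
    struct table_section s = { NULL, 0 };
    size_t want = parse_rowspan(attr);
    if (want == 0)
        want = 1;                /* invalid or missing attribute counts as 1 */
    if (ensure_rows_checked(&s, want) != 0)
        return 0;
    size_t n = s.nrows;
    free(s.rows);
    return n;
}

int main(void)
{
    struct table_section s = { NULL, 0 };
    ensure_rows_unchecked(&s, 4);            /* harmless with a small value */
    free(s.rows);

    printf("rowspan=3          -> %zu rows\n", rows_after_rowspan("3"));
    printf("rowspan=1234567890 -> %zu rows (clamped)\n", rows_after_rowspan("1234567890"));
    printf("rowspan=abc        -> %zu rows (invalid, treated as 1)\n", rows_after_rowspan("abc"));
    return 0;
}
```

The cap is the important part for a renderer: a 32-bit overflow check alone still lets a page make the browser allocate hundreds of megabytes per cell, which is the memory-consumption denial of service the LibSystem entry describes.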
Safari
CVE-ID: CVE-2006-0387
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a malicious web page may cause arbitrary code
execution
Description: By preparing a web page including specially-crafted
JavaScript, an attacker may trigger a stack buffer overflow that
could lead to arbitrary code execution with the privileges of the
user. This update addresses the issue by performing additional
bounds checking.
An issue involving HTTP
redirection can cause the browser to access a local file, bypassing
certain restrictions. This update addresses the issue by preventing
cross-domain HTTP redirects.
Safari, LaunchServices
CVE-ID: CVE-2006-0394
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a malicious web site may result in arbitrary code
execution
Description: It is possible to construct a file which appears to be
a safe file type, such as an image or movie, but is actually an
application. When the "Open `safe' files after downloading" option
is enabled in Safari's General preferences, visiting a malicious
web site may result in the automatic download and execution of such
a file. A proof-of-concept has been detected on public web sites
that demonstrates the automatic execution of shell scripts.
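Both the Mail entry (Download Validation, CVE-2006-0395) and the Safari "safe file" issue above (CVE-2006-0394) come down to one decision: is a downloaded file really the passive type its name claims? The following added example, not Apple's Download Validation or LaunchServices code, makes that decision by requiring the name's extension and the content's magic bytes to agree and by refusing anything executable regardless of name. The enum, the function names, the small magic table and the sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apple's Download Validation or LaunchServices code.
 * A file is "safe" to auto-open only if the type claimed by its name and
 * the type found in its bytes agree, and executable content is never safe
 * whatever the name says. The magic table and samples are constructed. */

enum kind { K_UNKNOWN, K_JPEG, K_PNG, K_GIF, K_MACHO, K_SCRIPT };

/* Content type from the leading bytes. */
enum kind sniff_content(const unsigned char *buf, size_t n)
{
    if (n >= 2 && buf[0] == '#' && buf[1] == '!')
        return K_SCRIPT;                          /* shell/perl/... script */
    if (n >= 4) {
        uint32_t m;
        memcpy(&m, buf, 4);                       /* host order; both orders listed */
        if (m == 0xFEEDFACEu || m == 0xCEFAEDFEu ||   /* Mach-O 32-bit */
            m == 0xFEEDFACFu || m == 0xCFFAEDFEu ||   /* Mach-O 64-bit */
            m == 0xCAFEBABEu || m == 0xBEBAFECAu)     /* fat binary (also Java class) */
            return K_MACHO;
    }
    if (n >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return K_JPEG;
    if (n >= 8 && memcmp(buf, "\x89PNG\r\n\x1a\n", 8) == 0)
        return K_PNG;
    if (n >= 6 && (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0))
        return K_GIF;
    return K_UNKNOWN;
}

/* ASCII case-insensitive compare of an extension against a lowercase one. */
static int ext_is(const char *ext, const char *want)
{
    for (; *ext && *want; ext++, want++) {
        unsigned char a = (unsigned char)*ext;
        if (a >= 'A' && a <= 'Z')
            a = (unsigned char)(a + ('a' - 'A'));
        if (a != (unsigned char)*want)
            return 0;
    }
    return *ext == '\0' && *want == '\0';
}

/* Type claimed by the name's extension. Only passive, viewer-only types
 * are on this allow-list. */
enum kind kind_from_name(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot || strchr(dot, '/'))
        return K_UNKNOWN;                         /* no extension, or the dot is in a directory */
    if (ext_is(dot, ".jpg") || ext_is(dot, ".jpeg")) return K_JPEG;
    if (ext_is(dot, ".png")) return K_PNG;
    if (ext_is(dot, ".gif")) return K_GIF;
    return K_UNKNOWN;
}

/* 1 if the file may be opened automatically, 0 if it must be held for the
 * user. A mismatch between claimed and actual type is treated as a disguise. */
int is_safe_to_auto_open(const char *name, const unsigned char *buf, size_t n)
{
    enum kind actual = sniff_content(buf, n);
    if (actual == K_MACHO || actual == K_SCRIPT)
        return 0;                                 /* executable, whatever it is called */
    enum kind claimed = kind_from_name(name);
    if (claimed == K_UNKNOWN)
        return 0;                                 /* not on the allow-list */
    return claimed == actual;
}

/* Constructed samples, not files from the page. */
const unsigned char SAMPLE_JPEG[]    = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };
const size_t        SAMPLE_JPEG_LEN  = sizeof SAMPLE_JPEG;
const char          SAMPLE_SCRIPT[]  = "#!/bin/sh\necho disguised\n";
const unsigned char SAMPLE_MACHO64[] = { 0xCF, 0xFA, 0xED, 0xFE, 0x07, 0x00, 0x00, 0x01 };

int main(void)
{
    struct { const char *name; const unsigned char *buf; size_t len; } files[] = {
        { "photo.jpg", SAMPLE_JPEG, SAMPLE_JPEG_LEN },
        { "photo.jpg", (const unsigned char *)SAMPLE_SCRIPT, sizeof SAMPLE_SCRIPT - 1 },
        { "movie.mov", SAMPLE_MACHO64, sizeof SAMPLE_MACHO64 },
        { "photo.png", SAMPLE_JPEG, SAMPLE_JPEG_LEN },
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("%-10s -> %s\n", files[i].name,
               is_safe_to_auto_open(files[i].name, files[i].buf, files[i].len)
                   ? "auto-open" : "hold for user");
    return 0;
}
```

The sniff here reads only a prefix, which is the weakness the Mail fix removed by handing Download Validation the entire file; a complete check also has to recognise application bundles (a directory that looks like an image) and the metadata that tells LaunchServices which program opens the file.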
Syndication
CVE-ID: CVE-2006-0389
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Subscriptions to malicious RSS content can lead to
cross-site scripting
Description: Syndication (Safari RSS) may allow JavaScript code
embedded in feeds to run within the context of the RSS reader
document, allowing malicious feeds to circumvent Safari's security
model. This update addresses the issue by properly removing
JavaScript code from feeds. Syndication is only available in Mac OS
X v10.4 and later.
The following security enhancements are also included in this update:
FileVault: AES-128 encrypted FileVault disk images are now created
with more restrictive operating system permissions. Credit to Eric
Hall of DarkArt Consulting Services for reporting this issue.
iChat: A malicious application named Leap.A that attempts to
propagate using iChat has been detected.
Users should use caution when opening files that are obtained from
the network. Further information is available via:
http://docs.info.apple.com/article.html?artnum=108009
Security Update 2006-001 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.5 (PowerPC) and Mac OS X Server v10.4.5
The download file is named: "SecUpd2006-001Ti.dmg"
Its SHA-1 digest is: 999b73a54951b4e0a7f873fecf75f92840e8b439
For Mac OS X v10.4.5 (Intel)
The download file is named: "SecUpd2006-001Intel.dmg"
Its SHA-1 digest is: 473f94264876fa49fa15a8b6bb4bc30956502ad5
For Mac OS X v10.3.9
The download file is named: "SecUpd2006-001Pan.dmg"
Its SHA-1 digest is: b6a000d451a1b1696726ff60142fc3da08042433
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-001Pan.dmg"
Its SHA-1 digest is: 2299380d72a61eadcbd0a5c6f46c924600ff5a9c
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 (Build 5050)
iQEVAwUBRAYYVoHaV5ucd/HdAQJQWggApQmizj2t3+/87Fqun66/HCEkFt2YhUoe
cmel0/KwJhWrk+LV+CYvixbDvKuGIjP8CWB9/s78YN93pOI5WcfyTKd07rEQYkT4
i8KPrM9QjdvgIjKd6O/VAOkzBc3DqV7KNVR2Hewa3jOigTm7Yxil9o/nZt1TLxAI
9TN0uduc13WHC8WE2N41I8MQ+VdGTX3ANZkfgR90lua4A2E1ab9kCN2qbg+E7Cus
SkwsKp0qSH7bl8v0/R6c1hsYG0T1RwSWU6arAEliqzrrIbCm0Yxtgwp/CYFWC46j
TQNCcppNgcr/pVPojACy8WFtQ3wEb6rJ4ZjH1C5nOem2EoCBh10WFw==
=1Ww0
-----END PGP SIGNATURE-----
VAR-200512-0299 | CVE-2005-3712 | Apple MacOS X rsync extended attribute heap-based buffer overflow vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in rsync in Mac OS X 10.4 through 10.4.5 allows remote authenticated users to execute arbitrary code via long extended attributes. Apple has released Security Update 2006-001 to address this and multiple other remote and local Mac OS X vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-053A
Apple Mac OS X Safari Command Execution Vulnerability
Original release date: February 22, 2006
Last revised: --
Source: US-CERT
Systems Affected
Apple Safari running on Mac OS X
Overview
A file type determination vulnerability in Apple Safari could allow a
remote attacker to execute arbitrary commands on a vulnerable system.
I. Description
Details are available in the following Vulnerability Note:
VU#999708 - Apple Safari may automatically execute arbitrary shell
commands
II. Impact
A remote, unauthenticated attacker could execute arbitrary commands
with the privileges of the user running Safari. If the user is logged
on with administrative privileges, the attacker could take complete
control of an affected system.
III. Solution
Since there is no known patch for this issue at this time, US-CERT is
recommending a workaround.
IV. References
* US-CERT Vulnerability Note VU#999708 -
<http://www.kb.cert.org/vuls/id/999708>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>
* Apple - Mac OS X - Safari RSS -
<http://www.apple.com/macosx/features/safari/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-053A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-053A Feedback VU#999708" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Feb 22, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ/zKN30pj593lg50AQJgoQf/ZajorZz/6quzA40dc8cLxIBT70xcClH5
CKDN5nMXl1mRYYkDPF07GbcWL3lWarW5Hif0OiZfazaGNC3p9v4ZxDx/dW/ZmsYo
eDznsNWNphKB6yBSIbOUSfGyh/I7pQlG3qxXRWDTA9nVK12KIkvAAoPTgBe40obu
+x58gK5/ib4d+dEZ8F9SbO7/syYtcAzfzS2HrBYhG1lWWLYTaNC3hyI2nXF5lNV/
ymwaPv0ivAB9rpalus+KkajjiV5+J08dj+1JwgwcSpvuNMQ5c/8RCIILP+1bR+CL
lScvGuSRYk4S0QI9nmCDvwD52sluiwp2VO1atTQ1zcgpwhvLRGo3DQ==
=P2/3
-----END PGP SIGNATURE-----
VAR-200512-0293 | CVE-2005-3706 | Apple MacOS X LibSystem heap-based buffer overflow vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in LibSystem in Mac OS X 10.4 through 10.4.5 allows context-dependent attackers to execute arbitrary code by causing an application that uses LibSystem to request a large amount of memory. Apple has released Security Update 2006-001 to address this and multiple other remote and local Mac OS X vulnerabilities.
VAR-200512-0212 | CVE-2005-4217 | Apple MacOS X Perl privilege-dropping vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Perl in Apple Mac OS X Server 10.3.9 does not properly drop privileges when using the "$<" variable to set uid, which allows attackers to gain privileges. Apple Mac OS X's Perl is susceptible to an insecure privilege-dropping weakness: an assignment to "$<" intended to give up root privileges can fail without any error being reported to the program, which then continues to run as root. The cause is presumed to be a flaw in Perl's compilation options.
This vulnerability may allow attackers who exploit latent vulnerabilities in Perl applications to gain elevated privileges, increasing the potential for damage. The exact impact depends on how the affected Perl application uses the privilege-dropping facilities.
Mac OS X version 10.3.9 is reported vulnerable to this issue. Other versions may also be affected.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-053A
Apple Mac OS X Safari Command Execution Vulnerability
Original release date: February 22, 2006
Last revised: --
Source: US-CERT
Systems Affected
Apple Safari running on Mac OS X
Overview
A file type determination vulnerability in Apple Safari could allow a
remote attacker to execute arbitrary commands on a vulnerable system.
I.
Details are available in the following Vulnerability Note:
VU#999708 - Apple Safari may automatically execute arbitrary shell
commands
II. Impact
A remote, unauthenticated attacker could execute arbitrary commands
with the privileges of the user running Safari. If the user is logged
on with administrative privileges, the attacker could take complete
control of an affected system.
III. Solution
Since there is no known patch for this issue at this time, US-CERT is
recommending a workaround.
References
* US-CERT Vulnerability Note VU#999708 -
<http://www.kb.cert.org/vuls/id/999708>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>
* Apple - Mac OS X - Safari RSS -
<http://www.apple.com/macosx/features/safari/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-053A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-053A Feedback VU#999708" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Feb 22, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ/zKN30pj593lg50AQJgoQf/ZajorZz/6quzA40dc8cLxIBT70xcClH5
CKDN5nMXl1mRYYkDPF07GbcWL3lWarW5Hif0OiZfazaGNC3p9v4ZxDx/dW/ZmsYo
eDznsNWNphKB6yBSIbOUSfGyh/I7pQlG3qxXRWDTA9nVK12KIkvAAoPTgBe40obu
+x58gK5/ib4d+dEZ8F9SbO7/syYtcAzfzS2HrBYhG1lWWLYTaNC3hyI2nXF5lNV/
ymwaPv0ivAB9rpalus+KkajjiV5+J08dj+1JwgwcSpvuNMQ5c/8RCIILP+1bR+CL
lScvGuSRYk4S0QI9nmCDvwD52sluiwp2VO1atTQ1zcgpwhvLRGo3DQ==
=P2/3
-----END PGP SIGNATURE-----
Details of the fixes are
available via the PHP web site (www.php.net). This
could cause the systems to become unresponsive, or possibly allow
arbitrary code delivered from the file servers to run on the target
system. This framework is vulnerable to a directory
traversal attack that can allow archived files to be unpacked into
arbitrary locations that are writable by the current user. This
update addresses the issue by properly sanitizing those paths.
Credit to Stephane Kardas of CERTA for reporting this issue. This could lead to privilege elevation. This update
addresses the issue by anticipating a hostile environment and by
creating temporary files securely. Credit to Ilja van Sprundel of
Suresec LTD, vade79, and iDefense (idefense.com) for reporting this
issue. This update secures the method in
which a FileVault image is created. This update addresses the issues by
correctly handling the conditions that may cause crashes. Credit to
OUSPG from the University of Oulu, NISCC, and CERT-FI for
coordinating and reporting this issue.
LibSystem
CVE-ID: CVE-2005-3706
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Attackers may cause crashes or arbitrary code execution
depending upon the application
Description: An attacker able to cause an application to make
requests for large amounts of memory may also be able to trigger a
heap buffer overflow. This could cause the targeted application to
crash or execute arbitrary code. This update addresses the issue by
correctly handling these memory requests. Credit to Neil Archibald of
Suresec LTD for reporting this issue.
Mail
CVE-ID: CVE-2006-0395
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Download Validation fails to warn about unsafe file types
Description: In Mac OS X v10.4 Tiger, when an email attachment is
double-clicked in Mail, Download Validation is used to warn the
user if the file type is not "safe". Certain techniques can be used
to disguise the file's type so that Download Validation is
bypassed. This update addresses the issue by presenting Download
Validation with the entire file, providing more information for
Download Validation to detect unknown or unsafe file types in
attachments. This may cause a program to continue to run with root
privileges, assuming they have been dropped. This can cause
security issues in third-party tools. This update addresses the
issue by preventing such applications from continuing if the
operation fails. Credit to Jason Self for reporting this issue.
rsync
CVE-ID: CVE-2005-3712
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Authenticated users may cause an rsync server to crash or
execute arbitrary code
Description: A heap-based buffer overflow may be triggered when the
rsync server is used with the flag that allows extended attributes
to be transferred. It may be possible for a malicious user with
access to an rsync server to cause denial of service or code
execution. This update addresses the problem by ensuring that the
destination buffer is large enough to hold the extended attributes. Credit
to Jan-Derk Bakker for reporting this issue.
Safari
CVE-ID: CVE-2005-4504
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a maliciously-crafted web page may result in
arbitrary code execution
Description: A heap-based buffer overflow in WebKit's handling of
certain HTML could allow a malicious web site to cause a crash or
execute arbitrary code as the user viewing the site. This update
addresses the issue by preventing the condition causing the
overflow. Credit to Suresec LTD for reporting this issue.
Safari
CVE-ID: CVE-2006-0387
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a malicious web page may cause arbitrary code
execution
Description: By preparing a web page including specially-crafted
JavaScript, an attacker may trigger a stack buffer overflow that
could lead to arbitrary code execution with the privileges of the
user. This update addresses the issue by performing additional
bounds checking.
Safari
CVE-ID: CVE-2006-0388
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Remote web sites can redirect to local resources, allowing
JavaScript to execute in the local domain
Description: Safari's security model prevents remote resources from
causing redirection to local resources. An issue involving HTTP
redirection can cause the browser to access a local file, bypassing
certain restrictions. This update addresses the issue by preventing
cross-domain HTTP redirects. When the "Open `safe' files after downloading" option
is enabled in Safari's General preferences, visiting a malicious
web site may result in the automatic download and execution of such
a file. A proof-of-concept has been detected on public web sites
that demonstrates the automatic execution of shell scripts.
Syndication
CVE-ID: CVE-2006-0389
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Subscriptions to malicious RSS content can lead to
cross-site scripting
Description: Syndication (Safari RSS) may allow JavaScript code
embedded in feeds to run within the context of the RSS reader
document, allowing malicious feeds to circumvent Safari's security
model. This update addresses the issue by properly removing
JavaScript code from feeds.
The following security enhancements are also included in this update:
FileVault: AES-128 encrypted FileVault disk images are now created
with more restrictive operating system permissions. Credit to Eric
Hall of DarkArt Consulting Services for reporting this issue.
iChat: A malicious application named Leap.A that attempts to
propagate using iChat has been detected.
Users should use caution when opening files that are obtained from
the network. Further information is available via:
http://docs.info.apple.com/article.html?artnum=108009
Security Update 2006-001 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.5 (PowerPC) and Mac OS X Server v10.4.5
The download file is named: "SecUpd2006-001Ti.dmg"
Its SHA-1 digest is: 999b73a54951b4e0a7f873fecf75f92840e8b439
For Mac OS X v10.4.5 (Intel)
The download file is named: "SecUpd2006-001Intel.dmg"
Its SHA-1 digest is: 473f94264876fa49fa15a8b6bb4bc30956502ad5
For Mac OS X v10.3.9
The download file is named: "SecUpd2006-001Pan.dmg"
Its SHA-1 digest is: b6a000d451a1b1696726ff60142fc3da08042433
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2006-001Pan.dmg"
Its SHA-1 digest is: 2299380d72a61eadcbd0a5c6f46c924600ff5a9c
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
VAR-200512-0067 | CVE-2005-4425 | Kerio WinRoute Firewall RTSP Stream Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Kerio WinRoute Firewall before 6.1.3 allows remote attackers to cause a denial of service (crash) via certain RTSP streams. This may aid in further attacks.
TITLE:
Kerio WinRoute Firewall Potential Denial of Service and Security
Bypass
SECUNIA ADVISORY ID:
SA17519
VERIFY ADVISORY:
http://secunia.com/advisories/17519/
CRITICAL:
Less critical
IMPACT:
Security Bypass, DoS
WHERE:
From remote
SOFTWARE:
Kerio WinRoute Firewall 6.x
http://secunia.com/product/3613/
DESCRIPTION:
Two vulnerabilities have been reported in Kerio WinRoute Firewall
which potentially can be exploited by malicious users to cause a
(DoS) Denial of Service and to bypass certain security restrictions.
2) An error in the handling of user authentication may allow users to
be successfully authenticated even when their accounts are disabled.
Some other errors, which may be security related, have also been
fixed.
SOLUTION:
Update to version 6.1.3
http://www.kerio.com/kwf_download.html
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.kerio.com/kwf_history.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200512-0601 | CVE-2005-4157 | Kerio WinRoute Firewall Unknown vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Kerio WinRoute Firewall before 6.1.3 allows remote attackers to authenticate to the service using an account that has been disabled. This issue is most likely due to an authentication error within the application. This may lead to a false sense of security.
TITLE:
Kerio WinRoute Firewall Potential Denial of Service and Security
Bypass
SECUNIA ADVISORY ID:
SA17519
VERIFY ADVISORY:
http://secunia.com/advisories/17519/
CRITICAL:
Less critical
IMPACT:
Security Bypass, DoS
WHERE:
From remote
SOFTWARE:
Kerio WinRoute Firewall 6.x
http://secunia.com/product/3613/
DESCRIPTION:
Two vulnerabilities have been reported in Kerio WinRoute Firewall
which potentially can be exploited by malicious users to cause a
(DoS) Denial of Service and to bypass certain security restrictions.
1) An error in the handling of RTSP streams from certain RTSP servers
may cause the service to crash.
Some other errors, which may be security related, have also been
fixed.
SOLUTION:
Update to version 6.1.3
http://www.kerio.com/kwf_download.html
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.kerio.com/kwf_history.html
VAR-200511-0079 | CVE-2005-3635 |
SAP Web Application Server Multiple Cross-Site Scripting Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200511-0203 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in SAP Web Application Server (WAS) 6.10 through 7.00 allow remote attackers to inject arbitrary web script or HTML via (1) the sap-syscmd in sap-syscmd and (2) the BspApplication field in the SYSTEM PUBLIC test application. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
This issue only affects the BSP runtime of SAP WAS.
1) Input passed to the "sap-syscmd" parameter in "frameset.htm" and
the "BspApplication" field in the "SYSTEM PUBLIC" test application
isn't properly sanitised before being returned to the user.
Other versions may also be affected.
2) Input passed to the query string in pages generating error
messages isn't properly sanitised before being returned to the user.
Prior versions may also be affected.
3) The problem is that an absolute URL for an external site can be
specified in the "sap-exiturl" parameter passed to "frameset.htm". This
can be exploited to trick users into visiting a malicious web site by
following a specially crafted link with a trusted hostname
redirecting to the malicious web site.
Other versions may also be affected.
This can be exploited to inject arbitrary HTTP headers, which will be
included in the response sent to the user.
Other versions may also be affected.
SOLUTION:
The vendor has reportedly provided a solution for the
vulnerabilities. Customers should contact SAP support for
further information.
PROVIDED AND/OR DISCOVERED BY:
Leandro Meiners, Cybsec S.A.
ORIGINAL ADVISORY:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf
VAR-200511-0078 | CVE-2005-3634 |
SAP Web Application Server URI Redirecting vulnerability
Related entries in the VARIoT exploits database: VAR-E-200511-0480 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter.
It is reported that an attacker can exploit this issue by supplying the URI of a malicious site through the 'sap-exiturl' parameter.
A successful attack may result in various attacks including theft of cookie-based authentication credentials. An attacker may also be able to exploit this vulnerability to enhance phishing style attacks.
This issue only affects the BSP runtime of SAP WAS.
1) Input passed to the "sap-syscmd" parameter in "frameset.htm" and
the "BspApplication" field in the "SYSTEM PUBLIC" test application
isn't properly sanitised before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
Other versions may also be affected.
2) Input passed to the query string in pages generating error
messages isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
Prior versions may also be affected.
3) The problem is that an absolute URL for an external site can be
specified in the "sap-exiturl" parameter passed to "frameset.htm". This
can be exploited to trick users into visiting a malicious web site by
following a specially crafted link with a trusted hostname
redirecting to the malicious web site.
Other versions may also be affected.
4) Input passed to the "sap-exiturl" parameter isn't properly
sanitised before being returned to the user. This can be exploited to
inject arbitrary HTTP headers, which will be included in the response
sent to the user.
Other versions may also be affected.
SOLUTION:
The vendor has reportedly provided a solution for the
vulnerabilities. Customers should contact SAP support for
further information.
PROVIDED AND/OR DISCOVERED BY:
Leandro Meiners, Cybsec S.A.
ORIGINAL ADVISORY:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf
VAR-200511-0077 | CVE-2005-3633 | SAP Web Application Server in frameset.htm of HTTP Response split vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
HTTP response splitting vulnerability in frameset.htm in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to inject arbitrary HTML headers via the sap-exiturl parameter. This issue is due to a failure in the application to properly sanitize user-supplied input.
A remote attacker may exploit this vulnerability to influence or misrepresent how Web content is served, cached or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.
This issue only affects the BSP runtime of SAP WAS.
1) Input passed to the "sap-syscmd" parameter in "frameset.htm" and
the "BspApplication" field in the "SYSTEM PUBLIC" test application
isn't properly sanitised before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
Other versions may also be affected.
2) Input passed to the query string in pages generating error
messages isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
Prior versions may also be affected.
3) The problem is that an absolute URL for an external site can be
specified in the "sap-exiturl" parameter passed to "frameset.htm". This
can be exploited to trick users into visiting a malicious web site by
following a specially crafted link with a trusted hostname
redirecting to the malicious web site.
Other versions may also be affected.
SOLUTION:
The vendor has reportedly provided a solution for the
vulnerabilities. Customers should contact SAP support for
further information.
PROVIDED AND/OR DISCOVERED BY:
Leandro Meiners, Cybsec S.A.
ORIGINAL ADVISORY:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf
VAR-200603-0168 | CVE-2006-1039 |
SAP Website application server URI Input validation vulnerability
Related entries in the VARIoT exploits database: VAR-E-200511-0244 |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
SAP Web Application Server (WebAS) Kernel before 7.0 allows remote attackers to inject arbitrary bytes into the HTTP response and obtain sensitive authentication information, or have other impacts, via a ";%20" followed by encoded HTTP headers. SAP Web Application Server is prone to an input-validation vulnerability that results in HTTP response-splitting attacks. This issue is due to a failure in the application to properly sanitize user-supplied input.
A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.
Some unspecified input passed in the URL isn't properly sanitised
before being returned to the user. This can be exploited to
manipulate the HTTP response sent to the user and may allow execution
of arbitrary HTML and script code in a user's browser session in
context of an affected site.
The vulnerability has been reported in version 7.00 and prior.
SOLUTION:
The vendor has released fixes for the vulnerability. See SAP Note
908147 and 915084 for details.
PROVIDED AND/OR DISCOVERED BY:
Arnold Grossmann
VAR-200511-0080 | CVE-2005-3636 |
SAP Web Application Server Error page cross-site scripting vulnerability
Related entries in the VARIoT exploits database: VAR-E-200511-0202 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in SAP Web Application Server (WAS) 6.10 allows remote attackers to inject arbitrary web script or HTML via Error Pages. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
This issue only affects the BSP runtime of SAP WAS.
1) Input passed to the "sap-syscmd" parameter in "frameset.htm" and
the "BspApplication" field in the "SYSTEM PUBLIC" test application
isn't properly sanitised before being returned to the user.
Other versions may also be affected.
2) Input passed to the query string in pages generating error
messages isn't properly sanitised before being returned to the user.
Prior versions may also be affected.
3) The problem is that an absolute URL for an external site can be
specified in the "sap-exiturl" parameter passed to "frameset.htm". This
can be exploited to trick users into visiting a malicious web site by
following a specially crafted link with a trusted hostname
redirecting to the malicious web site.
Other versions may also be affected.
This can be exploited to inject arbitrary HTTP headers, which will be
included in the response sent to the user.
Other versions may also be affected.
SOLUTION:
The vendor has reportedly provided a solution for the
vulnerabilities. Customers should contact SAP support for
further information.
PROVIDED AND/OR DISCOVERED BY:
Leandro Meiners, Cybsec S.A.
ORIGINAL ADVISORY:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf
VAR-200511-0093 | CVE-2005-3621 | phpMyAdmin CRLF Injection vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows remote attackers to conduct HTTP response splitting attacks via unspecified scripts. phpMyAdmin is prone to an HTTP-response-splitting vulnerability because the application fails to properly sanitize user-supplied input.
A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.
This issue is reported to affect phpMyAdmin version 2.7.0-beta1; other versions may also be vulnerable.
The vulnerability is caused due to an error in the register_globals
emulation layer in "grab_globals.php" where the "import_blacklist"
variable is not properly protected from being overwritten. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected
site.
http://www.phpmyadmin.net/home_page/downloads.php
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 1207-2 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
November 19th, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : phpmyadmin
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-1678 CVE-2006-2418 CVE-2005-3621 CVE-2005-3665 CVE-2006-5116
Debian Bug : 339437 340438 362567 368082 391090
The phpmyadmin update in DSA 1207 introduced a regression. This update
corrects this flaw. For completeness, the original advisory text below:
Several remote vulnerabilities have been discovered in phpMyAdmin, a
program to administrate MySQL over the web.
CVE-2005-3665
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST
variable and (2) various scripts in the libraries directory that
handle header generation.
CVE-2006-1678
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML via scripts in the
themes directory.
CVE-2006-5116
A remote attacker could overwrite internal variables through the
_FILES global variable.
For the stable distribution (sarge) these problems have been fixed in
version 2.6.2-3sarge3.
For the upcoming stable release (etch) and unstable distribution (sid)
these problems have been fixed in version 2.9.0.3-1.
We recommend that you upgrade your phpmyadmin package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
--------------------------------
Source archives:
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3.dsc
Size/MD5 checksum: 604 32ee16f4370604bc150d93c5676fface
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3.diff.gz
Size/MD5 checksum: 38520 f27c4b99bbdb3dc13fb71aef99749247
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2.orig.tar.gz
Size/MD5 checksum: 2654418 05e33121984824c43d94450af3edf267
Architecture independent components:
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3_all.deb
Size/MD5 checksum: 2769182 00f14fb52a14546e92ece84c16cd249f
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
----------------------------------------------------------------------
SOLUTION:
Apply updated packages.
Some input passed to "libraries/header_http.inc.php" isn't properly
sanitised before being returned to the user. This can be exploited to
include arbitrary HTTP headers in a response sent to the user.
Successful exploitation requires that "register_globals" is enabled.
It is also possible to disclose the full path to certain scripts by
accessing them directly.
http://www.phpmyadmin.net/home_page/downloads.php
PROVIDED AND/OR DISCOVERED BY:
Toni Koivunen
ORIGINAL ADVISORY:
Toni Koivunen:
http://www.fitsec.com/advisories/FS-05-02.txt
phpMyAdmin:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0373 | CVE-2006-1846 | PHP-Nuke Your_Account Module Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Your_Account module in PHP-Nuke 7.8 might allow remote attackers to inject arbitrary HTML and web script via the ublock parameter, which is saved in the user's personal menu. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. In addition, it is unclear whether this issue is a vulnerability, since it is related to the user's personal menu, which presumably is not modifiable by others. PHPNuke is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
The application is prone to HTML- and SQL-injection vulnerabilities.
PHPNuke 7.8 is reported to be vulnerable. Other versions may also be affected. The Your_Account module in PHP-Nuke 7.8 has a cross-site scripting vulnerability.
TITLE:
PHP-Nuke Personal Menu Script Insertion and SQL Injection
SECUNIA ADVISORY ID:
SA18972
VERIFY ADVISORY:
http://secunia.com/advisories/18972/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Manipulation of data
WHERE:
From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
Jason Lau has discovered two vulnerabilities in PHP-Nuke, which can
be exploited by malicious people to conduct SQL injection and script
insertion attacks.
Example:
<img src=javascript:[code]>
(requires the Microsoft Internet Explorer browser)
2) Input passed to the "user_id" parameter in the "Your_Home"
functionality of the "Your_Account" module isn't properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that "magic_quotes_gpc" is
disabled.
The vulnerabilities have been confirmed in version 7.8.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Jason Lau
----------------------------------------------------------------------
VAR-200604-0374 | CVE-2006-1847 | PHP-Nuke Your_Account Module SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in the Your_Account module in PHP-Nuke 7.8 might allow remote attackers to execute arbitrary SQL commands via the user_id parameter in the Your_Home functionality. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. PHPNuke is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
The application is prone to HTML- and SQL-injection vulnerabilities.
PHPNuke 7.8 is reported to be vulnerable. Other versions may also be affected.
TITLE:
PHP-Nuke Personal Menu Script Insertion and SQL Injection
SECUNIA ADVISORY ID:
SA18972
VERIFY ADVISORY:
http://secunia.com/advisories/18972/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Manipulation of data
WHERE:
From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
Jason Lau has discovered two vulnerabilities in PHP-Nuke, which can
be exploited by malicious people to conduct SQL injection and script
insertion attacks.
1) Input passed to the "ublock" parameter in the "Your_Home"
functionality of the "Your_Account" module isn't properly sanitised
before being saved as the user's personal menu. This can be exploited
to execute arbitrary HTML and script code in a user's browser session
in context of an affected site when the user views his personal
menu.
Example:
<img src=javascript:[code]>
(requires the Microsoft Internet Explorer browser)
2) Input passed to the "user_id" parameter in the "Your_Home"
functionality of the "Your_Account" module isn't properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code. This can be further
exploited with vulnerability #1 to inject arbitrary HTML and script
code into arbitrary user's personal menu.
Successful exploitation requires that "magic_quotes_gpc" is
disabled.
The vulnerabilities have been confirmed in version 7.8.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Jason Lau
----------------------------------------------------------------------
VAR-200511-0453 | CVE-2005-3546 | F-Secure Anti-Virus Gatekeeper for Linux and F-Secure Anti-Virus Gateway for Linux Local privilege escalation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
suid.cgi scripts in F-Secure (1) Internet Gatekeeper for Linux before 2.15.484 and (2) Anti-Virus Linux Gateway before 2.16 are installed SUID with world-executable permissions, which allows local users to gain privilege. F-Secure Anti-Virus products are prone to a local privilege-escalation vulnerability because of insecure setuid-superuser binary permissions.
Exploiting this vulnerability allows local attackers to gain superuser privileges, leading to a complete compromise of the affected computer.
The vulnerability is caused by several scripts being installed with
the SUID bit set and world-executable permissions, e.g.
"/opt/f-secure/fsigk/cgi/*suid.cgi" and
"/home/virusgw/cgi/*suid.cgi". These scripts can be exploited by
malicious users to gain root privileges.
* F-Secure Anti-Virus Linux Gateway versions prior to 2.16.
SOLUTION:
Update to the fixed version or remove SUID bit from affected
scripts.
-- Updating to fixed version --
F-Secure Internet Gatekeeper for Linux:
Update to version 2.15.484.
ftp://ftp.f-secure.com/support/hotfix/
http://www.f-secure.com/webclub/
F-Secure Anti-Virus Linux Gateway:
Update to version 2.16.
ORIGINAL ADVISORY:
http://www.f-secure.com/security/fsc-2005-3.shtml
----------------------------------------------------------------------
VAR-200605-0593 | CVE-2006-2238 | Apple QuickTime BMP Graphics Stack overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted BMP file that triggers the overflow in the ReadBMP function. NOTE: this issue was originally included as item 3 in CVE-2006-1983, but it has been given a separate identifier because it is a distinct issue. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. Apple QuickTime is affected by a stack-based buffer overflow.
National Cyber Alert System
Technical Cyber Security Alert TA06-132B
Apple QuickTime Vulnerabilities
Original release date: May 12, 2006
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows
Overview
Apple QuickTime contains multiple vulnerabilities.
I. Description
Apple QuickTime 7.1 resolves multiple vulnerabilities in the way
different types of image and media files are handled. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code or commands, and
cause a denial-of-service condition. For further information,
please see the Vulnerability Notes.
III.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. References
* Vulnerability Notes for QuickTime 7.1 -
<http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_7.1>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* About the security content of the QuickTime 7.1 Update -
<http://docs.info.apple.com/article.html?artnum=303752>
* Apple QuickTime 7.1 -
<http://www.apple.com/support/downloads/quicktime71.html>
* Standalone Apple QuickTime Player -
<http://www.apple.com/quicktime/download/standalone.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132B.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
TITLE:
QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID:
SA20069
VERIFY ADVISORY:
http://secunia.com/advisories/20069/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
3) A boundary error within the processing of Flash movies can be
exploited via a specially crafted Flash movie to crash the
application and potentially execute arbitrary code.
4) An integer overflow and boundary error within the processing of
H.264 movies can be exploited via a specially crafted H.264 movie to
crash the application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be
exploited via a specially crafted MPEG4 movie to crash the
application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images
(".fpx") can be exploited via a specially crafted FlashPix image with
an overly large value in the field specifying the number of data
blocks in the file.
7) A boundary error within the processing of AVI movies can be
exploited via a specially crafted AVI movie to crash the application
and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be
exploited to cause either a stack-based buffer overflow via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash the application and potentially execute
arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt
----------------------------------------------------------------------
VAR-200605-0222 | CVE-2006-1463 | Apple QuickTime H.264 Parsing Buffer Overflow Vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a H.264 (M4V) video format file with a certain modified size value. The implicit trust of a user-supplied size value during a memory copy loop allows an attacker to create an exploitable memory corruption condition. Exploitation requires that an attacker either coerce the target to open a malformed media file or visit a website embedding the malicious file. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions.
ZDI-06-015: Apple QuickTime H.264 Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
May 11, 2006
-- CVE ID:
CVE-2006-1463
-- Affected Vendor:
Apple
-- Affected Products:
Apple QuickTime versions prior to 7.1
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since March 20, 2006 by Digital Vaccine protection
filter ID 4183.
-- Vendor Response:
Apple has identified and corrected this issue in QuickTime 7.1.
Customers can obtain the fix from Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For further details see:
http://docs.info.apple.com/article.html?artnum=61798
-- Disclosure Timeline:
2006.03.20 - Vulnerability reported to vendor
2006.03.20 - Digital Vaccine released to TippingPoint customers
2006.05.11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by ATmaCA.
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.
TITLE:
QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID:
SA20069
VERIFY ADVISORY:
http://secunia.com/advisories/20069/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An integer overflow error within the processing of JPEG images can
be exploited via a specially crafted JPEG image to crash the
application and potentially execute arbitrary code.
3) A boundary error within the processing of Flash movies can be
exploited via a specially crafted Flash movie to crash the
application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be
exploited via a specially crafted MPEG4 movie to crash the
application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images
(".fpx") can be exploited via a specially crafted FlashPix image with
an overly large value in the field specifying the number of data
blocks in the file.
7) A boundary error within the processing of AVI movies can be
exploited via a specially crafted AVI movie to crash the application
and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be
exploited to cause either a stack-based buffer overflow via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data. This can
be exploited to crash the application and potentially execute
arbitrary code.
9) A boundary error within the processing of BMP images can be
exploited via a specially crafted BMP image to crash the application
and potentially execute arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt
----------------------------------------------------------------------
VAR-200605-0224 | CVE-2006-1465 | Apple QuickTime Vulnerable to buffer overflow |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Apple QuickTime before 7.1 allows remote attackers to execute arbitrary code via a crafted QuickTime AVI video format file. Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities could allow an remote,
unauthenticated attacker to execute arbitrary code or commands, and
cause a denial-of-service condition. For further information,
please see the Vulnerability Notes.
III.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. Please send
email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
____________________________________________________________________
McAfee, Inc.
McAfee Avert™ Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Two code execution vulnerabilities are present in QuickDraw PICT image format support.
Twenty one code execution vulnerabilities are present in QuickTime support for various multimedia formats including: MOV, H.264, MPEG 4, AVI, FPX and SWF. In order for an attack to succeed user interaction is required and therefore the risk factor for these issues is medium.
CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee's customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
TITLE:
QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID:
SA20069
VERIFY ADVISORY:
http://secunia.com/advisories/20069/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
3) A boundary error within the processing of Flash movies can be
exploited via a specially crafted Flash movie to crash the
application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be
exploited via a specially crafted MPEG4 movie to crash the
application and potentially execute arbitrary code.
6) An integer overflow error within the processing of FlashPix images
(".fpx") can be exploited via a specially crafted FlashPix image with
an overly large value in the field specifying the number of data
blocks in the file.
8) Two boundary errors within the processing of PICT images can be
exploited to cause either a stack-based buffer overflow via a PICT
image with specially crafted font information or a heap-based buffer
overflow via a PICT image with specially crafted image data.
9) A boundary error within the processing of BMP images can be
exploited via a specially crafted BMP image to crash the application
and potentially execute arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt