VARIoT IoT vulnerabilities database

Apple QuickTime Player 7.0 on Mac OS X 10.4 allows remote attackers to obtain sensitive information via a .mov file with a Quartz Composer composition (.qtz) file that uses certain patches to read local information, then other patches to send the information to the attacker. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Quartz Composer Disclosure of System Information SECUNIA ADVISORY ID: SA15307 VERIFY ADVISORY: http://secunia.com/advisories/15307/ CRITICAL: Not critical IMPACT: Exposure of system information WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: David Remahl has reported a weakness in Apple QuickTime, which can be exploited by malicious people to disclose some system information. The problem is that Quartz Composer compositions embedded in ".mov" files can access certain system information, which can be disclosed to web sites via JavaScript. This can e.g. be exploited to disclose the local username and directory information by tricking a user into visiting a malicious web site. SOLUTION: Disable the QuickTime browser plugin and do not open ".mov" and Quartz Composer files from untrusted sources. PROVIDED AND/OR DISCOVERED BY: David Remahl ORIGINAL ADVISORY: http://remahl.se/david/vuln/018/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unknown vulnerability in Cisco Firewall Services Module (FWSM) 2.3.1 and earlier, when using URL, FTP, or HTTPS filtering exceptions, allows certain TCP packets to bypass access control lists (ACLs). FWSM for Cisco Catalyst 6500/7600 Series is prone to a remote security vulnerability

The new account wizard in Mail.app 2.0 in Mac OS 10.4, when configuring an IMAP mail account and checking the credentials, does not prompt the user to use SSL until after the password has already been sent, which causes the password to be sent in plaintext

zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ GNU zip (gzip) Is a utility that compresses and decompresses files. grep Run zgrep Or unzip the compressed file gunzip Each tool is packaged. Gzip 1.2.4 Previously, there were several security issues: 1) gzip 1.2.4 Included before zgrep There is a problem that does not properly sanitize arguments. (CAN-2005-0758) Details are currently unknown, but local attackers who exploit this issue zgrep An arbitrary command may be executed by passing an intentional file name to. 2) gzip 1.2.4 Previously, when decompressing a compressed file, there was a problem that caused a race condition between writing the decompressed file and changing permissions. (CAN-2005-0988) A local attacker who exploits this issue could alter the permissions of an arbitrary file by replacing the decompressed file with a hard link to the arbitrary file at a specific time. 3) gzip 1.2.4 Included before gunzip Is -N When decompressing a compressed file with a flag, there is a problem that the validity of the file name is not properly checked. (CAN-2005-1228) A remote attacker who exploits this issue ".." Send a compressed file that is a compressed file containing an intentional character string to the target user gzip Inducing a directory traversal attack by inducing unpacking with.Please refer to the “Overview” for the impact of this vulnerability. The 'zgrep' utility is reportedly affected by an arbitrary command-execution vulnerability. An attacker may execute arbitrary commands through zgrep command arguments to potentially gain unauthorized access to the affected computer. Note that this issue poses a security threat only if the arguments originate from a malicious source. This issue affects zgrep 1.2.4; other versions may be affected as well. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: gzip Directory Traversal Vulnerability SECUNIA ADVISORY ID: SA15047 VERIFY ADVISORY: http://secunia.com/advisories/15047/ CRITICAL: Less critical IMPACT: System access WHERE: >From remote SOFTWARE: gzip 1.x http://secunia.com/product/4220/ DESCRIPTION: Ulf H\xe4rnhammar has reported a vulnerability in gzip, which potentially can be exploited by malicious people to compromise a user's system. This makes it possible to have a file extracted to an arbitrary location outside the current directory via directory traversal attacks. The vulnerability has been reported in version 1.2.4, 1.2.4a, 1.3.3, 1.3.4 and 1.3.5. SOLUTION: Do not extract untrusted ".gz" files with the "-N" flag. PROVIDED AND/OR DISCOVERED BY: Ulf H\xe4rnhammar ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200505-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: gzip: Multiple vulnerabilities Date: May 09, 2005 Bugs: #89946, #90626 ID: 200505-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== gzip contains multiple vulnerabilities potentially allowing an attacker to execute arbitrary commands. The zgrep utility improperly sanitizes arguments, which may come from an untrusted source (CAN-2005-0758). Impact ====== These vulnerabilities could allow arbitrary command execution, changing the permissions of arbitrary files, and installation of files to an aribitrary location in the filesystem. Workaround ========== There is no known workaround at this time. Resolution ========== All gzip users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.3.5-r6" References ========== [ 1 ] CAN-2005-0758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758 [ 2 ] CAN-2005-0988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988 [ 3 ] CAN-2005-1228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200505-05.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ____________________________________________________________________________ Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2007.002 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.002 Advisory Published: 2007-01-05 21:58 UTC Issue Id (internal): OpenPKG-SI-20070105.01 Issue First Created: 2007-01-05 Issue Last Modified: 2007-01-05 Issue Revision: 04 ____________________________________________________________________________ Subject Name: bzip2 Subject Summary: Compression Tool Subject Home: http://www.bzip.org/ Subject Versions: * <= 1.0.3 Vulnerability Id: CVE-2005-0953, CVE-2005-0758 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: local system Attack Impact: manipulation of data, arbitrary code execution Description: Together with two portability and stability issues, two older security issues were fixed in the compression tool BZip2 [0], versions up to and including 1.0.3. References: [0] http://www.bzip.org/ ____________________________________________________________________________ Primary Package Name: bzip2 Primary Package Home: http://openpkg.org/go/package/bzip2 Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID bzip2-1.0.3-E1.0.1 OpenPKG Enterprise E1.0-SOLID openpkg-E1.0.2-E1.0.2 OpenPKG Community 2-STABLE-20061018 bzip2-1.0.4-2.20070105 OpenPKG Community 2-STABLE-20061018 openpkg-2.20070105-2.20070105 OpenPKG Community 2-STABLE bzip2-1.0.4-2.20070105 OpenPKG Community 2-STABLE openpkg-2.20070105-2.20070105 OpenPKG Community CURRENT bzip2-1.0.4-20070105 OpenPKG Community CURRENT openpkg-20070105-20070105 ____________________________________________________________________________ For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document. ____________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG GmbH <http://openpkg.com/> iD8DBQFFnrwRZwQuyWG3rjQRAgkdAJ9YBx7auj7ursOTj5M/78Kq3SlGlACfc0aV 2IRFnTk4CCJwa9FPgv1z7c0= =Iq2w -----END PGP SIGNATURE-----

Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address. IPSec Confidentiality when communicating (Confidentiality) Protection only, integrity (Integrity) A vulnerability has been discovered that occurs when protection is not set. ESP Keys used (AES , DES , Triple-DES) Occurs regardless of the version or key size. The vulnerability was encrypted IPSec For communication bit-flipping By using the technique IP header ( Source address, header length, protocol field ) It is abused by tampering with the data inside. After data has been tampered with, it is sent to the sender ICMP There is a possibility that the communication contents will be acquired by receiving the error message.IPSec As a result, it is possible that important information is acquired. A vulnerability affects certain configurations of IPSec. Reports indicate that these attacks may also potentially be possible against IPSec when AH is in use, but only under certain unspecified configurations. The reported attacks take advantage of the fact that no ESP packet payload integrity checks exist when ESP is configured in the vulnerable aforementioned manner. This issue may be leveraged by an attacker to reveal plaintext IP datagrams and potentially sensitive information. Information harvested in this manner may be used to aid in further attacks. This BID will be updated as further information is made available. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: HP Tru64 UNIX IPsec Tunnel ESP Mode Encrypted Data Disclosure SECUNIA ADVISORY ID: SA16401 VERIFY ADVISORY: http://secunia.com/advisories/16401/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: >From remote OPERATING SYSTEM: HP Tru64 UNIX 5.x http://secunia.com/product/2/ DESCRIPTION: HP has acknowledged a vulnerability in HP Tru64 UNIX, which can be exploited by malicious people to disclose certain sensitive information. The vulnerability affects the following supported versions: * HP Tru64 UNIX 5.1B-3 * HP Tru64 UNIX 5.1B-2/PK4 SOLUTION: Apply ERP kits. PROVIDED AND/OR DISCOVERED BY: NISCC ORIGINAL ADVISORY: HP SSRT5957: http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01217 NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Some configurations using AH to provide integrity protection are also vulnerable. Some configurations using AH to provide integrity protection are also vulnerable. Impact - - ------ If exploited, it is possible for an active attacker to obtain the plaintext version of the IPsec- protected communications using only moderate effort. Severity - - -------- This is rated as high. Summary - - ------- IP Security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer; IPsec has been deployed widely to implement Virtual Private Networks (VPNs). Some configurations using AH to provide integrity protection are also vulnerable. In these configurations, an attacker can modify sections of the IPsec packet, causing either the cleartext inner packet to be redirected or a network host to generate an error message. In the latter case, these errors are relayed via the Internet Control Message Protocol (ICMP); because of the design of ICMP, these messages directly reveal segments of the header and payload of the inner datagram in cleartext. An attacker who can intercept the ICMP messages can then retrieve plaintext data. The attacks have been implemented and demonstrated to work under realistic conditions. [Please note that revisions to this advisory will not be notified by email. All subscribers are advised to regularly check the UNIRAS website for updates to this notice.] Details - - ------- CVE number: CAN-2005-0039 IPsec consists of several separate protocols; these include: * Authentication Header (AH): provides authenticity guarantees for packets, by attaching strong cryptographic checksum to packets. * Encapsulating Security Payload (ESP): provides confidentiality guarantees for packets, by encrypting packets with encryption algorithms. ESP also provides optional authentication services for packets. * Internet Key Exchange (IKE): provide ways to securely negotiate shared keys. AH and ESP has two modes of use: transport mode and tunnel mode. However, without some form of integrity protection, CBC-mode encrypted data is vulnerable to modification by an active attacker. By making careful modifications to selected portions of the payload of the outer packet, an attacker can effect controlled changes to the header of the inner (encrypted) packet. The modified inner packet is subsequently processed by the IP software on the receiving security gateway or the endpoint host; the inner packet, in cleartext form, may be redirected or certain error messages may be produced and communicated by ICMP. Because of the design of ICMP, these messages directly reveal cleartext segments of the header and payload of the inner packet. If these messages can be intercepted by an attacker, then plaintext data is revealed. Attacks exploiting these vulnerabilities rely on the following: * Exploitation of the well-known bit flipping weakness of CBC mode encryption. * Lack of integrity protection for inner packets. * Interaction between IPsec processing and IP processing on security gateways and end hosts. These attacks can be fully automated so as to recover the entire contents of multiple IPsec-protected inner packets. Destination Address Rewriting * An attacker modifies the destination IP address of the encrypted (inner) packet by bit- flipping in the payload of the outer packet. * The security gateway decrypts the outer payload to recover the (modified) inner packet. * The gateway then routes the inner packet according to its (modified) destination IP address. * If successful, the "plaintext" inner datagram arrives at a host of the attacker's choice. 2. IP Options * An attacker modifies the header length of the encrypted (inner) packet by bit-flipping in the payload of the outer packet. * The security gateway decrypts the outer payload to recover the (modified) inner packet. * The gateway then performs IP options processing on the inner packet because of the modified header length, with the first part of the inner payload being interpreted as options bytes. * With some probability, options processing will result in the generation of an ICMP "parameter problem" message. * The ICMP message is routed to the now modified source address of the inner packet. * An attacker intercepts the ICMP message and retrieves the "plaintext" payload of the inner packet. 3. Protocol Field * An attacker modifies the protocol field and source address field of the encrypted (inner) packet by bit-flipping in the payload of the outer packet. * The security gateway decrypts the outer payload to recover the (modified) inner packet. * The gateway forwards the inner packet to the intended recipient. * The intended recipient inspects the protocol field of the inner packet and generates an ICMP "protocol unreachable" message. * The ICMP message is routed to the now modified source address of the inner packet. * An attacker intercepts the ICMP message and retrieves the "plaintext" payload of the inner packet. The attacks are probabilistic in nature and may need to be iterated many times in a first phase in order to be successful. Once this first phase is complete, the results can be reused to efficiently recover the contents of further inner packets. Naturally, the attacker must be able to intercept traffic passing between the security gateways in order to mount the attacks. For the second and third attacks to be successful, the attacker must be able intercept the relevant ICMP messages. Variants of these attacks in which the destination of the ICMP messages can be controlled by the attacker are also possible. Solution - - -------- Any of the following methods can be used to rectify this issue: 1. This is the recommended solution. 2. Use the AH protocol alongside ESP to provide integrity protection. However, this must be done carefully: for example, the configuration where AH in transport mode is applied end-to-end and tunnelled inside ESP is still vulnerable. 3. Remove the error reporting by restricting the generation of ICMP messages or by filtering these messages at a firewall or security gateway. Vendor Information - - ------------------ A list of vendors affected by this vulnerability is not currently available. Please visit the web site in order to check for updates. Credits - - ------- The NISCC Vulnerability Team would like to thank all vendors for their co-operation with the handling of this vulnerability. Contact Information - - ------------------- The NISCC Vulnerability Management Team can be contacted as follows: Email vulteam@niscc.gov.uk Please quote the advisory reference in the subject line Telephone +44 (0)870 487 0748 Ext 4511 Monday - Friday 08:30 - 17:00 Fax +44 (0)870 487 0749 Post Vulnerability Management Team NISCC PO Box 832 London SW1P 1BG We encourage those who wish to communicate via email to make use of our PGP key. This is available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop. Please note that UK government protectively marked material should not be sent to the email address above. If you wish to be added to our email distribution list please email your request to uniras@niscc.gov.uk. What is NISCC? - - -------------- For further information regarding the UK National Infrastructure Security Co-ordination Centre, please visit http://www.niscc.gov.uk/. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither shall NISCC accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. C 2005 Crown Copyright <End of NISCC Vulnerability Advisory> Acknowledgements UNIRAS wishes to acknowledge the contributions of NISCC Vulnerability Team for the information contained in this Briefing. Updates This advisory contains the information released by the original author. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem. Legal Disclaimer Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither UNIRAS or NISCC shall also accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. FIRST UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. SOLUTION: The vendor recommends configuring ESP to use both encryption and authentication (see vendor's advisory for more information)

Buffer overflow in Apple iTunes before 4.8 allows remote attackers to execute arbitrary code via a crafted MPEG4 file. This vulnerability was addressed in iTunes 4.8; all earlier versions are likely affected. Apple iTunes is a media player program. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: iTunes MPEG-4 File Parsing Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA15310 VERIFY ADVISORY: http://secunia.com/advisories/15310/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: iTunes 4.x http://secunia.com/product/2916/ DESCRIPTION: A vulnerability has been reported in iTunes, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the MPEG-4 file parsing and can be exploited to cause a buffer overflow via a specially crafted MPEG-4 file. Successful exploitation may allow execution of arbitrary code. SOLUTION: Update to version 4.8. http://www.apple.com/support/downloads/itunes48.html PROVIDED AND/OR DISCOVERED BY: The vendor credits Mark Litchfield of NGS Software. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=301596 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Keychain Access in Mac OS X 10.4.2 and earlier keeps a password visible even if a keychain times out while the password is being viewed, which could allow attackers with physical access to obtain the password. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities. The following vulnerabilities were addressed by the security update: - A misleading file ownership display, resulting in a false sense of security. - A software update failure, potentially resulting in a failure to install critical security fixes. - A group membership alteration issue, potentially resulting in unauthorized access due to a delayed changes to group membership. - An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout. - Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the displayed ownership with the actual ownership in all situations. This issue does not affect systems prior to Mac OS X v10.4. If all applicable updates have been marked in this way, Software Update will exit without providing an an opportunity to reset the status of these updates so that they may be installed. This update addresses the issue by asking whether the ignored updates list should be reset when this situation is encountered. This issue does not affect systems prior to Mac OS X v10.4. This may result in an authenticated user being able to access files or other resources even after they have been removed from a group. This issue does not affect systems prior to Mac OS X v10.4. If a keychain automatically locks due to a timeout while viewing a password stored inside it, that password will remain visible. This update patches Keychain Access so that passwords are hidden when keychains lock. This issue does not affect systems prior to Mac OS X v10.4. Credit to Eric Hall of DarkArt Consulting Services for reporting this issue. Kernel CVE-ID: CVE-2005-1126, CVE-2005-1406, CVE-2005-2752 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Kernel memory may be disclosed to local users Description: Certain kernel interfaces may return data that includes sensitive information in uninitialized memory. These issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of the FreeBSD team for reporting these issues. This is caused due to the password display not being hidden after timeout. An issue in the Software Update and another in the displaying of file and group permissions in the Finder Get Info Window have also been fixed. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=302763 OTHER REFERENCES: SA14959: http://secunia.com/advisories/14959/ SA15262: http://secunia.com/advisories/15262/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

An unspecified kernel interface in Mac OS X 10.4.2 and earlier does not properly clear memory before reusing it, which could allow attackers to obtain sensitive information, a different vulnerability than CVE-2005-1126 and CVE-2005-1406. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities. The following vulnerabilities were addressed by the security update: - A misleading file ownership display, resulting in a false sense of security. - A software update failure, potentially resulting in a failure to install critical security fixes. - A group membership alteration issue, potentially resulting in unauthorized access due to a delayed changes to group membership. - An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout. - Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the displayed ownership with the actual ownership in all situations. This issue does not affect systems prior to Mac OS X v10.4. If all applicable updates have been marked in this way, Software Update will exit without providing an an opportunity to reset the status of these updates so that they may be installed. This update addresses the issue by asking whether the ignored updates list should be reset when this situation is encountered. This issue does not affect systems prior to Mac OS X v10.4. This may result in an authenticated user being able to access files or other resources even after they have been removed from a group. This issue does not affect systems prior to Mac OS X v10.4. Keychain CVE-ID: CVE-2005-2739 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Keychain Access will continue displaying plaintext passwords after lock timeout Description: Keychain Access is a utility distributed with Mac OS X that is used to view keychain items and change keychain settings. If a keychain automatically locks due to a timeout while viewing a password stored inside it, that password will remain visible. This update patches Keychain Access so that passwords are hidden when keychains lock. This issue does not affect systems prior to Mac OS X v10.4. Credit to Eric Hall of DarkArt Consulting Services for reporting this issue. These issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of the FreeBSD team for reporting these issues. This is caused due to the password display not being hidden after timeout. An issue in the Software Update and another in the displaying of file and group permissions in the Finder Get Info Window have also been fixed. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=302763 OTHER REFERENCES: SA14959: http://secunia.com/advisories/14959/ SA15262: http://secunia.com/advisories/15262/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

memberd in Mac OS X 10.4 up to 10.4.2, in certain situations, does not quickly synchronize access control checks with changes in group membership, which could allow users to access files and other resources after they have been removed from a group. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities. The following vulnerabilities were addressed by the security update: - A misleading file ownership display, resulting in a false sense of security. - A software update failure, potentially resulting in a failure to install critical security fixes. - A group membership alteration issue, potentially resulting in unauthorized access due to a delayed changes to group membership. - An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout. - Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the displayed ownership with the actual ownership in all situations. This issue does not affect systems prior to Mac OS X v10.4. If all applicable updates have been marked in this way, Software Update will exit without providing an an opportunity to reset the status of these updates so that they may be installed. This update addresses the issue by asking whether the ignored updates list should be reset when this situation is encountered. This issue does not affect systems prior to Mac OS X v10.4. This issue does not affect systems prior to Mac OS X v10.4. Keychain CVE-ID: CVE-2005-2739 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Keychain Access will continue displaying plaintext passwords after lock timeout Description: Keychain Access is a utility distributed with Mac OS X that is used to view keychain items and change keychain settings. If a keychain automatically locks due to a timeout while viewing a password stored inside it, that password will remain visible. This update patches Keychain Access so that passwords are hidden when keychains lock. This issue does not affect systems prior to Mac OS X v10.4. Credit to Eric Hall of DarkArt Consulting Services for reporting this issue. Kernel CVE-ID: CVE-2005-1126, CVE-2005-1406, CVE-2005-2752 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Kernel memory may be disclosed to local users Description: Certain kernel interfaces may return data that includes sensitive information in uninitialized memory. These issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of the FreeBSD team for reporting these issues. This is caused due to the password display not being hidden after timeout. An issue in the Software Update and another in the displaying of file and group permissions in the Finder Get Info Window have also been fixed. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=302763 OTHER REFERENCES: SA14959: http://secunia.com/advisories/14959/ SA15262: http://secunia.com/advisories/15262/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Software Update in Mac OS X 10.4.2, when the user marks all updates to be ignored, exits without asking the user to reset the status of the updates, which could prevent important, security-relevant updates from being installed. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities. The following vulnerabilities were addressed by the security update: - A misleading file ownership display, resulting in a false sense of security. - A software update failure, potentially resulting in a failure to install critical security fixes. - A group membership alteration issue, potentially resulting in unauthorized access due to a delayed changes to group membership. - An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout. - Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the displayed ownership with the actual ownership in all situations. This issue does not affect systems prior to Mac OS X v10.4. This update addresses the issue by asking whether the ignored updates list should be reset when this situation is encountered. This issue does not affect systems prior to Mac OS X v10.4. This may result in an authenticated user being able to access files or other resources even after they have been removed from a group. This issue does not affect systems prior to Mac OS X v10.4. Keychain CVE-ID: CVE-2005-2739 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Keychain Access will continue displaying plaintext passwords after lock timeout Description: Keychain Access is a utility distributed with Mac OS X that is used to view keychain items and change keychain settings. If a keychain automatically locks due to a timeout while viewing a password stored inside it, that password will remain visible. This update patches Keychain Access so that passwords are hidden when keychains lock. This issue does not affect systems prior to Mac OS X v10.4. Credit to Eric Hall of DarkArt Consulting Services for reporting this issue. Kernel CVE-ID: CVE-2005-1126, CVE-2005-1406, CVE-2005-2752 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Kernel memory may be disclosed to local users Description: Certain kernel interfaces may return data that includes sensitive information in uninitialized memory. These issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of the FreeBSD team for reporting these issues. This is caused due to the password display not being hidden after timeout. An issue in the Software Update and another in the displaying of file and group permissions in the Finder Get Info Window have also been fixed. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=302763 OTHER REFERENCES: SA14959: http://secunia.com/advisories/14959/ SA15262: http://secunia.com/advisories/15262/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the Finder Get Info window for Mac OS X 10.4 up to 10.4.2 causes Finder to misrepresent file and group ownership information. NOTE: it is not clear whether this issue satisfies the CVE definition of a vulnerability. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities. The following vulnerabilities were addressed by the security update: - A misleading file ownership display, resulting in a false sense of security. - A software update failure, potentially resulting in a failure to install critical security fixes. - A group membership alteration issue, potentially resulting in unauthorized access due to a delayed changes to group membership. - An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout. - Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the displayed ownership with the actual ownership in all situations. This issue does not affect systems prior to Mac OS X v10.4. If all applicable updates have been marked in this way, Software Update will exit without providing an an opportunity to reset the status of these updates so that they may be installed. This update addresses the issue by asking whether the ignored updates list should be reset when this situation is encountered. This issue does not affect systems prior to Mac OS X v10.4. This may result in an authenticated user being able to access files or other resources even after they have been removed from a group. This issue does not affect systems prior to Mac OS X v10.4. Keychain CVE-ID: CVE-2005-2739 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Keychain Access will continue displaying plaintext passwords after lock timeout Description: Keychain Access is a utility distributed with Mac OS X that is used to view keychain items and change keychain settings. If a keychain automatically locks due to a timeout while viewing a password stored inside it, that password will remain visible. This update patches Keychain Access so that passwords are hidden when keychains lock. This issue does not affect systems prior to Mac OS X v10.4. Credit to Eric Hall of DarkArt Consulting Services for reporting this issue. Kernel CVE-ID: CVE-2005-1126, CVE-2005-1406, CVE-2005-2752 Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2 Impact: Kernel memory may be disclosed to local users Description: Certain kernel interfaces may return data that includes sensitive information in uninitialized memory. These issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of the FreeBSD team for reporting these issues. This is caused due to the password display not being hidden after timeout. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=302763 OTHER REFERENCES: SA14959: http://secunia.com/advisories/14959/ SA15262: http://secunia.com/advisories/15262/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The HTTP proxy service in Server Admin for Mac OS X 10.3.9 does not restrict access when it is enabled, which allows remote attackers to use the proxy. Mac OS X is prone to a remote security vulnerability

lukemftpd in Mac OS X 10.3.9 allows remote authenticated users to escape the chroot environment by logging in with their full name

Mac OS X 10.3.9, when using an LDAP server that does not use ldap_extended_operation, may store initial LDAP passwords for new accounts in plaintext. Mac OS X is prone to a local security vulnerability

Directory traversal vulnerability in the Bluetooth file and object exchange (OBEX) services in Mac OS X 10.3.9 allows remote attackers to read arbitrary files. Apple Mac OS X is prone to a directory-traversal vulnerability. This issue was initially reported in BID 13480 (Apple Mac OS X Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a new BID. Apple has supported Bluetooth devices since Mac OSX 10.2

AppKit in Mac OS X 10.3.9 allows attackers to cause a denial of service (Cocoa application crash) via a malformed TIFF image that causes the NXSeek to use an incorrect offset, leading to an unhandled exception

PHP-Nuke 7.6 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) ipban.php, (2) db.php, (3) lang-norwegian.php, (4) lang-indonesian.php, (5) lang-greek.php, (6) a request to Web_Links with the portuguese language (lang-portuguese.php), (7) a request to Web_Links with the indonesian language (lang-indonesian.php), (8) a request to the survey module with the indonesian language (lang-indonesian.php), (9) a request to the Reviews module with the portuguese language, or (10) a request to the Journal module with the portuguese language, which reveal the path in an error message. PHP-Nuke is prone to a information disclosure vulnerability

Mac OS X 10.3.x and earlier uses insecure permissions for a pseudo terminal tty (pty) that is managed by a non-setuid program, which allows local users to read or modify sessions of other users. Mac OS X is prone to a local security vulnerability

Apple Help Viewer 2.0.7 and 3.0.0 in Mac OS X 10.3.9 allows remote attackers to read and execute arbitrary scrpts with less restrictive privileges via a help:// URI. Apple Mac OS X is prone to a JavaScript execution vulnerability. This issue exists in the Help Viewer URI handler. A maliciously crafted JavaScript file loaded by the Help Viewer would be executed with local privileges. This issue was initially reported in BID 13480 (Apple Mac OS X Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a new BID. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have published advisories for 4 security vulnerabilities in Mac OS X that were addressed by Apple Security Update 2005-005, released today. <http://docs.info.apple.com/article.html?artnum=301528>. This email contains brief summaries of the problems. Full details can be found on my web site <http://remahl.se/david/vuln/>. Description: help: URI handler execution of JavaScripts with known paths vulnerability My name: DR004 <http://remahl.se/david/vuln/004/> CVE: CAN-2005-1337 [yes, cool, isn't it ;-)] Summary: The Help Viewer application allows JavaScript and is thus vulnerable to having scripts with arbitrary paths run with the privileges granted to file: protocol URIs. The files can be started with a URI on the form of help:///path/to/file.html. Combined with XMLHttpRequest's ability to disclose arbitrary files, this security bug becomes critcal. Description: Invisible characters in applescript: URL protocol messaging vulnerability My name: DR010 <http://remahl.se/david/vuln/010/> CVE: CAN-2005-1331 Summary: URL Protocol Messaging is a technique used by Script Editor to facilitate sharing of AppleScripts between users. By clicking a link (for example in a web forum), a user can create a new Script Editor document automatically, with text from the query string of the URI. This avoids problems with copying text from the web or manually typing code snippets. However, the technique can be used to trick users into running dangerous code (with embedded control characters), since insufficient input validation is performed. Description: Apple Terminal insufficient input sanitation of x-man- path: URIs vulnerability My name: DR011 <http://remahl.se/david/vuln/011/> CVE: CAN-2005-1342 Summary: Apple Terminal fails to properly sanitize the contents of x- man-path: URIs passed to it. This can lead to execution of arbitrary commands, aided by some of the escape sequences that Terminal supports. Description: Mac OS X terminal emulators allow reading and writing of window title through escape sequences My name: DR012 <http://remahl.se/david/vuln/012/> CVE: CAN-2005-1341 Summary: Apple Terminal (often referred to as Terminal.app) and xterm which both ship with current versions of Mac OS X are vulnerable to a well-known type of attack when displaying untrusted content. Using escape sequences and social engineering attacks it is in some cases possible to trick the user into performing arbitrary commands. I would like to acknowledge the willingness of Apple's Product Security team to cooperate with me in resolving these issues. CERT's assistance has also been helpful. / Regards, David Remahl -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFCd9mHFlFiDoclYIURAjgqAJ9mLbjrfJr17eenCK6qp5S6HXKzgACeIH+a PJwheHWkjnBAG4kNnAa/6QE= =iJNj -----END PGP SIGNATURE-----

Safari 1.3 allows remote attackers to cause a denial of service (application crash) via a long https URL that triggers a NULL pointer dereference. Safari is prone to a denial-of-service vulnerability