SecurityTracker.com
SecurityTracker Archives

Category: OS (UNIX) > Mac OS X
Vendors: Apple Computer
Mac OS X Bugs Let Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1017942
SecurityTracker URL: http://securitytracker.com/id/1017942
CVE Reference: CVE-2007-0724, CVE-2007-0732, CVE-2007-0734, CVE-2007-0735, CVE-2007-0736, CVE-2007-0741, CVE-2007-0742, CVE-2007-0743, CVE-2007-0746, CVE-2007-0747
Date: Apr 20 2007
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.3.9, 10.4.9
Description:   Several vulnerabilities were reported in Mac OS X. A remote user can execute arbitrary code on the target system. A local user can execute arbitrary code with elevated privileges. A local user can capture console keystrokes.

The IOKit HID interface allows a local user to capture console keystrokes, including passwords and other potentially sensitive information [CVE-2007-0724]. Apple credits Andrew Garber of University of Victoria, Alex Harper, and Michael Evans with reporting this vulnerability.

Apple indicates that a fix for this HID vulnerability was included in the Mac OS X v10.4.9 update but was not delivered to all systems.

The CoreServices daemon allows a local user to send interprocess communications to its Mach task port [CVE-2007-0732]. This may allow a local user to execute arbitrary code with elevated privileges. Systems prior to Mac OS X v10.4 are not affected.

A remote user can create a specially crafted UFS disk image that, when processed by fsck, will trigger a memory corruption error and potentially execute arbitrary code [CVE-2007-0734].

Libinfo may not properly report errors to applications that use libinfo [CVE-2007-0735]. A remote user can create specially crafted HTML that, when loaded by the target user, will cause arbitrary code to be executed on the target user's system. Apple credits Landon Fuller of Three Rings Design with reporting this vulnerability.

If the portmap service is enabled, a remote user can trigger an integer overflow in the RPC library [CVE-2007-0736]. Apple credits the Mu Security Research Team with reporting this vulnerability.

If Internet Sharing is enabled, a remote user can send specially crafted RTSP packets to trigger a buffer overflow in 'natd' [CVE-2007-0741].

WebFoundation allows a cookie set by a subdomain to be accessed by the parent domain [CVE-2007-0742]. A remote user may be able to access potentially sensitive information. Systems prior to Mac OS X v10.4 are not affected. Apple credits Bradley Schwoerer of University of Wisconsin-Madison with reporting this vulnerability.
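The WebFoundation issue above is a cookie scoping failure: a cookie that belongs to a subdomain was being handed to the parent domain. The following is an added example, not WebFoundation or any other Apple code, showing the RFC 6265 domain-matching rule that prevents this. The host names, cookie names and values are constructed for the example.

```python
"""
Cookie scoping per RFC 6265: a cookie set by sub.example.com (host-only, or
with Domain=sub.example.com) must never be sent to example.com.
Added example, not Apple's WebFoundation implementation.
"""
from dataclasses import dataclass
from typing import List, Optional


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching: the host either equals the
    cookie domain or is a subdomain of it. A parent never matches a child."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if not cookie_domain:
        return False
    return host == cookie_domain or host.endswith("." + cookie_domain)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # effective domain after Set-Cookie processing
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def store_cookie(set_by_host: str, name: str, value: str,
                 domain_attr: Optional[str] = None) -> Cookie:
    """User-agent side of Set-Cookie (RFC 6265 section 5.3).

    Without a Domain attribute the cookie is host-only and belongs to exactly
    the host that set it. With one, the setting host must domain-match it:
    sub.example.com may deliberately scope a cookie to example.com, but
    example.com may not scope one to other.com.
    """
    set_by_host = set_by_host.lower()
    if domain_attr is None:
        return Cookie(name, value, set_by_host, host_only=True)
    if not domain_matches(set_by_host, domain_attr):
        raise ValueError(f"{set_by_host} may not set a cookie for {domain_attr}")
    return Cookie(name, value, domain_attr.lower().strip("."), host_only=False)


def should_send(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: a host-only cookie goes only to its exact host; a
    domain cookie goes to that domain and its subdomains. In neither case does
    a cookie scoped to sub.example.com reach example.com, which is the check
    CVE-2007-0742 describes as missing."""
    request_host = request_host.lower().rstrip(".")
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_matches(request_host, cookie.domain)


def cookie_header(jar: List[Cookie], request_host: str) -> str:
    """Build the Cookie request-header value for a request to request_host."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if should_send(c, request_host))


if __name__ == "__main__":
    # Constructed jar: three cookies all set by sub.example.com.
    jar = [
        store_cookie("sub.example.com", "session", "abc"),
        store_cookie("sub.example.com", "pref", "1", "sub.example.com"),
        store_cookie("sub.example.com", "shared", "x", "example.com"),
    ]
    for host in ("example.com", "sub.example.com", "deep.sub.example.com"):
        print(f"{host:25s} -> Cookie: {cookie_header(jar, host)!r}")
```

Only the cookie explicitly scoped to example.com by its setter reaches the parent; the host-only session cookie and the cookie scoped to sub.example.com stay with the subdomain and its children.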

URLMount passes the username and password information required to mount remote filesystems via SMB servers as command line arguments [CVE-2007-0743]. A local user may be able to obtain this information. Apple credits Daniel Ball of Pittsburgh Technical Institute, Geoff Franks of Hauptman Woodward Medical Research Institute, and Jamie Cox of Sophos Plc with reporting this vulnerability.
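The URLMount issue is the general problem of putting secrets in argv: every local user can read another process's command line through ps. The example below is added here and is not Apple's URLMount or mount_smb code. Its first function audits ps-style output for credential-looking arguments (the sample output and the regular expressions are constructed for this example and are heuristics, not a complete detector); its second shows the alternative the fix describes in spirit, delivering the secret to the child over a pipe instead of on the command line.

```python
"""
Detect credentials exposed on process command lines, and launch a child with
the secret on stdin instead. Added example, not Apple's code.
"""
import re
import subprocess
import sys
from typing import List, Tuple

# Heuristic patterns for secrets on a command line (chosen for this example,
# not an exhaustive list): a password option, or user:pass@ embedded in a URL
# or //user:pass@host share path.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?:^|\s)--?pass(?:word|wd)?[=\s]\S+", re.IGNORECASE),
    re.compile(r"(?:\w+:)?//[^/\s:@]+:[^/\s@]+@"),
]

# Constructed sample in `ps -eo pid,args` layout; not captured from a real host.
CONSTRUCTED_PS_OUTPUT = """\
  PID ARGS
  412 /sbin/launchd
  987 mount_smbfs //alice:hunter2@fileserver/share /Volumes/share
 1204 /usr/bin/ssh -l bob gateway
 1311 mysql -u root --password=S3cret! inventory
 1402 curl https://example.invalid/api
"""


def find_credential_args(ps_output: str) -> List[Tuple[int, str]]:
    """Return (pid, args) for every process whose argv matches a credential
    pattern. Anything reported here is readable by every local user."""
    hits: List[Tuple[int, str]] = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        line = line.strip()
        if not line:
            continue
        pid_str, _, args = line.partition(" ")
        if pid_str.isdigit() and any(p.search(args) for p in CREDENTIAL_PATTERNS):
            hits.append((int(pid_str), args))
    return hits


def run_with_secret_on_stdin(argv: List[str], secret: str) -> str:
    """Launch argv and deliver the secret over stdin rather than as an
    argument, so it never appears in the process table. Returns stdout."""
    result = subprocess.run(argv, input=secret.encode(), capture_output=True, check=True)
    return result.stdout.decode()


def demo_child_reads_secret(secret: str) -> int:
    """Spawn a Python child that reads the secret from stdin and reports only
    its length; the child's argv carries no credential at all."""
    child = [sys.executable, "-c", "import sys; print(len(sys.stdin.read()))"]
    return int(run_with_secret_on_stdin(child, secret).strip())


if __name__ == "__main__":
    for pid, args in find_credential_args(CONSTRUCTED_PS_OUTPUT):
        print(f"pid {pid}: credential visible on command line: {args}")
    print("child received", demo_child_reads_secret("hunter2"), "bytes over stdin")
```

On a live system, feed `find_credential_args` the output of `ps -eo pid,args`; the two constructed hits above are the share path with an embedded password and the explicit password option.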

A remote user can send a specially crafted SIP packet when initializing an audio/video conference to trigger a heap overflow in the VideoConference framework and execute arbitrary code on the target system [CVE-2007-0746].

When a WebDAV filesystem is mounted, the load_webdav program may not properly clean the environment [CVE-2007-0747]. A local user can create files or execute arbitrary commands with system privileges.
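Several fixes in this update (AFP Client, SMB, load_webdav, writeconfig calling launchctl, Login Window) come down to the same discipline: a program running with system privileges must not execute anything under an environment inherited from an unprivileged caller. The following is an added example, not Apple's code for any of those components, of how a launcher can build a clean environment. The allowlist, the fixed PATH and the tainted sample environment are choices made for this example.

```python
"""
Sanitise the environment before launching a privileged helper.
Added example; not the implementation of any Apple component named on this page.
"""
import os
import re
import subprocess
import sys
from typing import Dict, List, Optional

# Allowlist of variables a privileged helper may inherit (chosen for this
# example; a real helper would use the smallest set it actually needs).
ALLOWED_VARIABLES = {"TERM", "LANG", "LC_ALL", "TZ", "HOME", "USER", "LOGNAME"}
# Dynamic-linker controls: DYLD_* on Mac OS X, LD_* on Linux. Never inherited.
LOADER_PREFIXES = ("DYLD_", "LD_")
# Fixed search path; the caller's PATH is never trusted.
SAFE_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"
# Printable ASCII only: rejects embedded newlines and control characters.
_SAFE_VALUE = re.compile(r"^[\x20-\x7e]*$")


def clean_environment(inherited: Dict[str, str]) -> Dict[str, str]:
    """Build the environment a privileged helper should run with.

    Everything not on the allowlist is dropped (so IFS, ENV, BASH_ENV,
    PYTHONPATH, PERL5LIB and the like never reach the helper), loader
    variables are dropped even if someone later adds them to the allowlist,
    values with control characters are dropped, and PATH is replaced.
    """
    env: Dict[str, str] = {}
    for name, value in inherited.items():
        if name.startswith(LOADER_PREFIXES):
            continue
        if name not in ALLOWED_VARIABLES:
            continue
        if not _SAFE_VALUE.match(value):
            continue
        env[name] = value
    env["PATH"] = SAFE_PATH
    return env


def run_privileged_helper(argv: List[str],
                          inherited: Optional[Dict[str, str]] = None) -> str:
    """Run argv with a cleaned environment and return its stdout.

    argv[0] must be an absolute path so the program chosen never depends on
    PATH, cleaned or not.
    """
    if not os.path.isabs(argv[0]):
        raise ValueError("privileged helper must be invoked by absolute path")
    source = os.environ if inherited is None else inherited
    result = subprocess.run(argv, env=clean_environment(dict(source)),
                            capture_output=True, check=True)
    return result.stdout.decode()


def demo_helper_view(inherited: Dict[str, str]) -> str:
    """Spawn a Python child standing in for the helper and report what it
    sees, as 'PATH|<True if any loader variable survived>'."""
    probe = ("import os; print(os.environ.get('PATH', '') + '|' + "
             "str(any(k.startswith(('DYLD_', 'LD_')) for k in os.environ)))")
    return run_privileged_helper([sys.executable, "-c", probe], inherited).strip()


# Constructed example of a hostile caller environment (paths are made up).
TAINTED_ENVIRONMENT = {
    "PATH": "/tmp/example:/usr/bin:/bin",
    "DYLD_INSERT_LIBRARIES": "/tmp/example/inject.dylib",
    "LD_PRELOAD": "/tmp/example/inject.so",
    "IFS": "/",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8\nINJECTED=1",
    "HOME": "/Users/alice",
}

if __name__ == "__main__":
    print("cleaned:", clean_environment(TAINTED_ENVIRONMENT))
    print("helper sees:", demo_helper_view(TAINTED_ENVIRONMENT))
```

Of the seven tainted variables only TERM and HOME survive; LANG is rejected for its embedded newline, and PATH is replaced rather than filtered.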

Impact:   A local user can execute arbitrary code with elevated privileges.

A local user can capture console keystrokes.

A remote user can execute arbitrary code on the target system.

A remote user can obtain potentially sensitive information.

Solution:   Apple has released a fix for Mac OS X as part of Security Update 2007-004, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.4.9 (PowerPC) and Mac OS X Server v10.4.9 (PowerPC)
The download file is named: "SecUpd2007-004Ti.dmg"
Its SHA-1 digest is: 710afb28b12113a6b6570c36d4a87302cc5b4d8c

For Mac OS X v10.4.9 (Universal) and
Mac OS X Server v10.4.9 (Universal)
The download file is named: "SecUpd2007-004Univ.dmg"
Its SHA-1 digest is: 6d6c39a7068bfbf403da493f49ed23a5b10bc6bb

For Mac OS X v10.3.9
The download file is named: "SecUpd2007-004Pan.dmg"
Its SHA-1 digest is: 0ae26e2a2e9dfc68636993344bf33db13a28ea25

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-004Pan.dmg"
Its SHA-1 digest is: 1c7eb4f36bdd3cd3dc037a16f3cf63e977a7162e
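The digests above are only useful if someone actually compares them. The following added example (not part of the advisory or of any Apple tool) verifies a downloaded update file against the published table, streaming the file so a large disk image is never read into memory whole. The table is copied from the advisory text; the file contents used in the demo function are constructed.

```python
"""
Verify Security Update 2007-004 downloads against the published SHA-1 digests.
Added example, not Apple's code; EXPECTED_SHA1 is copied from the advisory.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Optional

EXPECTED_SHA1 = {
    "SecUpd2007-004Ti.dmg": "710afb28b12113a6b6570c36d4a87302cc5b4d8c",
    "SecUpd2007-004Univ.dmg": "6d6c39a7068bfbf403da493f49ed23a5b10bc6bb",
    "SecUpd2007-004Pan.dmg": "0ae26e2a2e9dfc68636993344bf33db13a28ea25",
    "SecUpdSrvr2007-004Pan.dmg": "1c7eb4f36bdd3cd3dc037a16f3cf63e977a7162e",
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 in 1 MiB blocks."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(path: str, expected: Optional[str] = None) -> bool:
    """Return True when the file's SHA-1 matches the published digest.

    With no explicit digest, the expected value is looked up by file name;
    an unknown name raises rather than silently passing.
    """
    if expected is None:
        name = os.path.basename(path)
        if name not in EXPECTED_SHA1:
            raise KeyError(f"no published digest for {name!r}")
        expected = EXPECTED_SHA1[name]
    return hmac.compare_digest(sha1_of_file(path), expected.strip().lower())


def demo_with_constructed_file(content: bytes, file_name: str,
                               expected: Optional[str] = None) -> bool:
    """Write constructed bytes under file_name in a temporary directory and
    verify them; stands in for a real download in this example."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, file_name)
        with open(path, "wb") as fh:
            fh.write(content)
        return verify_download(path, expected)


if __name__ == "__main__":
    import sys
    # Usage: python verify_update.py ~/Downloads/SecUpd2007-004Univ.dmg
    for arg in sys.argv[1:]:
        print(arg, "OK" if verify_download(arg) else "DIGEST MISMATCH")
```

Apple published SHA-1 for this 2007 update; the same check applies unchanged to vendors that publish SHA-256 by swapping `hashlib.sha1` for `hashlib.sha256`.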

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=305391

Vendor URL: docs.info.apple.com/article.html?artnum=305391
Cause: Access control error, Boundary error, Input validation error
Underlying OS:

Message History:   None.


Source Message Contents

Date:  Thu, 19 Apr 2007 10:18:17 -0700
Subject:  APPLE-SA-2007-04-19 Security Update 2007-004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-04-19 Security Update 2007-004

Security Update 2007-004 is now available and addresses the following
issues:

AFP Client
CVE-ID:  CVE-2007-0729
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  A local user may obtain system privileges
Description:  Under certain circumstances, AFP Client may execute
commands without properly cleaning the environment. This may allow a
local user to create files or execute commands with system
privileges. This update addresses the issue by cleaning the
environment prior to executing commands.

AirPort
CVE-ID:  CVE-2007-0725
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  A local user may be able to execute arbitrary code with
elevated privileges
Description:  A buffer overflow vulnerability exists in the
AirPortDriver module which processes control commands for AirPort. By
sending malformed control commands, a local user could trigger the
overflow which may lead to arbitrary code execution with elevated
privileges. This issue affects eMac, iBook, iMac, PowerBook G3,
PowerBook G4, and Power Mac G4 systems equipped with an original
AirPort card. This issue does not affect systems with the AirPort
Extreme card. This update addresses the issue by performing proper
bounds checking.

CarbonCore
CVE-ID:  CVE-2007-0732
Available for:  Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  A local user may be able to execute arbitrary code with
elevated privileges
Description:  The CoreServices daemon could allow a local user to
obtain a send right to its Mach task port, which may lead to
arbitrary code execution with elevated privileges. This update
addresses the issue through improved checks in the CoreServices
interprocess communication. This issue does not affect systems prior
to Mac OS X v10.4.

diskdev_cmds
CVE-ID:  CVE-2007-0734
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Opening a maliciously-crafted UFS disk image may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption vulnerability exists in fsck. It is
possible to cause fsck to be run automatically on a disk image when
it is opened. By enticing a user to open a maliciously-crafted disk
image, or to run fsck on any maliciously-crafted UFS filesystem, an
attacker could trigger the issue which may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of UFS
filesystems.

fetchmail
CVE-ID:  CVE-2006-5867
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  fetchmail may send passwords in plain text, even when
configured to use TLS
Description:  fetchmail is updated to version 6.3.6 to fix a
vulnerability that could allow authentication credentials to be sent
in plain text, despite being configured to use TLS. This issue is
described on the fetchmail web site at
http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt

ftpd
CVE-ID:  CVE-2006-6652
Available for:  Mac OS X v10.3.9, Mac OS X v10.4.9
Impact:  FTP operations by authenticated FTP users may lead to
arbitrary code execution
Description:  lukemftpd has been updated to version tnftpd 20061217
to address a buffer overflow vulnerability in the handling of
commands with globbing characters that could lead to arbitrary code
execution. This issue does not affect Mac OS X Server v10.3.9 or
Mac OS X Server v10.4.9. Credit to Kevin Finisterre of
DigitalMunition for reporting this issue.

GNU Tar
CVE-ID:  CVE-2006-0300
Available for:  Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Listing or extracting a maliciously-crafted tar archive
may lead to an unexpected application termination or arbitrary
code execution
Description:  A buffer overflow vulnerability exists in the handling
of PAX extended headers in GNU tar archives. By enticing a local user
to list or extract a maliciously-crafted tar archive, an attacker can
trigger the overflow which may lead to an unexpected application
termination or arbitrary code execution. This issue has been
addressed by performing additional validation of tar files. This
issue does not affect systems prior to Mac OS X 10.4.

Help Viewer
CVE-ID:  CVE-2007-0646
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Opening a help file with a maliciously-crafted name may
lead to an unexpected application termination or arbitrary code
execution
Description:  A format string vulnerability exists in the Help Viewer
application. By enticing a user to download and open a help file with
a maliciously-crafted name, an attacker can trigger the vulnerability
which may lead to an unexpected application termination or arbitrary
code execution. This has been described on the Month of Apple Bugs
web site (MOAB-30-01-2007). This update addresses the issue by
eliminating any format string processing of file names.

HID Family
CVE-ID:  CVE-2007-0724
Available for:  Mac OS X v10.4 through Mac OS X v10.4.9,
Mac OS X Server v10.4 through Mac OS X Server v10.4.9
Impact:  Console keyboard events are exposed to other users on the
local system
Description:  Insufficient controls in the IOKit HID interface allow
any logged in user to capture console keystrokes, including passwords
and other sensitive information. This update addresses the issue by
limiting HID device events to processes belonging to the current
console user. Credit to Andrew Garber of University of Victoria, Alex
Harper, and Michael Evans for reporting this issue. This fix was
originally distributed via the Mac OS X v10.4.9 update. Due to a
packaging issue, it may not have been delivered to all systems. This
update redistributes the fix in order to reach all affected systems.

Installer
CVE-ID:  CVE-2007-0465
Available for:  Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Opening an installer package with a maliciously-crafted
name may lead to an unexpected application termination or
arbitrary code execution
Description:  A format string vulnerability exists in the Installer
application. By enticing a user to download and install an installer
package with a maliciously-crafted file name, an attacker can trigger
the vulnerability which may lead to an unexpected application
termination or arbitrary code execution. This issue has been
described on the Month of Apple Bugs web site (MOAB-26-01-2007).
This update addresses the issue by eliminating any format string
processing of file names. This issue does not affect systems prior
to Mac OS X v10.4.

Kerberos
CVE-ID:  CVE-2006-6143
Available for:  Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Running the Kerberos administration daemon may lead to
an unexpected application termination or arbitrary code
execution with system privileges
Description:  An uninitialized function pointer vulnerability exists
in the MIT Kerberos administration daemon (kadmind), which may lead
to an unexpected application termination or arbitrary code execution
with system privileges. Further information on the issue and the
patch applied is available via the MIT Kerberos website at
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-002-rpc.txt
This issue does not affect systems prior to Mac OS X v10.4. Credit to
the MIT Kerberos Team and an anonymous researcher working with
iDefense for reporting this issue.

Kerberos
CVE-ID:  CVE-2007-0957
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Running the Kerberos administration daemon or the KDC may
lead to an unexpected application termination or arbitrary code
execution with system privileges
Description:  A stack buffer overflow vulnerability exists in the MIT
Kerberos administration daemon (kadmind), as well as the KDC, which
may lead to an unexpected application termination or arbitrary code
execution with system privileges. Further information on the issue
and the patch applied is available via the MIT Kerberos website at
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
Credit to the MIT Kerberos Team for reporting this issue.

Kerberos
CVE-ID:  CVE-2007-1216
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Running the Kerberos administration daemon may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description:  A double-free vulnerability exists in the GSS-API
library used by the MIT Kerberos administration daemon
(kadmind), which may lead to an unexpected application
termination or arbitrary code execution with system privileges.
Further information on the issue and the patch applied is
available via the MIT Kerberos website at
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
Credit to the MIT Kerberos Team for reporting this issue.

Libinfo
CVE-ID:  CVE-2007-0735
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Visiting malicious websites may lead to an unexpected
application termination or arbitrary code execution
Description:  In some cases, Libinfo does not correctly report errors
to applications that use it. By enticing a user to visit a
maliciously-crafted web page, an attacker can cause a previously
deallocated object to be accessed, which may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing appropriate error reporting in
Libinfo. Credit to Landon Fuller of Three Rings Design for reporting
this issue.

Libinfo
CVE-ID:  CVE-2007-0736
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Remote attackers may be able to cause a denial of service or
arbitrary code execution if the portmap service is enabled
Description:  An integer overflow vulnerability exists in the RPC
library. By sending maliciously-crafted requests to the portmap
service, a remote attacker can trigger the overflow which may lead to
a denial of service or arbitrary code execution as the 'daemon' user.
This update addresses the issue by performing additional validation
of portmap requests. Credit to the Mu Security Research Team for
reporting this issue.

Login Window
CVE-ID:  CVE-2007-0737
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  A local user may obtain system privileges
Description:  Login Window does not sufficiently check its
environment variables. This could allow a local user to execute
arbitrary code with system privileges. This update addresses the
issue through improved validation of Login Window environment
variables.

Login Window
CVE-ID:  CVE-2007-0738
Available for:  Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  The screen saver authentication dialog may be bypassed
Description:  Under certain conditions, the user's preference to
"require a password to wake the computer from sleep" is ignored, and
a password is not required to wake from sleep. This update addresses
the issue through improved handling of this preference.

Login Window
CVE-ID:  CVE-2007-0739
Available for:  Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  The loginwindow authentication dialog may be bypassed
Description:  Under certain conditions, the software update window
may appear beneath the Login Window. This could allow a person with
physical access to the system to log in without authentication. This
update addresses the issue by only running scheduled tasks after the
user login. This issue does not affect systems prior to
Mac OS X v10.4.

network_cmds
CVE-ID:  CVE-2007-0741
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Remote attackers may be able to cause a denial of service or
arbitrary code execution if Internet Sharing is enabled
Description:  A buffer overflow vulnerability exists in the handling
of RTSP packets in natd. By sending malformed RTSP packets, a remote
attacker may be able to trigger the overflow which may lead to
arbitrary code execution. This issue only affects users who have
Internet Sharing enabled. This update addresses the issue by
performing additional validation of rtsp packets.

SMB
CVE-ID:  CVE-2007-0744
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  A local user may obtain system privileges
Description:  Under certain circumstances, SMB may execute commands
without properly cleaning the environment. This may allow a local
user to create files or execute commands with system privileges. This
update addresses the issue by cleaning the environment prior to
executing commands.

System Configuration
CVE-ID:  CVE-2007-0022
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Local admin users may execute arbitrary code with system
privileges without authentication
Description:  Admin users have the ability to alter system
preferences through the writeconfig utility. When the writeconfig
utility launches the launchctl utility, it does not clean the
environment inherited from the user. This could allow arbitrary code
execution with system privileges without authentication. This issue
has been described on the Month of Apple Bugs web site
(MOAB-21-01-2007). This update addresses the issue by cleaning the
environment before calling the launchctl utility.

URLMount
CVE-ID:  CVE-2007-0743
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  A local user may obtain other users' authentication
credentials
Description:  The username and password used to mount remote
filesystems through connections to SMB servers are passed to the
mount_smb command as command line arguments, which may expose them to
other local users. This update addresses the issue by securely
passing the authentication credentials to the mount_smb command.
Credit to Daniel Ball of Pittsburgh Technical Institute, Geoff Franks
of Hauptman Woodward Medical Research Institute, and Jamie Cox of
Sophos Plc for reporting this issue.

VideoConference
CVE-ID:  CVE-2007-0746
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  Remote attackers may be able to cause an unexpected
application termination or arbitrary code execution if iChat is
running.
Description:  A heap buffer overflow vulnerability exists in the
VideoConference framework. By sending a maliciously-crafted SIP
packet when initializing an audio/video conference, an attacker can
trigger the overflow which may lead to arbitrary code execution. This
update addresses the issue by performing additional validation of SIP
packets.

WebDAV
CVE-ID:  CVE-2007-0747
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact:  A local user may obtain system privileges
Description:  When mounting a WebDAV filesystem, the load_webdav
program may be launched without properly cleaning the environment.
This may allow a local user to create files or execute commands with
system privileges. This update addresses the issue by cleaning the
environment prior to executing commands.

WebFoundation
CVE-ID:  CVE-2007-0742
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Cookies set by subdomains may be accessible to the parent
domain
Description:  An implementation issue allows cookies set by
subdomains to be accessible to the parent domain, which may lead to
the disclosure of sensitive information. This update addresses the
issue by performing additional validation of the domain to which a
cookie is being sent. This issue does not affect systems running
Mac OS X v10.4. Credit to Bradley Schwoerer of University of
Wisconsin-Madison for reporting this issue.

Security Update 2007-004 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.9 (PowerPC) and Mac OS X Server v10.4.9 (PowerPC)
The download file is named:  "SecUpd2007-004Ti.dmg"
Its SHA-1 digest is:  710afb28b12113a6b6570c36d4a87302cc5b4d8c

For Mac OS X v10.4.9 (Universal) and
Mac OS X Server v10.4.9 (Universal)
The download file is named:  "SecUpd2007-004Univ.dmg"
Its SHA-1 digest is:  6d6c39a7068bfbf403da493f49ed23a5b10bc6bb

For Mac OS X v10.3.9
The download file is named:  "SecUpd2007-004Pan.dmg"
Its SHA-1 digest is:  0ae26e2a2e9dfc68636993344bf33db13a28ea25

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2007-004Pan.dmg"
Its SHA-1 digest is:  1c7eb4f36bdd3cd3dc037a16f3cf63e977a7162e

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.3 (Build 2932)

iQEVAwUBRieZComzP5/bU5rtAQjNfwgA2y9xjLvnXUSXUhF+q6HyNltAtwFng+R3
0JELa0mF9DGrVe/h/cxFfjA22KZdGXg/2VoBVuuLjg9xr3O+ZHQXyXw8Yy8/lY1A
GXYs7LVgTuXhr6XqPNIR0Be0ambugZXQBe2ZlpgrBVzYPYLOypEejTOsx/3LAY9N
qt5hVJgZ2zR4j1vHV2w7tOERCk/oVBuTp7XIvrJ/xopoxBXlUmKPXDHDnff4dTIL
MofXfzZv53Z5l8eRePVpkZRV7d6NCjQWb7zQCt3JUzioArxFPPhGJ/WgTRgU19j1
OHof/M6M/iF324JTI/ZbvXJNGsLj1YpyY8ftPtSzSKjG+H9Ev7bq+w==
=Wg1M
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 


Copyright 2014, SecurityGlobal.net LLC