OS X Server
operating system; other versions may also be affected.
Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
DETAILS
III. AFFECTED PRODUCTS
---------------------------
Apple Safari version 4.0.5 and prior
(Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server
v10.6.2 and later, Windows 7, Vista, XP SP2 and later, iPhone)
============
DragonFlyBSD 1.12.0 is the first BSD operating system to roll out a
solution to the IPv4 issue as part of the official version.
Apple MacOS X 10.5.2, MacOS X Server 10.5.2, Darwin 9.2
(all sharing the same kernel: xnu-1228.3.13)
=======================================================
Apple did NOT fix the predictable IP ID issue in its products
(in Leopard 10.5.2).
Hijacking Safari 4 Top Sites with Phish Bombs
II. VULNERABLE
-------------------------
Safari 4 all versions < 4.0.3
Platforms affected - Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X
v10.5.7, Mac OS X Server v10.5.7, Windows XP and Vista
III. BACKGROUND
-------------------------
Safari is a web browser developed by Apple Inc. It is the default browser in
Vendor: Apple Inc., http://www.apple.com
Affected Products: CoreServices Framework’s CarbonCore Framework
(Used by, e.g., Safari and Mail)
Affected Platforms:
Mac OS X v10.4.11
Mac OS X Server v10.4.11
Mac OS X v10.5.4
Mac OS X Server v10.5.4
Vulnerability: Arbitrary Code Execution (remote)
Risk: CRITICAL
________________________________________________________________________
data injection.
But it gets more interesting. Several other BSD operating systems
copied the OpenBSD code for their own IP ID PRNG, so they're
vulnerable too. This is particularly so with Apple's Mac OS X,
Mac OS X Server and Darwin, but also with NetBSD, FreeBSD and
DragonFlyBSD (the three latter OSes, however, only use this PRNG when
the kernel flag net.inet.ip.random_id is set to 1; it is 0 by
default, so a sequential counter is used instead...).
OpenBSD, NetBSD and FreeBSD also use this PRNG for the IP
fragmentation ID normalization feature (e.g. "scrub out random-
CVE Name: CVE-2008-1000
*Vulnerability Description*
MacOS X Server 10.5 [1], also known as Leopard Server, features a Wiki
Server [2], which is a multiuser web application written in Python. The
Wiki Server is vulnerable to a path traversal attack, which can be
exploited by non-privileged system users via a forged file upload to
write arbitrary files to locations in the server filesystem, restricted
only by the privileges of the Wiki Server application.
Dominic Chell of NGS Secure has discovered a High risk vulnerability in Mac OS X ImageIO. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
Versions affected include:
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Apple has released a patch that addresses the issue. The announcement of the patch can be found here:
http://support.apple.com/kb/HT4723
for this particular vulnerability would not work anymore.
(search for "CVE-2010-1752" here: http://support.apple.com/kb/ht4225)
But, thanks to our proofs of concept (client-side attacks), it was not
only possible to abuse the iPhone devices, but also any current Mac OS X
(Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through
v10.6.4, Mac OS X Server v10.6 through v10.6.4).
Fortunately, this week, Apple released many interesting security patches
for Mac OS X, and one of them will allow Mac end users to avoid those
kinds of client-side attacks and stack overflows against the CFNetwork
Dominic Chell of NGS Secure has discovered a high risk memory corruption vulnerability affecting the ImageIO rendering framework. Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution. This issue can be remotely (client-side) exploited through any application using the framework including Mail, Safari and QuickLook.
Versions affected include:
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Apple has released a patch that addresses these issues. The announcement of
this patch can be found here:
http://support.apple.com/kb/HT1222
Paul Harrington of NGS Secure has discovered a High risk vulnerability in Mac OS X Image RAW. Multiple buffer overflow issues existed in Image RAW's handling of Canon RAW images. Viewing a maliciously crafted Canon RAW image may result in an unexpected application termination or arbitrary code execution.
Versions affected include:
Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6 with RawCamera.bundle < 3.6
Apple has released patches that address the issue. The announcement of the patches can be found here:
http://support.apple.com/kb/DL1357
http://support.apple.com/kb/HT4581
Release Date: 28 June 2011
Reference: NGS00057
Discoverer: Dominic Chell <dominic.chell@ngssecure.com>
Vendor: Apple
Vendor Reference: 142522746
Systems Affected: Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6. This issue does not affect systems prior to Mac OS X v10.6
Risk: High
Status: Published
========
TimeLine
Date Reported: 2007/03/19
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Mac OS X xnu kernel <= version
8.10.1 (xnu-792.22.5~1)
Mac OS X v10.4 through v10.4.10,
Mac OS X Server v10.4 through v10.4.10
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.apple.com
Vendor Status: Vendor has released an updated version
CVE-ID: CVE-2007-4686
iDefense has confirmed the existence of this vulnerability in
OfficeFramework running on the following devices:
iPod Touch (iOS 3.1.3), iPad (iOS 3.2.1)
Apple has confirmed Mac OS X and Mac OS X Server v10.6 through v10.6.4
to be vulnerable.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue. There
Dominic Chell of NGS Secure has discovered a High risk vulnerability in Mac OS X ImageIO. An integer overflow issue exists in ImageIO's handling of JPEG-encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution.
Versions affected include:
Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6. This issue does not affect systems prior to Mac OS X v10.6
Apple has released a patch that addresses the issue. The announcement of this patch can be found here:
http://support.apple.com/kb/HT4581
forks, and they're quite broken - extended attribute support introduces
a serious memory leak.
If that doesn't quite hit home, you can get a further idea of how their
software is written by taking a look at the man page for sharing(1), on
OS X Server (for those of you without access to OS X Server, take a
look at
http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html
). Pay particular attention to the description for the -s, -g, and -i
options - do their developers (or tech writers) know the difference
between AND and OR? :)
iDefense has confirmed the existence of this vulnerability in
OfficeFramework running on the following devices:
iPod Touch (iOS 3.1.3), iPad (iOS 3.2.2)
Apple has reported Mac OS X and OS X Server 10.6 through 10.6.6
vulnerable.
V. WORKAROUND
iDefense is currently unaware of any workaround for this issue.