CVE-2004-0486
CVSS 7.6
Published: 2004-07-07 00:00:00
Last revised: 2008-09-05 16:38:32

[Original] HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did not initiate, which can allow attackers to execute arbitrary code, an issue that was originally reported as a directory traversal vulnerability in the Safari web browser using the runscript parameter in a help: URI handler.


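[CNNVD] Apple Mac OS X Help Protocol Remote Code Execution Vulnerability (CNNVD-200407-027)

        Mac OS X is an operating system used on Mac computers, based on BSD.
        The implementation of the 'help:' protocol in the Mac OS X help application is flawed; a remote attacker can exploit this vulnerability to execute arbitrary commands on the system with the privileges of the current process.
        The 'help:' protocol can be invoked remotely through the Safari web browser. Because Mac OS X's handling of the 'help:' protocol is flawed, an attacker can construct a malicious link, entice a user to visit it, and have script code executed through the help application. According to reports, executing arbitrary code this way requires relatively little user interaction. Successful exploitation allows unauthorized access to an affected system.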

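- CVSS (base score)

CVSS score: 7.6 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: HIGH [specific access conditions exist for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]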

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x:10.3.1  Apple Mac OS X 10.3.1
cpe:/o:apple:mac_os_x_server:10.3.3  Apple Mac OS X Server 10.3.3
cpe:/o:apple:mac_os_x_server:10.3.2  Apple Mac OS X Server 10.3.2
cpe:/o:apple:mac_os_x:10.3.3  Apple Mac OS X 10.3.3
cpe:/o:apple:mac_os_x_server:10.3  Apple Mac OS X Server 10.3
cpe:/o:apple:mac_os_x:10.3.2  Apple Mac OS X 10.3.2
cpe:/o:apple:mac_os_x:10.3  Apple Mac OS X 10.3
cpe:/o:apple:mac_os_x_server:10.3.1  Apple Mac OS X Server 10.3.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0486
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0486
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200407-027
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/578798
(VENDOR_ADVISORY)  CERT-VN  VU#578798
http://www.securityfocus.com/bid/10356
(VENDOR_ADVISORY)  BID  10356
http://secunia.com/advisories/11622/
(VENDOR_ADVISORY)  SECUNIA  11622
http://xforce.iss.net/xforce/xfdb/16166
(VENDOR_ADVISORY)  XF  macos-runscript-code-execution(16166)
http://www.fundisom.com/owned/warning
(VENDOR_ADVISORY)  MISC  http://www.fundisom.com/owned/warning
http://lists.apple.com/mhonarc/security-announce/msg00053.html
(UNKNOWN)  APPLE  APPLE-SA-2004-05-21
http://www.osvdb.org/6184
(UNKNOWN)  OSVDB  6184
http://securitytracker.com/id?1010167
(UNKNOWN)  SECTRACK  1010167
http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0837.html
(UNKNOWN)  FULLDISC  20040516 Vuln. MacOSX/Safari: Remote help-call, execute scripts

- Vulnerability information

Apple Mac OS X Help Protocol Remote Code Execution Vulnerability
High risk  Access validation error
2004-07-07 00:00:00 2005-10-20 00:00:00
Remote
        
        

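- Advisories and patches

        Vendor patch:
        Apple
        -----
        The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:

        http://www.apple.com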

- Vulnerability information (24121)

Apple Mac OS X 10.3.x Help Protocol Remote Code Execution Vulnerability (EDBID:24121)
osX remote
2004-05-17 Verified
0 Troels Bay
N/A
source: http://www.securityfocus.com/bid/10356/info

It has been reported that Mac OS X may be prone to a vulnerability that could allow a remote attacker to execute arbitrary script code on a vulnerable system. 

The issue presents itself due to the 'help:' protocol implemented by the Mac OS X help application. It has been reported that the 'help:' protocol can be invoked remotely by the Safari web browser. This could allow an attacker to craft a malicious link and entice a user to follow the link in order to execute script code via the help application. It has been reported that this issue can be exploited to execute arbitrary code with minimal user interaction. Reportedly, an attacker can exploit this issue by simply enticing a user to visit a malicious site.

An attacker can also use HTML email as an attack vector to exploit this vulnerability. For example, an attacker can embed HTML into Apple Mail and send it as a link to a vulnerable user. If the user follows the link, script code will be executed.

Successful exploitation of this issue may allow a remote attacker to gain unauthorized access to a vulnerable system in the context of an affected user.

Mac OS X 10.3 is reported to be prone to this issue, however, it is possible that prior versions are affected as well. Other web browsers that support the 'help:' protocol may also present an attack vector for this issue.

help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt

The following proof of concept is available as well:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt%20string=%27usr: bin:du%27">Click to go to your next message</a><br>
</body>
</html>
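
A defensive check for the link pattern described above, as an added example that is not part of the advisory or of any vendor tool: it scans HTML from a web page or mail body for 'help:' links, rejoins attribute values wrapped across lines, and reports use of the runscript parameter and '../' traversal. The sample input and its script names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that can carry a URL; "content" covers <meta http-equiv="refresh">.
URL_ATTRS = {"href", "src", "action", "content"}
HELP_RE = re.compile(r"(?:\d+\s*;\s*url\s*=\s*)?['\"]?(help:.*)", re.I)

def classify(uri):
    """Reasons a help: URI deserves attention (empty list = none found)."""
    body = unquote(uri)[len("help:"):].lower()
    checks = {"runscript": "runscript=" in body,
              "traversal": "../" in body or "..\\" in body}
    return [name for name, hit in checks.items() if hit]

class HelpLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, normalised URI, reasons)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Browsers drop tabs and newlines inside a URL, so rejoin a
            # wrapped attribute value before matching the scheme.
            url = re.sub(r"[\t\r\n]", "", value).strip()
            m = HELP_RE.match(url)
            if m:
                uri = m.group(1).rstrip("'\"")
                self.findings.append((tag, uri, classify(uri)))

def scan_html(html):
    finder = HelpLinkFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample (script names are placeholders, not real files).
SAMPLE = """<html><body>
<a href="help:runscript=../../Scripts/Example.scpt">one</a>
<a
 href="HELP:runscript=Example.help/Contents/Resourc
es/example.scpt%20string=%27x%27">two</a>
<meta http-equiv="refresh" content="0;url=help:runscript=%2e%2e/Example.scpt">
<a href="https://example.com/help:runscript=x">benign</a>
</body></html>"""

if __name__ == "__main__":
    print(*scan_html(SAMPLE), sep="\n")
```

Any 'help:' link arriving in remote content is worth reviewing even when the reasons list is empty, since the scheme is meant to be invoked locally.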

- Vulnerability information

6184
Apple Mac OS X Help URI Script Execution
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

Apple Mac OSX contains a flaw that may allow a malicious website to execute arbitrary commands on the vulnerable host. The issue is triggered when a user clicks a specially formed URI. It is possible that the flaw may allow arbitrary commands to be executed resulting in a loss of integrity, and/or availability.

- Timeline

2004-05-14 2004-02-23
2004-05-15 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch/update (2004-06-07) to address this vulnerability.

- Vulnerability information

Apple Mac OS X Help Protocol Remote Code Execution Vulnerability
Access Validation Error 10356
Yes No
2004-05-17 12:00:00 2009-07-12 04:07:00
Discovery is credited to Troels Bay <troelsbay@troelsbay.dk>. Email attack vector information was provided by Jose Commins <axora@myrealbox.com>.

- Affected software versions

Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3



- Solution

Apple has included a fix for this vulnerability in security update 2004-05-24. See referenced advisory for more information.


Apple Mac OS X Server 10.3.3

Apple Mac OS X 10.3.3
