CVE-2004-0873
CVSS7.5
发布时间 :2004-12-23 00:00:00
修订时间 :2008-09-05 16:39:38
NMCOS    

[原文]Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execute arbitrary programs via a "link" that references the program.


[CNNVD]Apple iChat远程连接应用程序执行漏洞(CNNVD-200412-103)

        
        Apple iChat是一款视频聊天程序。
        Apple iChat的在处理'link'时存在问题,远程攻击者可以利用这个漏洞以进程权限执行任意本地系统命令。
        远程iChat用户可以发送恶意"link"连接,如果连接应用本地应用程序,那么指定的程序可能以进程权限执行任意本地系统命令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:apple:ichat_av:2.0
cpe:/a:apple:ichat:1.0.1
cpe:/a:apple:ichat_av:2.1Apple iChat AV 2.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0873
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0873
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-103
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/17420
(VENDOR_ADVISORY)  XF  ichatav-link-app-execute(17420)
http://lists.apple.com/archives/security-announce/2004/Sep/msg00001.html
(VENDOR_ADVISORY)  APPLE  APPLE-SA-2004-09-16

- 漏洞信息

Apple iChat远程连接应用程序执行漏洞
高危 设计错误
2004-12-23 00:00:00 2005-10-20 00:00:00
远程  
        
        Apple iChat是一款视频聊天程序。
        Apple iChat的在处理'link'时存在问题,远程攻击者可以利用这个漏洞以进程权限执行任意本地系统命令。
        远程iChat用户可以发送恶意"link"连接,如果连接应用本地应用程序,那么指定的程序可能以进程权限执行任意本地系统命令。
        

- 公告与补丁

        厂商补丁:
        Apple
        -----
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        For iChat AV v2.1
        =====================================
        下载文件名: "SecUpd2004-09-16Pan.dmg"
        SHA-1签字: 0ef503c5f8a655de740e50f324d7311a1be6fe70
        For iChat AV v2.0
        =====================================
        下载文件名: "SecUpd2004-09-16JagAV.dmg"
        SHA-1签字: 9175d92b2036d86be324de8fa386a781aabbe932
        For iChat v1.0.1
        =====================================
        下载文件名: "SecUpd2004-09-16Jag.dmg"
        SHA-1签字: 4b637f08b22b70bcb65a3767814c9b3826e2edb1

- 漏洞信息

10007
Apple iChat Link Handling Arbitrary Command Execution
Remote / Network Access Other
Loss of Integrity
Exploit Unknown

- 漏洞描述

Apple iChat contains a flaw that may allow a malicious user to execute arbitrary commands. The issue is triggered when a remote attacker sends a 'link' to an iChat particiant, which will run the application on the system with the user's privileges if the link is clicked. This flaw leads to a loss of integrity.

- 时间线

2004-09-16 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Apple iChat Remote Link Application Execution Vulnerability
Design Error 11207
Yes No
2004-09-17 12:00:00 2009-07-12 07:06:00
Discovery of this issue is credited to <aaron@vtty.com>.

- 受影响的程序版本

Apple iChat AV 2.1
+ Apple Mac OS X 10.3.5
+ Apple Mac OS X 10.3.4
+ Apple Mac OS X 10.3.3
+ Apple Mac OS X 10.3.2
+ Apple Mac OS X 10.3.1
+ Apple Mac OS X 10.3
Apple iChat AV 2.0
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X 10.2.7
+ Apple Mac OS X 10.2.6
+ Apple Mac OS X 10.2.5
+ Apple Mac OS X 10.2.4
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2
Apple iChat 1.0.1
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X 10.2.7
+ Apple Mac OS X 10.2.6
+ Apple Mac OS X 10.2.5
+ Apple Mac OS X 10.2.4
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2

- 漏洞讨论

Reportedly Apple iChat is vulnerable to a remote link application execution vulnerability. This issue is due to a design error that allows attacker to execute arbitrary commands through a vulnerable application.

An attacker can leverage this issue to execute arbitrary application on an unsuspecting user's computer. The impact of this issue may be increased when an attacker entices a victim to first download an application or has another means of placing an application on the victim's computer, and then exploits this issue to execute it.

- 漏洞利用

No exploit is required to leverage this issue.

- 解决方案

Apple has released Security Update 2004-09-16 dealing with this issue. Please see the referenced advisory for more information.


Apple iChat 1.0.1

Apple iChat AV 2.0

Apple iChat AV 2.1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站