CVE-2005-1331
CVSS 5.1
Published: 2005-05-04 00:00:00
Last revised: 2011-03-07 21:21:38

[Original] The AppleScript Editor in Mac OS X 10.3.9 does not properly display script code for an applescript: URI, which can result in code that is different than the actual code that would be run, which could allow remote attackers to trick users into executing malicious code via certain URI characters such as NULL, control characters, and homographs.


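[CNNVD] Apple Mac OS X AppleScript Editor Code Obfuscation Vulnerability (CNNVD-200505-912)

        Apple Mac OS X is a BSD-based operating system used on Mac machines.
        A vulnerability exists in the way Apple Mac OS X handles AppleScript links; a remote attacker may exploit it to trick users into executing malicious code.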

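- CVSS (Base Score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]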

- CPE (Affected Platforms and Products)

cpe:/o:apple:mac_os_x:10.3.1  Apple Mac OS X 10.3.1
cpe:/o:apple:mac_os_x:10.3.9  Apple Mac OS X 10.3.9
cpe:/o:apple:mac_os_x_server:10.3.3  Apple Mac OS X Server 10.3.3
cpe:/o:apple:mac_os_x_server:10.3.4  Apple Mac OS X Server 10.3.4
cpe:/o:apple:mac_os_x:10.3.6  Apple Mac OS X 10.3.6
cpe:/o:apple:mac_os_x:10.3.2  Apple Mac OS X 10.3.2
cpe:/o:apple:mac_os_x_server:10.3.5  Apple Mac OS X Server 10.3.5
cpe:/o:apple:mac_os_x:10.3.8  Apple Mac OS X 10.3.8
cpe:/o:apple:mac_os_x_server:10.3.1  Apple Mac OS X Server 10.3.1
cpe:/o:apple:mac_os_x:10.3.4  Apple Mac OS X 10.3.4
cpe:/o:apple:mac_os_x_server:10.3.2  Apple Mac OS X Server 10.3.2
cpe:/o:apple:mac_os_x:10.3.3  Apple Mac OS X 10.3.3
cpe:/a:apple:applescript:2.0.0
cpe:/o:apple:mac_os_x_server:10.3  Apple Mac OS X Server 10.3
cpe:/o:apple:mac_os_x:10.3.7  Apple Mac OS X 10.3.7
cpe:/o:apple:mac_os_x_server:10.3.8  Apple Mac OS X Server 10.3.8
cpe:/o:apple:mac_os_x:10.3.5  Apple Mac OS X 10.3.5
cpe:/o:apple:mac_os_x_server:10.3.7  Apple Mac OS X Server 10.3.7
cpe:/o:apple:mac_os_x:10.3  Apple Mac OS X 10.3
cpe:/o:apple:mac_os_x_server:10.3.6  Apple Mac OS X Server 10.3.6
cpe:/o:apple:mac_os_x_server:10.3.9  Apple Mac OS X Server 10.3.9

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1331
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1331
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-912
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/13480
(PATCH)  BID  13480
http://secunia.com/advisories/15227
(PATCH)  SECUNIA  15227
http://lists.apple.com/archives/security-announce/2005/May/msg00001.html
(PATCH)  APPLE  APPLE-SA-2005-05-03
http://www.vupen.com/english/advisories/2005/0455
(UNKNOWN)  VUPEN  ADV-2005-0455
http://remahl.se/david/vuln/010/
(UNKNOWN)  MISC  http://remahl.se/david/vuln/010/

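- Vulnerability Information

Apple Mac OS X AppleScript Editor Code Obfuscation Vulnerability
Medium severity  Input validation
2005-05-04 00:00:00 2005-10-20 00:00:00
Remote
        Apple Mac OS X is a BSD-based operating system used on Mac machines.
        A vulnerability exists in the way Apple Mac OS X handles AppleScript links; a remote attacker may exploit it to trick users into executing malicious code.

- Advisories and Patches

        The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's website:
        Apple Mac OS X 10.3.9:
        http://www.apple.com/support/downloads/securityupdate2005005client.html
        Apple Mac OS X Server 10.3.9:
        http://www.apple.com/support/downloads/securityupdate2005005server.html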

- Vulnerability Information (F38718)

appleBad.txt (PacketStormID:F38718)
2005-07-15 00:00:00
 
advisory,vulnerability
apple,osx
CVE-2005-1337,CVE-2005-1331,CVE-2005-1342,CVE-2005-1341

4 security vulnerabilities surfaced for Mac OS X.

I have published advisories for 4 security vulnerabilities in Mac OS  
X that were addressed by Apple Security Update 2005-005, released  
today. <http://docs.info.apple.com/article.html?artnum=301528>.

This email contains brief summaries of the problems. Full details can  
be found on my web site <http://remahl.se/david/vuln/>.

Description: help: URI handler execution of JavaScripts with known  
paths vulnerability
My name: DR004 <http://remahl.se/david/vuln/004/>
CVE: CAN-2005-1337 [yes, cool, isn't it ;-)]
Summary: The Help Viewer application allows JavaScript and is thus  
vulnerable to having scripts with arbitrary paths run with the  
privileges granted to file: protocol URIs. The files can be started  
with a URI on the form of help:///path/to/file.html. Combined with  
XMLHttpRequest's ability to disclose arbitrary files, this security  
bug becomes critical.

Description: Invisible characters in applescript: URL protocol  
messaging vulnerability
My name: DR010 <http://remahl.se/david/vuln/010/>
CVE: CAN-2005-1331
Summary: URL Protocol Messaging is a technique used by Script Editor  
to facilitate sharing of AppleScripts between users. By clicking a  
link (for example in a web forum), a user can create a new Script  
Editor document automatically, with text from the query string of the  
URI. This avoids problems with copying text from the web or manually  
typing code snippets. However, the technique can be used to trick  
users into running dangerous code (with embedded control characters),  
since insufficient input validation is performed.

Description: Apple Terminal insufficient input sanitation of
x-man-path: URIs vulnerability
My name: DR011 <http://remahl.se/david/vuln/011/>
CVE: CAN-2005-1342
Summary: Apple Terminal fails to properly sanitize the contents of
x-man-path: URIs passed to it. This can lead to execution of arbitrary
commands, aided by some of the escape sequences that Terminal supports.

Description: Mac OS X terminal emulators allow reading and writing of  
window title through escape sequences
My name: DR012 <http://remahl.se/david/vuln/012/>
CVE: CAN-2005-1341
Summary: Apple Terminal (often referred to as Terminal.app) and xterm  
which both ship with current versions of Mac OS X are vulnerable to a  
well-known type of attack when displaying untrusted content. Using  
escape sequences and social engineering attacks it is in some cases  
possible to trick the user into performing arbitrary commands.

I would like to acknowledge the willingness of Apple's Product  
Security team to cooperate with me in resolving these issues. CERT's  
assistance has also been helpful.

/ Regards, David Remahl

- Vulnerability Information

16072
Apple Mac OS X AppleScript URI Spoofing Arbitrary Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

Mac OS X contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is triggered when the Script Editor application fails to display invisible characters in code which has been downloaded via an 'applescript:' URI. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-05-03 2005-02-18
2005-05-03 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- Vulnerability Information

Apple Mac OS X AppleScript Editor Code Obfuscation Vulnerability
Input Validation Error 13500
Yes No
2005-05-03 12:00:00 2009-07-12 02:06:00
Discovered by David Remahl <vuln@remahl.se>.

- Affected Software Versions

Dead Pirate Software SimpleCam 1.2
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Dead Pirate Software SimpleCam 1.3

- Unaffected Software Versions

Dead Pirate Software SimpleCam 1.3

- Vulnerability Discussion

Mac OS X AppleScript editor is prone to a code obfuscation vulnerability. Scripts created using the applescript: URI mechanism could display code differently than the actual code that will execute if it is downloaded, compiled, and run.

This issue was initially reported in BID 13480 (Apple Mac OS X Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a new BID.

- Exploit

A proof of concept is available at the following location:

http://remahl.se/david/vuln/010/demo.html

- Solution

Apple has released advisory (APPLE-SA-2005-05-03) to address this issue. Please see the referenced advisory for more information.


Dead Pirate Software SimpleCam 1.2

Apple Mac OS X 10.3.9

Apple Mac OS X Server 10.3.9
