发布时间 :2005-06-13 00:00:00
修订时间 :2008-09-05 16:49:16

[原文]Dashboard in Apple Mac OS X 10.4.1 allows remote attackers to install widgets via Safari without prompting the user, a different vulnerability than CVE-2005-1933.

[CNNVD]Apple Mac OS X Safari Dashboard Widget绕过下载验证漏洞(CNNVD-200506-115)

        Apple Mac OS X 10.4.1中的Dashboard软件允许远程攻击者不提示用户名借助Safari安装widgets。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:apple:mac_os_x:10.4Apple Mac OS X 10.4
cpe:/o:apple:mac_os_x_server:10.4Apple Mac OS X Server 10.4
cpe:/o:apple:mac_os_x:10.4.1Apple Mac OS X 10.4.1

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(PATCH)  BID  13694
(PATCH)  APPLE  APPLE-SA-2005-05-19

- 漏洞信息

Apple Mac OS X Safari Dashboard Widget绕过下载验证漏洞
高危 设计错误
2005-06-13 00:00:00 2005-10-25 00:00:00
        Apple Mac OS X 10.4.1中的Dashboard软件允许远程攻击者不提示用户名借助Safari安装widgets。

- 公告与补丁

        Apple Mac OS X Server 10.4
        Apple MacOSXSvrUpdate10.4.1.dmg form=osx&method=sa/MacOSXSvrUpdate10.4.1.dmg
        Apple Mac OS X 10.4
        Apple MacOSXUpdate10.4.1.dmg form=osx&method=sa/MacOSXUpdate10.4.1.dmg

- 漏洞信息

Apple Mac OS X Dashboard Arbitrary Widget Injection
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Dashboard in combination with Safari in Mac OS X contains a flaw that may allow a remote attacker to inject arbitrary widgets. The issue is triggered when the 'Open "safe" files after downloading' option in Safari is enabled. It is possible that the flaw may allow a remote attacker to create a malicious web page that contains an embedded META tag to trigger Safari to download a malicious widget, which would be automatically installed under the /Library/Widgets or ~/Library/Widgets directory without any user intervention resulting in a loss of integrity.

- 时间线

2005-05-09 Unknow
2005-05-09 Unknow

- 解决方案

Upgrade to version 10.4.1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Disable the 'Open "safe" files after downloading' option in Safari.

- 相关参考

- 漏洞作者

- 漏洞信息

Apple Mac OS X Safari Dashboard Widget Download Validation Bypass Vulnerability
Design Error 13694
Yes No
2005-05-20 12:00:00 2009-07-12 02:56:00
Stephan Meyers is credited with the discovery of this issue.

- 受影响的程序版本

Apple Mac OS X Server 10.4
Apple Mac OS X 10.4
Apple Mac OS X Server 10.4.1
Apple Mac OS X 10.4.1

- 不受影响的程序版本

Apple Mac OS X Server 10.4.1
Apple Mac OS X 10.4.1

- 漏洞讨论

Apple Mac OS X is susceptible to a Safari download validation bypass vulnerability when downloading Dashboard widgets. This issue is due to Safari improperly considering Dashboard widgets to be "safe" content.

It is demonstrated that an attacker can cause Safari to automatically download, and then install widgets into the users '~/Library/Widgets' directory. This happens without user intervention or notification.

Reportedly, once widgets have been automatically installed via Safari, the normal validation required for widgets to gain access to system resources is skipped, allowing complete system access to the malicious widgets, however, this has not been confirmed by Symantec.

This issue allows remote attackers to install malicious code into the dashboard without user intervention or knowledge. This will likely result in malicious script, or machine code being executed in the context of the targeted user.

Mac OS X version 10.4 is vulnerable to this issue.

- 漏洞利用

The following Web sites contain proof of concept examples exploiting this vulnerability. Symantec cannot guarantee the safety, or contents of these Web sites:

- 解决方案

Apple has released advisory APPLE-SA-2005-05-19, along with fixes to address this and other issues. Please see the referenced advisory for more information.

Apple Mac OS X Server 10.4

Apple Mac OS X 10.4

- 相关参考