CVE-2005-2748
CVSS 2.1
Published: 2005-10-25 18:06:00
Modified: 2008-09-05 16:52:35

[Original] The malloc function in the libSystem library in Apple Mac OS X 10.3.9 and 10.4.2 allows local users to overwrite arbitrary files by setting the MallocLogFile environment variable to the target file before running a setuid application.


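[CNNVD] Apple Mac OS X MallocStackLogging Local Arbitrary File Modification Vulnerability (CNNVD-200510-208)

        Mac OS X is the operating system used by Apple's family of computers.
        The malloc function in the libSystem library in Apple Mac OS X 10.3.9 and 10.4.2 allows local users to overwrite arbitrary files by setting the MallocLogFile environment variable to the target file before running a setuid application.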

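- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)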

cpe:/o:apple:mac_os_x:10.4.2    Apple Mac OS X 10.4.2
cpe:/o:apple:mac_os_x:10.3.9    Apple Mac OS X 10.3.9
cpe:/o:apple:mac_os_x_server:10.4.2    Apple Mac OS X Server 10.4.2
cpe:/o:apple:mac_os_x_server:10.3.9    Apple Mac OS X Server 10.3.9

- OVAL (technical details used for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2748
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2748
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-208
(Official data source) CNNVD

- Other links and resources

http://www.ciac.org/ciac/bulletins/p-312.shtml
(UNKNOWN)  CIAC  P-312
http://secunia.com/advisories/16920/
(VENDOR_ADVISORY)  SECUNIA  16920
http://www.auscert.org.au/5509
(VENDOR_ADVISORY)  AUSCERT  ESB-2005.0732
http://lists.apple.com/archives/security-announce/2005/Sep/msg00002.html
(VENDOR_ADVISORY)  APPLE  APPLE-SA-2005-09-22
http://www.suresec.org/advisories/adv7.pdf
(UNKNOWN)  MISC  http://www.suresec.org/advisories/adv7.pdf

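- Vulnerability information

Apple Mac OS X MallocStackLogging Local Arbitrary File Modification Vulnerability
Low severity    Design error
2005-10-25 00:00:00 2005-10-28 00:00:00
Local
        Mac OS X is the operating system used by Apple's family of computers.
        The malloc function in the libSystem library in Apple Mac OS X 10.3.9 and 10.4.2 allows local users to overwrite arbitrary files by setting the MallocLogFile environment variable to the target file before running a setuid application.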

- Advisories and patches

        The vendor has released upgrade patches to fix this security issue. Patch download links:
        Apple Mac OS X 10.3.9
        Apple SecUpd2005-008Pan.dmg
        http://www.apple.com/support/downloads/SecUpd2005-008Pan.dmg
        Apple Mac OS X Server 10.3.9
        Apple SecUpd2005-008Pan.dmg
        http://www.apple.com/support/downloads/SecUpd2005-008Pan.dmg
        Apple Mac OS X 10.4.2
        Apple SecUpd2005-008Ti.dmg
        http://www.apple.com/support/downloads/SecUpd2005-008Ti.dmg
        Apple Mac OS X Server 10.4.2
        Apple SecUpd2005-008Ti.dmg
        http://www.apple.com/support/downloads/SecUpd2005-008Ti.dmg

- Vulnerability information (F40249)

adv7.pdf (PacketStormID:F40249)
2005-09-26 00:00:00
Ilja van Sprundel  suresec.org
advisory,arbitrary,root
apple,osx
CVE-2005-2748

Suresec Security Advisory - The malloc() function on Mac OS X insecurely trusts a debug variable, regardless of the fact that the calling application may be suid root. This can result in an arbitrary file being overwritten, which can be used to escalate privileges.

- Vulnerability information

19706
Apple Mac OS X Application Memory Debugging MallocLogFile Variable Insecure File Creation
Local Access Required Race Condition
Loss of Integrity
Exploit Public

- Vulnerability description

Mac OS X contains a flaw that may allow a malicious local user to create and/or manipulate arbitrary files on the system. The issue is due to malloc reading the MallocLogFile environment variable when running suid executables, which allows any file on the system to be modified. It is possible for a user to use a symlink-style attack to manipulate arbitrary files, resulting in a loss of integrity.

- Timeline

2005-09-20 Unknown
2005-09-20 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch (Security Update 2005-008) to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Apple Mac OS X MallocStackLogging Local Arbitrary File Modification Vulnerability
Design Error 14939
No Yes
2005-09-22 12:00:00 2009-07-12 05:06:00
This issue was discovered by Ilja van Sprundel.

- Affected program versions

Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3

- Vulnerability discussion

Mac OS X is susceptible to a local arbitrary file modification vulnerability. This issue is due to insecure file handling in the 'malloc()' library for setuid applications.

This issue occurs due to insufficient checks in the memory allocation library, leading to local users being able to utilize the debugging features on setuid applications.

A local attacker could exploit this vulnerability to create, or append data to arbitrary files with superuser privileges. Depending on the purpose of the modified files, this may cause system crashes, or allow attackers to gain elevated privileges.

This issue was first described in BID 14914, but has been split into its own record due to further information availability.
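
The missing check described above, shown as an added defensive example (not code from this page and not Apple's fix): a library that opens a debug log named by an environment variable must refuse to do so in a setuid or setgid process. The function name open_debug_log and the variable name EXAMPLE_DEBUG_LOG are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* True when the process holds privileges its invoker lacks (setuid/setgid).
 * On Mac OS X and the BSDs, issetugid(2) answers the same question. */
static int runs_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical helper (an assumption of this example): open the debug log
 * named by the environment variable env_name. Returns a file descriptor,
 * or -1 when logging must stay off. Callers pass getuid(), geteuid(),
 * getgid(), getegid(); taking them as parameters keeps the policy testable. */
int open_debug_log(const char *env_name, uid_t ruid, uid_t euid,
                   gid_t rgid, gid_t egid)
{
    const char *path = getenv(env_name);
    if (path == NULL || *path == '\0')
        return -1;                       /* logging not requested */
    /* The environment belongs to the invoker. In a setuid or setgid
     * process it must never choose a file that is opened for writing. */
    if (runs_elevated(ruid, euid, rgid, egid))
        return -1;
    /* Defence in depth: refuse a symlink in the final path component,
     * never truncate, and create with owner-only permissions. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                  0600);
    if (fd < 0)
        return -1;
    /* Accept only a regular file owned by the effective user. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != euid) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_debug_log("EXAMPLE_DEBUG_LOG", getuid(), geteuid(),
                            getgid(), getegid());
    if (fd >= 0) close(fd);
}
```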

- Exploit

An exploit is not required.

- Solution

Apple has released advisory APPLE-SA-2005-09-22 and fixes to address these issues:


Apple Mac OS X 10.3.9

Apple Mac OS X Server 10.3.9

Apple Mac OS X 10.4.2

Apple Mac OS X Server 10.4.2
