CVE-2005-2757
CVSS7.5
发布时间 :2005-11-30 21:07:00
修订时间 :2011-03-07 21:24:59
NMCOPS    

[原文]Heap-based buffer overflow in CoreFoundation in Mac OS X and OS X Server 10.4 through 10.4.3 allows remote attackers to execute arbitrary code via unknown attack vectors involving "validation of URLs."


[CNNVD]Mac OS X 和 OS X Server CoreFoundation 堆缓冲区溢出漏洞(CNNVD-200511-484)

        Apple Mac OS X和OS X Server都是苹果家族电脑所使用的操作系统。
        Mac OS X 和 OS X Server 10.4 直到 10.4.3版本的CoreFoundation 中存在堆缓冲区溢出漏洞,这允许远程攻击者通过"URLS的验证"的未知的攻击来执行任意的代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:apple:mac_os_x:10.3.9Apple Mac OS X 10.3.9
cpe:/o:apple:mac_os_x:10.3.1Apple Mac OS X 10.3.1
cpe:/o:apple:mac_os_x:10.4.2Apple Mac OS X 10.4.2
cpe:/o:apple:mac_os_x_server:10.3.5Apple Mac OS X Server 10.3.5
cpe:/o:apple:mac_os_x:10.4.1Apple Mac OS X 10.4.1
cpe:/o:apple:mac_os_x_server:10.4.1Apple Mac OS X Server 10.4.1
cpe:/o:apple:mac_os_x_server:10.4.3Apple Mac OS X Server 10.4.3
cpe:/o:apple:mac_os_x:10.3.3Apple Mac OS X 10.3.3
cpe:/o:apple:mac_os_x_server:10.4.2Apple Mac OS X Server 10.4.2
cpe:/o:apple:mac_os_x:10.4Apple Mac OS X 10.4
cpe:/o:apple:mac_os_x_server:10.3.3Apple Mac OS X Server 10.3.3
cpe:/o:apple:mac_os_x_server:10.3.4Apple Mac OS X Server 10.3.4
cpe:/o:apple:mac_os_x_server:10.4Apple Mac OS X Server 10.4
cpe:/o:apple:mac_os_x:10.3.6Apple Mac OS X 10.3.6
cpe:/o:apple:mac_os_x:10.3.2Apple Mac OS X 10.3.2
cpe:/o:apple:mac_os_x:10.3.8Apple Mac OS X 10.3.8
cpe:/o:apple:mac_os_x_server:10.3.1Apple Mac OS X Server 10.3.1
cpe:/o:apple:mac_os_x:10.3.4Apple Mac OS X 10.3.4
cpe:/o:apple:mac_os_x_server:10.3.2Apple Mac OS X Server 10.3.2
cpe:/o:apple:mac_os_x_server:10.3Apple Mac OS X Server 10.3
cpe:/o:apple:mac_os_x:10.3.7Apple Mac OS X 10.3.7
cpe:/o:apple:mac_os_x:10.3.5Apple Mac OS X 10.3.5
cpe:/o:apple:mac_os_x_server:10.3.8Apple Mac OS X Server 10.3.8
cpe:/o:apple:mac_os_x:10.3Apple Mac OS X 10.3
cpe:/o:apple:mac_os_x_server:10.3.7Apple Mac OS X Server 10.3.7
cpe:/o:apple:mac_os_x:10.4.3Apple Mac OS X 10.4.3
cpe:/o:apple:mac_os_x_server:10.3.6Apple Mac OS X Server 10.3.6
cpe:/o:apple:mac_os_x_server:10.3.9Apple Mac OS X Server 10.3.9

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2757
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2757
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-484
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/15647
(PATCH)  BID  15647
http://secunia.com/advisories/17813
(VENDOR_ADVISORY)  SECUNIA  17813
http://www.vupen.com/english/advisories/2005/2659
(UNKNOWN)  VUPEN  ADV-2005-2659
http://docs.info.apple.com/article.html?artnum=302847
(VENDOR_ADVISORY)  APPLE  APPLE-SA-2005-11-29
http://xforce.iss.net/xforce/xfdb/23329
(UNKNOWN)  XF  macos-corefoundation-url-bo(23329)
http://www.osvdb.org/21271
(UNKNOWN)  OSVDB  21271
http://securitytracker.com/id?1015285
(UNKNOWN)  SECTRACK  1015285

- 漏洞信息

Mac OS X 和 OS X Server CoreFoundation 堆缓冲区溢出漏洞
高危 缓冲区溢出
2005-11-30 00:00:00 2005-12-01 00:00:00
远程  
        Apple Mac OS X和OS X Server都是苹果家族电脑所使用的操作系统。
        Mac OS X 和 OS X Server 10.4 直到 10.4.3版本的CoreFoundation 中存在堆缓冲区溢出漏洞,这允许远程攻击者通过"URLS的验证"的未知的攻击来执行任意的代码。

- 公告与补丁

        暂无数据

- 漏洞信息 (F42016)

Apple Security Advisory 2005-11-29 (PacketStormID:F42016)
2005-12-02 00:00:00
Apple  apple.com
advisory,vulnerability
apple
CVE-2005-2088,CVE-2005-2700,CVE-2005-2757,CVE-2005-3185,CVE-2005-3700,CVE-2005-2969,CVE-2005-3701,CVE-2005-2491,CVE-2005-3702,CVE-2005-3703,CVE-2005-3705,CVE-2005-1993,CVE-2005-3704
[点击下载]

Apple Security Advisory - Apple has released a security update which addresses over a dozen vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-11-29 Security Update 2005-009

Security Update 2005-009 is now available and delivers the following
security enhancements:

Apache2
CVE-ID:  CVE-2005-2088
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact:  Cross-site scripting may be possible in certain
configurations
Description:  The Apache 2 web server may allow an attacker to bypass
protections using specially-crafted HTTP headers.  This behavior is
only present when Apache is used in conjunction with certain proxy
servers, caching servers, or web application firewalls.  This update
addresses the issue by incorporating Apache version 2.0.55.

apache_mod_ssl
CVE-ID:  CVE-2005-2700
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  SSL client authentication may be bypassed in certain
configurations
Description:  The Apache web server's mod_ssl module may allow an
attacker unauthorized access to a resource that is configured to
require SSL client authentication.  Only Apache configurations that
include the "SSLVerifyClient require" directive may be affected.
This update address the issue by incorporating mod_ssl 2.8.24 and
Apache version 2.0.55 (Mac OS X Server).

CoreFoundation
CVE-ID:  CVE-2005-2757
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  Resolving a maliciously-crafted URL may result in crashes or
arbitrary code execution
Description:  By carefully crafting a URL, an attacker can trigger a
heap buffer overflow in CoreFoundation which may result in a crash or
arbitrary code execution.  CoreFoundation is used by Safari and other
applications.  This update addresses the issue by performing
additional validation of URLs.  This issue does not affect systems
prior to Mac OS X v10.4.

curl
CVE-ID:  CVE-2005-3185
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  Visiting a malicious HTTP server and using NTLM
authentication may result in arbitrary code execution
Description:  Using curl with NTLM authentication enabled to download
an HTTP resource may allow an attacker to supply an overlong user or
domain name.  This may cause a stack buffer overflow and lead to
arbitrary code execution.  This update addresses the issue by
performing additional validation when using NTLM authentication.
This issue does not affect systems prior to Mac OS X v10.4.

iodbcadmintool
CVE-ID:  CVE-2005-3700
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Local users may gain elevated privileges
Description:  The ODBC Administrator utility includes a helper tool
called iodbcadmintool that executes with raised privileges.  This
helper tool contains a vulnerability that may allow local users to
execute arbitrary commands with raised privileges.  This update
addresses the issue by providing an updated iodbcadmintool that is
not susceptible.

OpenSSL
CVE-ID:  CVE-2005-2969
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Applications using OpenSSL may be forced to use the weaker
SSLv2 protocol
Description:  Applications that do not disable SSLv2 or that enable
certain compatibility options when using OpenSSL may be vulnerable to
a protocol downgrade attack.  Such attacks may cause an SSL
connection to use the SSLv2 protocol which provides less protection
than SSLv3 or TLS.  Further information on this issue is available at
http://www.openssl.org/news/secadv_20051011.txt.  This update
addresses the issue by incorporating OpenSSL version 0.9.7i.

passwordserver
CVE-ID:  CVE-2005-3701
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact:  Local users on Open Directory master servers may gain
elevated privileges
Description:  When creating an Open Directory master server,
credentials may be compromised.  This could lead to unprivileged
local users gaining elevated privileges on the server.  This update
addresses the issue by ensuring the credentials are protected.

Safari
CVE-ID:  CVE-2005-2491
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Processing a regular expressions may result in arbitrary
code execution
Description:  The JavaScript engine in Safari uses a version of the
PCRE library that is vulnerable to a potentially exploitable heap
overflow.  This may lead to the execution of arbitrary code.  This
update addresses the issue by providing a new version of the
JavaScript engine that incorporates more robust input validation.

Safari
CVE-ID:  CVE-2005-3702
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Safari may download files outside of the designated download
directory
Description:  When files are downloaded in Safari they are normally
placed in the location specified as the download directory.  However,
if a web site suggests an overlong filename for a download, it is
possible for Safari to create this file in other locations.  Although
the filename and location of the downloaded file content cannot be
directly specified by remote servers, this may still lead to
downloading content into locations accessible to other users.  This
update addresses the issue by rejecting overlong filenames.

Safari
CVE-ID:  CVE-2005-3703
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  JavaScript dialog boxes in Safari may be misleading
Description:  In Safari, JavaScript dialog boxes do not indicate the
web site that created them.  This could mislead users into
unintentionally disclosing information to a web site.  This update
addresses the issue by displaying the originating site name in
JavaScript dialog boxes.  Credit to Jakob Balle of Secunia Research
for reporting this issue.

Safari
CVE-ID:  CVE-2005-3705
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Visiting malicious web sites with WebKit-based applications
may lead to arbitrary code execution
Description:  WebKit contains a heap overflow that may lead to the
execution of arbitrary code.  This may be triggered by content
downloaded from malicious web sites in applications that use WebKit
such as Safari.  This update addresses the issue by removing the heap
overflow from WebKit.  Credit to Neil Archibald of Suresec LTD and
Marco Mella for reporting this issue.

sudo
CVE-ID:  CVE-2005-1993
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Local users may be able to gain elevated privileges in
certain sudo configurations
Description:  Sudo allows system administrators to grant users the
ability to run specific commands with elevated privileges.  Although
the default configuration is not vulnerable to this issue, custom
sudo configurations may not properly restrict users.  Further
information on this issue is available from:
http://www.sudo.ws/sudo/alerts/path_race.html
This update addresses the issue by incorporating sudo version
1.6.8p9.

syslog
CVE-ID:  CVE-2005-3704
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  System log entries may be forged
Description:  The system log server records syslog messages verbatim.
By supplying control characters such as the newline character, a
local attacker could forge entries with the intention to mislead the
system administrator.  This update addresses the issue by specially
handling control characters and other non-printable characters.  This
issue does not affect systems prior to Mac OS X v10.4.  Credit to
HELIOS Software GmbH for reporting this issue.

Additional Information

Also included in this update are enhancements to Safari to improve
handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X
v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X
v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac
OS X v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X
v10.4.3), and ServerMigration to remove unneeded privileges.

Security Update 2005-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.3
The download file is named:  "SecUpd2005-009Ti.dmg"
Its SHA-1 digest is:  544f51a7bc73a57dbca95e05693904aadb2f94b1

For Mac OS X Server v10.4.3
The download file is named:  "SecUpdSrvr2005-009Ti.dmg"
Its SHA-1 digest is:  b7620426151b8f1073c9ff73b2adf43b3086cc60

For Mac OS X v10.3.9
The download file is named:  "SecUpd2005-009Pan.dmg"
Its SHA-1 digest is:  ea17ad7852b3e6277f53c2863e51695ac7018650

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2005-009Pan.dmg"
Its SHA-1 digest is:  b03711729697ea8e6b683eb983343f2f3de3af13

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)

iQEVAwUBQ4zotIHaV5ucd/HdAQJiPAf/S7bsLZk3R7I8FBidCKQ/bxSxjhTFx8sK
vqsVFNDsXzv+tEa3IP58D8lI8lF94o+50p59qaPWxHzl4HxPVKlH4YCiBesYmVRp
FcGo0qbzj5wJzdWADPV+I8O+/CR5k8J35PuKDIzPabnO67nxoXc/DF6go50e5Hr9
Yqs2477ufq0ANd8wG9dF5pfcYwD8KRLfOmfJ9ZVhbG8Up0uO4JH71cTQZIFcKkYf
g6N9SCnqx5JqCwsRx85a8WuY1x97K3zqP53/bt4Wzi76VaaSaYj01nVywworTik4
YzOWOckJmWU9+66iby9mKY2mzz+u/vwtiMp577yT4y9FiSg6yp7mWQ==
=jnz9
-----END PGP SIGNATURE-----
   
    

- 漏洞信息

21271
Apple Mac OS X CoreFoundation Crafted URL Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- 漏洞描述

A remote overflow exists in Mac OS X. The CoreFoundation library fails to validate URLs resulting in a heap overflow. With a specially crafted URL, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2005-11-29 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Apple Mac OS X CoreFoundation Remote Buffer Overflow Vulnerability
Boundary Condition Error 16882
Yes No
2005-11-29 12:00:00 2008-05-06 02:55:00
Discovered by an unknown researcher.

- 受影响的程序版本

Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4

- 漏洞讨论

CoreFoundation is prone to a buffer-overflow vulnerability.

The issue presents itself when specially crafted URIs are handled.

A successful attack may result in a denial-of-service condition or remote unauthorized access because of arbitrary code execution in the context of the affected application.

NOTE: This issue was previously discussed in BID 15647 (Apple Mac OS X Security Update 2005-009 Multiple Vulnerabilities), but has been assigned its own record to better document the vulnerability.

- 漏洞利用

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 解决方案

Apple has released advisory APPLE-SA-2005-11-29, which includes fixes to address this issue. Please see the referenced advisory for more information.


Apple Mac OS X Server 10.4

Apple Mac OS X 10.4

Apple Mac OS X Server 10.4.1

Apple Mac OS X 10.4.1

Apple Mac OS X 10.4.2

Apple Mac OS X Server 10.4.2

Apple Mac OS X 10.4.3

Apple Mac OS X Server 10.4.3

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站