Apple has released security updates to address thirteen vulnerabilities identified in Mac OS X. These flaws could be exploited by remote or local attackers to execute arbitrary commands, bypass security restrictions and conduct cross site scripting attacks.
The first issue is due to an error in the Apache 2 web server when processing HTTP requests containing both "Transfer-Encoding: chunked" and "Content-Length" headers, which could be exploited by malicious people to conduct cross site scripting attacks. For additional information, see : FrSIRT/ADV-2005-2140
The second vulnerability is due to an error in the "SSLVerifyClient" directive of "apache_mod_ssl" that does not properly validate client certificates, which could be exploited by remote attackers to bypass security restrictions and gain access, without a valid client certificate, to protected contents. For additional information, see : FrSIRT/ADV-2005-1625
The third flaw is due to a heap overflow error in CoreFoundation when resolving specially crafted URLs, which could be exploited by remote attackers to execute arbitrary commands via a specially crafted webpage.
The fourth issue is due to a buffer overflow error in the "ntlm_output()" function of cURL that does not properly handle an overly long user or domain name parameters, which could be exploited by remote attackers to execute arbitrary commands and compromise a vulnerable system by convincing a user to open a specially crafted webpage. For additional information, see : FrSIRT/ADV-2005-2088
The fifth flaw is due to a design error where the "iodbcadmintool" helper tool is executed with elevated privileges, which could be exploited by malicious local users to execute arbitrary commands with elevated privileges
The sixth vulnerability is due to an error in the "SSL_OP_MSIE_SSLV2_RSA_PADDING" option of OpenSSL that does not properly reject SSL 2.0 sessions when a client supports SSL 3.0 or TLS 1.0, which could be exploited to conduct MITM (Man in the Middle) attacks and force a client and a server to negotiate the SSL 2.0 protocol instead of SSL 3.0 or TLS 1.0. For additional information, see : FrSIRT/ADV-2005-2036
The seventh flaw is due to an error when creating an Open Directory master server, which could be exploited by unprivileged local users to gain elevated privileges on the server.
The eighth vulnerability is due to a buffer overflow error in the PCRE library used by the JavaScript engine of Safari, which could be exploited by remote attackers to execute arbitrary commands. For additional information, see : FrSIRT/ADV-2005-1511
The ninth issue is due to an error in Safari that does not properly handle overly long filenames when downloading files, which could cause downloaded files to be placed in other locations than the location specified as the download directory.
The tenth flaw is due to an error where JavaScript dialog boxes do not indicate the website that created them, which could mislead users into unintentionally disclosing information to a malicious web site.
The eleventh vulnerability is due to a heap overflow error in WebKit when processing content downloaded from malicious web sites, which could be exploited by remote attackers to execute arbitrary commands via an application linked with WebKit (e.g. Safari).
The twelfth problem is due to a race condition in Sudo's command pathname handling when "sudoers" entry containing the pseudo-command "ALL" follows the user's sudoers entry, which could be exploited by a user with sudo privileges to run arbitrary commands. For additional information, see : FrSIRT/ADV-2005-0821
The thirteenth flaw is due to an error in the system log server that records syslog messages insecurely, which could be exploited by local attackers to forge entries with the intention to mislead the system administrator by supplying control characters such as the newline character.
Credits
Vulnerabilities reported by Jakob Balle, Neil Archibald, Marco Mella and HELIOS Software.
ChangeLog
2005-11-29 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
