Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to execute arbitrary commands, cause a denial of service, disclose sensitive information, or bypass security restrictions.
The first issue is due to a buffer overflow error in the AirPort wireless driver's handling of probe response frames, which could be exploited by remote attackers to compromise a vulnerable system. For additional information, see : FrSIRT/ADV-2006-4313
The second flaw is due to an error in the Apple Type Services server that creates error log files insecurely, which could allow malicious local users to overwrite or create arbitrary files with system privileges.
The third vulnerability is due to buffer overflow errors in the Apple Type Services server when processing malformed requests, which could allow malicious local users to cause a denial of service or execute arbitrary commands with system privileges.
The fourth issue is due to a stack overflow error in the Apple Type Services server when processing malformed fonts, which could allow malicious local users to cause a denial of service or execute arbitrary commands with system privileges when a malicious font is opened or previewed in Finder.
The fifth flaw is due to an error in CFNetwork when processing certain URIs, which could be exploited by attackers to entice users to access a specially crafted FTP URI and issue arbitrary FTP commands using their credentials.
The sixth flaw is due to a heap overflow error in Finder when browsing a directory containing a malformed ".DS_Store" file, which could be exploited by attackers to execute arbitrary commands with the privileges of the user running Finder.
The seventh vulnerability is due to an error in the ftpd server when authenticating a valid user, which could be exploited by remote attackers to determine the existence of a particular account.
The eighth flaw is due to an error in the Installer that allows system privileges to be used when installing certain packages as an Admin user without requiring authentication, which could be exploited by attackers to bypass security restrictions or potentially gain elevated privileges.
The ninth issue is due to a buffer overflow error in PPP when handling malformed PPPoE traffic, which could be exploited by an attacker on the local network to execute arbitrary commands with system privileges.
The tenth vulnerability is due to an error in the Security Framework when negotiating the best mutually-supported cipher, which could cause the Secure Transport to use a cipher that provides no encryption or authentication.
The eleventh flaw is due to an error in the Security Framework when processing X.509 certificates containing a malformed public key, which could be exploited by attackers to cause a denial of service.
The twelfth issue is due to an error in the Online Certificate Status Protocol (OCSP) service that does not properly retrieve certificate revocation lists on systems configured to use an HTTP proxy, which could be exploited by attackers to bypass security restrictions.
The thirteenth issue is due to an error when handling the certificate revocation list, which could cause revoked certificates to be erroneously honored.
The fourteenth vulnerability is due to an error in the VPN server that does not properly clean the environment, which could be exploited by malicious users to create malicious files or execute arbitrary commands with system privileges.
The fifteenth flaw is due to a memory corruption error in WebKit when processing malformed HTML documents, which could be exploited by attackers to execute arbitrary commands.
Other vulnerabilities have been reported in gzip, ClamAV, OpenSSL, Perl, PHP, and Samba. For additional information, see : FrSIRT/ADV-2006-3695 - FrSIRT/ADV-2006-4034 - FrSIRT/ADV-2006-3820 - FrSIRT/ADV-2006-3453 - FrSIRT/ADV-2005-2688 - FrSIRT/ADV-2006-1149 - FrSIRT/ADV-2006-1500 - FrSIRT/ADV-2006-4317 - FrSIRT/ADV-2006-2745
Credits
Vulnerabilities reported by H.D Moore (Metasploit), Benjamin Williams (University of Canterbury), Mu Security research team, Eric Cronin (gizmolabs), Dr. Stephen N. Henson (Open Network Security), Timothy J. Miller (MITRE Corporation), Jose Nazario (Arbor Networks), and Tom Ferris (Security-Protocols).
ChangeLog
2006-11-28 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
