Twenty-five vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to execute arbitrary commands, cause a denial of service, disclose sensitive information, or bypass security restrictions.
The first issue is caused by an error in the AFP Client that executes commands without properly cleaning the environment, which could be exploited by local attackers to create malicious files or execute arbitrary commands with system privileges.
The second vulnerability is caused by a buffer overflow error in the AirPortDriver module when processing malformed control commands, which could be exploited by malicious users to execute arbitrary code with elevated privileges on eMac, iBook, iMac, PowerBook G3, PowerBook G4, or Power Mac G4 systems equipped with an original AirPort card.
The third issue is caused by an error in the CoreServices interprocess communication, which could allow a local user to obtain a send right to the Mach task port and execute arbitrary code with elevated privileges.
The fourth vulnerability is caused by a memory corruption error in fsck when processing a specially crafted UFS disk image, which could be exploited by attackers to compromise a vulnerable system by tricking a user into opening a malicious UFS filesystem.
The fifth issue is caused by a format string error in the Help Viewer when processing a help file with a specially crafted name, which could be exploited by attackers to compromise a vulnerable system by tricking a user into opening a malicious help file.
The sixth issue is caused by insufficient controls in the IOKit HID interface, which could be exploited by a logged in user to capture console keystrokes, including passwords and other sensitive information.
The seventh vulnerability is caused by a format string error in the Installer when processing a package with a specially crafted name, which could be exploited by attackers to compromise a vulnerable system by tricking a user into downloading and installing a malicious installer package.
The eighth issue is caused by an error in Libinfo that does not properly report errors to applications, which could be exploited by malicious web sites to cause a previously deallocated object to be accessed, leading to arbitrary code execution.
The ninth vulnerability is caused by an integer overflow error in the RPC library when processing malformed requests sent to the portmap service, which could be exploited by remote attackers to cause a denial of service or execute arbitrary code with "daemon" privileges.
The tenth issue is caused by an error in the Login Window that does not sufficiently check its environment variables, which could be exploited by local attackers to execute arbitrary commands with system privileges.
The eleventh vulnerability exists in the Login Window when handling the "require a password to wake the computer from sleep" preference, which could be exploited by malicious users to bypass the screen saver authentication dialog.
The twelfth issue is caused by an error in the software update window that may appear beneath the Login Window when a scheduled task is run under certain conditions, which could allow an attacker with physical access to the system to log in without authentication.
The thirteenth vulnerability is caused by a buffer overflow error in natd when handling malformed RTSP packets, which could be exploited by remote attackers to compromise a vulnerable system with Internet Sharing enabled.
The fourteenth issue is caused by an error in SMB that executes commands without properly cleaning the environment, which could be exploited by malicious users to create malicious files or execute arbitrary commands with system privileges.
The fifteenth vulnerability is caused by an error in the writeconfig utility that does not properly clean the environment, which could be exploited by malicious users to execute arbitrary code with system privileges without authentication.
The sixteenth issue is caused by a design error where the username and password used to mount remote filesystems through connections to SMB servers are passed to the "mount_smb" command as command line arguments, which could be exploited by a local attacker to obtain other user's authentication credentials.
The seventeenth vulnerability is caused by a heap overflow error in the VideoConference framework that does not properly handle malformed SIP packets when initializing an iChat audio/video conference, which could be exploited by remote attackers to compromise a vulnerable system.
The eighteenth issue is caused by an error when mounting a WebDAV filesystem, which could cause the "load_webdav" program to be launched without properly cleaning the environment, allowing a local user to create files or execute commands with system privileges.
The nineteenth vulnerability is caused by an implementation error in WebFoundation, which could allow cookies set by subdomains to be accessible to the parent domain.
Six other vulnerabilities have been identified in fetchmail, ftpd, GNU Tar and Kerberos. For additional information, see : FrSIRT/ADV-2007-0087 - FrSIRT/ADV-2006-5018 - FrSIRT/ADV-2006-0684 - FrSIRT/ADV-2007-0111 - FrSIRT/ADV-2007-1218
Note : Security Update 2007-004 applied an incorrect ftp configuration file for Mac OS X Server v10.4.9 systems. Users with ftp access, who would normally be restricted to certain directories, may be able to access directories outside the normal scope.
Credits
Vulnerabilities reported by Kevin Finisterre (DigitalMunition), Landon Fuller (Three Rings Design), Mu Security Research Team, Daniel Ball (Pittsburgh Technical Institute), Geoff Franks (Hauptman Woodward Medical Research Institute), Jamie Cox (Sophos) and Bradley Schwoerer (University of Wisconsin-Madison).
ChangeLog
2007-04-19 : Initial release
2007-05-01 : Updated Solution
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
