SecurityTracker.com
Category:   OS (UNIX)  >   Mac OS X
Vendors:   Apple Computer
Mac OS X CFNetwork Bugs Let Remote Users Execute Arbitrary FTP Commands and Conduct HTTP Response Splitting Attacks
SecurityTracker Alert ID:  1018491
SecurityTracker URL:  http://securitytracker.com/id/1018491
CVE Reference:   CVE-2007-2403, CVE-2007-2404
Date:  Aug 1 2007
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 10.3.9, 10.4.10
Description:   A vulnerability was reported in Mac OS X. A remote user can cause arbitrary FTP commands to be executed on the target system. A remote user can conduct HTTP response splitting attacks.

A remote user can create a specially crafted FTP URI that, when loaded by the target user, will trigger a flaw in the CFNetwork component and execute arbitrary FTP commands on the target FTP server [CVE-2007-2403].

An application that uses CFNetwork can send a specially crafted response to a target user's HTTP request [CVE-2007-2404]. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

Apple credits Steven Kramer of sprintteam.nl with reporting the HTTP response splitting vulnerability.
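
A defensive pre-check for the FTP URI issue [CVE-2007-2403], as an added example that is not Apple's fix or code from the advisory. The advisory does not say how the crafted URI carries extra commands; the sketch assumes percent-encoded line terminators, because the FTP control channel is line-oriented, and `check_ftp_uri`, `screen` and the sample URIs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote


def has_control(text):
    """True if text holds an ASCII control character (CR, LF, NUL, DEL, ...)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def check_ftp_uri(uri):
    """Return (ok, reason) for an FTP URI before it is handed to a client."""
    # Check the raw string first: recent urlsplit() versions strip raw CR/LF/TAB.
    if has_control(uri):
        return (False, "raw control character in URI")
    try:
        parts = urlsplit(uri)
    except ValueError:
        return (False, "unparseable URI")
    if parts.scheme.lower() != "ftp":
        return (False, "not an ftp URI")
    if not parts.hostname:
        return (False, "missing host")
    # These fields are what a client places into USER, PASS, CWD and RETR lines.
    fields = {
        "user": parts.username or "",
        "password": parts.password or "",
        "path": parts.path,
    }
    for name, raw in fields.items():
        # latin-1 decoding maps every %XX escape to exactly one character.
        if has_control(unquote(raw, encoding="latin-1")):
            return (False, "control character in decoded " + name)
    return (True, "ok")


# Constructed sample input; the example.com hosts are placeholders.
SAMPLE_URIS = [
    "ftp://ftp.example.com/pub/readme.txt",
    "ftp://ftp.example.com/pub/my%20file.txt",
    "ftp://ftp.example.com/pub/%0D%0ANOOP",
    "ftp://user%0a:pw@ftp.example.com/",
    "http://www.example.com/index.html",
]


def screen(uris):
    """Return the URIs that fail the check, paired with the reason."""
    rejected = []
    for uri in uris:
        ok, reason = check_ftp_uri(uri)
        if not ok:
            rejected.append((uri, reason))
    return rejected


if __name__ == "__main__":
    for uri, reason in screen(SAMPLE_URIS):
        print("REJECT", uri, "->", reason)
```
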

Impact:   A remote user can create an FTP URI that, when loaded by the target user, will execute arbitrary FTP commands on the target FTP system.

A remote user may be able to cause arbitrary content to be displayed, poison any intermediate web caches with arbitrary content, or conduct cross-site scripting attacks.

Solution:   Apple has issued a fix as part of Security Update 2007-007, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.4.10 (Universal)
The download file is named: "SecUpd2007-007Univ.dmg"
Its SHA-1 digest is: 8ef20aa2fbeb81716a20565e7b0b5116f79f4ab5

For Mac OS X v10.4.10 (PowerPC)
The download file is named: "SecUpd2007-007Ti.dmg"
Its SHA-1 digest is: 43e774881f314ed0feb1302da30a14a72fdfa740

For Mac OS X v10.3.9
The download file is named: "SecUpd2007-007Pan.dmg"
Its SHA-1 digest is: 8576955e1a4574d5cb2eb0721b130a22919e6b62

For Mac OS X Server v10.4.10 (Universal)
The download file is named: "SecUpdSrvr2007-007Universal.dmg"
Its SHA-1 digest is: 6a07dd5c4af3e7c371600e1759a98f5bb8b76b33

For Mac OS X Server v10.4.10 (PowerPC)
The download file is named: "SecUpdSrvr2007-007Ti.dmg"
Its SHA-1 digest is: 9bc897a174f2aeddfa21603bb15366c883162d48

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2007-007Pan.dmg"
Its SHA-1 digest is: e27cdd6b78309cffdbf6f88ad2c0ff4ad0cfaf21
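
One way to check a downloaded package against the digests listed above, as an added example that is not part of the advisory. The file names and SHA-1 values are copied from this page; the function names and status strings are assumptions of the sketch.

```python
import hashlib
import hmac
import os
import sys

# File names and SHA-1 digests exactly as listed in the advisory above.
PUBLISHED_SHA1 = {
    "SecUpd2007-007Univ.dmg": "8ef20aa2fbeb81716a20565e7b0b5116f79f4ab5",
    "SecUpd2007-007Ti.dmg": "43e774881f314ed0feb1302da30a14a72fdfa740",
    "SecUpd2007-007Pan.dmg": "8576955e1a4574d5cb2eb0721b130a22919e6b62",
    "SecUpdSrvr2007-007Universal.dmg": "6a07dd5c4af3e7c371600e1759a98f5bb8b76b33",
    "SecUpdSrvr2007-007Ti.dmg": "9bc897a174f2aeddfa21603bb15366c883162d48",
    "SecUpdSrvr2007-007Pan.dmg": "e27cdd6b78309cffdbf6f88ad2c0ff4ad0cfaf21",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is never fully in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_update(path):
    """Return (status, detail): status is 'ok', 'mismatch' or 'unknown'."""
    name = os.path.basename(path)
    expected = PUBLISHED_SHA1.get(name)
    if expected is None:
        # A renamed download cannot be matched to a published digest.
        return ("unknown", name)
    actual = sha1_of_file(path)
    if hmac.compare_digest(actual, expected):
        return ("ok", actual)
    return ("mismatch", actual)


if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:
        status, detail = verify_update(path)
        print(status.upper(), path, detail)
        failed = failed or status != "ok"
    sys.exit(1 if failed else 0)
```

A match shows only that the file is the one the advisory describes. SHA-1 is no longer collision-resistant, so the signed advisory remains the source of trust for the digests themselves.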

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=306172

Vendor URL:  docs.info.apple.com/article.html?artnum=306172
Cause:   Input validation error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Tue, 31 Jul 2007 17:24:38 -0700
Subject:  APPLE-SA-2007-07-31 Security Update 2007-007

APPLE-SA-2007-07-31 Security Update 2007-007

Security Update 2007-007 is now available and addresses the following
issues:

bzip2
CVE-ID: CVE-2005-0758
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Running bzgrep on a file with a maliciously crafted name may
lead to arbitrary code execution
Description: A file name handling issue exists in bzgrep. By enticing
a user into running bzgrep on a file with a maliciously crafted name,
an attacker may trigger the issue which may lead to arbitrary code
execution. This update addresses the issue through improved handling
of file names.

CFNetwork
CVE-ID: CVE-2007-2403
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Clicking on an FTP URI may cause arbitrary FTP commands to be
issued
Description: By enticing a user to follow a maliciously crafted FTP
URI, an attacker can cause the user's FTP client to issue arbitrary
FTP commands to any accessible FTP server, using the credentials of
the user. This update addresses the issue by performing additional
validation of FTP URIs.

CFNetwork
CVE-ID: CVE-2007-2404
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Applications using CFNetwork to make HTTP requests may be
vulnerable to a response splitting attack
Description: An HTTP response splitting vulnerability exists in
CFNetwork. By sending a maliciously crafted HTTP response to a user's
HTTP request, an attacker may alter the user's consecutive responses,
which could lead to cross-site scripting. This update addresses the
issue through improved parsing of HTTP responses. Credit to Steven
Kramer of sprintteam.nl for reporting this issue.

CoreAudio
CVE-ID: CVE-2007-3745
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: A design issue exists in the Java interface to
CoreAudio. JDirect exposes an interface that may allow freeing
arbitrary memory. By enticing a user to visit a web page containing a
maliciously crafted Java applet, an attacker can trigger the issue
which may lead to arbitrary code execution. This update addresses the
issue by performing additional security checks in the Java interface
to CoreAudio.

CoreAudio
CVE-ID: CVE-2007-3746
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: An issue exists in the Java interface to CoreAudio,
which may allow reading or writing out of the bounds of the allocated
heap. By enticing a user to visit a web page containing a maliciously
crafted Java applet, an attacker can trigger the issue which may lead
to arbitrary code execution. This update addresses the issue by
performing additional bounds checking.

CoreAudio
CVE-ID: CVE-2007-3747
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: An issue exists in the Java interface to CoreAudio,
which may allow instantiation or manipulation of objects outside the
bounds of the allocated heap. By enticing a user to visit a web page
containing a maliciously crafted Java applet, an attacker can trigger
the issue which may lead to arbitrary code execution. This update
addresses the issue by performing additional security checks in the
Java interface to CoreAudio.

cscope
CVE-ID: CVE-2004-0996, CVE-2004-2541
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Multiple vulnerabilities in Cscope
Description: Cscope is updated to version 15.6 to address several
vulnerabilities, the most serious of which are buffer overflow and
insecure temporary file creation vulnerabilities. Further information
is available via the Cscope web site at
http://cscope.sourceforge.net/

gnuzip
CVE-ID: CVE-2005-0758
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Running zgrep on a file with a maliciously crafted name may
lead to arbitrary code execution
Description: A file name handling
issue exists in zgrep. By enticing a user into running zgrep on a
file with a maliciously crafted name, an attacker may trigger the
issue which may lead to arbitrary code execution. This update
addresses the issue through improved file name handling.

iChat
CVE-ID: CVE-2007-3748
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: An attacker on the local network may be able to cause a
denial of service or arbitrary code execution
Description: A buffer overflow vulnerability exists in the UPnP IGD
(Internet Gateway Device Standardized Device Control Protocol) code
used to create Port Mappings on home NAT gateways in iChat. By
sending a maliciously crafted packet, an attacker on the local
network can trigger the overflow which may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation when
processing UPnP protocol packets in iChat.

Kerberos
CVE-ID: CVE-2007-2442, CVE-2007-2443, CVE-2007-2798
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Multiple vulnerabilities in the MIT krb5 Kerberos
administration daemon
Description: Multiple vulnerabilities exist in the MIT Kerberos
administration daemon (kadmind), which may lead to an unexpected
application termination or arbitrary code execution with system
privileges. Further information on the issue and the patch applied is
available via the MIT Kerberos website at
http://web.mit.edu/Kerberos/
Credit to the MIT Kerberos Team for reporting these issues, which
were originally discovered by Wei Wang of McAfee Avert Labs.

mDNSResponder
CVE-ID: CVE-2007-3744
Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: An attacker on the local network may be able to cause a
denial of service or arbitrary code execution
Description: A buffer overflow vulnerability exists in the UPnP IGD
(Internet Gateway Device Standardized Device Control Protocol) code
used to create Port Mappings on home NAT gateways in the Mac OS X
implementation of mDNSResponder. By sending a maliciously crafted
packet, an attacker on the local network can trigger the overflow
which may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by removing UPnP IGD
support. This issue does not affect systems prior to Mac OS X v10.4.

PDFKit
CVE-ID: CVE-2007-2405
Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer underflow exists in Preview's handling of PDF
files. By enticing a user to open a maliciously crafted PDF file, an
attacker may trigger the issue which may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of PDF files.
This issue does not affect systems prior to Mac OS X v10.4.

PHP
CVE-ID: CVE-2007-1001, CVE-2007-1287, CVE-2007-1460, CVE-2007-1461,
CVE-2007-1484, CVE-2007-1521, CVE-2007-1583, CVE-2007-1711,
CVE-2007-1717
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Multiple vulnerabilities in PHP 4.4.4
Description: PHP is updated to version 4.4.7 to address several
vulnerabilities. Further information is available via the PHP web
site at http://www.php.net/

Quartz Composer
CVE-ID: CVE-2007-2406
Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Viewing a maliciously crafted Quartz Composer file may lead
to an unexpected application termination or arbitrary code execution
Description: An uninitialized object pointer vulnerability exists in
the handling of Quartz Composer files. By enticing a user to view a
maliciously crafted Quartz Composer file, an attacker may trigger the
issue which may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing proper initialization of object pointers. This issue does
not affect systems prior to Mac OS X v10.4.

Samba
CVE-ID: CVE-2007-2446
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: When Windows file sharing is enabled, an unauthenticated
remote attacker may cause an unexpected application termination or
arbitrary code execution
Description: Multiple heap buffer overflows exist in the Samba
daemon. By sending maliciously crafted MS-RPC requests, a remote
attacker can trigger the overflow which may lead to arbitrary code
execution. This update addresses the issue by performing additional
validation of MS-RPC requests.

Samba
CVE-ID: CVE-2007-2447
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: When Windows file sharing is enabled, an unauthenticated
remote attacker may be able to execute arbitrary shell commands
Description: A command injection vulnerability exists in the Samba
daemon. By sending maliciously crafted MS-RPC requests, a remote
attacker can trigger the command injection. This update addresses the
issue by performing additional validation of MS-RPC requests. This
issue does not affect the default Samba configuration.

Samba
CVE-ID: CVE-2007-2407
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: When Windows file sharing is enabled, users may bypass file
system quotas
Description: An issue exists in Samba when a server process drops its
privileges. This could allow the quota enforcement to be bypassed,
and the file system quota to be exceeded. This update addresses the
issue by properly dropping privileges. Credit to Mike Matz of
Wyomissing Area School District for reporting this issue.

SquirrelMail
CVE-ID: CVE-2005-3128, CVE-2006-2842, CVE-2006-3174, CVE-2006-4019,
CVE-2006-6142, CVE-2007-1262, CVE-2007-2589
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.10
Impact: Multiple vulnerabilities in SquirrelMail 1.4.5
Description: SquirrelMail is updated to version 1.4.10 to address
several vulnerabilities, the most serious of which is cross-site
scripting triggered by viewing HTML mail. Further information is
available via the SquirrelMail web site at
http://www.SquirrelMail.org/

Tomcat
CVE-ID: CVE-2005-2090, CVE-2007-0450, CVE-2007-1358, CVE-2007-1860
Available for: Mac OS X Server v10.4.10
Impact: Multiple vulnerabilities in Tomcat
Description: Tomcat is updated to version 4.1.36 to address several
vulnerabilities, the most serious of which are cross-site scripting
and information disclosure. Further information is available via the
Tomcat site at http://tomcat.apache.org/
These issues do not affect systems prior to Mac OS X v10.4.

WebCore
CVE-ID: CVE-2007-2408
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Visiting a malicious website may allow Java applets to load
and run even when Java is disabled
Description: Safari provides an "Enable Java" preference, which when
unchecked should prevent the loading of Java applets. By default,
Java applets are allowed to be loaded. Navigating to a maliciously
crafted web page may allow a Java applet to be loaded without
checking the preference. This update addresses the issue through a
stricter check of the "Enable Java" preference. Credit to Rhys Kidd
and Scott Wilde for reporting this issue.

WebCore
CVE-ID: CVE-2007-0478
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Content may be injected into HTML comments leading to
cross-site scripting attacks
Description: An issue exists in WebCore when parsing comments inside
an HTML title element. This can allow an attacker to insert scripts
into a web page on sites which allow the page owner to enter HTML,
but not scripts. This update addresses the issue by correctly parsing
comments in title elements.

WebCore
CVE-ID: CVE-2007-2409
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Visiting a malicious website may lead to the disclosure of
URL contents
Description: A design issue in WebCore allows a popup window to read
the URL that is currently being viewed in the parent window. By
enticing a user to visit a maliciously crafted web page, an attacker
can trigger the issue, which may lead to the disclosure of
information via the URL contents. This update addresses the issue
through an improved cross-domain security check. Credit to
Secunia Research for reporting this issue.

WebCore
CVE-ID: CVE-2007-2410
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Visiting a malicious website may allow cross-site scripting
Description: In Safari, properties of certain global objects are not
cleared when navigating to a new URL within the same window. By
enticing a user to visit a maliciously crafted web page, an attacker
may trigger the issue which may lead to cross-site scripting. This
update addresses the issue by properly clearing global objects.

WebKit
CVE-ID: CVE-2007-3742
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could be used to create a URL which contains
look-alike characters. These could be used in a malicious web site to
direct the user to a spoofed site that visually appears to be a
legitimate domain. This update addresses the issue through an
improved domain name validity check. Credit to Tomohito Yoshino
of Business Architects Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2007-3944
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.10, Mac OS X Server v10.4.10
Impact: Viewing a maliciously crafted web page may lead to arbitrary
code execution
Description: Heap buffer overflows exist in the Perl Compatible
Regular Expressions (PCRE) library used by the JavaScript engine in
Safari. By enticing a user to visit a maliciously crafted web page,
an attacker may trigger the issues, which may lead to arbitrary code
execution. This update addresses the issues by performing additional
validation of JavaScript regular expressions. Credit to Charlie
Miller and Jake Honoroff of Independent Security Evaluators for
reporting these issues.

Security Update 2007-007 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.10 (Universal)
The download file is named:  "SecUpd2007-007Univ.dmg"
Its SHA-1 digest is:  8ef20aa2fbeb81716a20565e7b0b5116f79f4ab5

For Mac OS X v10.4.10 (PowerPC)
The download file is named:  "SecUpd2007-007Ti.dmg"
Its SHA-1 digest is:  43e774881f314ed0feb1302da30a14a72fdfa740

For Mac OS X v10.3.9
The download file is named:  "SecUpd2007-007Pan.dmg"
Its SHA-1 digest is:  8576955e1a4574d5cb2eb0721b130a22919e6b62

For Mac OS X Server v10.4.10 (Universal)
The download file is named:  "SecUpdSrvr2007-007Universal.dmg"
Its SHA-1 digest is:  6a07dd5c4af3e7c371600e1759a98f5bb8b76b33

For Mac OS X Server v10.4.10 (PowerPC)
The download file is named:  "SecUpdSrvr2007-007Ti.dmg"
Its SHA-1 digest is:  9bc897a174f2aeddfa21603bb15366c883162d48

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2007-007Pan.dmg"
Its SHA-1 digest is:  e27cdd6b78309cffdbf6f88ad2c0ff4ad0cfaf21

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

Security-announce mailing list      (Security-announce@lists.apple.com)
 
 



Copyright 2014, SecurityGlobal.net LLC