Category:   OS (UNIX)  >   Mac OS X
Vendors:   Apple Computer
Mac OS X Buffer Overflow in Directory Services Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019359
SecurityTracker URL:  http://securitytracker.com/id/1019359
CVE Reference:   CVE-2007-0355
Date:  Feb 11 2008
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 10.4.x
Description:   A vulnerability was reported in Mac OS X. A local user can obtain elevated privileges on the target system.

A local user can trigger a buffer overflow in the Service Location Protocol (SLP) daemon to execute arbitrary code on the target system with System privileges.

Mac OS X v10.5 or later is not affected.

Kevin Finisterre of Netragard reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a fix (Mac OS X v10.5.2 and Security Update 2008-001), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.5.2 or Security Update 2008-001.

For Mac OS X v10.5 - v10.5.1
The download file is named: "MacOSXUpdCombo10.5.2.dmg"
Its SHA-1 digest is: 524e0a707afbdeff798cdd9464d62f672136ab5a

For Mac OS X Server v10.5 - v10.5.1
The download file is named: "MacOSXServerUpdCombo10.5.2.dmg"
Its SHA-1 digest is: 1a98a5ce84795c1352e04e4ff4ef448b563a35db

For Mac OS X v10.4.11 (Universal)
The download file is named: "SecUpd2008-001Univ.dmg"
Its SHA-1 digest is: f572a0e29df4b44e124a92d5601ba45772818e02

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-001PPC.dmg"
Its SHA-1 digest is: bf3ebc69e094000d48d94e997a4d51f25c4824e0

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=307430
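
The digest listing above can be checked mechanically before an update image is mounted. The following is an added example, not part of the SecurityTracker entry or the Apple advisory: it parses the advisory's "download file is named / SHA-1 digest is" pairs and compares a downloaded file against the listed value. The function names and the result strings ("ok", "mismatch", "unlisted") are assumptions made for this example.

```python
import hashlib
import hmac
import re
from pathlib import Path

# File names and SHA-1 digests exactly as listed in the advisory on this page.
ADVISORY_TEXT = """
For Mac OS X v10.5 - v10.5.1
The download file is named: "MacOSXUpdCombo10.5.2.dmg"
Its SHA-1 digest is: 524e0a707afbdeff798cdd9464d62f672136ab5a
For Mac OS X Server v10.5 - v10.5.1
The download file is named: "MacOSXServerUpdCombo10.5.2.dmg"
Its SHA-1 digest is: 1a98a5ce84795c1352e04e4ff4ef448b563a35db
For Mac OS X v10.4.11 (Universal)
The download file is named: "SecUpd2008-001Univ.dmg"
Its SHA-1 digest is: f572a0e29df4b44e124a92d5601ba45772818e02
For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-001PPC.dmg"
Its SHA-1 digest is: bf3ebc69e094000d48d94e997a4d51f25c4824e0
"""

ENTRY_RE = re.compile(
    r'The download file is named:\s*"(?P<name>[^"]+)"\s+'
    r'Its SHA-1 digest is:\s*(?P<sha1>[0-9a-fA-F]{40})\b'
)

def parse_digests(text):
    """Return {file name: lowercase SHA-1 hex} parsed from advisory text."""
    digests = {}
    for m in ENTRY_RE.finditer(text):
        name, sha1 = m["name"], m["sha1"].lower()
        if digests.setdefault(name, sha1) != sha1:
            raise ValueError(f"conflicting digests listed for {name}")
    return digests

def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large disk images are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, digests):
    """Return 'ok', 'mismatch', or 'unlisted' for a downloaded file."""
    expected = digests.get(Path(path).name)
    if expected is None:
        return "unlisted"  # file name does not appear in the advisory
    return "ok" if hmac.compare_digest(sha1_of(path), expected) else "mismatch"
```

Call `verify_download(path, parse_digests(ADVISORY_TEXT))` on the downloaded image; anything other than "ok" means the file should not be installed.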

Vendor URL:  docs.info.apple.com/article.html?artnum=307430
Cause:   Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 11 Feb 2008 13:38:47 -0800
Subject:  APPLE-SA-2008-02-11 Mac OS X v10.5.2 and Security Update 2008-001

APPLE-SA-2008-02-11 Mac OS X v10.5.2 and Security Update 2008-001

Mac OS X v10.5.2 and Security Update 2008-001 are now available and
address the following issues:

Directory Services
CVE-ID:  CVE-2007-0355
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A stack buffer overflow exists in the Service Location
Protocol (SLP) daemon, which may allow a local user to execute
arbitrary code with system privileges. This update addresses the
issue through improved bounds checking. This has been described on
the Month of Apple Bugs web site (MOAB-17-01-2007). This issue does
not affect systems running Mac OS X v10.5 or later. Credit to Kevin
Finisterre of Netragard for reporting this issue.

Foundation
CVE-ID:  CVE-2008-0035
Available for:  Mac OS X v10.5 - v10.5.1,
Mac OS X Server v10.5 - v10.5.1
Impact:  Accessing a maliciously crafted URL may lead to an
application termination or arbitrary code execution
Description:  A memory corruption issue exists in Safari's handling
of URLs. By enticing a user to access a maliciously crafted URL, an
attacker may cause an unexpected application termination or arbitrary
code execution. This update addresses the issue by performing
additional validation of URLs. This issue does not affect systems
prior to Mac OS X v10.5.

Launch Services
CVE-ID:  CVE-2008-0038
Available for:  Mac OS X v10.5 - v10.5.1,
Mac OS X Server v10.5 - v10.5.1
Impact:  An application removed from the system may still be launched
via the Time Machine backup
Description:  Launch Services is an API to open applications or their
document files or URLs in a way similar to the Finder or the Dock.
Users expect that uninstalling an application from their system will
prevent it from being launched. However, when an application has been
uninstalled from the system, Launch Services may allow it to be
launched if it is present in a Time Machine backup. This update
addresses the issue by not allowing applications to be launched
directly from a Time Machine backup. This issue does not affect
systems prior to Mac OS X v10.5. Credit to Steven Fisher of Discovery
Software Ltd. and Ian Coutier for reporting this issue.

Mail
CVE-ID:  CVE-2008-0039
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact:  Accessing a URL in a message may lead to arbitrary code
execution
Description:  An implementation issue exists in Mail's handling of
file:// URLs, which may allow arbitrary applications to be launched
without warning when a user clicks a URL in a message. This update
addresses the issue by displaying the location of the file in Finder
rather than launching it. This issue does not affect systems running
Mac OS X v10.5 or later.

NFS
CVE-ID:  CVE-2008-0040
Available for:  Mac OS X v10.5 - v10.5.1,
Mac OS X Server v10.5 - v10.5.1
Impact:  If the system is being used as an NFS client or server, a
remote attacker may cause an unexpected system shutdown or arbitrary
code execution
Description:  A memory corruption issue exists in NFS's handling of
mbuf chains. If the system is being used as an NFS client or server,
a malicious NFS server or client may be able to cause an unexpected
system shutdown or arbitrary code execution. This update addresses
the issue through improved handling of mbuf chains. This issue does
not affect systems prior to Mac OS X v10.5. Credit to Oleg Drokin of
Sun Microsystems for reporting this issue.

Open Directory
Available for:  Mac OS X v10.4.11, Mac OS X v10.4.11 Server
Impact:  NTLM authentication requests may always fail
Description:  This update addresses a non-security issue introduced
in Mac OS X v10.4.11. A race condition in Open Directory's Active
Directory plug-in may terminate the operation of winbindd, causing
NTLM authentications to fail. This update addresses the issue by
correcting the race condition that could terminate winbindd. This
issue only affects Mac OS X v10.4.11 systems configured for use with
Active Directory.

Parental Controls
CVE-ID:  CVE-2008-0041
Available for:  Mac OS X v10.5 - v10.5.1,
Mac OS X Server v10.5 - v10.5.1
Impact:  Requesting to unblock a website leads to information
disclosure
Description:  When set to manage web content, Parental Controls will
inadvertently contact www.apple.com when a website is unblocked. This
allows a remote user to detect the machines running Parental
Controls. This update addresses the issue by removing the outgoing
network traffic when a website is unblocked. This issue does not
affect systems prior to Mac OS X v10.5. Credit to Jesse Pearson for
reporting this issue.

Samba
CVE-ID:  CVE-2007-6015
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 - v10.5.1, Mac OS X Server v10.5 - v10.5.1
Impact:  A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description:  A stack buffer overflow may occur in Samba when
processing certain NetBIOS Name Service requests. If a system is
explicitly configured to allow "domain logons", an unexpected
application termination or arbitrary code execution could occur when
processing a request. Mac OS X Server systems configured as domain
controllers are also affected. This update addresses the issue by
applying the Samba patch. Further information is available via the
Samba web site at http://www.samba.org/samba/history/security.html
Credit to Alin Rad Pop of Secunia Research for reporting this issue.

Terminal
CVE-ID:  CVE-2008-0042
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5 - v10.5.1, Mac OS X Server v10.5 - v10.5.1
Impact:  Viewing a maliciously crafted web page may lead to arbitrary
code execution
Description:  An input validation issue exists in the processing of
URL schemes handled by Terminal.app. By enticing a user to visit a
maliciously crafted web page, an attacker may cause an application to
be launched with controlled command line arguments, which may lead to
arbitrary code execution. This update addresses the issue through
improved validation of URLs. Credit to Olli Leppanen of Digital Film
Finland and Brian Mastenbrook for reporting this issue.

X11
CVE-ID:  CVE-2007-4568
Available for:  Mac OS X v10.5 - v10.5.1,
Mac OS X Server v10.5 - v10.5.1
Impact:  Multiple Vulnerabilities in X11 X Font Server (XFS) 1.0.4
Description:  Multiple vulnerabilities exist in X11 X Font Server
(XFS), the most serious of which may lead to arbitrary code
execution. This update addresses the issues by updating to version
1.0.5. Further information is available via the X.Org website at
http://www.x.org/wiki/Development/Security

X11
CVE-ID:  CVE-2008-0037
Available for:  Mac OS X v10.5 - v10.5.1,
Mac OS X Server v10.5 - v10.5.1
Impact:  Changing the settings in the Security Preferences Panel has
no effect
Description:  The X11 server is not correctly reading its "Allow
connections from network client" preference.  This can cause the X11
server to allow connections from network clients, even when the
preference is turned off. This update addresses the issue by ensuring
that the X11 server correctly reads this preference. This issue does
not affect systems prior to Mac OS X v10.5.

Mac OS X v10.5.2 and Security Update 2008-001 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Mac OS X v10.5.2 or Security Update 2008-001.

For Mac OS X v10.5 - v10.5.1
The download file is named:  "MacOSXUpdCombo10.5.2.dmg"
Its SHA-1 digest is:  524e0a707afbdeff798cdd9464d62f672136ab5a

For Mac OS X Server v10.5 - v10.5.1
The download file is named:  "MacOSXServerUpdCombo10.5.2.dmg"
Its SHA-1 digest is:  1a98a5ce84795c1352e04e4ff4ef448b563a35db

For Mac OS X v10.4.11 (Universal)
The download file is named:  "SecUpd2008-001Univ.dmg"
Its SHA-1 digest is:  f572a0e29df4b44e124a92d5601ba45772818e02

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named:  "SecUpd2008-001PPC.dmg"
Its SHA-1 digest is:  bf3ebc69e094000d48d94e997a4d51f25c4824e0

Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/


Security-announce mailing list      (Security-announce@lists.apple.com)
 
 

