Ravens PHP Scripts - Mac OS X Security Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA24966

VERIFY ADVISORY: http://secunia.com/advisories/24966/

CRITICAL: Highly critical

IMPACT: Security Bypass, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access

WHERE: >From remote

OPERATING SYSTEM: Apple Macintosh OS X - http://secunia.com/product/96/

DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) An error in the AFP Client can be exploited by malicious, local users to create files or execute commands with system privileges.

2) A boundary error exists in the AirPortDriver module, which can be exploited by malicious, local users to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code with escalated privileges.

NOTE: This does not affect systems with the AirPort Extreme card.

3) An error in the CoreServices daemon can be exploited by malicious, local users to obtain a send right to its Mach task port.

Successful exploitation may allow execution of arbitrary code with escalated privileges.

4) An error in fsck can be exploited to cause memory corruption via a specially crafted UFS file system.

Successful exploitation may allow execution of arbitrary code, when a malicious UFS file system is opened.

5) An error in fetchmail can be exploited by malicious people to gain knowledge of sensitive information.

For more information: SA23631

6) An error in lukemftpd within the handling of commands with globbing characters can be exploited by malicious users to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

7) A boundary error in GNU Tar can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system.

For more information: SA18973

8) A format string error in the Help Viewer application can be exploited by malicious people to execute arbitrary code.

Successful exploitation requires that a user is tricked into downloading and opening a help file with a specially crafted name.

9) An error in the IOKit HID interface can be exploited by malicious, local users to capture console keystrokes from other users.

NOTE: This fix was originally distributed via the Mac OS X v10.4.9 update. However, due to a packaging issue it may not have been delivered to all systems.

10) A format string error in the Installer application can be exploited by malicious people to execute arbitrary code.

Successful exploitation requires that a user is tricked into downloading and opening an installer package with a specially crafted name.

11) An error in Kerberos can be exploited by malicious people to cause an DoS (Denial of Service) or to compromise a vulnerable system.

For more information: SA23696

12) Some errors in Kerberos can be exploited by malicious users to cause a DoS or to compromise a vulnerable system.

For more information see vulnerabilities #2 and #3 in: SA24740

13) An error in Libinfo can cause a previously deallocated object to be accessed when a specially crafted web page is viewed.

Successful exploitation may allow execution of arbitrary code.

14) An integer overflow exists in the RPC library. This can be exploited by malicious people to cause a DoS or to execute arbitrary code as the user "daemon" by sending a specially crafted packet to the portmap service.

15) An error in Login Window in the processing of environment variables can be exploited by malicious, local users to execute arbitrary code with system privileges.

16) Under certain conditions it is possible to bypass the screen saver authentication dialog.

17) Under certain conditions it is possible for a person with physical access to the system to log in without authentication when the software update window appears beneath the Login Window.

18) An error in natd within the handling of RTSP packets can be exploited by malicious people to cause a buffer overflow by sending a specially crafted packet to an affected system.

Successful exploitation may allow execution of arbitrary code, but requires that Internet Sharing is enabled.

19) An error in SMB can be exploited by malicious, local users to create files or execute commands with system privileges.

20) A weakness in the System Configuration can be exploited by malicious, local users to gain escalated privileges.

For more information: SA23793

21) The username and password used to mount remote file systems via SMB are passed to the mount_smb command as command line arguments. This can be exploited by malicious, local users to gain knowledge of other users' credentials.

22) An error in the VideoConference framework can be exploited by malicious people to cause a heap-based buffer overflow by sending a specially crafted SIP packet when initialising a conference.

Successful exploitation may allow execution of arbitrary code.

23) An error in the load_webdav program when mounting a WebDAV filesystem can be exploited by malicious, local users to create files or to execute commands with system privileges.

24) An error in WebFoundation allows cookies set by subdomains to be accessible to the parent domain.

NOTE: This does not affect systems running Mac OS X v10.4.

SOLUTION: Apply Security Update 2007-004.

Security Update 2007-004 (Universal): http://www.apple.com/support/downloads/securityupdate2007004universal.html

Security Update 2007-004 (PPC): http://www.apple.com/support/downloads/securityupdate2007004ppc.html

Security Update 2007-004 (10.3.9 Client): http://www.apple.com/support/downloads/securityupdate20070041039client.html

Security Update 2007-004 (10.3.9 Server): http://www.apple.com/support/downloads/securityupdate20070041039server.html

PROVIDED AND/OR DISCOVERED BY: The vendor credits:

6) Kevin Finisterre, DigitalMunition
8) KF and LMH
9) Andrew Garber of University of Victoria, Alex Harper, and Michael Evans
10) LMH
13) Landon Fuller of Three Rings Design
14) Mu Security Research Team
21) Daniel Ball of Pittsburgh Technical Institute, Geoff Franks of Hauptman Woodward Medical Research Institute, and Jamie Cox of Sophos Plc
24) Bradley Schwoerer of University of Wisconsin-Madison

ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=305391

MoAB:
8) http://projects.info-pull.com/moab/MOAB-30-01-2007.html
10) http://projects.info-pull.com/moab/MOAB-26-01-2007.html

OTHER REFERENCES: SA18973: http://secunia.com/advisories/18973/

SA23631: http://secunia.com/advisories/23631/

SA23696: http://secunia.com/advisories/23696/

SA23793: http://secunia.com/advisories/23793/

SA24740: http://secunia.com/advisories/24740/

US-CERT VU#312424: http://www.kb.cert.org/vuls/id/312424