Multiple Vulnerabilities in Apple Mac OS X

Apple Mac OS X AppleTalk “AIOCREGLOCALZN” Denial of Service Vulnerability
http://www.frsirt.com/english/advisories/2006/4746


A vulnerability has been identified in Apple Mac OS X, which could be exploited by malicious users to cause a denial of service. This flaw is due to an error when calling “ioctl()” on certain AppleTalk sockets with an “AIOCREGLOCALZN” request, which could be exploited by local attackers to panic a vulnerable system, creating a denial of service condition.


Affected Products
Apple Mac OS X version 10.4.8 and prior 


Solution
The FrSIRT is not aware of any official supplied patch for this issue. 


 


Apple Mac OS X “shared_region_make_private_np()” Memory Corruption Vulnerability
http://www.frsirt.com/english/advisories/2006/4762


A vulnerability has been identified in Apple Mac OS X, which could be exploited by local attackers to execute arbitrary commands. This flaw is due to a memory corruption error within the “shared_region_make_private_np()” call when handling malformed arguments, which could be exploited by malicious users to cause a denial of service or obtain elevated privileges.


Affected Products
Apple Mac OS X version 10.3.9 and prior


Solution
The FrSIRT is not aware of any official supplied patch for this issue.


Apple Mac OS X Multiple Command Execution and Denial of Service Vulnerabilities
http://www.frsirt.com/english/advisories/2006/4750
http://docs.info.apple.com/article.html?artnum=304829


Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to execute arbitrary commands, cause a denial of service, disclose sensitive information, or bypass security restrictions.


The first issue is due to a buffer overflow error in the AirPort wireless driver’s handling of probe response frames, which could be exploited by remote attackers to compromise a vulnerable system. For additional information, see : FrSIRT/ADV-2006-4313


The second flaw is due to an error in the Apple Type Services server that creates error log files insecurely, which could allow malicious local users to overwrite or create arbitrary files with system privileges.


The third vulnerability is due to buffer overflow errors in the Apple Type Services server when processing malformed requests, which could allow malicious local users to cause a denial of service or execute arbitrary commands with system privileges.


The fourth issue is due to a stack overflow error in the Apple Type Services server when processing malformed fonts, which could allow malicious local users to cause a denial of service or execute arbitrary commands with system privileges when a malicious font is opened or previewed in Finder.


The fifth flaw is due to an error in CFNetwork when processing certain URIs, which could be exploited by attackers to entice users to access a specially crafted FTP URI and issue arbitrary FTP commands using their credentials.


The sixth flaw is due to a heap overflow error in Finder when browsing a directory containing a malformed “.DS_Store” file, which could be exploited by attackers to execute arbitrary commands with the privileges of the user running Finder.


The seventh vulnerability is due to an error in the ftpd server when authenticating a valid user, which could be exploited by remote attackers to determine the existence of a particular account.


The eighth flaw is due to an error in the Installer that allows system privileges to be used when installing certain packages as an Admin user without requiring authentication, which could be exploited by attackers to bypass security restrictions or potentially gain elevated privileges.


The ninth issue is due to a buffer overflow error in PPP when handling malformed PPPoE traffic, which could be exploited by an attacker on the local network to execute arbitrary commands with system privileges.


The tenth vulnerability is due to an error in the Security Framework when negotiating the best mutually-supported cipher, which could cause the Secure Transport to use a cipher that provides no encryption or authentication.


The eleventh flaw is due to an error in the Security Framework when processing X.509 certificates containing a malformed public key, which could be exploited by attackers to cause a denial of service.


The twelfth issue is due to an error in the Online Certificate Status Protocol (OCSP) service that does not properly retrieve certificate revocation lists on systems configured to use an HTTP proxy, which could be exploited by attackers to bypass security restrictions.


The thirteenth issue is due to an error when handling the certificate revocation list, which could cause revoked certificates to be erroneously honored.


The fourteenth vulnerability is due to an error in the VPN server that does not properly clean the environment, which could be exploited by malicious users to create malicious files or execute arbitrary commands with system privileges.


The fifteenth flaw is due to a memory corruption error in WebKit when processing malformed HTML documents, which could be exploited by attackers to execute arbitrary commands.


Affected Products
Apple Mac OS X version 10.3.9 and prior
Apple Mac OS X Server version 10.3.9 and prior
Apple Mac OS X version 10.4.8 and prior
Apple Mac OS X Server version 10.4.8 and prior


Solution


Security Update 2006-007 (10.3.9 Client) :
http://www.apple.com/support/downloads/securityupdate20060071039client.html
Security Update 2006-007 (10.3.9 Server) :
http://www.apple.com/support/downloads/securityupdate20060071039server.html
Security Update 2006-007 (10.4.8 Client Intel) :
http://www.apple.com/support/downloads/securityupdate20060071048clientintel.html
Security Update 2006-007 (10.4.8 Client PPC) :
http://www.apple.com/support/downloads/securityupdate20060071048clientppc.html
Security Update 2006-007 (10.4.8 Server PPC) :
http://www.apple.com/support/downloads/securityupdate20060071048serverppc.html
Security Update 2006-007 (10.4.8 Server Universal) :
http://www.apple.com/support/downloads/securityupdate20060071048serveruniversal.html

Leave a Reply