J-Security Center


Title: Apple Mac OS X Multiple Vulnerabilities

Severity: CRITICAL

Description:

Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.

Apache htdigest is prone to a buffer overflow that could be leveraged through a CGI application. Successful exploitation would result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-1344 is assigned to this issue.

Appkit is prone to an integer overflow when handling TIFF files. A malformed TIFF file could overwrite heap memory, resulting in arbitrary code execution. The CVE Mitre candidate IDs CAN-2004-1308 and CAN-2004-1307 are assigned to this issue.

Appkit is also prone to a denial of service due to an unhandled exception in NXSeek(). This will cause a Cocoa application to exit unexpectedly. The CVE Mitre candidate ID CAN-2005-1330 is assigned to this issue.

AppleScript is prone to a code obfuscation issue. Scripts created using the applescript: URI mechanism could display code differently than the actual code that will execute if it is downloaded, compiled, and run. The CVE Mitre candidate ID CAN-2005-1331 is assigned to this issue.

The Bluetooth file exchange service may allow downloaded files to be disclosed. The service saves files in a shared folder by default that may be accessed by other applications and users. The CVE Mitre candidate ID CAN-2005-1332 is assigned to this issue.

Bluetooth is also prone to a directory traversal vulnerability. Due to insufficient sanitization of input, the Bluetooth file and object exchange services could be used by a remote attacker to access files outside the default file exchange directory. The CVE Mitre candidate ID CAN-2005-1333 is assigned to this issue.

The chfn, chpass and chsh programs could allow privilege escalation. These programs are SUID and use external helper programs in an insecure manner. An attacker could leverage this issue to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-1335 is assigned to this issue.

Finder handles .DS_Store files in an insecure manner that could allow local attackers to overwrite files and allow privilege escalation. This issue could be leveraged through a symbolic link attack to have arbitrary code executed with elevated privileges or overwrite arbitrary files. The CVE Mitre candidate ID CAN-2005-0342 is assigned to this issue.

The Foundation framework is prone to a buffer overflow in its handling of environment variables. This issue could be exploited to execute arbitrary code. The CVE Mitre candidate ID CAN-2005-1336 is assigned to this issue.

The Help Viewer is prone to a cross-zone scripting vulnerability. This issue could be leveraged to have script code from a remote Web site executed in the local security context. The CVE Mitre candidate ID CAN-2005-1337 is assigned to this issue.

LDAP allows passwords to initially be stored in plain text when using an LDAP server not running on OS X. This could allow an attacker to read the plain text password before it is removed or encrypted. The CVE Mitre candidate ID CAN-2005-1338 is assigned to this issue.

The XFree86 libXpm library is prone to a stack overflow when parsing malformed image files. This is because xpmParseColors() does not perform adequate bounds checking. Successful exploitation could result in arbitrary code execution or a denial of service. The libXpm library is not installed by default; it is an optional component installed from the X11 package. The CVE Mitre candidate ID CAN-2004-0687 is assigned to this issue.

The XFree86 libXpm library also contains multiple routines that are prone to integer overflows. This could allow an attacker to cause the application to fail or execute arbitrary code. The CVE Mitre candidate ID CAN-2004-0688 is assigned to this issue.

lukemftpd could allow authenticated users to escape chroot. This issue can be leveraged when a user logs into the ftp server using their full name rather than their short name. Successful exploitation could allow an attacker to access files outside their chroot restrictions. The CVE Mitre candidate ID CAN-2005-1339 is assigned to this issue.

The NetInfo Setup Tool (NeST) is prone to a buffer overflow. Successful exploitation of this SUID utility could allow arbitrary code execution with elevated privileges. The CVE Mitre candidate ID CAN-2005-0594 is assigned to this issue.

When the HTTP proxy service is enabled through Server Admin, it is also available for users outside the local network. This could allow unauthorized users to proxy traffic through the server. The CVE Mitre candidate ID CAN-2005-1340 is assigned to this issue.

Sudo versions prior to 1.6.8p2 do not adequately sanitize their environments. A local attacker could exploit this vulnerability to execute arbitrary commands if they have permission to run a bash shell script. The CVE Mitre candidate ID CAN-2004-1051 is assigned to this issue.

Terminal allows malicious content to inject data when it is displayed. The utility allows window titles to be read as input when it receives a malicious escape sequence. The CVE Mitre candidate ID CAN-2005-1341 is assigned to this issue.

Terminal also allows escape characters embedded in x-man-path URIs to insert commands into a Terminal session. This is caused by insufficient sanitization of x-man-path URIs. The CVE Mitre candidate ID CAN-2005-1342 is assigned to this issue.
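The two Terminal issues above share one root cause: untrusted text reaching the terminal with ESC-introduced control sequences intact (title-setting OSC sequences, a title-report request, or controls smuggled inside an x-man-path URI). The following Python is an added example, not code from the advisory or from Apple; it strips such sequences from text before it is echoed and flags the title-set/title-report pair on a constructed log line. The sequence forms are the standard ECMA-48/xterm ones; the sample line and all function names are assumptions made for the example.

```python
import re

# Terminal control-sequence grammar (ECMA-48 / xterm conventions):
#   OSC  : ESC ] ... terminated by BEL (0x07) or ST (ESC \)  -> sets window/icon titles
#   CSI  : ESC [ params, intermediates, final byte 0x40-0x7E -> e.g. CSI 21 t, xterm's title report
#   other: ESC followed by one byte in 0x40-0x5F or 0x60-0x7E
# An unterminated OSC falls through to the two-byte rule: only "ESC ]" is removed
# and the rest stays visible, which is the safe failure mode for a sanitizer.
_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
_CSI = r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
_ESC2 = r"\x1b[\x40-\x5f\x60-\x7e]"
_CONTROL = re.compile(f"(?:{_OSC})|(?:{_CSI})|(?:{_ESC2})")

# Sequences that touch the window title: OSC 0/2 (set) and CSI 21 t (report title as input).
_TITLE_SET = re.compile(r"\x1b\][02];")
_TITLE_QUERY = re.compile(r"\x1b\[21t")


def strip_terminal_controls(text: str) -> str:
    """Remove ESC-introduced sequences so untrusted text can be echoed to a terminal."""
    return _CONTROL.sub("", text)


def title_attack_indicators(text: str) -> dict:
    """Count title-set and title-report sequences, the pair the advisory describes."""
    return {
        "title_set": len(_TITLE_SET.findall(text)),
        "title_query": len(_TITLE_QUERY.findall(text)),
    }


def uri_has_control_bytes(uri: str) -> bool:
    """x-man-path style check: reject a URI carrying any C0 control (ESC included) or DEL."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in uri)


# Constructed sample (assumption): a web-server log line that sets the title to a command
# and then asks the terminal to report it, which a vulnerable Terminal would treat as input.
SAMPLE_LOG = "GET /index.html 200\x1b]0;cmd\x07\x1b[21tGET /favicon.ico 404\n"

if __name__ == "__main__":
    print(title_attack_indicators(SAMPLE_LOG))
    print(repr(strip_terminal_controls(SAMPLE_LOG)))
    print(uri_has_control_bytes("x-man-path:///usr/share/man/man1/ls.1\x1b[A"))
```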

vpnd is prone to a buffer overflow that could allow a local user to obtain root privileges. This issue could only be exploited if the computer is configured to be a VPN server. The CVE Mitre candidate ID CAN-2005-1343 is assigned to this issue.

Affected Products:

  • Apple Mac OS X 10.3.0
  • Apple Mac OS X 10.3.1
  • Apple Mac OS X 10.3.2
  • Apple Mac OS X 10.3.3
  • Apple Mac OS X 10.3.4
  • Apple Mac OS X 10.3.5
  • Apple Mac OS X 10.3.6
  • Apple Mac OS X 10.3.7
  • Apple Mac OS X 10.3.8
  • Apple Mac OS X 10.3.9
  • Apple Mac OS X Server 10.3.0
  • Apple Mac OS X Server 10.3.1
  • Apple Mac OS X Server 10.3.2
  • Apple Mac OS X Server 10.3.3
  • Apple Mac OS X Server 10.3.4
  • Apple Mac OS X Server 10.3.5
  • Apple Mac OS X Server 10.3.6
  • Apple Mac OS X Server 10.3.7
  • Apple Mac OS X Server 10.3.8
  • Apple Mac OS X Server 10.3.9
