J-Security Center

Title: Apple Mac OS X 2007-004 Multiple Security Vulnerabilities

Severity: CRITICAL

Description:

Apple Mac OS X is prone to multiple security vulnerabilities.

These issues affect Mac OS X and various applications, including AFP Client, AirPortDriver module, CoreServices, Libinfo, Login Window, Natd, SMB, System Configuration, URLMount, VideoConference framework, WebDAV, and WebFoundation.

Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, overwrite files, and access potentially sensitive information. Both local and remote vulnerabilities are present.

Apple Mac OS X 10.4.9 and prior versions are vulnerable to these issues.

The following specific issues were reported:

- CVE-2007-0729: AFP Client is prone to a privilege-escalation vulnerability because it fails to properly sanitize environment variables prior to executing shell commands. This may allow a local attacker to create files or execute commands with superuser privileges.

- CVE-2007-0725: AirPortDriver module is prone to a buffer-overflow vulnerability when processing certain control commands for AirPort. A local attacker may exploit this issue by sending a maliciously crafted control command to the affected module. This issue allows attackers to execute arbitrary machine code with superuser privileges.

- CVE-2007-0732: The CoreServices daemon is prone to a privilege-escalation vulnerability when handling interprocess communication. An attacker may exploit this issue to execute arbitrary code with superuser privileges.

- CVE-2007-0734: The 'fsck' application is prone to a memory-corruption vulnerability when opening certain maliciously crafted UFS disk images. It is possible to automatically run 'fsck' when opening disk images.

- CVE-2007-0735: The Libinfo library is prone to an arbitrary code-execution vulnerability because it improperly reports errors to applications that use the library. An attacker may exploit this issue by enticing a victim into opening a maliciously crafted document with an application that relies on the vulnerable library. This will cause a previously deallocated object to be accessed, allowing the attacker to crash the application or execute arbitrary code with the privileges of the affected library.

- CVE-2007-0736: The Libinfo library is prone to an integer-overflow vulnerability when the portmap service is enabled. An attacker may exploit this issue by sending maliciously crafted requests to the portmap service. Successful exploits will allow the attacker to execute arbitrary code with the privileges of the 'daemon' user.

- CVE-2007-0737: The Login Window is prone to a privilege-escalation vulnerability because it doesn't properly check environment variables. A local attacker may exploit this issue to execute arbitrary code with superuser privileges.

- CVE-2007-0738: The Login Window is prone to an authentication-bypass vulnerability when resuming from sleep mode. Under certain unspecified conditions, the user password setting is ignored, allowing open access to the computer.

- CVE-2007-0739: The Login Window is prone to an authentication-bypass vulnerability when scheduled tasks are performed prior to authentication. This may cause the update window to appear beneath the Login Window, allowing an attacker with physical access to the machine to bypass the authentication mechanism. This issue does not affect versions prior to Mac OS X 10.4.

- CVE-2007-0741: Natd is prone to a buffer-overflow vulnerability when handling RTSP packets. An attacker may exploit this issue by submitting maliciously crafted packets to victims who have Internet Sharing enabled.

- CVE-2007-0744: SMB is prone to a privilege-escalation vulnerability because it fails to properly sanitize environment variables. This may allow a local attacker to create files or execute commands with superuser privileges.

- CVE-2007-0743: URLMount, which is used to mount remote filesystems, is prone to a vulnerability that may allow an attacker to obtain another user's authentication credentials. The vulnerability occurs because the username and password used to mount remote filesystems through connections to SMB servers are insecurely passed to the 'mount_smb' command as command-line arguments.

- CVE-2007-0746: The VideoConference framework, used in applications such as iChat, is prone to a heap-based buffer-overflow vulnerability. An attacker may exploit this issue by sending a maliciously crafted SIP packet when initializing an audio/video conference.

- CVE-2007-0747: The WebDAV filesystem is prone to a privilege-escalation vulnerability. The vulnerability occurs when mounting the affected filesystem. This causes the 'load_webdav' program to be launched without properly sanitizing environment variables. An attacker may exploit this issue to create files or execute commands with superuser privileges.

- CVE-2007-0742: The WebFoundation implementation is prone to an information-disclosure vulnerability because of a design error that allows cookies set by subdomains to be accessible to the parent domain. An attacker may exploit this issue to retrieve sensitive information. This issue does not affect systems running Mac OS X v10.4.

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.03
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Apple Mac OS X 10.2.0
  • Apple Mac OS X 10.2.1
  • Apple Mac OS X 10.2.2
  • Apple Mac OS X 10.2.3
  • Apple Mac OS X 10.2.4
  • Apple Mac OS X 10.2.5
  • Apple Mac OS X 10.2.6
  • Apple Mac OS X 10.2.7
  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.0
  • Apple Mac OS X 10.3.1
  • Apple Mac OS X 10.3.2
  • Apple Mac OS X 10.3.3
  • Apple Mac OS X 10.3.4
  • Apple Mac OS X 10.3.5
  • Apple Mac OS X 10.3.6
  • Apple Mac OS X 10.3.7
  • Apple Mac OS X 10.3.8
  • Apple Mac OS X 10.3.9
  • Apple Mac OS X 10.4.0
  • Apple Mac OS X 10.4.1
  • Apple Mac OS X 10.4.2
  • Apple Mac OS X 10.4.3
  • Apple Mac OS X 10.4.4
  • Apple Mac OS X 10.4.5
  • Apple Mac OS X 10.4.6
  • Apple Mac OS X 10.4.7
  • Apple Mac OS X 10.4.8
  • Apple Mac OS X 10.4.9
  • Apple Mac OS X Preview.app 3.0.8
  • Apple Mac OS X Server 10.0.0
  • Apple Mac OS X Server 10.1.0
  • Apple Mac OS X Server 10.1.1
  • Apple Mac OS X Server 10.1.2
  • Apple Mac OS X Server 10.1.3
  • Apple Mac OS X Server 10.1.4
  • Apple Mac OS X Server 10.1.5
  • Apple Mac OS X Server 10.2.0
  • Apple Mac OS X Server 10.2.1
  • Apple Mac OS X Server 10.2.2
  • Apple Mac OS X Server 10.2.3
  • Apple Mac OS X Server 10.2.4
  • Apple Mac OS X Server 10.2.5
  • Apple Mac OS X Server 10.2.6
  • Apple Mac OS X Server 10.2.7
  • Apple Mac OS X Server 10.2.8
  • Apple Mac OS X Server 10.3.0
  • Apple Mac OS X Server 10.3.1
  • Apple Mac OS X Server 10.3.2
  • Apple Mac OS X Server 10.3.3
  • Apple Mac OS X Server 10.3.4
  • Apple Mac OS X Server 10.3.5
  • Apple Mac OS X Server 10.3.6
  • Apple Mac OS X Server 10.3.7
  • Apple Mac OS X Server 10.3.8
  • Apple Mac OS X Server 10.3.9
  • Apple Mac OS X Server 10.4.0
  • Apple Mac OS X Server 10.4.1
  • Apple Mac OS X Server 10.4.2
  • Apple Mac OS X Server 10.4.3
  • Apple Mac OS X Server 10.4.4
  • Apple Mac OS X Server 10.4.5
  • Apple Mac OS X Server 10.4.6
  • Apple Mac OS X Server 10.4.7
  • Apple Mac OS X Server 10.4.8
  • Apple Mac OS X Server 10.4.9
