---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA21253 VERIFY ADVISORY: http://secunia.com/advisories/21253/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error in the AFP server within the handling of users' search results can be exploited by malicious users to gain knowledge of the names of files and folders for which the user performing the search has no access to. Successful exploitation requires that file sharing is enabled. 2) An integer overflow error in the AFP server may be exploited by an authenticated user to execute arbitrary code with system privileges. Successful exploitation requires that file sharing is enabled. 3) An error in the AFP server where the reconnect keys for file sharing sessions are stored world-readable can be exploited by local users to access files and folders with the privileges of another user. Successful exploitation requires that file sharing is enabled. 4) An error in the AFP server caused due to an unchecked error condition can be exploited to crash the AFP server by sending a specially crafted invalid AFP request. Successful exploitation requires that file sharing is enabled. 5) An error in Bom's compression state handling may be exploited to cause a heap corruption by tricking a user into opening a specially crafted corrupted ZIP archive. Successful exploitation may allow execution of arbitrary code. NOTE: This can be exploited automatically via the Safari browser if the "Open safe files after downloading" setting is enabled. 6) A boundary error in bootpd can be exploited to cause a stack-based buffer overflow by sending a specially crafted BOOTP request. Successful exploitation may allow execution of arbitrary code with system privileges, but requires that bootpd is enabled (not enabled by default). 7) An error in the processing of dynamic linker options in privileged applications may be exploited by local users to influence the behavior of privileged applications by specifying options which causes output to standard error. 8) An error in the dynamic linker may be exploited by local users to specify paths used when loading libraries into an privileged application. Successful exploitation may allow execution of arbitrary code with escalated privileges. 9) Various errors exists in the fetchmail utility. For more information: SA16176 SA17293 SA17891 SA18571 10) An input validation error when extracting a file with the "-N" flag using "gunzip" makes it possible to have a file extracted to an arbitrary location outside the current directory via directory traversal attacks. For more information: SA15047 A race condition when setting file permissions has also been reported. 11) An error in the processing of corrupted Canon RAW images can be exploited to cause a buffer overflow by tricking a user into viewing a specially crafted Canon RAW image. Successful exploitation may allow execution of arbitrary code. 12) An integer overflow error in the processing of corrupted Radiance images may be exploited to execute arbitrary code by tricking a user into viewing a specially crafted Radiance image. 13) An error in the processing of corrupted GIF images can be exploited to cause an undetected memory allocation failure by tricking a user into viewing a specially crafted GIF image. Successful exploitation may allow execution of arbitrary code. 14) An integer overflow error in the processing of corrupted GIF images may be exploited to execute arbitrary code by tricking a user into viewing a specially crafted GIF image. 15) An error exists in the download validation of safe files in the LaunchServices where certain files containing HTML may incorrectly be classified as safe. This may be exploited to execute arbitrary HTML and script code in a user's browser session in context of the local domain. NOTE: This can be exploited automatically via Safari if the "Open safe files after downloading" option is enabled. 16) An error exists in OpenSSH which is caused due to the authentication process hanging when processing login requests by non-existing users. This can be exploited to enumerate valid user accounts or cause a DoS (Denial of Service) via a large amount of login requests. Successful exploitation requires that remote login is enabled. 17) A design error in the Telnet client when handling the NEW-ENVIRON command can be exploited to gain knowledge of the session variables for a user, who has an open connection to a malicious Telnet server. For more information: SA15709 18) An error when processing HTML documents can be exploited to access a previously deallocated object. Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into visiting a malicious web site. 19) Some errors in the processing of corrupted TIFF images can be exploited to cause buffer overflows (TIFF tag handling, TIFF PixarLog decoder, and TIFF NeXT RLE decoder). Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into viewing a specially crafted TIFF image. SOLUTION: Apply Security Update 2006-004. Mac OS X 10.3.9 Client: http://www.apple.com/support/downloads/securityupdate20060041039client.html Mac OS X 10.3.9 Server: http://www.apple.com/support/downloads/securityupdate20060041039server.html Mac OS X 10.4.7 Client (Intel): http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientintel.html Mac OS X 10.4.7 Client (PPC): http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientppc.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Dino Dai Zovi, Matasano Security. 5) Tom Ferris. 7, 8) The vendor credits Neil Archibald, Suresec LTD. 14) Tom Ferris. 16) The vendor credits Rob Middleton, Centenary Institute. 18) The vendor credits Jesse Ruderman, Mozilla Corporation. 19) The vendor credits Tavis Ormandy, Google Security Team. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=304063 Tom Ferris: http://www.security-protocols.com/sp-x32-advisory.php http://www.security-protocols.com/sp-x33-advisory.php OTHER REFERENCES: SA15047: http://secunia.com/advisories/15047/ SA15709: http://secunia.com/advisories/15709/ SA16176: http://secunia.com/advisories/16176/ SA17293: http://secunia.com/advisories/17293/ SA17891: http://secunia.com/advisories/17891/ SA18571: http://secunia.com/advisories/18571/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------