Vulnerabilities > CVE-2002-1347 - Incorrect Calculation of Buffer Size vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
cyrusimap
apple
CWE-131
critical
nessus

Summary

Multiple buffer overflows in Cyrus SASL library 2.1.9 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) long inputs during user name canonicalization, (2) characters that need to be escaped during LDAP authentication using saslauthd, or (3) an off-by-one error in the log writer, which does not allocate space for the null character that terminates a string.

Vulnerable Configurations

Part Description Count
Application
Cyrusimap
1
OS
Apple
70

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Nessus

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2005-003.NASL
description: The remote host is missing Security Update 2005-003. This security update contains security fixes for the following applications : - AFP Server - Bluetooth Setup Assistant - Core Foundation - Cyrus IMAP - Cyrus SASL - Folder Permissions - Mailman - Safari These programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17587
published: 2005-03-21
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/17587
title: Mac OS X Multiple Vulnerabilities (Security Update 2005-003)
code
#
# (C) Tenable Network Security, Inc.
#

# Stop immediately when the scan engine does not provide bn_random();
# presumably a marker for a minimum engine version - confirm before relying on it.
if ( ! defined_func("bn_random") )
{
 exit(0);
}

include("compat.inc");

# Registration phase: when the engine evaluates the plugin with `description`
# set, only the metadata below is declared and the script exits (exit(0) at the
# end of this block) before any host data is read.
if(description)
{
 script_id(17587);
 script_version ("1.23");

 # The CVE cross-references are registered only when NASL_LEVEL >= 3000.
 if (NASL_LEVEL >= 3000)
 {
  script_cve_id("CVE-2002-1347", "CVE-2004-0884", "CVE-2004-1011", "CVE-2004-1012", "CVE-2004-1013",
                "CVE-2004-1015", "CVE-2004-1067", "CVE-2005-0202", "CVE-2005-0235", "CVE-2005-0340", 
                "CVE-2005-0712", "CVE-2005-0713", "CVE-2005-0715", "CVE-2005-0716");
 }
 script_bugtraq_id(6347, 12478, 12863, 13224, 13220, 13226, 13237);

 script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2005-003)");
 script_summary(english:"Check for Security Update 2005-003");
 
 # NOTE(review): the synopsis speaks of "a security issue" (singular) while the
 # description and the CVE list above cover several applications and 14 CVEs.
 script_set_attribute( attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes a security
issue." );
 script_set_attribute( attribute:"description",  value:
"The remote host is missing Security Update 2005-003. This security
update contains security fixes for the following applications :

  - AFP Server
  - Bluetooth Setup Assistant
  - Core Foundation
  - Cyrus IMAP
  - Cyrus SASL
  - Folder Permissions
  - Mailman
  - Safari

These programs have multiple vulnerabilities which may allow a remote
attacker to execute arbitrary code." );
 script_set_attribute(
   attribute:"see_also",
   value:"http://support.apple.com/kb/TA22971"
 );
 script_set_attribute(
   attribute:"solution", 
   value:"Install Security Update 2005-003."
 );
  # A single CVSS v2 base and temporal vector is declared for the whole bundled
  # update, so it is not a per-CVE score. The temporal vector (E:H/RL:OF/RC:C)
  # and the three attributes below flag that exploits exist and that an official
  # fix is available, which matters for patch prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
 # NOTE(review): patch_publication_date (2005/03/28) is later than
 # plugin_publication_date (2005/03/21); one of the two is presumably off -
 # confirm against the vendor advisory.
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/21");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/08");
 script_cvs_date("Date: 2018/07/14  1:59:35");
 script_set_attribute(attribute:"patch_publication_date", value: "2005/03/28");
 # Declared as a local check: the result comes from data collected on the host,
 # not from probing the listed services over the network.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"MacOS X Local Security Checks");

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

 # The host check consumes the Host/MacOSX/packages KB entry, presumably filled
 # in by ssh_get_info.nasl from a credentialed login (confirm). With the key
 # required here, a scan that never collected the package list is expected to
 # produce no finding either way - absence of a report is not proof of patching.
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}


# Host check. It works purely from knowledge-base data collected earlier in the
# scan: the installed-package list and the kernel identification string.
installed = get_kb_item("Host/MacOSX/packages");
if ( ! installed )
{
  exit(0);
}

kernel = get_kb_item("Host/uname");

# Kernels treated as affected: Darwin 6.8.x and 7.7.x / 7.8.x. The original
# comment named only "MacOS X 10.2.8, 10.3.7", but the pattern accepts 7.8.x too.
if ( egrep(pattern:"Darwin.* (6\.8\.|7\.[78]\.)", string:kernel) )
{
  # The only evidence examined is the update's receipt name in the package
  # list; no file or library version is inspected. A receipt for a different
  # update name does not satisfy this pattern.
  if ( egrep(pattern:"^SecUpd(Srvr)?2005-003", string:installed) )
  {
    already_fixed = 1;
  }
  else
  {
    security_hole(0);
  }
}
else
{
  # Later kernels (6.9, 7.9 and up, or any two-digit major) are taken as fixed
  # on the strength of the uname string alone. Anything matching neither
  # pattern gets no report and no KB flag.
  if ( egrep(pattern:"Darwin.* (6\.9|[0-9][0-9]\.|7\.(9\.|[0-9][0-9]\.))", string:kernel) )
  {
    already_fixed = 1;
  }
}

if ( already_fixed )
{
  # Record every CVE covered by this update as a KB item set to TRUE;
  # presumably read by other plugins that cover the same CVEs - verify
  # against the consumers.
  fixed_cves = make_list(
    "CVE-2005-0340", "CVE-2005-0715", "CVE-2005-0716", "CVE-2005-0713",
    "CVE-2004-1011", "CVE-2004-1012", "CVE-2004-1013", "CVE-2004-1015",
    "CVE-2004-1067", "CVE-2002-1347", "CVE-2004-0884", "CVE-2005-0712",
    "CVE-2005-0202", "CVE-2005-0235" );
  foreach cve_id (fixed_cves)
  {
    set_kb_item(name:cve_id, value:TRUE);
  }
}

Redhat

advisories
rhsa
id: RHSA-2002:283