Vulnerabilities > CVE-2004-1083 - Improper Handling of Case Sensitivity vulnerability in Apple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate capitalization.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2005-007.NASL description The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HItoolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirelMail - traceroute - WebKit - WebLog Server - X11 - zlib last seen 2020-06-01 modified 2020-06-02 plugin id 19463 published 2005-08-18 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19463 title Mac OS X Multiple Vulnerabilities (Security Update 2005-007) code # # (C) Tenable Network Security, Inc. # if ( ! defined_func("bn_random") ) exit(0); if (NASL_LEVEL < 3004) exit(0); include("compat.inc"); if(description) { script_id(19463); script_version ("1.15"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id("CVE-2005-1344", "CVE-2004-0942", "CVE-2004-0885", "CVE-2004-1083", "CVE-2004-1084", "CVE-2005-2501", "CVE-2005-2502", "CVE-2005-2503", "CVE-2005-2504", "CVE-2005-2505", "CVE-2005-2506", "CVE-2005-2525", "CVE-2005-2526", "CVE-2005-2507", "CVE-2005-2508", "CVE-2005-2519", "CVE-2005-2513", "CVE-2004-1189", "CVE-2005-1174", "CVE-2005-1175", "CVE-2005-1689", "CVE-2005-2511", "CVE-2005-2509", "CVE-2005-2512", "CVE-2005-2745", "CVE-2005-0709", "CVE-2005-0710", "CVE-2005-0711", "CVE-2004-0079", "CVE-2004-0112", "CVE-2005-2514", "CVE-2005-2515", "CVE-2005-2516", "CVE-2005-2517", "CVE-2005-2524", "CVE-2005-2520", "CVE-2005-2518", "CVE-2005-2510", "CVE-2005-1769", "CVE-2005-2095", "CVE-2005-2521", "CVE-2005-2522", "CVE-2005-2523", "CVE-2005-0605", "CVE-2005-2096", "CVE-2005-1849"); script_bugtraq_id(14567, 14569); script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2005-007)"); script_summary(english:"Check for Security Update 2005-007"); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes various security issues." ); script_set_attribute(attribute:"description", value: "The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HItoolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirelMail - traceroute - WebKit - WebLog Server - X11 - zlib" ); # http://web.archive.org/web/20060406190355/http://docs.info.apple.com/article.html?artnum=302163 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?74ffa359" ); script_set_attribute(attribute:"solution", value: "!Install Security Update 2005-007." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/18"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/12"); script_set_attribute(attribute:"patch_publication_date", value: "2005/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_family(english:"MacOS X Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages"); exit(0); } # packages = get_kb_item("Host/MacOSX/packages"); if ( ! packages ) exit(0); uname = get_kb_item("Host/uname"); # MacOS X 10.4.2 if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.2\.)", string:uname) ) { if (!egrep(pattern:"^SecUpd(Srvr)?2005-007", string:packages)) security_hole(0); }
NASL family Web Servers NASL id HFS_FORK_SOURCE.NASL description The remote host seems to be running Mac OS X or Mac OS X Server. There is a flaw in the remote web server that allows an attacker to obtain the source code of any given file on the remote web server by reading it through its data fork directly. An attacker may exploit this flaw to obtain the source code of remote scripts. last seen 2020-06-01 modified 2020-06-02 plugin id 15927 published 2004-12-09 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15927 title Apache on Mac OS X HFS+ Arbitrary File Source Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(15927); script_version("1.27"); script_cvs_date("Date: 2018/07/12 19:01:16"); script_cve_id("CVE-2004-1083", "CVE-2004-1084"); script_bugtraq_id(11802); script_name(english:"Apache on Mac OS X HFS+ Arbitrary File Source Disclosure"); script_summary(english:"downloads the source of a remote script"); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "The remote host seems to be running Mac OS X or Mac OS X Server. There is a flaw in the remote web server that allows an attacker to obtain the source code of any given file on the remote web server by reading it through its data fork directly. An attacker may exploit this flaw to obtain the source code of remote scripts."); script_set_attribute(attribute:"solution", value: "Install the latest Apple Security Patches."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/09"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/02"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english:"Web Servers"); script_dependencie("http_version.nasl", "os_fingerprint.nasl"); script_require_ports("Services/www", 80); exit(0); } # # The script code starts here # include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); os = get_kb_item("Host/OS"); if (os && "Mac OS X" >!< os) exit(0, "The remote host was not fingerprinted as Mac OS X."); port = get_http_port(default:80); if ( get_kb_item("www/no404/" + port ) ) exit(0); function check(file, pattern) { local_var r, u, rep; u = strcat(file, "/..namedfork/data"); r = http_send_recv3(method: 'GET', port: port, item: u); if (isnull(r)) exit(1, "The web server on port "+port+" failed to respond."); if (r[0] =~ "^HTTP/[01]\.[01] +200 " && (pattern >< r[2] )) { # Avoid FP r = http_send_recv3(method: 'GET', port: port, item: strcat(file, "/..", rand())); if (isnull(r)) exit(1, "The web server on port "+port+" failed to respond."); if (r[0] =~ "^HTTP/[01]\.[01] +200 " && (pattern >< r[2])) return 0; rep = strcat('\nThe output from the following URLs should demonstrate the issue :\n\n - ', build_url(port:port, qs:file), '\n - ', build_url(port:port, qs:u), '\n'); security_warning (port:port, extra: rep ); return 1; } return 0 ; } check(file:"/index.php", pattern:"<?"); files = get_kb_list(string("www/", port, "/content/extensions/php")); if(!isnull(files)) { files = make_list(files); check(file:files[0], pattern:"<?"); } # all this does is check if requesting /index.html/..namedfork/data results in an HTTP 200 # which seems very unreliable #r = http_send_recv3(method: 'GET', item:"/index.html", port:port); #if (isnull(r)) exit(0); #check(file:"/index.html", pattern: r[2]);
NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD20041202.NASL description The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs : - Apache - Apache2 - AppKit - Cyrus IMAP - HIToolbox - Kerberos - Postfix - PSNormalizer - QuickTime Streaming Server - Safari - Terminal These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 15898 published 2004-12-02 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15898 title Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02) code # # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3004) exit(0); # a large number of xrefs. if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(15898); script_version ("1.24"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id("CVE-2004-1082", "CVE-2003-0020", "CVE-2003-0987", "CVE-2004-0174", "CVE-2004-0488", "CVE-2004-0492", "CVE-2004-0885", "CVE-2004-0940", "CVE-2004-1083", "CVE-2004-1084", "CVE-2004-0747", "CVE-2004-0786", "CVE-2004-0751", "CVE-2004-0748", "CVE-2004-1081", "CVE-2004-0803", "CVE-2004-0804", "CVE-2004-0886", "CVE-2004-1089", "CVE-2004-1085", "CVE-2004-0642", "CVE-2004-0643", "CVE-2004-0644", "CVE-2004-0772", "CVE-2004-1088", "CVE-2004-1086", "CVE-2004-1123", "CVE-2004-1121", "CVE-2004-1122", "CVE-2004-1087"); script_bugtraq_id(9921, 9930, 9571, 11471, 11360, 11469, 10508, 11802); script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)"); script_summary(english:"Check for Security Update 2004-12-02"); script_set_attribute( attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes a security issue." ); script_set_attribute( attribute:"description", value: "The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs : - Apache - Apache2 - AppKit - Cyrus IMAP - HIToolbox - Kerberos - Postfix - PSNormalizer - QuickTime Streaming Server - Safari - Terminal These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code." ); # http://web.archive.org/web/20080915104713/http://support.apple.com/kb/HT1646? script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?210abeb5" ); script_set_attribute( attribute:"solution", value:"Install Security Update 2004-12-02." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_publication_date", value: "2004/12/02"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/02/24"); script_set_attribute(attribute:"patch_publication_date", value: "2004/12/02"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages"); exit(0); } packages = get_kb_item("Host/MacOSX/packages"); if ( ! packages ) exit(0); uname = get_kb_item("Host/uname"); # MacOS X 10.2.8, 10.3.6 only if ( egrep(pattern:"Darwin.* (6\.8\.|7\.6\.)", string:uname) ) { if ( ! egrep(pattern:"^SecUpd(Srvr)?2004-12-02", string:packages) ) security_hole(0); else non_vuln = 1; } else if ( egrep(pattern:"Darwin.* (6\.9|[0-9][0-9]\.|7\.([7-9]|[0-9][0-9]\.|[8-9]\.))", string:uname) ) non_vuln = 1; if ( non_vuln ) { set_kb_item(name:"CVE-2004-1082", value:TRUE); set_kb_item(name:"CVE-2003-0020", value:TRUE); set_kb_item(name:"CVE-2003-0987", value:TRUE); set_kb_item(name:"CVE-2004-0174", value:TRUE); set_kb_item(name:"CVE-2004-0488", value:TRUE); set_kb_item(name:"CVE-2004-0492", value:TRUE); set_kb_item(name:"CVE-2004-0885", value:TRUE); set_kb_item(name:"CVE-2004-0940", value:TRUE); set_kb_item(name:"CVE-2004-1083", value:TRUE); set_kb_item(name:"CVE-2004-1084", value:TRUE); set_kb_item(name:"CVE-2004-0747", value:TRUE); set_kb_item(name:"CVE-2004-0786", value:TRUE); set_kb_item(name:"CVE-2004-0751", value:TRUE); set_kb_item(name:"CVE-2004-0748", value:TRUE); set_kb_item(name:"CVE-2004-1081", value:TRUE); set_kb_item(name:"CVE-2004-0803", value:TRUE); set_kb_item(name:"CVE-2004-0804", value:TRUE); set_kb_item(name:"CVE-2004-0886", value:TRUE); set_kb_item(name:"CVE-2004-1089", value:TRUE); set_kb_item(name:"CVE-2004-1085", value:TRUE); set_kb_item(name:"CVE-2004-0642", value:TRUE); set_kb_item(name:"CVE-2004-0643", value:TRUE); set_kb_item(name:"CVE-2004-0644", value:TRUE); set_kb_item(name:"CVE-2004-0772", value:TRUE); set_kb_item(name:"CVE-2004-1088", value:TRUE); set_kb_item(name:"CVE-2004-1086", value:TRUE); set_kb_item(name:"CVE-2004-1123", value:TRUE); set_kb_item(name:"CVE-2004-1121", value:TRUE); set_kb_item(name:"CVE-2004-1122", value:TRUE); set_kb_item(name:"CVE-2004-1087", value:TRUE); }
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-030.NASL description A number of vulnerabilities were discovered in tcpdump versions prior to 3.8.1 that, if fed a maliciously crafted packet, could be exploited to crash tcpdump. These vulnerabilities include : Remote attackers can cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI last seen 2020-06-01 modified 2020-06-02 plugin id 14129 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14129 title Mandrake Linux Security Advisory : tcpdump (MDKSA-2004:030) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2004:030. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14129); script_version ("1.16"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-0183", "CVE-2004-0184"); script_xref(name:"MDKSA", value:"2004:030"); script_name(english:"Mandrake Linux Security Advisory : tcpdump (MDKSA-2004:030)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "A number of vulnerabilities were discovered in tcpdump versions prior to 3.8.1 that, if fed a maliciously crafted packet, could be exploited to crash tcpdump. These vulnerabilities include : Remote attackers can cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read. (CVE-2004-1083) Integer underflow in the isakmp_id_print allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read. (CVE-2004-0184) The updated packages are patched to correct these problems." ); script_set_attribute( attribute:"solution", value:"Update the affected tcpdump package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2004/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"tcpdump-3.8.1-1.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"tcpdump-3.7.2-2.2.91mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"tcpdump-3.7.2-2.2.92mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://lists.apple.com/archives/security-announce/2004/Dec/msg00000.html
- http://lists.apple.com/archives/security-announce/2004/Dec/msg00000.html
- http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
- http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
- http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
- http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
- http://secunia.com/advisories/13362/
- http://secunia.com/advisories/13362/
- http://www.ciac.org/ciac/bulletins/p-049.shtml
- http://www.ciac.org/ciac/bulletins/p-049.shtml
- http://www.securityfocus.com/bid/11802
- http://www.securityfocus.com/bid/11802
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18348
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18348