CVE-2006-0393 - Multiple security vulnerabilities in Apple Mac OS X

CVSS v2 base score: 4.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: PARTIAL
network
high complexity
apple
nessus

Summary

OpenSSH in Apple Mac OS X 10.4.7 allows remote attackers to cause a denial of service or determine account existence by attempting to log in using an invalid user, which causes the server to hang.

Vulnerable Configurations

Part | Description | Count
OS | Apple | 2

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2006-004.NASL
    description: The remote host is running Apple Mac OS X, but lacks Security Update 2006-004. This security update contains fixes for the following applications: AFP Server, Bluetooth, Bom, DHCP, dyld, fetchmail, gnuzip, ImageIO, LaunchServices, OpenSSH, telnet, WebKit
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22125
    published: 2006-08-01
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22125
    title: Mac OS X Multiple Vulnerabilities (Security Update 2006-004)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when `description` is set, the calls below record the
    # plugin's metadata and the script exits before reaching the check logic.
    if (description)
    {
      script_id(22125);
      script_version("1.23");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      # A single plugin id covers every CVE fixed by Security Update 2006-004.
      # The check at the end of this script only looks for the update's install
      # receipt, so a finding does not say which of these issues is reachable.
      script_cve_id("CVE-2005-0488", "CVE-2005-0988", "CVE-2005-1228", "CVE-2005-2335", "CVE-2005-3088",
                    "CVE-2005-4348", "CVE-2006-0321", "CVE-2006-0392", "CVE-2006-0393", "CVE-2006-1472",
                    "CVE-2006-1473", "CVE-2006-3459", "CVE-2006-3461", "CVE-2006-3462", "CVE-2006-3465",
                    "CVE-2006-3495", "CVE-2006-3496", "CVE-2006-3497", "CVE-2006-3498", "CVE-2006-3499",
                    "CVE-2006-3500", "CVE-2006-3501", "CVE-2006-3502", "CVE-2006-3503", "CVE-2006-3504",
                    "CVE-2006-3505");
      script_bugtraq_id(19289);
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2006-004)");
      script_summary(english:"Check for Security Update 2006-004");
    
      script_set_attribute(attribute:"synopsis", value:"The remote operating system is missing a vendor-supplied patch.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running Apple Mac OS X, but lacks
    Security Update 2006-004.
    
    This security update contains fixes for the following
    applications :
    
    AFP Server
    Bluetooth
    Bom
    DHCP
    dyld
    fetchmail
    gnuzip
    ImageIO
    LaunchServices
    OpenSSH
    telnet
    WebKit");
     # http://web.archive.org/web/20070728033955/http://docs.info.apple.com/article.html?artnum=304063
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e97e41a");
      script_set_attribute(attribute:"solution", value:
    "Mac OS X 10.4 :
    
    http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientintel.html
    http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientppc.html
    
    Mac OS X 10.3 :
    
    http://www.apple.com/support/downloads/securityupdate20060041039client.html
    http://www.apple.com/support/downloads/securityupdate20060041039server.html");
      # NOTE(review): the CVSS vectors and exploit attributes below are set once
      # for the whole plugin. The Metasploit module named here is a LibTIFF buffer
      # overflow, so these values presumably reflect the most severe bundled issue
      # rather than every CVE listed above. Rate an individual CVE (for example
      # the OpenSSH one) from its own record, not from this plugin's score.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/01");
    
      # Declared as a "local" check: the verdict is derived from data about the
      # host held in the knowledge base, not from probing a network service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_family(english:"MacOS X Local Security Checks");
    
      # The plugin requires the "Host/MacOSX/packages" knowledge-base key,
      # presumably populated by ssh_get_info.nasl during a credentialed scan
      # (confirm). Without it the plugin yields no result, which must not be
      # read as "patched".
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages");
      # End of registration; nothing after this block runs in this mode.
      exit(0);
    }
    
    # Installed-package inventory from the knowledge base. With no inventory
    # there is nothing to evaluate, so the script ends without a finding.
    packages = get_kb_item("Host/MacOSX/packages");
    if (!packages)
    {
      exit(0);
    }
    
    # Scope: Darwin 7.x kernels (Mac OS X 10.3) and Darwin 8.0-8.7 (Mac OS X
    # 10.4.0-10.4.7). A host in scope is reported unless the package list has a
    # receipt for Security Update 2006-004, 2006-006, 2006-007, 2007-003 or
    # 2007-008 (client or "Srvr" variant). Only receipt names are matched; the
    # versions of the patched files are not inspected.
    uname = get_kb_item("Host/uname");
    if (egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.[0-7]\.)", string:uname) &&
        !egrep(pattern:"^SecUpd(Srvr)?(2006-00[467]|2007-00[38])", string:packages))
    {
      security_hole(0);
    }
    
  • NASL family: Misc.
    NASL id: OPENSSH_42.NASL
    description: According to its banner, the version of OpenSSH installed on the remote host has the following vulnerabilities : - X11 forwarding may be enabled unintentionally when multiple forwarding requests are made on the same session, or when an X11 listener is orphaned after a session goes away. (CVE-2005-2797) - GSSAPI credentials may be delegated to users who log in using something other than GSSAPI authentication if ... (truncated; the full text is in the plugin code below)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19592
    published: 2005-09-07
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19592
    title: OpenSSH < 4.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when `description` is set, the calls below record the
    # plugin's metadata and the script exits before reaching the banner check.
    if (description)
    {
      script_id(19592);
      script_version("1.20");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      # Per the description text below, CVE-2006-0393 applies only to OpenSSH on
      # Mac OS X 10.4.x; the other two CVEs are not restricted to one platform.
      script_cve_id("CVE-2005-2797", "CVE-2005-2798", "CVE-2006-0393");
      script_bugtraq_id(14727, 14729, 19289);
    
      script_name(english:"OpenSSH < 4.2 Multiple Vulnerabilities");
      # NOTE(review): the summary names only the GSSAPI issue, while the
      # description below also covers X11 forwarding and the Mac OS X login hang.
      script_summary(english:"Checks for GSSAPI credential disclosure vulnerability in OpenSSH");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote SSH server has multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of OpenSSH installed on the
    remote host has the following vulnerabilities :
    
      - X11 forwarding may be enabled unintentionally when
        multiple forwarding requests are made on the same session,
        or when an X11 listener is orphaned after a session goes
        away. (CVE-2005-2797)
    
      - GSSAPI credentials may be delegated to users who
        log in using something other than GSSAPI authentication
        if 'GSSAPIDelegateCredentials' is enabled. (CVE-2005-2798)
    
      - Attempting to log in as a nonexistent user causes
        the authentication process to hang, which could
        be exploited to enumerate valid user accounts.
        Only OpenSSH on Mac OS X 10.4.x is affected.
        (CVE-2006-0393)
    
      - Repeatedly attempting to log in as a nonexistent
        user could result in a denial of service.
        Only OpenSSH on Mac OS X 10.4.x is affected.
        (CVE-2006-0393)");
      script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-4.2");
      script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2006/Aug/msg00000.html");
      script_set_attribute(attribute:"see_also",value:"https://support.apple.com/?artnum=304063");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to OpenSSH 4.2 or later.  For OpenSSH on Mac OS X 10.4.x,
    apply Mac OS X Security Update 2006-004." );
     # NOTE(review): the base vector carries A:N, yet the description above lists
     # a denial of service for CVE-2006-0393. Presumably the vector was scored for
     # one of the other CVEs; confirm before using it to rate the Mac OS X issue.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/09/07");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/01");
      script_set_attribute(attribute:"patch_publication_date", value: "2005/09/01");
      # Declared as a "remote" check; the logic after this block decides from the
      # SSH banner alone.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
      # Depends on ssh_detect.nasl and is limited to hosts with an SSH service
      # ("Services/ssh") or port 22.
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh", 22);
    
      # End of registration; nothing after this block runs in this mode.
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    # exit_on_fail:TRUE is passed, so the script is expected to stop here when no
    # SSH service is available.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Get banner for service.
    # The banner is read from the knowledge base key for this port; this script
    # does not open a connection itself.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    
    # Lower-case the banner returned by get_backport_banner() so the string
    # comparisons below ignore case.
    bp_banner = tolower(get_backport_banner(banner:banner));
    # Not OpenSSH: exit quietly with status 0.
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    # `backported` is not assigned in this script; presumably it is set by
    # get_backport_banner() in backport.inc (confirm). When it is set the plugin
    # exits with status 1 and reports nothing, because a distribution may have
    # patched the code without changing the version string. That outcome means
    # "undetermined", not "fixed".
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    # Matches banner versions 0.x-3.x and 4.0/4.1, i.e. anything before 4.2.
    # Only the banner is inspected. The host operating system is not checked, so
    # a finding does not by itself establish that the Mac OS X 10.4.x-only item
    # (CVE-2006-0393) applies to this host.
    if (bp_banner =~ "openssh[-_]([0-3]\.|4\.[01])")
      security_note(port);
    

Seebug

bulletinFamily: exploit
descriptionApple Mac OS X是苹果家族机器所使用的操作系统。 最新的Mac OS X更新修复了多个漏洞,具体如下: CVE-2006-1472 AFP Server中的漏洞允许在搜索结果中包含执行搜索用户无权访问的文件和文件夹。如果文件名本身就是敏感信息的话,就可能导致信息泄露;如果权限允许的话,攻击者还可以访问文件内容。 CVE-2006-1473 已认证用户可以触发AFP Server中的整数溢出漏洞,导致拒绝服务或以系统权限执行任意代码。AFP Server在Mac OS X中不是默认启用的。 CVE-2006-3495 在Mac OS X Server上,AFP Server支持在网络断开后重新连接文件共享会话。重新连接密钥的存储是完全可读的,因此通过认证的本地用户就可以读取该密钥,扮演为AFP上的其他用户,并以所扮演用户的权限访问文件或文件夹。 CVE-2006-3496 攻击者可以通过特制的无效AFP请求触发AFP Server中的拒绝服务。 CVE-2006-3497 Bom的压缩状态处理可能导致堆破坏。攻击者可以创建特制的Zip文档并诱骗用户打开来触发这个漏洞,导致应用程序崩溃或执行任意代码。 CVE-2006-3498 bootpd的请求处理中存在栈溢出。远程攻击者可以通过特制的BOOTP请求触发这个漏洞,导致以系统权限执行任意代码。bootpd在Mac OS X上不是默认启用的,必须手动配置。 CVE-2006-3499 恶意的本地用户可以指定动态连接器选项,导致标准错误输出。这种输出包含有敏感内容或用户指定的内容,因此解析或重新使用标准错误的特权应用程序可能受到不良的影响。 CVE-2006-3500 在搜索加载到特权应用程序的函数库时没有正确的处理动态连接器,可能导致包含危险的路径,这样恶意的本地用户就可以导致加载动态连接器,以提升的权限执行任意代码。 CVE-2006-0392 攻击者可以通过特制的Canon RAW图形触发溢出,导致应用程序崩溃或执行任意代码。 CVE-2006-3501 攻击者可以通过特制的Radiance图形触发整数溢出,导致应用程序崩溃或执行任意代码。 CVE-2006-3502 攻击者可以通过特制的GIF图形触发内存分配失败,导致应用程序崩溃或执行任意代码。 CVE-2006-3503 攻击者可以通过特制的GIF图形触发整数溢出,导致应用程序崩溃或执行任意代码。 CVE-2006-3504 下载验证可能将某些包含有HTML的文件错误的识别为“安全”。如果在Safari中下载了这样的文件且Safari的“下载后打开安全的文件”选项已启用,则就会从本地URI自动打开HTML文档,允许文档中嵌入的JavaScript代码绕过访问限制。 CVE-2006-0393 如果使用不存在的帐号试图登录到OpenSSH Server的话就会导致认证进程挂起。攻击者可以利用这种行为检测是否存在特定的帐号,大量的尝试还可以导致拒绝服务。 CVE-2006-3505 特制的HTML文档可能导致访问之前已解除分配的对象,造成应用程序崩溃或执行任意代码。 此外,这个更新还修复了其他一些第三方产品中的多个漏洞。 Apple Mac OS X 10.4.7 Apple Mac OS X 10.3.9 Apple MacOS X Server 10.4.7 Apple MacOS X Server 10.3.9 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: Apple Mac OS X Server 10.3.9 <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11231&amp;cat=1&amp;platform=osx&amp;method=sa/SecUpdSrvr2006-004Pan.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11231&amp;cat=1&amp;platform=osx&amp;method=sa/SecUpdSrvr2006-004Pan.dmg</a> Apple Mac OS X 10.3.9 <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11230&amp;cat=1&amp;platform=osx&amp;method=sa/SecUpd2006-004Pan.dmg" 
target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11230&amp;cat=1&amp;platform=osx&amp;method=sa/SecUpd2006-004Pan.dmg</a> Apple Mac OS X 10.4.7 <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11232&amp;cat=1&amp;platform=osx&amp;method=sa/SecUpd2006-004Intel.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11232&amp;cat=1&amp;platform=osx&amp;method=sa/SecUpd2006-004Intel.dmg</a>
id: SSV:396
last seen: 2017-11-19
modified: 2006-11-04
published: 2006-11-04
reporter: Root
title: Apple Mac OS X多个安全漏洞