Vulnerabilities > CVE-2007-4688 - Information Exposure vulnerability in Apple mac OS X and mac OS X Server
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The Networking component in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to obtain all addresses for a host, including link-local addresses, via a Node Information Query.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
| NASL family | MacOS X Local Security Checks |
| NASL id | MACOSX_10_4_11.NASL |
| description | The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.11 or a version of Mac OS X 10.3 which does not have Security Update 2007-008 applied. This update contains several security fixes for the following programs : - Flash Player Plugin - AppleRAID - BIND - bzip2 - CFFTP - CFNetwork - CoreFoundation - CoreText - Kerberos - Kernel - remote_cmds - Networking - NFS - NSURL - Safari - SecurityAgent - WebCore - WebKit |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 28212 |
| published | 2007-11-14 |
| reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/28212 |
| title | Mac OS X < 10.4.11 Multiple Vulnerabilities (Security Update 2007-008) |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 26444 CVE(CAN) ID: CVE-2007-4678,CVE-2007-4679,CVE-2007-4680,CVE-2007-4681,CVE-2007-4682,CVE-2007-3749,CVE-2007-4683,CVE-2007-4684,CVE-2007-4685,CVE-2007-4686,CVE-2007-4687,CVE-2007-4688,CVE-2007-4689,CVE-2007-4269,CVE-2007-4268,CVE-2007-4690,CVE-2007-4691,CVE-2007-4692,CVE-2007-4693,CVE-2007-4694,CVE-2007-4695,CVE-2007-4696,CVE-2007-4697,CVE-2007-4698,CVE-2007-4699,CVE-2007-4700,CVE-2007-4701 Apple Mac OS X是苹果家族机器所使用的操作系统。 Apple Mac OS X的10.4.11之前版本中存在多个安全漏洞: CVE-2007-4678 在加载剥离的磁盘镜像时AppleRAID中存在空指针引用,可能导致系统意外关闭。如果启用了“下载后打开安全文件”选项的话,Safari会自动加载磁盘镜像。 CVE-2007-4679 CFNetwork的FTP部分实现中存在漏洞,如果发送了特制的FTP PASV命令的话,FTP服务器就会导致客户端连接到其他主机。 CVE-2007-4680 证书验证中存在错误,中间人攻击可能将用户定向到具备有效SSL证书的合法站点,然后重新定向到错误的显示为可信任的欺骗站点,导致泄漏凭据或其他信息。 CVE-2007-4681 CoreFoundation在列出目录内容时存在单字节溢出漏洞。如果用户受骗读取了恶意的目录结构,就会导致应用程序意外终止或执行任意代码。 CVE-2007-4682 处理文本内容时存在未初始化对象指针漏洞。如果用户受骗查看了恶意的文本内容,就会导致应用程序意外终止或执行任意代码。 CVE-2007-3749 在执行特权二进制程序时,内核没有重置当前的Mach线程端口或线程异常端口,允许本地用户将任意数据写入到系统进程的地址空间,导致以系统权限执行任意指令。 CVE-2007-4683 chroot机制应限制设置进程可访问的文件,但攻击者可以使用相对路径更改工作目录,绕过这种限制。 CVE-2007-4684 i386_set_ldt系统调用中的单字节溢出漏洞可能允许本地用户以提升的权限执行任意指令。 CVE-2007-4685 在执行setuid和setgid程序时标准文件描述符的处理中存在漏洞,可能允许本地用户通过执行处于非预期状态中有标准文件描述符的setuid程序获得系统权限。 CVE-2007-4686 ioctl请求处理中存在整数溢出漏洞,本地攻击者可以通过发送恶意的ioctl请求导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4687 默认下/private/tftpboot/private目录包含有到根目录的符号链接,这允许客户端访问系统上的任意路径。 CVE-2007-4688 Node Information Query机制实现中的漏洞允许远程用户查询主机的所有地址,包括link-local地址。 CVE-2007-4689 处理某些IPV6报文中存在双重释放漏洞,可能导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4268 AppleTalk在处理内存分配时存在算法错误,可能触发堆溢出。本地用户可以通过发送恶意的AppleTalk消息导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4269 AppleTalk处理ASP消息时存在整数溢出,本地攻击者可以通过对AppleTalk套接字发送恶意的ASP消息导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4690 在处理AUTH_UNIX RPC调用时可能在NFS中触发双重释放,远程攻击者可以通过TCP或UDP发送恶意的AUTH_UNIX RPC调用导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4691 在判断URL是否引用了本地文件系统时NSURL中存在区分大小写文件,API的调用者可能做出错误的安全决定,导致未经提供合适的安全警告便执行本地系统或网络卷标上的任意文件。 CVE-2007-4692 Safari的Tabbed浏览功能实现中存在漏洞,如果非活动标签所加载站点使用了HTTP认证的话,尽管标签及其相关页面是不可见的,但仍可以显示认证表。用户可能认为认证表来自当前的活动页面,这可能导致泄漏用户凭据。 CVE-2007-4693 在从休眠或屏保状态唤醒计算机时,物理访问的用户可以向屏保认证对话后运行的进程发送键盘动作。 CVE-2007-4694 Safari在加载资源时没有阻断file:// URL,如果用户受骗访问了恶意站点的话,远程攻击者就可以查看本地文件的内容。 CVE-2007-4695 在处理HTML表单时存在输入验证错误,如果用户受骗上传了恶意文件的话,攻击者就可以更改表单字段的值,导致服务器在处理表单时可能会出现非预期的行为。 CVE-2007-4696 Safari在处理页面转换时存在竞争条件,如果用户受骗访问了恶意网页的话,攻击者就可以获得其他站点上表单所输入的信息。 CVE-2007-4697 在处理浏览器的历史记录时存在内存破坏漏洞,如果用户受骗访问了恶意网页的话,攻击者就可以导致应用程序意外终止或执行任意代码。 CVE-2007-4698 Safari允许将JavaScript事件关联到错误的帧,如果用户受骗访问了恶意网页,攻击者就可以在其他站点的上下文执行JavaScript。 CVE-2007-4699 默认下当Safari向密钥链添加私钥时可能未提供警告便允许应用程序访问密钥。 CVE-2007-4700 Safari可能允许恶意站点向任意TCP端口发送远程指定的数据。 CVE-2007-4701 WebKit/Safari在预览PDF文件时会创建临时文件,这允许本地用户访问文件的内容。 Apple Mac OS X 10.4 - 10.4.10 Apple MacOS X Server 10.4 - 10.4.10 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11Intel.dmg</a> <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.11PPC.dmg</a> |
| id | SSV:2432 |
| last seen | 2017-11-19 |
| modified | 2007-11-17 |
| published | 2007-11-17 |
| reporter | Root |
| title | Apple Mac OS X v10.4.11之前版本多个安全漏洞 |
References
- http://docs.info.apple.com/article.html?artnum=307041
- http://lists.apple.com/archives/security-announce/2007/Nov/msg00002.html
- http://secunia.com/advisories/27643
- http://securitytracker.com/id?1018950
- http://www.securityfocus.com/bid/26444
- http://www.us-cert.gov/cas/techalerts/TA07-319A.html
- http://www.vupen.com/english/advisories/2007/3868
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38472