Vulnerabilities > CVE-2007-4691 - Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X and mac OS X Server

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
apple
CWE-264
critical
nessus

Summary

The NSURL component in Apple Mac OS X 10.4 through 10.4.10 performs case-sensitive comparisons that allow attackers to bypass intended restrictions for local file system URLs.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOSX_10_4_11.NASL
descriptionThe remote host is running a version of Mac OS X 10.4 which is older than version 10.4.11 or a version of Mac OS X 10.3 which does not have Security Update 2007-008 applied. This update contains several security fixes for the following programs : - Flash Player Plugin - AppleRAID - BIND - bzip2 - CFFTP - CFNetwork - CoreFoundation - CoreText - Kerberos - Kernel - remote_cmds - Networking - NFS - NSURL - Safari - SecurityAgent - WebCore - WebKit
last seen2020-06-01
modified2020-06-02
plugin id28212
published2007-11-14
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/28212
titleMac OS X < 10.4.11 Multiple Vulnerabilities (Security Update 2007-008)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 26444 CVE(CAN) ID: CVE-2007-4678,CVE-2007-4679,CVE-2007-4680,CVE-2007-4681,CVE-2007-4682,CVE-2007-3749,CVE-2007-4683,CVE-2007-4684,CVE-2007-4685,CVE-2007-4686,CVE-2007-4687,CVE-2007-4688,CVE-2007-4689,CVE-2007-4269,CVE-2007-4268,CVE-2007-4690,CVE-2007-4691,CVE-2007-4692,CVE-2007-4693,CVE-2007-4694,CVE-2007-4695,CVE-2007-4696,CVE-2007-4697,CVE-2007-4698,CVE-2007-4699,CVE-2007-4700,CVE-2007-4701 Apple Mac OS X是苹果家族机器所使用的操作系统。 Apple Mac OS X的10.4.11之前版本中存在多个安全漏洞: CVE-2007-4678 在加载剥离的磁盘镜像时AppleRAID中存在空指针引用,可能导致系统意外关闭。如果启用了“下载后打开安全文件”选项的话,Safari会自动加载磁盘镜像。 CVE-2007-4679 CFNetwork的FTP部分实现中存在漏洞,如果发送了特制的FTP PASV命令的话,FTP服务器就会导致客户端连接到其他主机。 CVE-2007-4680 证书验证中存在错误,中间人攻击可能将用户定向到具备有效SSL证书的合法站点,然后重新定向到错误的显示为可信任的欺骗站点,导致泄漏凭据或其他信息。 CVE-2007-4681 CoreFoundation在列出目录内容时存在单字节溢出漏洞。如果用户受骗读取了恶意的目录结构,就会导致应用程序意外终止或执行任意代码。 CVE-2007-4682 处理文本内容时存在未初始化对象指针漏洞。如果用户受骗查看了恶意的文本内容,就会导致应用程序意外终止或执行任意代码。 CVE-2007-3749 在执行特权二进制程序时,内核没有重置当前的Mach线程端口或线程异常端口,允许本地用户将任意数据写入到系统进程的地址空间,导致以系统权限执行任意指令。 CVE-2007-4683 chroot机制应限制设置进程可访问的文件,但攻击者可以使用相对路径更改工作目录,绕过这种限制。 CVE-2007-4684 i386_set_ldt系统调用中的单字节溢出漏洞可能允许本地用户以提升的权限执行任意指令。 CVE-2007-4685 在执行setuid和setgid程序时标准文件描述符的处理中存在漏洞,可能允许本地用户通过执行处于非预期状态中有标准文件描述符的setuid程序获得系统权限。 CVE-2007-4686 ioctl请求处理中存在整数溢出漏洞,本地攻击者可以通过发送恶意的ioctl请求导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4687 默认下/private/tftpboot/private目录包含有到根目录的符号链接,这允许客户端访问系统上的任意路径。 CVE-2007-4688 Node Information Query机制实现中的漏洞允许远程用户查询主机的所有地址,包括link-local地址。 CVE-2007-4689 处理某些IPV6报文中存在双重释放漏洞,可能导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4268 AppleTalk在处理内存分配时存在算法错误,可能触发堆溢出。本地用户可以通过发送恶意的AppleTalk消息导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4269 AppleTalk处理ASP消息时存在整数溢出,本地攻击者可以通过对AppleTalk套接字发送恶意的ASP消息导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4690 在处理AUTH_UNIX RPC调用时可能在NFS中触发双重释放,远程攻击者可以通过TCP或UDP发送恶意的AUTH_UNIX RPC调用导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4691 在判断URL是否引用了本地文件系统时NSURL中存在区分大小写文件,API的调用者可能做出错误的安全决定,导致未经提供合适的安全警告便执行本地系统或网络卷标上的任意文件。 CVE-2007-4692 Safari的Tabbed浏览功能实现中存在漏洞,如果非活动标签所加载站点使用了HTTP认证的话,尽管标签及其相关页面是不可见的,但仍可以显示认证表。用户可能认为认证表来自当前的活动页面,这可能导致泄漏用户凭据。 CVE-2007-4693 在从休眠或屏保状态唤醒计算机时,物理访问的用户可以向屏保认证对话后运行的进程发送键盘动作。 CVE-2007-4694 Safari在加载资源时没有阻断file:// URL,如果用户受骗访问了恶意站点的话,远程攻击者就可以查看本地文件的内容。 CVE-2007-4695 在处理HTML表单时存在输入验证错误,如果用户受骗上传了恶意文件的话,攻击者就可以更改表单字段的值,导致服务器在处理表单时可能会出现非预期的行为。 CVE-2007-4696 Safari在处理页面转换时存在竞争条件,如果用户受骗访问了恶意网页的话,攻击者就可以获得其他站点上表单所输入的信息。 CVE-2007-4697 在处理浏览器的历史记录时存在内存破坏漏洞,如果用户受骗访问了恶意网页的话,攻击者就可以导致应用程序意外终止或执行任意代码。 CVE-2007-4698 Safari允许将JavaScript事件关联到错误的帧,如果用户受骗访问了恶意网页,攻击者就可以在其他站点的上下文执行JavaScript。 CVE-2007-4699 默认下当Safari向密钥链添加私钥时可能未提供警告便允许应用程序访问密钥。 CVE-2007-4700 Safari可能允许恶意站点向任意TCP端口发送远程指定的数据。 CVE-2007-4701 WebKit/Safari在预览PDF文件时会创建临时文件,这允许本地用户访问文件的内容。 Apple Mac OS X 10.4 - 10.4.10 Apple MacOS X Server 10.4 - 10.4.10 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11Intel.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11Intel.dmg</a> <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11PPC.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11PPC.dmg</a>
idSSV:2432
last seen2017-11-19
modified2007-11-17
published2007-11-17
reporterRoot
titleApple Mac OS X v10.4.11之前版本多个安全漏洞