Vulnerabilities > CVE-2007-4692 - Improper Authentication vulnerability in Apple Safari

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
apple
microsoft
CWE-287
nessus

Summary

The tabbed browsing feature in Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 through 10.4.10, allows remote attackers to spoof HTTP authentication for other sites and possibly conduct phishing attacks by causing an authentication sheet to be displayed for a tab that is not active, which makes it appear as if it is associated with the active tab.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOSX_10_4_11.NASL
descriptionThe remote host is running a version of Mac OS X 10.4 which is older than version 10.4.11 or a version of Mac OS X 10.3 which does not have Security Update 2007-008 applied. This update contains several security fixes for the following programs : - Flash Player Plugin - AppleRAID - BIND - bzip2 - CFFTP - CFNetwork - CoreFoundation - CoreText - Kerberos - Kernel - remote_cmds - Networking - NFS - NSURL - Safari - SecurityAgent - WebCore - WebKit
last seen2020-06-01
modified2020-06-02
plugin id28212
published2007-11-14
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/28212
titleMac OS X < 10.4.11 Multiple Vulnerabilities (Security Update 2007-008)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 26444 CVE(CAN) ID: CVE-2007-4678,CVE-2007-4679,CVE-2007-4680,CVE-2007-4681,CVE-2007-4682,CVE-2007-3749,CVE-2007-4683,CVE-2007-4684,CVE-2007-4685,CVE-2007-4686,CVE-2007-4687,CVE-2007-4688,CVE-2007-4689,CVE-2007-4269,CVE-2007-4268,CVE-2007-4690,CVE-2007-4691,CVE-2007-4692,CVE-2007-4693,CVE-2007-4694,CVE-2007-4695,CVE-2007-4696,CVE-2007-4697,CVE-2007-4698,CVE-2007-4699,CVE-2007-4700,CVE-2007-4701 Apple Mac OS X是苹果家族机器所使用的操作系统。 Apple Mac OS X的10.4.11之前版本中存在多个安全漏洞: CVE-2007-4678 在加载剥离的磁盘镜像时AppleRAID中存在空指针引用,可能导致系统意外关闭。如果启用了“下载后打开安全文件”选项的话,Safari会自动加载磁盘镜像。 CVE-2007-4679 CFNetwork的FTP部分实现中存在漏洞,如果发送了特制的FTP PASV命令的话,FTP服务器就会导致客户端连接到其他主机。 CVE-2007-4680 证书验证中存在错误,中间人攻击可能将用户定向到具备有效SSL证书的合法站点,然后重新定向到错误的显示为可信任的欺骗站点,导致泄漏凭据或其他信息。 CVE-2007-4681 CoreFoundation在列出目录内容时存在单字节溢出漏洞。如果用户受骗读取了恶意的目录结构,就会导致应用程序意外终止或执行任意代码。 CVE-2007-4682 处理文本内容时存在未初始化对象指针漏洞。如果用户受骗查看了恶意的文本内容,就会导致应用程序意外终止或执行任意代码。 CVE-2007-3749 在执行特权二进制程序时,内核没有重置当前的Mach线程端口或线程异常端口,允许本地用户将任意数据写入到系统进程的地址空间,导致以系统权限执行任意指令。 CVE-2007-4683 chroot机制应限制设置进程可访问的文件,但攻击者可以使用相对路径更改工作目录,绕过这种限制。 CVE-2007-4684 i386_set_ldt系统调用中的单字节溢出漏洞可能允许本地用户以提升的权限执行任意指令。 CVE-2007-4685 在执行setuid和setgid程序时标准文件描述符的处理中存在漏洞,可能允许本地用户通过执行处于非预期状态中有标准文件描述符的setuid程序获得系统权限。 CVE-2007-4686 ioctl请求处理中存在整数溢出漏洞,本地攻击者可以通过发送恶意的ioctl请求导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4687 默认下/private/tftpboot/private目录包含有到根目录的符号链接,这允许客户端访问系统上的任意路径。 CVE-2007-4688 Node Information Query机制实现中的漏洞允许远程用户查询主机的所有地址,包括link-local地址。 CVE-2007-4689 处理某些IPV6报文中存在双重释放漏洞,可能导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4268 AppleTalk在处理内存分配时存在算法错误,可能触发堆溢出。本地用户可以通过发送恶意的AppleTalk消息导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4269 AppleTalk处理ASP消息时存在整数溢出,本地攻击者可以通过对AppleTalk套接字发送恶意的ASP消息导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4690 在处理AUTH_UNIX RPC调用时可能在NFS中触发双重释放,远程攻击者可以通过TCP或UDP发送恶意的AUTH_UNIX RPC调用导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4691 在判断URL是否引用了本地文件系统时NSURL中存在区分大小写文件,API的调用者可能做出错误的安全决定,导致未经提供合适的安全警告便执行本地系统或网络卷标上的任意文件。 CVE-2007-4692 Safari的Tabbed浏览功能实现中存在漏洞,如果非活动标签所加载站点使用了HTTP认证的话,尽管标签及其相关页面是不可见的,但仍可以显示认证表。用户可能认为认证表来自当前的活动页面,这可能导致泄漏用户凭据。 CVE-2007-4693 在从休眠或屏保状态唤醒计算机时,物理访问的用户可以向屏保认证对话后运行的进程发送键盘动作。 CVE-2007-4694 Safari在加载资源时没有阻断file:// URL,如果用户受骗访问了恶意站点的话,远程攻击者就可以查看本地文件的内容。 CVE-2007-4695 在处理HTML表单时存在输入验证错误,如果用户受骗上传了恶意文件的话,攻击者就可以更改表单字段的值,导致服务器在处理表单时可能会出现非预期的行为。 CVE-2007-4696 Safari在处理页面转换时存在竞争条件,如果用户受骗访问了恶意网页的话,攻击者就可以获得其他站点上表单所输入的信息。 CVE-2007-4697 在处理浏览器的历史记录时存在内存破坏漏洞,如果用户受骗访问了恶意网页的话,攻击者就可以导致应用程序意外终止或执行任意代码。 CVE-2007-4698 Safari允许将JavaScript事件关联到错误的帧,如果用户受骗访问了恶意网页,攻击者就可以在其他站点的上下文执行JavaScript。 CVE-2007-4699 默认下当Safari向密钥链添加私钥时可能未提供警告便允许应用程序访问密钥。 CVE-2007-4700 Safari可能允许恶意站点向任意TCP端口发送远程指定的数据。 CVE-2007-4701 WebKit/Safari在预览PDF文件时会创建临时文件,这允许本地用户访问文件的内容。 Apple Mac OS X 10.4 - 10.4.10 Apple MacOS X Server 10.4 - 10.4.10 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11Intel.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11Intel.dmg</a> <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11PPC.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11PPC.dmg</a>
idSSV:2432
last seen2017-11-19
modified2007-11-17
published2007-11-17
reporterRoot
titleApple Mac OS X v10.4.11之前版本多个安全漏洞