Vulnerabilities > CVE-2007-4695 - Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
apple
CWE-20
nessus

Summary

Unspecified "input validation" vulnerability in WebCore in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to modify form field values via unknown vectors related to file uploads.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOSX_10_4_11.NASL
descriptionThe remote host is running a version of Mac OS X 10.4 which is older than version 10.4.11 or a version of Mac OS X 10.3 which does not have Security Update 2007-008 applied. This update contains several security fixes for the following programs : - Flash Player Plugin - AppleRAID - BIND - bzip2 - CFFTP - CFNetwork - CoreFoundation - CoreText - Kerberos - Kernel - remote_cmds - Networking - NFS - NSURL - Safari - SecurityAgent - WebCore - WebKit
last seen2020-06-01
modified2020-06-02
plugin id28212
published2007-11-14
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/28212
titleMac OS X < 10.4.11 Multiple Vulnerabilities (Security Update 2007-008)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 26444 CVE(CAN) ID: CVE-2007-4678,CVE-2007-4679,CVE-2007-4680,CVE-2007-4681,CVE-2007-4682,CVE-2007-3749,CVE-2007-4683,CVE-2007-4684,CVE-2007-4685,CVE-2007-4686,CVE-2007-4687,CVE-2007-4688,CVE-2007-4689,CVE-2007-4269,CVE-2007-4268,CVE-2007-4690,CVE-2007-4691,CVE-2007-4692,CVE-2007-4693,CVE-2007-4694,CVE-2007-4695,CVE-2007-4696,CVE-2007-4697,CVE-2007-4698,CVE-2007-4699,CVE-2007-4700,CVE-2007-4701 Apple Mac OS X是苹果家族机器所使用的操作系统。 Apple Mac OS X的10.4.11之前版本中存在多个安全漏洞: CVE-2007-4678 在加载剥离的磁盘镜像时AppleRAID中存在空指针引用,可能导致系统意外关闭。如果启用了“下载后打开安全文件”选项的话,Safari会自动加载磁盘镜像。 CVE-2007-4679 CFNetwork的FTP部分实现中存在漏洞,如果发送了特制的FTP PASV命令的话,FTP服务器就会导致客户端连接到其他主机。 CVE-2007-4680 证书验证中存在错误,中间人攻击可能将用户定向到具备有效SSL证书的合法站点,然后重新定向到错误的显示为可信任的欺骗站点,导致泄漏凭据或其他信息。 CVE-2007-4681 CoreFoundation在列出目录内容时存在单字节溢出漏洞。如果用户受骗读取了恶意的目录结构,就会导致应用程序意外终止或执行任意代码。 CVE-2007-4682 处理文本内容时存在未初始化对象指针漏洞。如果用户受骗查看了恶意的文本内容,就会导致应用程序意外终止或执行任意代码。 CVE-2007-3749 在执行特权二进制程序时,内核没有重置当前的Mach线程端口或线程异常端口,允许本地用户将任意数据写入到系统进程的地址空间,导致以系统权限执行任意指令。 CVE-2007-4683 chroot机制应限制设置进程可访问的文件,但攻击者可以使用相对路径更改工作目录,绕过这种限制。 CVE-2007-4684 i386_set_ldt系统调用中的单字节溢出漏洞可能允许本地用户以提升的权限执行任意指令。 CVE-2007-4685 在执行setuid和setgid程序时标准文件描述符的处理中存在漏洞,可能允许本地用户通过执行处于非预期状态中有标准文件描述符的setuid程序获得系统权限。 CVE-2007-4686 ioctl请求处理中存在整数溢出漏洞,本地攻击者可以通过发送恶意的ioctl请求导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4687 默认下/private/tftpboot/private目录包含有到根目录的符号链接,这允许客户端访问系统上的任意路径。 CVE-2007-4688 Node Information Query机制实现中的漏洞允许远程用户查询主机的所有地址,包括link-local地址。 CVE-2007-4689 处理某些IPV6报文中存在双重释放漏洞,可能导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4268 AppleTalk在处理内存分配时存在算法错误,可能触发堆溢出。本地用户可以通过发送恶意的AppleTalk消息导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4269 AppleTalk处理ASP消息时存在整数溢出,本地攻击者可以通过对AppleTalk套接字发送恶意的ASP消息导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4690 在处理AUTH_UNIX RPC调用时可能在NFS中触发双重释放,远程攻击者可以通过TCP或UDP发送恶意的AUTH_UNIX RPC调用导致系统意外关闭或以系统权限执行任意指令。 CVE-2007-4691 在判断URL是否引用了本地文件系统时NSURL中存在区分大小写文件,API的调用者可能做出错误的安全决定,导致未经提供合适的安全警告便执行本地系统或网络卷标上的任意文件。 CVE-2007-4692 Safari的Tabbed浏览功能实现中存在漏洞,如果非活动标签所加载站点使用了HTTP认证的话,尽管标签及其相关页面是不可见的,但仍可以显示认证表。用户可能认为认证表来自当前的活动页面,这可能导致泄漏用户凭据。 CVE-2007-4693 在从休眠或屏保状态唤醒计算机时,物理访问的用户可以向屏保认证对话后运行的进程发送键盘动作。 CVE-2007-4694 Safari在加载资源时没有阻断file:// URL,如果用户受骗访问了恶意站点的话,远程攻击者就可以查看本地文件的内容。 CVE-2007-4695 在处理HTML表单时存在输入验证错误,如果用户受骗上传了恶意文件的话,攻击者就可以更改表单字段的值,导致服务器在处理表单时可能会出现非预期的行为。 CVE-2007-4696 Safari在处理页面转换时存在竞争条件,如果用户受骗访问了恶意网页的话,攻击者就可以获得其他站点上表单所输入的信息。 CVE-2007-4697 在处理浏览器的历史记录时存在内存破坏漏洞,如果用户受骗访问了恶意网页的话,攻击者就可以导致应用程序意外终止或执行任意代码。 CVE-2007-4698 Safari允许将JavaScript事件关联到错误的帧,如果用户受骗访问了恶意网页,攻击者就可以在其他站点的上下文执行JavaScript。 CVE-2007-4699 默认下当Safari向密钥链添加私钥时可能未提供警告便允许应用程序访问密钥。 CVE-2007-4700 Safari可能允许恶意站点向任意TCP端口发送远程指定的数据。 CVE-2007-4701 WebKit/Safari在预览PDF文件时会创建临时文件,这允许本地用户访问文件的内容。 Apple Mac OS X 10.4 - 10.4.10 Apple MacOS X Server 10.4 - 10.4.10 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11Intel.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16036&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11Intel.dmg</a> <a href="http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11PPC.dmg" target="_blank">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16051&amp;cat=1&amp;platform=osx&amp;method=sa/MacOSXUpdCombo10.4.11PPC.dmg</a>
idSSV:2432
last seen2017-11-19
modified2007-11-17
published2007-11-17
reporterRoot
titleApple Mac OS X v10.4.11之前版本多个安全漏洞