Vulnerabilities > CVE-2007-5848 - Buffer Errors vulnerability in Apple mac OS X 10.4.11
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2007-009.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs. last seen 2020-06-01 modified 2020-06-02 plugin id 29723 published 2007-12-18 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29723 title Mac OS X Multiple Vulnerabilities (Security Update 2007-009) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(29723); script_version("1.27"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id("CVE-2006-0024", "CVE-2007-1218", "CVE-2007-1659", "CVE-2007-1660", "CVE-2007-1661", "CVE-2007-1662", "CVE-2007-3798", "CVE-2007-3876", "CVE-2007-4131", "CVE-2007-4351", "CVE-2007-4572", "CVE-2007-4708", "CVE-2007-4709", "CVE-2007-4710", "CVE-2007-4766", "CVE-2007-4767", "CVE-2007-4768", "CVE-2007-4965", "CVE-2007-5116", "CVE-2007-5379", "CVE-2007-5380", "CVE-2007-5398", "CVE-2007-5476", "CVE-2007-5770", "CVE-2007-5847", "CVE-2007-5848", "CVE-2007-5849", "CVE-2007-5850", "CVE-2007-5851", "CVE-2007-5853", "CVE-2007-5854", "CVE-2007-5855", "CVE-2007-5856", "CVE-2007-5857", "CVE-2007-5858", "CVE-2007-5859", "CVE-2007-5860", "CVE-2007-5861", "CVE-2007-5863", "CVE-2007-6077", "CVE-2007-6165"); script_bugtraq_id(17106, 22772, 24965, 25417, 25696, 26096, 26268, 26274, 26346, 26350, 26421, 26454, 26455, 26510, 26598, 26908, 26910, 26926); script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2007-009)"); script_summary(english:"Check for the presence of Security Update 2007-009"); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes various security issues."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs."); script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=307179"); script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"); script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/13649"); script_set_attribute(attribute:"solution", value:"Install Security Update 2007-009."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mail.app Image Attachment Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(16, 20, 22, 79, 119, 134, 189, 200, 264, 287, 310, 362, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/18"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages", "Host/uname"); exit(0); } uname = get_kb_item("Host/uname"); if ( ! uname ) exit(0); if ( egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname) ) { packages = get_kb_item("Host/MacOSX/packages"); if ( ! packages ) exit(0); if (!egrep(pattern:"^SecUpd(Srvr)?(2007-009|200[89]-|20[1-9][0-9]-)", string:packages)) security_hole(0); } else if ( egrep(pattern:"Darwin.* (9\.[01]\.)", string:uname) ) { packages = get_kb_item("Host/MacOSX/packages/boms"); if ( ! packages ) exit(0); if ( !egrep(pattern:"^com\.apple\.pkg\.update\.security\.2007\.009\.bom", string:packages) ) security_hole(0); }NASL family SuSE Local Security Checks NASL id SUSE_CUPS-4805.NASL description This update fixes a buffer overflow that can be exploited by users that are allowed to configure CUPS. (CVE-2007-5848) last seen 2020-06-01 modified 2020-06-02 plugin id 29913 published 2008-01-10 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29913 title SuSE 10 Security Update : cups (ZYPP Patch Number 4805) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(29913); script_version ("1.16"); script_cvs_date("Date: 2019/10/25 13:36:29"); script_cve_id("CVE-2007-5848"); script_name(english:"SuSE 10 Security Update : cups (ZYPP Patch Number 4805)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This update fixes a buffer overflow that can be exploited by users that are allowed to configure CUPS. (CVE-2007-5848)" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-5848.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4805."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/12/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:1, reference:"cups-1.1.23-40.35")) flag++; if (rpm_check(release:"SLED10", sp:1, reference:"cups-client-1.1.23-40.35")) flag++; if (rpm_check(release:"SLED10", sp:1, reference:"cups-devel-1.1.23-40.35")) flag++; if (rpm_check(release:"SLED10", sp:1, reference:"cups-libs-1.1.23-40.35")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"cups-libs-32bit-1.1.23-40.35")) flag++; if (rpm_check(release:"SLES10", sp:1, reference:"cups-1.1.23-40.35")) flag++; if (rpm_check(release:"SLES10", sp:1, reference:"cups-client-1.1.23-40.35")) flag++; if (rpm_check(release:"SLES10", sp:1, reference:"cups-devel-1.1.23-40.35")) flag++; if (rpm_check(release:"SLES10", sp:1, reference:"cups-libs-1.1.23-40.35")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"cups-libs-32bit-1.1.23-40.35")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE9_12016.NASL description This update fixes a buffer overflow that can be exploited by users that are allowed to configure CUPS. (CVE-2007-5848) last seen 2020-06-01 modified 2020-06-02 plugin id 41175 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41175 title SuSE9 Security Update : cups (YOU Patch Number 12016) NASL family SuSE Local Security Checks NASL id SUSE_CUPS-4806.NASL description This update fixes a buffer overflow that can be exploited by users that are allowed to configure CUPS. (CVE-2007-5848) Additionally a buffer overflow in the SNMP backend of CUPS was fixed that allowed remote attackers to execute arbitrary code by sending specially crafted SNMP responses. (CVE-2007-5849) This vulnerability affects 10.2 and 10.3 only. last seen 2020-06-01 modified 2020-06-02 plugin id 29914 published 2008-01-10 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29914 title openSUSE 10 Security Update : cups (cups-4806)
Seebug
| bulletinFamily | exploit |
| description | CVE-2007-4708 CVE-2007-4709 CVE-2007-4710 CVE-2007-5847 CVE-2007-5848 CVE-2007-5849 CVE-2007-5850 CVE-2007-5851 CVE-2007-5853 CVE-2007-5854 CVE-2007-5855 CVE-2007-5856 CVE-2007-5857 CVE-2007-5859 CVE-2007-5876 CVE-2007-5860 CVE-2007-5861 These issues affect Mac OS X and various applications, including Address Book, CFNetwork, ColorSync, CoreFoundation, CUPS, Desktop Services, iChat, IO Storage Family, Launch Services, Mail, Quick Look, Safari, Safari RSS, SMB, Software Update, Spin Tracer, Spotlight, tcpdump, and XQuery. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. rPath rPath Linux 1 Apple Mac OS X Server 10.5.1 Apple Mac OS X Server 10.4.11 Apple Mac OS X Server 10.4.10 Apple Mac OS X Server 10.4.9 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X Server 10.5 Apple Mac OS X 10.5.1 Apple Mac OS X 10.4.11 Apple Mac OS X 10.4.10 Apple Mac OS X 10.4.9 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 Apple Mac OS X 10.5 Apple Mac OS X Server 10.4.11 Apple Security Update 2007-009 (10.4.11 PPC) <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16521&cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16521&cat=</a> 1&platform=osx&method=sa/SecUpd2007-009Univ.dmg Apple Security Update 2007-009 (10.4.11 Universal) <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16521&cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16521&cat=</a> 1&platform=osx&method=sa/SecUpd2007-009Univ.dmg Apple Mac OS X 10.4.11 Apple Security Update 2007-009 (10.4.11 PPC) <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16521&cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16521&cat=</a> 1&platform=osx&method=sa/SecUpd2007-009Univ.dmg Apple Security Update 2007-009 (10.4.11 Universal) <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16521&cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16521&cat=</a> 1&platform=osx&method=sa/SecUpd2007-009Univ.dmg Apple Mac OS X Server 10.5.1 Apple Security Update 2007-009 (10.5.1) <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16527&cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16527&cat=</a> 1&platform=osx&method=sa/SecUpd2007-009.dmg Apple Mac OS X 10.5.1 Apple Security Update 2007-009 (10.5.1) <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16527&cat= target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16527&cat=</a> 1&platform=osx&method=sa/SecUpd2007-009.dmg |
| id | SSV:2771 |
| last seen | 2017-11-19 |
| modified | 2008-01-06 |
| published | 2008-01-06 |
| reporter | Root |
| title | Apple Mac OS X v10.5.1 2007-009 Multiple Security Vulnerabilities |
Statements
| contributor | Joshua Bressers |
| lastmodified | 2008-01-02 |
| organization | Red Hat |
| statement | Not vulnerable. After a detailed analysis of this flaw, it has been determined that it is not exploitable on Red Hat Enterprise Linux 3, 4, or 5. For more information please see: https://bugzilla.redhat.com/show_bug.cgi?id=415141 |
References
- http://docs.info.apple.com/article.html?artnum=307179
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-01/msg00003.html
- http://secunia.com/advisories/28136
- http://secunia.com/advisories/28344
- http://secunia.com/advisories/28441
- http://secunia.com/advisories/28636
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:050
- http://www.novell.com/linux/security/advisories/suse_security_summary_report.html
- http://www.securityfocus.com/archive/1/485829/100/0/threaded
- http://www.securityfocus.com/bid/26910
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://www.vupen.com/english/advisories/2007/4238
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39096
- https://issues.rpath.com/browse/RPL-2009